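# selinux policy for allowing Squid to use the TPROXY mode
#
# Purpose: grant the squid_t domain the net_admin capability (CAP_NET_ADMIN,
# capability=12 in the AVC below), which the kernel checks for the
# IP_TRANSPARENT socket option that TPROXY relies on. CAP_NET_ADMIN is a
# broad capability (it also covers interface, routing and netfilter
# configuration), so this module is deliberately limited to the single
# allow rule below; re-review it whenever Squid's TPROXY setup changes.
#
# AVC denials seen:
#
#type=AVC msg=audit(1268903378.893:6): avc: denied { net_admin } for pid=1058 comm="squid" capability=12 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:system_r:squid_t:s0 tclass=capability
#type=AVC msg=audit(1268905151.992:16): avc: denied { name_bind } for pid=1184 comm="squid" src=3129 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
#
# The tcp_socket denial is already addressed via a squid_connect_any
# boolean and therefore not included in this policy module.
# NOTE(review): squid_connect_any is documented as governing outbound
# connects; confirm (e.g. with sesearch against the loaded policy) that it
# also covers the name_bind on port 3129 shown above, otherwise that denial
# will persist after this module is installed.
#
# Since no rule in this module references port_t, it is not listed in the
# require block (an unused require is harmless but misleading).

module squidtproxy 1.0;

require {
	type squid_t;
	class capability net_admin;
}

# Only the capability check from the first AVC is granted here; the
# tcp_socket name_bind from the second AVC is left to the base policy.
allow squid_t self:capability net_admin;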