From ec3f3d600dcab165b3210c7b90101c903bc5b81a Mon Sep 17 00:00:00 2001
From: Oliver Falk
Date: Sep 09 2005 12:16:10 +0000
Subject: - Make it K12LTSP compatible, so a possible upgrade doesn't break anything/much... - Add SELinux stuff - Move dbdir to /var/squidGuard/blacklists, instead of /var/lib/squidGuard - Added update script and template config from/for K12 - Add perlwarnings and sed patch - Install cgis in /var/www/cgi-bin - Added initrd stuff - Remove questionable -ldb from make - Remove questionable db version check
---
diff --git a/squidGuard-perlwarning.patch b/squidGuard-perlwarning.patch
new file mode 100644
index 0000000..dfeca28
--- /dev/null
+++ b/squidGuard-perlwarning.patch
@@ -0,0 +1,8 @@
+--- ./squidGuard-1.2.0/samples/squidGuard.cgi.in.orig 2003-04-12 14:58:38.000000000 -0700
++++ ./squidGuard-1.2.0/samples/squidGuard.cgi.in 2003-04-12 14:58:59.000000000 -0700
+@@ -1,4 +1,4 @@
+-#! @PERL@ -w
++#! @PERL@
+ #
+ # Explain to the user that the URL is blocked and by which rule set
+ #
diff --git a/squidGuard-sed.patch b/squidGuard-sed.patch
new file mode 100644
index 0000000..5365d56
--- /dev/null
+++ b/squidGuard-sed.patch
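Review bot: Removing `-w` from the `#! @PERL@` line silences every Perl runtime warning in a CGI that parses externally supplied query parameters, so the patch hides the diagnostic rather than fixing the construct that produced it. If the offending warning is known, prefer fixing that statement (or a scoped `no warnings '<category>';` on it) and keeping `-w`; at minimum the patch header should record which warning it suppresses, e.g. `# -w dropped: <warning text> from squidGuard.cgi line <N>`.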
@@ -0,0 +1,99 @@ +diff -Naur squidGuard-1.2.0/src/sgDiv.c squidGuard-1.2.0-patch/src/sgDiv.c +--- squidGuard-1.2.0/src/sgDiv.c Tue May 15 05:01:37 2001 ++++ squidGuard-1.2.0-patch/src/sgDiv.c Tue Aug 6 14:39:55 2002 +@@ -500,13 +500,13 @@ + #endif + { + struct sgRegExp *re; +- regmatch_t pm; ++ regmatch_t pm[10]; + static char newstring[MAX_BUF]; + char *result = NULL, *p; + int substlen; + *newstring='\0'; + for(re = regexp; re != NULL; re = re->next){ +- if (regexec (re->compiled, pattern, 1, &pm, 0) != 0){ ++ if (regexec (re->compiled, pattern, sizeof(pm) / sizeof(pm[0]), pm, 0) != 0){ + result = NULL; + } else { + substlen = strlen(re->substitute); +@@ -516,14 +516,65 @@ + *newstring = '\0'; + p = newstring; + do { +- if((p - newstring)+ pm.rm_so >= MAX_BUF) ++ if((p - newstring)+ pm[0].rm_so >= MAX_BUF) + break; +- p = strncat(newstring,pattern,pm.rm_so); +- if((p - newstring)+ substlen >= MAX_BUF) +- break; +- p = strcat(newstring,re->substitute); +- pattern = pattern + pm.rm_eo; +- } while(regexec (re->compiled, pattern, 1, &pm, REG_NOTBOL)== 0 && ++ p = strncat(newstring,pattern,pm[0].rm_so); ++ { ++ char *p_cur; ++ char *p_next; ++ ++ for (p_next = p_cur = re->substitute; ++ p_next < (re->substitute + substlen); ++ p_next++) ++ { ++ if (*p_next == '\\') ++ { ++ if (p_cur < p_next) ++ { ++ if (((p - newstring) + (p_next - p_cur)) >= MAX_BUF) ++ goto err; ++ p = strncat(newstring, p_cur, p_next - p_cur); ++ } ++ p_next++; ++ if (p_next < (re->substitute + substlen) ++ && '0' <= *p_next && *p_next <= '9') ++ { ++ int i = *p_next - '0'; ++ if ((p - newstring) + (pm[i].rm_eo - pm[i].rm_so) >= MAX_BUF) ++ goto err; ++ p = strncat(newstring, pattern + pm[i].rm_so, pm[i].rm_eo - pm[i].rm_so); ++ } ++ else ++ { ++ if ((p - newstring + 1) >= MAX_BUF) ++ goto err; ++ p = strncat(newstring, p_next, 1); ++ } ++ p_cur = p_next + 1; ++ } ++ else if (*p_next == '&') ++ { ++ if (p_cur < p_next) ++ { ++ if (((p - newstring) + (p_next - p_cur)) >= MAX_BUF) ++ goto err; ++ p 
= strncat(newstring, p_cur, p_next - p_cur); ++ } ++ if (((p - newstring) + (pm[0].rm_eo - pm[0].rm_so)) >= MAX_BUF) ++ goto err; ++ p = strncat(newstring, pattern + pm[0].rm_so, pm[0].rm_eo - pm[0].rm_so); ++ p_cur = p_next + 1; ++ } ++ } ++ if (p_cur < p_next) ++ { ++ if (((p - newstring) + (p_next - p_cur)) >= MAX_BUF) ++ goto err; ++ p = strncat(newstring, p_cur, p_next - p_cur); ++ } ++ } ++ pattern = pattern + pm[0].rm_eo; ++ } while(regexec (re->compiled, pattern, sizeof(pm) / sizeof(pm[0]), pm, REG_NOTBOL)== 0 && + re->global); + if((p - newstring)+ strlen(pattern) <= MAX_BUF) + p = strcat(newstring,pattern); +@@ -531,6 +582,7 @@ + break; + } + } ++err: + return result; + } diff --git a/squidGuard.conf b/squidGuard.conf new file mode 100644 index 0000000..ed653c6 --- /dev/null +++ b/squidGuard.conf 
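Review bot: The new length guards are ineffective: `p = strncat(newstring, ...)` stores the return value of `strncat`, which is its first argument, so `p == newstring` after every append and each `(p - newstring) + len >= MAX_BUF` test compares only the current piece against `MAX_BUF`, never the accumulated length; the static `newstring[MAX_BUF]` can still be overrun once the substituted output grows past the buffer (the same idiom pre-exists in the original `strncat`/`strcat` lines above the hunk, so this patch extends rather than introduces it). The `\N` branch also indexes `pm[i]` without checking for an unmatched group, where `rm_so == rm_eo == -1`, so `pattern + pm[i].rm_so` is formed one before the string. Track the fill level explicitly and append through a checked helper as below; the enclosing function's signature is above the hunk, and on `goto err` the function returns `result` as the loop left it, which the hunk does not reset.
```c
/* Append n bytes of src to dst (a MAX_BUF-sized buffer), tracking the real
 * fill level in *used.  strncat()'s return value is the buffer start, so it
 * cannot be used to measure what has been written.  Returns 0 on overflow. */
static int sg_append(char *dst, size_t *used, const char *src, size_t n)
{
    if (n >= MAX_BUF - *used)
        return 0;
    memcpy(dst + *used, src, n);
    *used += n;
    dst[*used] = '\0';
    return 1;
}

/* … unchanged: regexec loop.  Inside it, `size_t used = 0;` is set where
 * `*newstring = '\0'` is done, each
 *     if (... >= MAX_BUF) goto err;  p = strncat(newstring, SRC, N);
 * pair becomes
 *     if (!sg_append(newstring, &used, SRC, N)) goto err;
 * and the \N branch skips groups whose pm[i].rm_so == -1 … */
```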
@@ -0,0 +1,109 @@
+#
+# CONFIG FILE FOR SQUIDGUARD
+#
+# See http://www.squidguard.org/config/ for more examples
+#
+
+dbhome /var/squidGuard/blacklists
+logdir /var/log/squidGuard
+
+dest ads {
+ log ads
+ domainlist ads/domains
+ urllist ads/urls
+}
+
+dest audio-video {
+ log audio-video
+ domainlist audio-video/domains
+ urllist audio-video/urls
+}
+
+dest aggressive {
+ log aggressive
+ domainlist aggressive/domains
+ urllist aggressive/urls
+}
+
+dest drugs {
+ log drugs
+ domainlist drugs/domains
+ urllist drugs/urls
+}
+
+dest gambling{
+ log gambling
+ domainlist gambling/domains
+ urllist gambling/urls
+}
+
+dest hacking {
+ log hacking
+ domainlist hacking/domains
+ urllist hacking/urls
+}
+
+dest mail {
+ log mail
+ domainlist mail/domains
+ urllist mail/urls
+}
+
+dest porn{
+ log porn
+ domainlist porn/domains
+ urllist porn/urls
+}
+
+dest proxy{
+ log proxy
+ domainlist proxy/domains
+ urllist proxy/urls
+}
+
+dest violence{
+ log violence
+ domainlist violence/domains
+ urllist violence/urls
+}
+
+dest warez{
+ log warez
+ domainlist warez/domains
+ urllist warez/urls
+}
+
+dest local-ok{
+ domainlist local-ok/domains
+ urllist local-ok/urls
+}
+
+dest local-block{
+ log local-block
+ domainlist local-block/domains
+ urllist local-block/urls
+}
+
+rewrite google {
+ s@(google.com/search.*q=.*)@\1\&safe=active@i
+ s@(google.com/images.*q=.*)@\1\&safe=active@i
+ s@(google.com/groups.*q=.*)@\1\&safe=active@i
+ s@(google.com/news.*q=.*)@\1\&safe=active@i
+ # log google
+}
+
+acl {
+ default {
+ # for google to be in "safe mode"
+ rewrite google
+
+ # the default categories are conservative, please add any additional
+ # categories listed above or simply comment out this line and uncomment
+ # out the line below it.
+  pass local-ok !local-block !gambling !porn !warez all
+# pass local-ok !local-block !aggressive !drugs !gambling !hacking !porn !proxy !violence !warez all
+
+ redirect 302:http://SERVERNAME/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetgroup=%t&url=%u
+ # redirect 302:http://SERVERNAME/cgi-bin/squidGuard-simple.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetclass=%t&url=%u
+ }
+}
diff --git a/squidGuard.fc b/squidGuard.fc
new file mode 100644
index 0000000..bf98d18
--- /dev/null
+++ b/squidGuard.fc
@@ -0,0 +1,5 @@
+# squid
+
+/usr/sbin/squidGuard -- system_u:object_r:squid_exec_t
+/var/log/squidGuard(/.*)? system_u:object_r:squid_log_t
+/var/squidGuard/blacklists(/.*)? system_u:object_r:squid_cache_t
diff --git a/squidGuard.spec b/squidGuard.spec
index 0d8df6b..237f1c3 100644
--- a/squidGuard.spec
+++ b/squidGuard.spec
@@ -1,12 +1,11 @@
-# $Id: squidGuard.spec,v 1.1 2005/09/06 10:50:41 oliver Exp $
+# $Id: squidGuard.spec,v 1.2 2005/09/09 12:16:10 oliver Exp $
-%define _dbhomedir %{_var}/lib/%{name}
-
-%define _dbrpmver %(eval "rpm -q --queryformat \"%{VERSION}\" db4")
+%define _dbhomedir %{_var}/%{name}/blacklists
+%define _cgibin /var/www/cgi-bin
 Name: squidGuard
 Version: 1.2.0
-Release: 11
+Release: 12%{?dist}
 Summary: Filter, redirector and access controller plugin for squid
 Group: System Environment/Daemons
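Review bot: The four `rewrite google` expressions leave the dots unescaped, so `google.com/search.*q=.*` also matches any URL containing `google` followed by an arbitrary character and `com`, and the `i` flag widens that further; escape them, `s@(google\.com/search.*q=.*)@\1\&safe=active@i`, and likewise on the images/groups/news lines. The `local-ok` and `local-block` destinations reference `local-ok/domains`, `local-ok/urls`, `local-block/domains` and `local-block/urls`, which nothing in this patch creates under `dbhome`; if those files are absent at start-up squidGuard logs an error and, as far as I recall, drops into emergency (pass-everything) mode, so a comment stating that they must exist, even empty, would save the first install.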
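Review bot: The file contexts here do not match what the spec's `%post` applies: this `.fc` labels only `/var/squidGuard/blacklists(/.*)?` as `squid_cache_t`, while `%post` runs `chcon -R system_u:object_r:squid_cache_t /var/squidGuard`, so the parent directory carries that label after install but reverts to the directory default on the next `restorecon` or relabel. Use one definition for both, `/var/squidGuard(/.*)? system_u:object_r:squid_cache_t`, and let `restorecon -R /var/squidGuard /var/log/squidGuard` in `%post` apply it instead of `chcon`. A comment that labelling `/usr/sbin/squidGuard` as `squid_exec_t` keeps the redirector inside squid's own domain (no separate confinement) would also help the next maintainer.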
@@ -17,15 +16,30 @@ Source1: squidGuard.logrotate
 Source2: http://ftp.teledanmark.no/pub/www/proxy/%{name}/contrib/blacklists.tar.gz
 Source3: http://cuda.port-aransas.k12.tx.us/squid-getlist.html
+# K12LTSP stuff
+Source100: squidGuard.conf
+Source101: update_squidguard_blacklists
+Source102: squidguard
+Source103: transparent-proxying
+
+# SELinux (taken from K12LTSP package)
+Source200: squidGuard.te
+Source201: squidGuard.fc
+
 Patch0: squidGuard-destdir.patch
 Patch1: squidGuard-paths.patch
 Patch2: squidguard-1.2.0-db4.patch
 Patch3: squid-getlist.html.patch
+Patch4: squidGuard-perlwarning.patch
+Patch5: squidGuard-sed.patch
+
 URL: http://www.squidguard.org/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: db4-devel
 Requires: squid
+Requires(post): %{_bindir}/chcon
+Requires(post): /sbin/chkconfig
 %description
 squidGuard can be used to
@@ -56,10 +70,13 @@ Neither squidGuard nor Squid can be used to
 %{__cp} %{SOURCE3} .
 %patch0 -p1 -b .destdir
 %patch1 -p1 -b .paths
-%if "%{_dbrpmver}" != "4.0.14"
 %patch2 -p0 -b .db4
-%endif
 %patch3 -p0
+%patch4 -p2
+%patch5 -p1
+
+%{__cp} %{SOURCE100} ./squidGuard.conf.k12ltsp.template
+%{__cp} %{SOURCE101} ./update_squidguard_blacklists.k12ltsp.sh
 %build
 %configure \
@@ -67,7 +84,11 @@ Neither squidGuard nor Squid can be used to
 --with-sg-logdir=%{_var}/log/squid \
 --with-sg-dbhome=%{_dbhomedir}
-%{__make} %{?_smp_mflags} LIBS=-ldb
+%{__make} %{?_smp_mflags}
+
+pushd contrib
+%{__make} %{?_smp_mflags}
+popd
 %install
 %{__rm} -rf $RPM_BUILD_ROOT
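Review bot: Only `Requires(post)` is declared for `chcon` and `chkconfig`, but the `%preun` added further down in this commit calls `service squidGuard stop` and `/sbin/chkconfig --del`, so on erase those tools may already be gone when the scriptlet runs; add `Requires(preun): /sbin/chkconfig /sbin/service` beside the two `Requires(post)` lines. `Requires(post)` should also list `/sbin/service` only if `%post` ends up using it, which it currently does not.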
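Review bot: `%{__cp} %{SOURCE101} ./update_squidguard_blacklists.k12ltsp.sh` copies the update script into the build tree, but nothing else in this diff installs it or lists it under `%doc`/`%files`, so as far as the patch shows the script is never shipped even though the changelog says it was added. Either add `%doc update_squidguard_blacklists.k12ltsp.sh` next to the template in `%files`, or install it under `%{_sbindir}` with an explicit mode. With the `%if "%{_dbrpmver}"` guard gone, `%patch2 -p0 -b .db4` is now unconditional; a one-line comment naming the db4 version range the patch targets would preserve what the removed check documented.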
@@ -78,9 +99,21 @@ Neither squidGuard nor Squid can be used to
 %{__install} -p -D -m 0644 samples/sample.conf $RPM_BUILD_ROOT%{_sysconfdir}/squid/squidGuard.conf
 %{__install} -p -D -m 0644 %{SOURCE2} $RPM_BUILD_ROOT%{_dbhomedir}/blacklists.tar.gz
-# Don't use SOURCE3, but use the allready patched one #165689, also install it with perm 755 not 750
+# Don't use SOURCE3, but use the allready patched one #165689
 %{__install} -p -D -m 0755 squid-getlist.html $RPM_BUILD_ROOT%{_sysconfdir}/cron.daily/squidGuard
+%{__install} -p -D %{SOURCE200} $RPM_BUILD_ROOT%{_sysconfdir}/selinux/targeted/src/policy/domains/program/squidGuard.te
+%{__install} -p -D %{SOURCE201} $RPM_BUILD_ROOT%{_sysconfdir}/selinux/targeted/src/policy/file_contexts/program/squidGuard.fc
+
+%{__install} -p -d $RPM_BUILD_ROOT%{_cgibin}
+%{__install} samples/squid*cgi $RPM_BUILD_ROOT%{_cgibin}
+
+%{__install} contrib/hostbyname/hostbyname $RPM_BUILD_ROOT%{_bindir}
+%{__install} contrib/sgclean/sgclean $RPM_BUILD_ROOT%{_bindir}
+
+%{__install} -p -D -m 0755 %{SOURCE102} $RPM_BUILD_ROOT%{_initrddir}/squidGuard
+%{__install} -p -D -m 0755 %{SOURCE103} $RPM_BUILD_ROOT%{_initrddir}/transparent-proxying
+
 pushd $RPM_BUILD_ROOT%{_dbhomedir}
 tar xfz $RPM_BUILD_ROOT%{_dbhomedir}/blacklists.tar.gz
 popd
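Review bot: The `%{SOURCE200}`/`%{SOURCE201}` lines and the CGI, `hostbyname` and `sgclean` installs pass no `-m`, so `install` applies its default mode 0755: the `.te`/`.fc` policy sources end up executable and the CGI mode is left to whatever `%files` assigns later. Give every line an explicit mode like the surrounding calls do, `-m 0644` for the two policy files and `-p -m 0755` for the scripts and binaries. The policy files are dropped into `%{_sysconfdir}/selinux/targeted/src/policy/`, a tree owned by the policy-sources package that `%post` then rebuilds; a `Requires: <policy-sources-package>` (placeholder for the actual package providing that tree) would make that dependency explicit instead of implicit.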
@@ -90,20 +123,71 @@ sed -i "s,dest/adult/,blacklists/porn/,g" $RPM_BUILD_ROOT%{_sysconfdir}/squid/sq
 %clean
 %{__rm} -rf $RPM_BUILD_ROOT
+%post
+# fix SELinux bits
+%{_bindir}/chcon -R system_u:object_r:squid_cache_t /var/squidGuard >/dev/null 2>&1
+%{_bindir}/chcon -R system_u:object_r:squid_log_t /var/log/squidGuard >/dev/null 2>&1
+
+# do we need a new config file?
+if [ -s %{_sysconfdir}/squid/squidGuard.conf ]; then
+ CONFFILE="%{_sysconfdir}/squid/squidGuard.conf.rpmnew"
+ echo "/etc/squid/squidGuard.conf created as /etc/squid/squidGuard.conf.rpmnew"
+else
+ CONFFILE="/etc/squid/squidGuard.conf"
+fi
+cat %{_docdir}/%{name}-%{version}/squidGuard.conf.k12ltsp.template | \
+ sed s/SERVERNAME/$HOSTNAME/g > $CONFFILE
+
+/sbin/chkconfig --add squidGuard
+/sbin/chkconfig --add transparent-proxying
+
+# reload SELinux policies
+echo "Loading new SELinux policy"
+pushd %{_sysconfdir}/selinux/targeted/src/policy/
+%{__make} load &> /dev/null
+popd
+
+#### End of %post
+
+%preun
+if [ $1 = 0 ] ; then
+ service squidGuard stop >/dev/null 2>&1
+ /sbin/chkconfig --del squidGuard
+ /sbin/chkconfig --del transparent-proxying
+fi
+
 %files
 %defattr(-,root,root)
 %doc samples/*.conf
 %doc samples/*.cgi
 %doc samples/dest/blacklists.tar.gz
-%doc COPYING GPL
+%doc COPYING GPL
 %doc doc/*.txt doc/*.html doc/*.gif
+%doc squidGuard.conf.k12ltsp.template
 %{_bindir}/*
 %config(noreplace) %{_sysconfdir}/squid/squidGuard.conf
 %config(noreplace) %{_sysconfdir}/logrotate.d/squidGuard
 %config(noreplace) %{_sysconfdir}/cron.daily/squidGuard
 %{_dbhomedir}/
+%{_sysconfdir}/selinux/targeted/src/policy/domains/program/squidGuard.te
+%{_sysconfdir}/selinux/targeted/src/policy/file_contexts/program/squidGuard.fc
+%attr(07550,root,root) %{_cgibin}/*.cgi
+%{_initrddir}/squidGuard
+%{_initrddir}/transparent-proxying
 %changelog
+* Fri Sep 09 2005 Oliver Falk - 1.2.0-12
+- Make it K12LTSP compatible, so a possible upgrade doesn't break
+  anything/much...
+  - Add SELinux stuff
+  - Move dbdir to /var/squidGuard/blacklists, instead of /var/lib/squidGuard
+  - Added update script and template config from/for K12
+  - Add perlwarnings and sed patch
+  - Install cgis in /var/www/cgi-bin
+  - Added initrd stuff
+- Remove questionable -ldb from make
+- Remove questionable db version check
+
 * Tue Sep 06 2005 Oliver Falk - 1.2.0-11
 - More bugs from Bug #165689
 Install cron script with perm 755
diff --git a/squidGuard.te b/squidGuard.te
new file mode 100644
index 0000000..0397a70
--- /dev/null
+++ b/squidGuard.te
@@ -0,0 +1 @@
+allow squid_t usr_t:lnk_file read;
diff --git a/squidguard b/squidguard
new file mode 100755
index 0000000..7f5219e
--- /dev/null
+++ b/squidguard
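Review bot: `%attr(07550,root,root) %{_cgibin}/*.cgi` is a five-digit octal mode: 07550 sets the setuid, setgid and sticky bits and leaves the scripts `r-xr-x---` root:root, so the web server user can neither read nor execute them, and a setuid bit on a perl CGI is a finding in itself; `0755`, the mode the `%install` section already produces, is almost certainly what was meant. In `%post`, the template is read from `%{_docdir}`, which is absent when the package is installed with `--excludedocs`, and the `> $CONFFILE` redirection then truncates the target to an empty file; test `[ -r "%{_docdir}/%{name}-%{version}/squidGuard.conf.k12ltsp.template" ]` first and quote `"$HOSTNAME"` in the `sed` expression. `%{__make} load &> /dev/null` discards both output and exit status, so a failed policy load after the `echo "Loading new SELinux policy"` line goes unnoticed; at least keep stderr or check `$?` and print a warning.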
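Review bot: The single `allow squid_t usr_t:lnk_file read;` rule carries no comment saying which denial it addresses, and since the spec rebuilds and loads the whole targeted policy from this file a later maintainer cannot tell whether it is still needed or safe to drop. Add a header such as `# squidGuard (runs as squid_t via squid_exec_t) needs to follow symlinks under /usr; observed AVC: <denial message>` with the actual message substituted, and note that the rule covers every `usr_t` symlink on the system, not only squidGuard's.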
@@ -0,0 +1,165 @@ +#!/bin/bash +# squid-filtering This shell script takes care of starting and stopping +# Squid Internet Object Cache and squidGuard web filter +# +# chkconfig: - 91 25 +# description: SquidGuard - web filtering system for the Squid proxy server. \ +# Squid - Internet Object Cache. Internet object caching is \ +# a way to store requested Internet objects (i.e., data available \ +# via the HTTP, FTP, and gopher protocols) on a system closer to the \ +# requesting site than to the source. Web browsers can then use the \ +# local Squid cache as a proxy HTTP server, reducing access time as \ +# well as bandwidth consumption. +# pidfile: /var/run/squid.pid +# config: /etc/squid/squid-squidGuard.conf + +PATH=/usr/bin:/sbin:/bin:/usr/sbin +export PATH + +# Source function library. +. /etc/rc.d/init.d/functions + +# Source networking configuration. +. /etc/sysconfig/network + +# Check that networking is up. +[ ${NETWORKING} = "no" ] && exit 0 + +# check if the squid-squidGuard.conf file is present +[ -f /etc/squid/squid-squidGuard.conf ] || exit 0 + +if [ -f /etc/sysconfig/squid ]; then + . /etc/sysconfig/squid +fi + +# don't raise an error if the config file is incomplete +# set defaults instead: +SQUID_OPTS=${SQUID_OPTS:-"-D"} +SQUID_PIDFILE_TIMEOUT=${SQUID_PIDFILE_TIMEOUT:-20} +SQUID_SHUTDOWN_TIMEOUT=${SQUID_SHUTDOWN_TIMEOUT:-100} + +# determine the name of the squid binary +[ -f /usr/sbin/squid ] && SQUID=squid +[ -z "$SQUID" ] && exit 0 + +prog="$SQUID" + +# determine which one is the cache_swap directory +CACHE_SWAP=`sed -e 's/#.*//g' /etc/squid/squid-squidGuard.conf | \ + grep cache_dir | awk '{ print $3 }'` +[ -z "$CACHE_SWAP" ] && CACHE_SWAP=/var/spool/squid + +RETVAL=0 + +start() { + for adir in $CACHE_SWAP; do + if [ ! -d $adir/00 ]; then + echo -n "init_cache_dir $adir... 
" + $SQUID -f /etc/squid/squid-squidGuard.conf -z -F -D 2>/dev/null + fi + done + echo -n $"Starting $prog: " + $SQUID $SQUID_OPTS -f /etc/squid/squid-squidGuard.conf 2> /dev/null + RETVAL=$? + if [ $RETVAL -eq 0 ]; then + timeout=0; + while : ; do + [ ! -f /var/run/squid.pid ] || break + if [ $timeout -ge $SQUID_PIDFILE_TIMEOUT ]; then + RETVAL=1 + break + fi + sleep 1 && echo -n "." + timeout=$((timeout+1)) + done + fi + [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$SQUID + [ $RETVAL -eq 0 ] && echo_success + [ $RETVAL -ne 0 ] && echo_failure + echo + return $RETVAL +} + +stop() { + echo -n $"Stopping $prog: " + $SQUID -k check -f /etc/squid/squid-squidGuard.conf >/dev/null 2>&1 + RETVAL=$? + if [ $RETVAL -eq 0 ] ; then + $SQUID -k shutdown -f /etc/squid/squid-squidGuard.conf & + rm -f /var/lock/subsys/$SQUID + timeout=0 + while : ; do + [ -f /var/run/squid.pid ] || break + if [ $timeout -ge $SQUID_SHUTDOWN_TIMEOUT ]; then + echo + return 1 + fi + sleep 2 && echo -n "." + timeout=$((timeout+2)) + done + echo_success + echo + else + echo_failure + echo + fi + return $RETVAL +} + +reload() { + $SQUID $SQUID_OPTS -k reconfigure -f /etc/squid/squid-squidGuard.conf +} + +restart() { + stop + start +} + +condrestart() { + [ -e /var/lock/subsys/squid ] && restart || : +} + +rhstatus() { + status $SQUID + $SQUID -k check -f /etc/squid/squid-squidGuard.conf +} + +probe() { + return 0 +} + +case "$1" in +start) + start + ;; + +stop) + stop + ;; + +reload) + reload + ;; + +restart) + restart + ;; + +condrestart) + condrestart + ;; + +status) + rhstatus + ;; + +probe) + exit 0 + ;; + +*) + echo $"Usage: $0 {start|stop|status|reload|restart|condrestart}" + exit 1 +esac + +exit $? diff --git a/transparent-proxying b/transparent-proxying new file mode 100755 index 0000000..ea6b663 --- /dev/null +++ b/transparent-proxying 
@@ -0,0 +1,75 @@
+#!/bin/bash
+# transparent_proxying This shell script takes care of starting and stopping
+# transparent proxying
+#
+# chkconfig: - 91 24
+# description: transparent proxying: this will force all web traffic to be \
+# redirected to the squid proxy server. It will only work if squid \
+# is running
+# pidfile: /var/run/squid.pid
+
+# Source function library.
+. /etc/init.d/functions
+
+start() {
+ echo -n "Starting transparent proxying: "
+ if [ -f /var/run/squid.pid ]
+ then
+ # Turn on IP forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # Turn on transparent proxy redirect
+ /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
+ echo_success
+ else
+ echo -n "Squid is not running! "
+ echo_failure
+ fi
+ echo
+ return 0
+}
+stop() {
+ echo -n "Stopping transparent proxying: "
+ echo 0 > /proc/sys/net/ipv4/ip_forward
+ # Turn off transparent proxy redirect
+ /sbin/iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
+ echo_success
+ echo
+ return 0
+}
+status() {
+ if [ "`/sbin/iptables -L -n -t nat | grep '80 redir ports 3128'`" ]
+ then
+ echo "Transparent proxying is active"
+ return 0
+ else
+ echo "Transparent proxying is inactive"
+ return 0
+ fi
+}
+
+
+restart() {
+ stop
+ start
+}
+
+case "$1" in
+ start)
+ start
+ ;;
+ status)
+ status
+ ;;
+ stop)
+ stop
+ ;;
+ restart|reload)
+ restart
+ ;;
+ *)
+ echo "*** Usage: {start|stop|restart}"
+ exit 1
+esac
+
+exit $?
diff --git a/update_squidguard_blacklists b/update_squidguard_blacklists
new file mode 100755
index 0000000..c6f76f9
--- /dev/null
+++ b/update_squidguard_blacklists
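Review bot: `start()` appends the `REDIRECT` rule unconditionally, so a second `start`, or a `restart` after a `stop` that failed, stacks duplicate rules that the single `-D` in `stop()` does not remove, and `status()` returns 0 in both branches, so `service`/`chkconfig` callers cannot distinguish active from inactive (LSB uses 3 for stopped). Guard the insert with the test `status()` already uses, `/sbin/iptables -L -n -t nat | grep -q '80 redir ports 3128' || /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128`, and `return 3` in the inactive branch. The rule matches TCP/80 arriving on every interface and `ip_forward` is switched system-wide in both directions regardless of what else depends on it; restricting the rule with `-i <internal-interface>` (site-specific placeholder) and only clearing `ip_forward` in `stop()` if this script set it would limit the side effects.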
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+TARGET=/var/squidGuard/blacklists
+
+cd $TARGET || exit
+
+# only run if squidGuard is active!
+[ "`ps auxw | grep squid[G]uard`" ] || exit
+
+rsync -az squidguard.mesd.k12.or.us::filtering $TARGET
+
+for DIR in `ls $TARGET`
+do
+ if [ -f $DIR/domains.include ]
+ then
+ TMP=$RANDOM
+ cat $DIR/domains $DIR/domains.include | sort | uniq > $DIR/domains.$TMP
+ mv -f $DIR/domains.$TMP $DIR/domains
+ fi
+ if [ -f $DIR/urls.include ]
+ then
+ TMP=$RANDOM
+ cat $DIR/urls $DIR/urls.include | sort | uniq > $DIR/urls.$TMP
+ mv -f $DIR/urls.$TMP $DIR/urls
+ fi
+done
+
+/usr/sbin/squidGuard -c /etc/squid/squidGuard.conf -C all
+# /usr/sbin/squidGuard -c /etc/squid/squidGuard.conf -u
+
+chown -R squid.squid $TARGET
+chown -R squid.squid /var/log/squidGuard/
+
+sleep 5s
+
+/usr/bin/killall -HUP squid
+
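Review bot: The script runs as root (it `chown`s the tree and HUPs squid) and writes `$DIR/domains.$TMP` with `TMP=$RANDOM` into a directory it hands to the service user via `chown -R squid.squid $TARGET`; a predictable temporary name in a service-writable directory is the classic symlink-following hazard for root's `>` redirection. Use `TMP=$(mktemp "$DIR/domains.XXXXXX") || exit 1`, `sort -u "$DIR/domains" "$DIR/domains.include" > "$TMP"` and `mv -f "$TMP" "$DIR/domains"`, and the same for `urls`. `for DIR in \`ls $TARGET\`` also iterates over plain files such as the `blacklists.tar.gz` the spec installs into that directory, so `-f $DIR/domains.include` is tested on non-directories; `for DIR in "$TARGET"/*/` restricts the loop to directories. The list content arrives over the plain rsync protocol with no integrity or authenticity check, which deserves a comment at the `rsync` line since these lists are the filter's trust boundary.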