Description
We have some Duo-enabled CentOS 7 systems which are on RFC 1918 addresses, and so have to access the API servers through a provided proxy which runs on port 3128 (the standard Squid port).
However, SELinux policy prevents Duo from connecting to this port, so we get an error:
Failsafe Duo login for 'user' from hostname: Couldn't connect to api-82d56263.duosecurity.com: Failed to connect
(This does work if we disable SELinux.)
Here is the problem: port 3128 is already defined by policy, so it seems impossible to add it to the http_cache_port_t list used by Duo, and I cannot remove it from the squid_port_t list either:
# semanage port -a -t http_cache_port_t -p tcp 3128
ValueError: Port tcp/3128 already defined
# semanage port -d -t squid_port_t -p tcp 3128
ValueError: Port tcp/3128 is defined in policy, cannot be deleted
Since duo_linux is designed to support connecting through a proxy, and Squid is a fairly common implementation, maybe it would make sense to add squid_port_t to the set of permitted port lists (in pam_duo/authlogin_duo.te)?
Or perhaps there is another solution?
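As an added illustration (not part of the original issue, and not code from the duo_unix project), the script below shows the check an administrator would run before deciding on a fix: parse `semanage port -l` output to find which SELinux port type currently owns the proxy port, then print the matching remediation. The port listing embedded in the script is a constructed sample so it runs offline; the `semanage port -m` relabel and the `audit2allow` local-module workflow are general SELinux administration steps, not something the issue confirms, and the module name `localduo` is an arbitrary placeholder. Note that relabeling 3128 away from squid_port_t would also affect a Squid instance running on the same host, which is why the local-module route is offered as the alternative.

```shell
#!/bin/sh
# Added example: decide how to let a local-only proxy port through SELinux.
# Not from the original issue; see the lead-in for what is assumed.

# Constructed sample of `semanage port -l` output (same column layout as the
# real command: type, protocol, comma-separated ports and port ranges).
SAMPLE_PORT_LISTING='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
squid_port_t                   tcp      3128, 3401, 4827
squid_port_t                   udp      3401, 4827
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'

# Live listing, for use on a real host (needs policycoreutils-python on CentOS 7).
live_port_listing() { semanage port -l; }

# port_type PORT [PROTO]: read a port listing on stdin and print every
# SELinux type whose PROTO port set contains PORT (ranges "lo-hi" included).
port_type() {
  port="$1"; proto="${2:-tcp}"
  awk -v p="$port" -v proto="$proto" '
    $2 == proto {
      type = $1
      for (i = 3; i <= NF; i++) {
        r = $i; sub(/,$/, "", r)           # strip the trailing comma
        if (index(r, "-")) { split(r, b, "-"); lo = b[1] + 0; hi = b[2] + 0 }
        else { lo = r + 0; hi = lo }
        if (p >= lo && p <= hi) print type
      }
    }'
}

# remediation PORT: read a port listing on stdin and print the command that
# would make PORT reachable under http_cache_port_t, the type the issue says
# Duo is allowed to connect to.
remediation() {
  port="$1"
  owner=$(port_type "$port" tcp)
  case "$owner" in
    "")
      # Unlabeled port: a plain add works.
      echo "semanage port -a -t http_cache_port_t -p tcp $port" ;;
    http_cache_port_t)
      echo "port $port is already http_cache_port_t; SELinux is not the blocker" ;;
    *)
      # Already owned by another type (squid_port_t here), so -a fails with
      # "already defined" and -d fails with "defined in policy". Either
      # relabel it (assumed: -m accepts policy-defined ports) or keep the
      # label and grant the Duo domain access through a local module.
      echo "semanage port -m -t http_cache_port_t -p tcp $port   # relabels away from $owner"
      echo "or: build_local_module localduo   # keeps $owner, allows the denied access" ;;
  esac
}

# build_local_module NAME: turn the AVC denials logged during a failed Duo
# login into a local policy module and load it. Run on the real host only.
build_local_module() {
  ausearch -m AVC -ts recent | audit2allow -M "$1"
  semodule -i "$1.pp"
}

# Use the live listing only when explicitly asked, so the script is safe to run
# anywhere; by default it demonstrates against the constructed sample.
if [ "${DUO_SELINUX_LIVE:-0}" = "1" ]; then
  live_port_listing | remediation 3128
else
  printf '%s\n' "$SAMPLE_PORT_LISTING" | remediation 3128
fi
```

On the sample listing the script reports that 3128 belongs to squid_port_t and prints both options. Whichever route is taken, re-run the Duo login afterwards and confirm with `ausearch -m AVC -ts recent` that no new denial is recorded.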