Squid rpm cache for dnf on lan and Selinux working

I’m on Fedora 39 workstation and have a Fedora 39 server on rpi4 (arm64).
squid is on rpi4 and his cache is on usb drive.
I like to make a rpm cache solution for my home lan (Fedora pc) uson squid as proxy cache for dnf.

All is working so I can skip to report some configuration but to let it work I have to release a bit Selinux.
My intent is to ripristine Selinux in total enforcing but manteining squid rpm proxy working.

on rpi4

$ sudo cat /etc/squid/squid.conf
...
refresh_pattern .		129600	33%	525600
cache_dir aufs /images/squid/cache 100000 16 256
...
store_id_program /images/squid/store_id_program/store_id_program
store_id_children 5 startup=1
maximum_object_size 1 GB
...

to make it work I try:

$ sudo semanage fcontext -a -t squid_cache_t "/images/squid/cache/(.*)?"
$ sudo restorecon -Rv /images/squid/cache
$ sudo firewall-cmd --add-service=squid
$ sudo firewall-cmd --runtime-to-permanent
$ sudo semanage port -a -t http_port_t  -p tcp 3128

but this is not enought.
I have strange error on squid startup related at store_id_program permission and cache (I belive)
store_id_program is a go program and of course cache and this program are on squid:squid user:grouip and the program is esecutable and all travelling directory are xecutable.

$ sudo cat /var/log/squid/squid.out
2023/12/23 15:59:46| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2023/12/23 15:59:46| ERROR: store_id_program /images/squid/store_id_program/store_id_program: (13) Permission denied
2023/12/23 15:59:46| Not currently OK to rewrite swap log.
2023/12/23 15:59:46| storeDirWriteCleanLogs: Operation aborted.
2023/12/23 15:59:46| FATAL: store_id_program /images/squid/store_id_program/store_id_program: (13) Permission denied
2023/12/23 15:59:46| Squid Cache (Version 6.5): Terminated abnormally.
CPU Usage: 0.029 seconds = 0.014 user + 0.015 sys
Maximum Resident Size: 52768 KB
Page faults with physical i/o: 0

at the last the only solution I have found after tousand of check is this:

$ sudo semanage permissive -a squid_t

Using this command all work.

Anyone konw the right semanage command to make squid work happy avoid permissive on squid_t?

(After this message I leave and I will not be able to connect for 2 days)

Best regards,
Leonardo

The proper SELinux policy can be created from the error message:

journalctl -b -g avc:

audit2allow | policycoreutils-python-utils Commands | Man Pages | ManKier

YES!!!
@vgaetera Work very well.
I’m from Ubuntu an haven’t see Selinux before. Your link makes use Selinux easyer.
I have write 4 module fixing some problem.
Thank you very mutch.

best regards,
Leonardo