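#DESC CLAM - Anti-virus program
#
# Author: Brian May <bam@snoopy.apana.org.au>
# X-Debian-Packages: clamav
#

#################################
#
# Rules for the ClamAV domains: freshclam_t (signature updater),
# clamscan_t (on-demand scanner, see clamav_macros.te) and
# clamd_t (scanning daemon).
#

# Virus signature database (/var/lib/clamav). freshclam_t writes it,
# clamd_t only reads it.
type clamav_var_lib_t, file_type, sysadmfile;

# clamscan_t is the domain of the clamscan virus scanner; this is its
# entry-point executable type.
type clamscan_exec_t, file_type, sysadmfile, exec_type;

##########
##########
#
# Freshclam
#

daemon_base_domain(freshclam, `, web_client_domain')
read_locale(freshclam_t)

# not sure why it needs this
read_sysctl(freshclam_t)

# Signature downloads go out over HTTP. name_connect is listed explicitly
# here; whether can_network_client_tcp already grants it depends on the
# macro definition, so the extra line is harmless if redundant.
can_network_client_tcp(freshclam_t, http_port_t)
allow freshclam_t http_port_t:tcp_socket name_connect;
can_resolve(freshclam_t)
can_ypbind(freshclam_t)

# Access virus signatures: freshclam is the only domain in this file that
# may modify the database.
allow freshclam_t { var_t var_lib_t }:dir search;
rw_dir_create_file(freshclam_t, clamav_var_lib_t)

allow freshclam_t devtty_t:chr_file { read write };
allow freshclam_t devpts_t:dir search;
allow freshclam_t etc_t:file { getattr read };
allow freshclam_t proc_t:file { getattr read };
allow freshclam_t urandom_device_t:chr_file { getattr read };
dontaudit freshclam_t urandom_device_t:chr_file ioctl;

# for nscd
dontaudit freshclam_t var_run_t:dir search;

# setuid/getuid used (although maybe not required...)
allow freshclam_t self:capability { setgid setuid };

allow freshclam_t sbin_t:dir search;

# Allow notification to daemon that virus database has changed
can_clamd_connect(freshclam)

allow freshclam_t etc_runtime_t:file { read getattr };
allow freshclam_t self:unix_stream_socket create_stream_socket_perms;
allow freshclam_t self:unix_dgram_socket create_socket_perms;
allow freshclam_t self:fifo_file rw_file_perms;

# Log files for freshclam executable (creates freshclam_log_t)
logdir_domain(freshclam)
allow initrc_t freshclam_log_t:file append;

# Pid files for freshclam. Note that freshclam shares clamd's run
# directory (clamd_var_run_t) rather than having a type of its own, so
# both the init script and freshclam itself need access to it.
allow initrc_t clamd_var_run_t:file { create setattr };
create_dir_file(freshclam_t, clamd_var_run_t)

# Entry points: cron, logrotate and the admin may all start freshclam.
system_crond_entry(freshclam_exec_t, freshclam_t)
domain_auto_trans(logrotate_t, freshclam_exec_t, freshclam_t)
domain_auto_trans(sysadm_t, freshclam_exec_t, freshclam_t)
role sysadm_r types freshclam_t;

##########
##########
#
# Clamscan
#

# Domain and rules are defined in macros/program/clamav_macros.te.
user_clamscan_domain(sysadm)

##########
##########
#
# Clamd
#

# Type for clamd's local communication socket.
type clamd_sock_t, file_type, sysadmfile;

# clamd executable (also declares clamd_var_run_t)
daemon_domain(clamd)
tmp_domain(clamd)

# The dir containing the clamd log files is labelled freshclam_log_t,
# hence the extra search permission on that type.
logdir_domain(clamd)
allow clamd_t freshclam_log_t:dir search;

# dac_override lets clamd open files it scans regardless of their DAC
# permissions; kill is needed to signal its own worker processes.
# NOTE(review): dac_override is broad -- it applies to every file type
# clamd_t can otherwise reach, not only the scan targets. Confirm it is
# still required by the deployed clamd configuration.
allow clamd_t self:capability { kill setgid setuid dac_override };

# Give the clamd local communications socket a unique type. The socket
# lives in /var/run directly on Debian and in clamd_var_run_t on Red Hat.
ifdef(`distro_debian', `
file_type_auto_trans(clamd_t, var_run_t, clamd_sock_t, sock_file)
')
ifdef(`distro_redhat', `
file_type_auto_trans(clamd_t, clamd_var_run_t, clamd_sock_t, sock_file)
')

# Clamd can be configured to listen on a TCP port. name_bind is listed
# explicitly in case can_network_server_tcp does not already grant it.
can_network_server_tcp(clamd_t, clamd_port_t)
allow clamd_t clamd_port_t:tcp_socket name_bind;
can_resolve(clamd_t)

# Read-only access to the signature database and configuration.
allow clamd_t var_lib_t:dir search;
r_dir_file(clamd_t, clamav_var_lib_t)
r_dir_file(clamd_t, etc_t)

# allow access /proc/sys/kernel/version
read_sysctl(clamd_t)

allow clamd_t self:unix_stream_socket create_stream_socket_perms;
# Datagram sockets cannot listen/accept, so use the plain socket perms
# (matches the freshclam_t rule above).
allow clamd_t self:unix_dgram_socket create_socket_perms;
allow clamd_t self:fifo_file rw_file_perms;
allow clamd_t { random_device_t urandom_device_t }:chr_file { getattr read };
dontaudit clamd_t { random_device_t urandom_device_t }:chr_file ioctl;

##########
##########
#
# Interaction with external programs
#

# amavisd hands messages to clamd over the local socket.
# NOTE(review): on Debian the socket is created under var_run_t (see the
# distro_debian branch above), so amavisd_t also needs search on
# var_run_t; presumably granted in amavis.te -- verify.
ifdef(`amavis.te',`
allow amavisd_t clamd_var_run_t:dir search;
allow amavisd_t clamd_t:unix_stream_socket connectto;
allow amavisd_t clamd_sock_t:sock_file write;
')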