selinux-policy/policy/modules/services/clamav.te

policy_module(clamav,1.3.2)

########################################
#
# Declarations
#

# Main clamd domain
type clamd_t;
type clamd_exec_t;
init_daemon_domain(clamd_t, clamd_exec_t)

# configuration files
type clamd_etc_t;
files_type(clamd_etc_t)

# tmp files
type clamd_tmp_t;
files_tmp_file(clamd_tmp_t)

# log files
type clamd_var_log_t;
logging_log_file(clamd_var_log_t)

# var/lib files
type clamd_var_lib_t;
files_type(clamd_var_lib_t)

# pid files
type clamd_var_run_t;
files_pid_file(clamd_var_run_t)
typealias clamd_var_run_t alias clamd_sock_t;

type clamscan_t;
type clamscan_exec_t;
init_daemon_domain(clamscan_t, clamscan_exec_t)

# tmp files
type clamscan_tmp_t;
files_tmp_file(clamscan_tmp_t)

type freshclam_t;
type freshclam_exec_t;
init_daemon_domain(freshclam_t, freshclam_exec_t)

# log files
type freshclam_var_log_t;
logging_log_file(freshclam_var_log_t)

########################################
#
# clamd local policy
#

allow clamd_t self:capability { kill setgid setuid dac_override };
allow clamd_t self:fifo_file rw_fifo_file_perms;
allow clamd_t self:unix_stream_socket create_stream_socket_perms;
allow clamd_t self:unix_dgram_socket create_socket_perms;
allow clamd_t self:tcp_socket { listen accept };

# configuration files
allow clamd_t clamd_etc_t:dir list_dir_perms;
read_files_pattern(clamd_t,clamd_etc_t,clamd_etc_t)
read_lnk_files_pattern(clamd_t,clamd_etc_t,clamd_etc_t)

# tmp files
manage_dirs_pattern(clamd_t,clamd_tmp_t,clamd_tmp_t)
manage_files_pattern(clamd_t,clamd_tmp_t,clamd_tmp_t)
files_tmp_filetrans(clamd_t,clamd_tmp_t,{ file dir })

# var/lib files for clamd
manage_dirs_pattern(clamd_t,clamd_var_lib_t,clamd_var_lib_t)
manage_files_pattern(clamd_t,clamd_var_lib_t,clamd_var_lib_t)

# log files
allow clamd_t clamd_var_log_t:dir setattr;
manage_files_pattern(clamd_t,clamd_var_log_t,clamd_var_log_t)
logging_log_filetrans(clamd_t,clamd_var_log_t,file)

# pid file
manage_files_pattern(clamd_t,clamd_var_run_t,clamd_var_run_t)
manage_sock_files_pattern(clamd_t,clamd_var_run_t,clamd_var_run_t)
files_pid_filetrans(clamd_t,clamd_var_run_t,file)

kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)

corenet_all_recvfrom_unlabeled(clamd_t)
corenet_all_recvfrom_netlabel(clamd_t)
corenet_tcp_sendrecv_all_if(clamd_t)
corenet_tcp_sendrecv_all_nodes(clamd_t)
corenet_tcp_sendrecv_all_ports(clamd_t)
corenet_tcp_sendrecv_clamd_port(clamd_t)
corenet_tcp_bind_all_nodes(clamd_t)
corenet_tcp_bind_clamd_port(clamd_t)
corenet_sendrecv_clamd_server_packets(clamd_t)

dev_read_rand(clamd_t)
dev_read_urand(clamd_t)

domain_use_interactive_fds(clamd_t)

files_read_etc_files(clamd_t)
files_read_etc_runtime_files(clamd_t)
files_search_spool(clamd_t)

libs_use_ld_so(clamd_t)
libs_use_shared_libs(clamd_t)

logging_send_syslog_msg(clamd_t)

miscfiles_read_localization(clamd_t)

sysnet_dns_name_resolve(clamd_t)

cron_use_fds(clamd_t)
cron_use_system_job_fds(clamd_t)
cron_rw_pipes(clamd_t)

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(clamd_t)
	term_dontaudit_use_generic_ptys(clamd_t)
')

optional_policy(`
	amavis_read_lib_files(clamd_t)
	amavis_read_spool_files(clamd_t)
	amavis_spool_filetrans(clamd_t,clamd_var_run_t,sock_file)
	amavis_create_pid_files(clamd_t)
')

########################################
#
# Freshclam local policy
#

allow freshclam_t self:capability { setgid setuid dac_override };
allow freshclam_t self:fifo_file rw_fifo_file_perms;
allow freshclam_t self:unix_stream_socket create_stream_socket_perms;
allow freshclam_t self:unix_dgram_socket create_socket_perms;
allow freshclam_t self:tcp_socket { listen accept };

# configuration files
allow freshclam_t clamd_etc_t:dir list_dir_perms;
read_files_pattern(freshclam_t,clamd_etc_t,clamd_etc_t)
read_lnk_files_pattern(freshclam_t,clamd_etc_t,clamd_etc_t)

# var/lib files together with clamd
manage_dirs_pattern(freshclam_t,clamd_var_lib_t,clamd_var_lib_t)
manage_files_pattern(freshclam_t,clamd_var_lib_t,clamd_var_lib_t)

# pidfiles- var/run together with clamd
manage_files_pattern(freshclam_t,clamd_var_run_t,clamd_var_run_t)
manage_sock_files_pattern(freshclam_t,clamd_var_run_t,clamd_var_run_t)
files_pid_filetrans(freshclam_t,clamd_var_run_t,file)

# log files (own logfiles only)
manage_files_pattern(freshclam_t,freshclam_var_log_t,freshclam_var_log_t)
allow freshclam_t freshclam_var_log_t:dir setattr;
allow freshclam_t clamd_var_log_t:dir search_dir_perms;
logging_log_filetrans(freshclam_t,freshclam_var_log_t,file)

corenet_all_recvfrom_unlabeled(freshclam_t)
corenet_all_recvfrom_netlabel(freshclam_t)
corenet_tcp_sendrecv_all_if(freshclam_t)
corenet_tcp_sendrecv_all_nodes(freshclam_t)
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
corenet_sendrecv_http_client_packets(freshclam_t)

dev_read_rand(freshclam_t)
dev_read_urand(freshclam_t)

domain_use_interactive_fds(freshclam_t)

files_read_etc_files(freshclam_t)
files_read_etc_runtime_files(freshclam_t)

libs_use_ld_so(freshclam_t)
libs_use_shared_libs(freshclam_t)

miscfiles_read_localization(freshclam_t)

sysnet_dns_name_resolve(freshclam_t)

clamav_stream_connect(freshclam_t)

cron_use_fds(freshclam_t)
cron_use_system_job_fds(freshclam_t)
cron_rw_pipes(freshclam_t)

########################################
#
# clamscam local policy
#

allow clamscan_t self:capability { setgid setuid dac_override };
allow clamscan_t self:fifo_file rw_file_perms;
allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
allow clamscan_t self:unix_dgram_socket create_socket_perms;
allow clamscan_t self:tcp_socket { listen accept };

# configuration files
allow clamscan_t clamd_etc_t:dir list_dir_perms;
read_files_pattern(clamscan_t,clamd_etc_t,clamd_etc_t)
read_lnk_files_pattern(clamscan_t,clamd_etc_t,clamd_etc_t)

# tmp files
manage_dirs_pattern(clamscan_t,clamscan_tmp_t,clamscan_tmp_t)
manage_files_pattern(clamscan_t,clamscan_tmp_t,clamscan_tmp_t)
files_tmp_filetrans(clamscan_t,clamscan_tmp_t,{ file dir })

# var/lib files together with clamd
read_files_pattern(clamscan_t,clamd_var_lib_t,clamd_var_lib_t)
allow clamscan_t clamd_var_lib_t:dir list_dir_perms;

kernel_read_kernel_sysctls(clamscan_t)

files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
files_search_var_lib(clamscan_t)

libs_use_ld_so(clamscan_t)
libs_use_shared_libs(clamscan_t)

miscfiles_read_localization(clamscan_t)
miscfiles_read_public_files(clamscan_t)

clamav_stream_connect(clamscan_t)

optional_policy(`
	apache_read_sys_content(clamscan_t)
')