selinux-policy/policy/modules/services/clamav.te
Dominick Grift ef521e9919 Tunable, optional and if(n)def blocks go below.
2010-09-22 15:41:43 +02:00
# ClamAV antivirus suite: clamd (scanning daemon), clamscan (command-line
# scanner) and freshclam (signature updater). This section declares the
# domains and file types; each domain's rules follow in its own section.
policy_module(clamav, 1.8.1)
## <desc>
## <p>
## Allow clamd, clamscan and freshclam to use a JIT compiler
## (grants execmem in their own process; denials are not audited when off)
## </p>
## </desc>
gen_tunable(clamd_use_jit, false)
########################################
#
# Declarations
#
# Main clamd domain
type clamd_t;
type clamd_exec_t;
init_daemon_domain(clamd_t, clamd_exec_t)
# configuration files (read-only for all three domains, see the sections below)
type clamd_etc_t;
files_config_file(clamd_etc_t)
# init script
type clamd_initrc_exec_t;
init_script_file(clamd_initrc_exec_t)
# tmp files
type clamd_tmp_t;
files_tmp_file(clamd_tmp_t)
# log files
type clamd_var_log_t;
logging_log_file(clamd_var_log_t)
# var/lib files (managed by clamd and freshclam; clamscan manages files but
# only lists the directory)
type clamd_var_lib_t;
files_type(clamd_var_lib_t)
# pid files; clamd's unix sockets under var/run carry this label as well
type clamd_var_run_t;
files_pid_file(clamd_var_run_t)
# clamd_sock_t resolves to the pid-file type; presumably kept so older
# policy and file contexts that still name clamd_sock_t keep working
typealias clamd_var_run_t alias clamd_sock_t;
# clamscan domain, entered from init like clamd_t
type clamscan_t;
type clamscan_exec_t;
init_daemon_domain(clamscan_t, clamscan_exec_t)
# tmp files
type clamscan_tmp_t;
files_tmp_file(clamscan_tmp_t)
# freshclam domain; shares clamd_etc_t, clamd_var_lib_t and clamd_var_run_t
# with clamd but writes to its own log type
type freshclam_t;
type freshclam_exec_t;
init_daemon_domain(freshclam_t, freshclam_exec_t)
# log files
type freshclam_var_log_t;
logging_log_file(freshclam_var_log_t)
########################################
#
# clamd local policy
#
# dac_override: read/write files regardless of DAC ownership; kill: signal
# processes of other users; setgid/setuid: drop privileges after start
allow clamd_t self:capability { kill setgid setuid dac_override };
dontaudit clamd_t self:capability sys_tty_config;
allow clamd_t self:fifo_file rw_fifo_file_perms;
# connectto: clamd_t processes may connect to stream sockets served by clamd_t
allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow clamd_t self:unix_dgram_socket create_socket_perms;
# only listen/accept here; bind and connect rights come from the corenet_*
# interfaces further down
allow clamd_t self:tcp_socket { listen accept };
# configuration files
allow clamd_t clamd_etc_t:dir list_dir_perms;
read_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t)
read_lnk_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t)
# tmp files
manage_dirs_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
# var/lib files for clamd
manage_sock_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
# log files
manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })
# pid file; sockets created under var/run are also labelled clamd_var_run_t
manage_dirs_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
files_pid_filetrans(clamd_t, clamd_var_run_t, { sock_file file dir })
kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
kernel_read_kernel_sysctls(clamd_t)
kernel_read_system_state(clamd_t)
# the shell runs as clamd_t: no domain transition for it is visible in this file
corecmd_exec_shell(clamd_t)
# Network access. NOTE(review): sendrecv_all_ports, bind_generic_port and
# connect_generic_port reach well beyond the dedicated clamd port rules;
# each widens what a compromised clamd could talk to, so confirm they are
# still required rather than leftovers.
corenet_all_recvfrom_unlabeled(clamd_t)
corenet_all_recvfrom_netlabel(clamd_t)
corenet_tcp_sendrecv_generic_if(clamd_t)
corenet_tcp_sendrecv_generic_node(clamd_t)
corenet_tcp_sendrecv_all_ports(clamd_t)
corenet_tcp_sendrecv_clamd_port(clamd_t)
corenet_tcp_bind_generic_node(clamd_t)
corenet_tcp_bind_clamd_port(clamd_t)
corenet_tcp_bind_generic_port(clamd_t)
corenet_tcp_connect_generic_port(clamd_t)
corenet_sendrecv_clamd_server_packets(clamd_t)
dev_read_rand(clamd_t)
dev_read_urand(clamd_t)
domain_use_interactive_fds(clamd_t)
files_read_etc_files(clamd_t)
files_read_etc_runtime_files(clamd_t)
files_search_spool(clamd_t)
auth_use_nsswitch(clamd_t)
logging_send_syslog_msg(clamd_t)
miscfiles_read_localization(clamd_t)
# use file descriptors and pipes inherited from cron / cron system jobs
cron_use_fds(clamd_t)
cron_use_system_job_fds(clamd_t)
cron_rw_pipes(clamd_t)
# read MTA configuration and send mail (notification path — confirm with
# the clamd configuration in use)
mta_read_config(clamd_t)
mta_send_mail(clamd_t)
# amavis integration: read its lib and spool files, create its pid file, and
# label sock files created in the amavis spool as clamd_var_run_t
optional_policy(`
amavis_read_lib_files(clamd_t)
amavis_read_spool_files(clamd_t)
amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
amavis_create_pid_files(clamd_t)
')
# read mail queued by exim
optional_policy(`
exim_read_spool_files(clamd_t)
')
# execmem is required for the JIT. Note this block also carries the
# clamscan_t rules (placed here rather than in the clamscan section below);
# freshclam_t has its own block in its section.
tunable_policy(`clamd_use_jit',`
allow clamd_t self:process execmem;
allow clamscan_t self:process execmem;
',`
dontaudit clamd_t self:process execmem;
dontaudit clamscan_t self:process execmem;
')
########################################
#
# Freshclam local policy
#
# no kill capability here, unlike clamd_t
allow freshclam_t self:capability { setgid setuid dac_override };
allow freshclam_t self:fifo_file rw_fifo_file_perms;
allow freshclam_t self:unix_stream_socket create_stream_socket_perms;
allow freshclam_t self:unix_dgram_socket create_socket_perms;
# NOTE(review): listen/accept on a domain whose corenet rules below only
# connect outward (http and clamd ports); no corenet_tcp_bind_* interface is
# present in this section, so this looks unused — confirm before removing.
allow freshclam_t self:tcp_socket { listen accept };
# configuration files
allow freshclam_t clamd_etc_t:dir list_dir_perms;
read_files_pattern(freshclam_t, clamd_etc_t, clamd_etc_t)
read_lnk_files_pattern(freshclam_t, clamd_etc_t, clamd_etc_t)
# var/lib files together with clamd (presumably the signature database)
manage_dirs_pattern(freshclam_t, clamd_var_lib_t, clamd_var_lib_t)
manage_files_pattern(freshclam_t, clamd_var_lib_t, clamd_var_lib_t)
# pidfiles- var/run together with clamd; only file (not dir/sock_file)
# creations get the transition here, unlike clamd_t
manage_files_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t)
manage_sock_files_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t)
files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
# log files (own logfiles only); clamd's log is read-only for freshclam
manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
allow freshclam_t freshclam_var_log_t:dir setattr_dir_perms;
read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
kernel_read_kernel_sysctls(freshclam_t)
kernel_read_system_state(freshclam_t)
# shell and generic binaries run as freshclam_t; no domain transition for
# them is visible in this file
corecmd_exec_shell(freshclam_t)
corecmd_exec_bin(freshclam_t)
corenet_all_recvfrom_unlabeled(freshclam_t)
corenet_all_recvfrom_netlabel(freshclam_t)
corenet_tcp_sendrecv_generic_if(freshclam_t)
corenet_tcp_sendrecv_generic_node(freshclam_t)
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
# outbound http (downloads) and the clamd port
corenet_tcp_connect_http_port(freshclam_t)
corenet_tcp_connect_clamd_port(freshclam_t)
corenet_sendrecv_http_client_packets(freshclam_t)
dev_read_rand(freshclam_t)
dev_read_urand(freshclam_t)
domain_use_interactive_fds(freshclam_t)
files_read_etc_files(freshclam_t)
files_read_etc_runtime_files(freshclam_t)
auth_use_nsswitch(freshclam_t)
logging_send_syslog_msg(freshclam_t)
miscfiles_read_localization(freshclam_t)
# connect to clamd's unix stream socket (interface defined in this module's
# interface file, not shown here) and to user-domain stream sockets
clamav_stream_connect(freshclam_t)
userdom_stream_connect(freshclam_t)
# execmem for the JIT, gated by the same tunable as clamd/clamscan
tunable_policy(`clamd_use_jit',`
allow freshclam_t self:process execmem;
',`
dontaudit freshclam_t self:process execmem;
')
# allow freshclam to be run as a system cron job entering freshclam_t
optional_policy(`
cron_system_entry(freshclam_t, freshclam_exec_t)
')
########################################
#
# clamscan local policy
#
allow clamscan_t self:capability { setgid setuid dac_override };
# NOTE(review): rw_file_perms on a fifo_file, whereas clamd_t and freshclam_t
# use rw_fifo_file_perms; check the sets are equivalent or align for consistency
allow clamscan_t self:fifo_file rw_file_perms;
allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
allow clamscan_t self:unix_dgram_socket create_socket_perms;
allow clamscan_t self:tcp_socket create_stream_socket_perms;
# configuration files
allow clamscan_t clamd_etc_t:dir list_dir_perms;
read_files_pattern(clamscan_t, clamd_etc_t, clamd_etc_t)
read_lnk_files_pattern(clamscan_t, clamd_etc_t, clamd_etc_t)
# tmp files
manage_dirs_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t)
manage_files_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t)
files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
# var/lib files together with clamd: manage files, but only list the
# directory (no directory creation/removal, unlike clamd_t and freshclam_t)
manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
# network: outbound to the clamd port only; no bind rules in this section
corenet_all_recvfrom_unlabeled(clamscan_t)
corenet_all_recvfrom_netlabel(clamscan_t)
corenet_tcp_sendrecv_generic_if(clamscan_t)
corenet_tcp_sendrecv_generic_node(clamscan_t)
corenet_tcp_sendrecv_all_ports(clamscan_t)
corenet_tcp_sendrecv_clamd_port(clamscan_t)
corenet_tcp_connect_clamd_port(clamscan_t)
kernel_read_kernel_sysctls(clamscan_t)
kernel_read_system_state(clamscan_t)
files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
# search var/lib to reach clamd_var_lib_t
files_search_var_lib(clamscan_t)
init_read_utmp(clamscan_t)
init_dontaudit_write_utmp(clamscan_t)
miscfiles_read_localization(clamscan_t)
miscfiles_read_public_files(clamscan_t)
# connect to clamd's unix stream socket (interface defined in this module's
# interface file, not shown here)
clamav_stream_connect(clamscan_t)
mta_send_mail(clamscan_t)
# read-only access to content it may be asked to scan: amavis spool and
# apache system content
optional_policy(`
amavis_read_spool_files(clamscan_t)
')
optional_policy(`
apache_read_sys_content(clamscan_t)
')