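policy_module(clamav, 1.8.1)

########################################
#
# ClamAV reference-policy module: clamd (scanning daemon),
# freshclam (signature updater) and clamscan (command-line scanner).
#
# Domains:      clamd_t, freshclam_t, clamscan_t
# Shared types: clamd_etc_t (configuration, read by all three),
#               clamd_var_lib_t (var/lib data shared with clamd),
#               clamd_var_run_t (pid/socket files; alias clamd_sock_t)
# Per-domain:   clamd_tmp_t, clamd_var_log_t, clamscan_tmp_t,
#               freshclam_var_log_t
#
# Interfaces such as clamav_stream_connect() live in clamav.if and are
# not part of this file.
#

## <desc>
## <p>
## Allow clamd to use JIT compiler
## </p>
## </desc>
# Off by default. When enabled, the tunable_policy blocks below grant
# process:execmem (writable + executable anonymous memory) to clamd_t,
# clamscan_t and freshclam_t; when disabled the same permission is
# dontaudited, so a JIT attempt fails quietly instead of flooding the log.
gen_tunable(clamd_use_jit, false)

########################################
#
# Declarations
#

# Main clamd domain
type clamd_t;
type clamd_exec_t;
init_daemon_domain(clamd_t, clamd_exec_t)

# configuration files (shared read-only by freshclam_t and clamscan_t below)
type clamd_etc_t;
files_config_file(clamd_etc_t)

type clamd_initrc_exec_t;
init_script_file(clamd_initrc_exec_t)

# tmp files
type clamd_tmp_t;
files_tmp_file(clamd_tmp_t)

# log files
type clamd_var_log_t;
logging_log_file(clamd_var_log_t)

# var/lib files
type clamd_var_lib_t;
files_type(clamd_var_lib_t)

# pid files
type clamd_var_run_t;
files_pid_file(clamd_var_run_t)
# Historical name kept so policy written against clamd_sock_t still builds.
typealias clamd_var_run_t alias clamd_sock_t;

type clamscan_t;
type clamscan_exec_t;
init_daemon_domain(clamscan_t, clamscan_exec_t)

# tmp files
type clamscan_tmp_t;
files_tmp_file(clamscan_tmp_t)

type freshclam_t;
type freshclam_exec_t;
init_daemon_domain(freshclam_t, freshclam_exec_t)

# log files
type freshclam_var_log_t;
logging_log_file(freshclam_var_log_t)

########################################
#
# clamd local policy
#

# dac_override lets clamd open files regardless of their DAC mode bits
# (needed to scan content it does not own); setuid/setgid are presumably
# for dropping privileges after start — confirm against clamd's User setting.
allow clamd_t self:capability { kill setgid setuid dac_override };
dontaudit clamd_t self:capability sys_tty_config;
allow clamd_t self:fifo_file rw_fifo_file_perms;
allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow clamd_t self:unix_dgram_socket create_socket_perms;
# NOTE(review): only listen/accept are granted on tcp_socket here, whereas
# clamscan_t below gets create_stream_socket_perms; confirm whether clamd_t
# also needs create/bind perms on the socket itself for a TCP listener.
allow clamd_t self:tcp_socket { listen accept };

# configuration files
allow clamd_t clamd_etc_t:dir list_dir_perms;
read_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t)
read_lnk_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t)

# tmp files
manage_dirs_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })

# var/lib files for clamd
manage_sock_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)

# log files
manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })

# pid file (and the local socket, which shares clamd_var_run_t)
manage_dirs_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
files_pid_filetrans(clamd_t, clamd_var_run_t, { sock_file file dir })

kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
kernel_read_kernel_sysctls(clamd_t)
kernel_read_system_state(clamd_t)

# NOTE(review): shell execution from the scanning daemon; presumably for a
# configured command hook — confirm it is still required.
corecmd_exec_shell(clamd_t)

# Network: send/recv is permitted on all port types, but bind is limited to
# the clamd port and generic (unreserved) ports, and connect to generic ports.
corenet_all_recvfrom_unlabeled(clamd_t)
corenet_all_recvfrom_netlabel(clamd_t)
corenet_tcp_sendrecv_generic_if(clamd_t)
corenet_tcp_sendrecv_generic_node(clamd_t)
corenet_tcp_sendrecv_all_ports(clamd_t)
corenet_tcp_sendrecv_clamd_port(clamd_t)
corenet_tcp_bind_generic_node(clamd_t)
corenet_tcp_bind_clamd_port(clamd_t)
corenet_tcp_bind_generic_port(clamd_t)
corenet_tcp_connect_generic_port(clamd_t)
corenet_sendrecv_clamd_server_packets(clamd_t)

dev_read_rand(clamd_t)
dev_read_urand(clamd_t)

domain_use_interactive_fds(clamd_t)

files_read_etc_files(clamd_t)
files_read_etc_runtime_files(clamd_t)
files_search_spool(clamd_t)

auth_use_nsswitch(clamd_t)

logging_send_syslog_msg(clamd_t)

miscfiles_read_localization(clamd_t)

cron_use_fds(clamd_t)
cron_use_system_job_fds(clamd_t)
cron_rw_pipes(clamd_t)

mta_read_config(clamd_t)
mta_send_mail(clamd_t)

optional_policy(`
	amavis_read_lib_files(clamd_t)
	amavis_read_spool_files(clamd_t)
	# sockets clamd creates in the amavis spool are labelled clamd_var_run_t
	amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
	amavis_create_pid_files(clamd_t)
')

optional_policy(`
	exim_read_spool_files(clamd_t)
')

# The clamscan_t execmem rules are kept in this block so both scanning
# domains toggle together; freshclam_t has its own block below.
tunable_policy(`clamd_use_jit',`
	allow clamd_t self:process execmem;
	allow clamscan_t self:process execmem;
', `
	dontaudit clamd_t self:process execmem;
	dontaudit clamscan_t self:process execmem;
')

########################################
#
# Freshclam local policy
#

allow freshclam_t self:capability { setgid setuid dac_override };
allow freshclam_t self:fifo_file rw_fifo_file_perms;
allow freshclam_t self:unix_stream_socket create_stream_socket_perms;
allow freshclam_t self:unix_dgram_socket create_socket_perms;
# NOTE(review): listen/accept on an updater that only connects out
# (http/clamd ports below); confirm a listening socket is actually needed.
allow freshclam_t self:tcp_socket { listen accept };

# configuration files
allow freshclam_t clamd_etc_t:dir list_dir_perms;
read_files_pattern(freshclam_t, clamd_etc_t, clamd_etc_t)
read_lnk_files_pattern(freshclam_t, clamd_etc_t, clamd_etc_t)

# var/lib files together with clamd
manage_dirs_pattern(freshclam_t, clamd_var_lib_t, clamd_var_lib_t)
manage_files_pattern(freshclam_t, clamd_var_lib_t, clamd_var_lib_t)

# pidfiles- var/run together with clamd
manage_files_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t)
manage_sock_files_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t)
files_pid_filetrans(freshclam_t, clamd_var_run_t, file)

# log files (own logfiles only; clamd's log is read-only from here)
manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
allow freshclam_t freshclam_var_log_t:dir setattr;
read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)

kernel_read_kernel_sysctls(freshclam_t)
kernel_read_system_state(freshclam_t)

# NOTE(review): shell and generic binary execution from the updater;
# presumably for a configured post-update hook — confirm still required.
corecmd_exec_shell(freshclam_t)
corecmd_exec_bin(freshclam_t)

corenet_all_recvfrom_unlabeled(freshclam_t)
corenet_all_recvfrom_netlabel(freshclam_t)
corenet_tcp_sendrecv_generic_if(freshclam_t)
corenet_tcp_sendrecv_generic_node(freshclam_t)
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
# outbound only: http for downloads, clamd port for the local daemon
corenet_tcp_connect_http_port(freshclam_t)
corenet_tcp_connect_clamd_port(freshclam_t)
corenet_sendrecv_http_client_packets(freshclam_t)

dev_read_rand(freshclam_t)
dev_read_urand(freshclam_t)

domain_use_interactive_fds(freshclam_t)

files_read_etc_files(freshclam_t)
files_read_etc_runtime_files(freshclam_t)

auth_use_nsswitch(freshclam_t)

logging_send_syslog_msg(freshclam_t)

miscfiles_read_localization(freshclam_t)

# stream-connect to clamd's local socket (interface from clamav.if)
clamav_stream_connect(freshclam_t)

# NOTE(review): connecting to user-domain stream sockets is unusual for a
# signature updater; confirm the use case before keeping it.
userdom_stream_connect(freshclam_t)

optional_policy(`
	cron_system_entry(freshclam_t, freshclam_exec_t)
')

tunable_policy(`clamd_use_jit',`
	allow freshclam_t self:process execmem;
', `
	dontaudit freshclam_t self:process execmem;
')

########################################
#
# clamscan local policy
#

allow clamscan_t self:capability { setgid setuid dac_override };
# rw_fifo_file_perms, consistent with clamd_t and freshclam_t above
allow clamscan_t self:fifo_file rw_fifo_file_perms;
allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
allow clamscan_t self:unix_dgram_socket create_socket_perms;
allow clamscan_t self:tcp_socket create_stream_socket_perms;

# configuration files
allow clamscan_t clamd_etc_t:dir list_dir_perms;
read_files_pattern(clamscan_t, clamd_etc_t, clamd_etc_t)
read_lnk_files_pattern(clamscan_t, clamd_etc_t, clamd_etc_t)

# tmp files
manage_dirs_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t)
manage_files_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t)
files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })

# var/lib files together with clamd (files managed, dirs list-only)
manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
allow clamscan_t clamd_var_lib_t:dir list_dir_perms;

# Network: no bind here; clamscan only connects to the clamd port.
corenet_all_recvfrom_unlabeled(clamscan_t)
corenet_all_recvfrom_netlabel(clamscan_t)
corenet_tcp_sendrecv_generic_if(clamscan_t)
corenet_tcp_sendrecv_generic_node(clamscan_t)
corenet_tcp_sendrecv_all_ports(clamscan_t)
corenet_tcp_sendrecv_clamd_port(clamscan_t)
corenet_tcp_connect_clamd_port(clamscan_t)

kernel_read_kernel_sysctls(clamscan_t)
kernel_read_system_state(clamscan_t)

files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
files_search_var_lib(clamscan_t)

init_read_utmp(clamscan_t)
init_dontaudit_write_utmp(clamscan_t)

miscfiles_read_localization(clamscan_t)
miscfiles_read_public_files(clamscan_t)

# stream-connect to clamd's local socket (interface from clamav.if)
clamav_stream_connect(clamscan_t)

mta_send_mail(clamscan_t)

optional_policy(`
	amavis_read_spool_files(clamscan_t)
')

optional_policy(`
	apache_read_sys_content(clamscan_t)
')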