[people/stevee/selinux-policy.git] / policy / modules / services / clamav.te

policy_module(clamav, 1.9.0)

## <desc>
##	<p>
##	Allow clamscan to read user content 
##	</p>
## </desc>
gen_tunable(clamscan_read_user_content, false)

## <desc>
##	<p>
##	Allow clamd to use JIT compiler
##	</p>
## </desc>
gen_tunable(clamd_use_jit, false)

########################################
#
# Declarations
#

# Main clamd domain
type clamd_t;
type clamd_exec_t;
init_daemon_domain(clamd_t, clamd_exec_t)

# configuration files
type clamd_etc_t;
files_config_file(clamd_etc_t)

type clamd_initrc_exec_t;
init_script_file(clamd_initrc_exec_t)

# tmp files
type clamd_tmp_t;
files_tmp_file(clamd_tmp_t)

# log files
type clamd_var_log_t;
logging_log_file(clamd_var_log_t)

# var/lib files
type clamd_var_lib_t;
files_type(clamd_var_lib_t)

# pid files
type clamd_var_run_t;
files_pid_file(clamd_var_run_t)
typealias clamd_var_run_t alias clamd_sock_t;

type clamscan_t;
type clamscan_exec_t;
init_daemon_domain(clamscan_t, clamscan_exec_t)

# tmp files
type clamscan_tmp_t;
files_tmp_file(clamscan_tmp_t)

type freshclam_t;
type freshclam_exec_t;
init_daemon_domain(freshclam_t, freshclam_exec_t)

# log files
type freshclam_var_log_t;
logging_log_file(freshclam_var_log_t)

########################################
#
# clamd local policy
#

allow clamd_t self:capability { kill setgid setuid dac_override };
dontaudit clamd_t self:capability sys_tty_config;
allow clamd_t self:process signal;

allow clamd_t self:fifo_file rw_fifo_file_perms;
allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow clamd_t self:unix_dgram_socket create_socket_perms;
allow clamd_t self:tcp_socket { listen accept };

# configuration files
allow clamd_t clamd_etc_t:dir list_dir_perms;
read_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t)
read_lnk_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t)

# tmp files
manage_dirs_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })

# var/lib files for clamd
manage_sock_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)

# log files
manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })

# pid file
manage_dirs_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
files_pid_filetrans(clamd_t, clamd_var_run_t, { sock_file file dir })

kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
kernel_read_kernel_sysctls(clamd_t)
kernel_read_system_state(clamd_t)

corecmd_exec_shell(clamd_t)

corenet_all_recvfrom_unlabeled(clamd_t)
corenet_all_recvfrom_netlabel(clamd_t)
corenet_tcp_sendrecv_generic_if(clamd_t)
corenet_tcp_sendrecv_generic_node(clamd_t)
corenet_tcp_sendrecv_all_ports(clamd_t)
corenet_tcp_sendrecv_clamd_port(clamd_t)
corenet_tcp_bind_generic_node(clamd_t)
corenet_tcp_bind_clamd_port(clamd_t)
corenet_tcp_bind_generic_port(clamd_t)
corenet_tcp_connect_generic_port(clamd_t)
corenet_tcp_connect_clamd_port(clamd_t)
corenet_sendrecv_clamd_server_packets(clamd_t)

dev_read_rand(clamd_t)
dev_read_urand(clamd_t)

domain_use_interactive_fds(clamd_t)

files_read_etc_files(clamd_t)
files_read_etc_runtime_files(clamd_t)
files_search_spool(clamd_t)

auth_use_nsswitch(clamd_t)

logging_send_syslog_msg(clamd_t)

miscfiles_read_localization(clamd_t)

optional_policy(`
	amavis_read_lib_files(clamd_t)
	amavis_read_spool_files(clamd_t)
	amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
	amavis_create_pid_files(clamd_t)
')

optional_policy(`
	cron_use_fds(clamd_t)
	cron_use_system_job_fds(clamd_t)
	cron_rw_pipes(clamd_t)
')

optional_policy(`
	exim_read_spool_files(clamd_t)
')

optional_policy(`
	mta_read_config(clamd_t)
	mta_send_mail(clamd_t)
')

optional_policy(`
	spamd_stream_connect(clamd_t)
	spamassassin_read_pid_files(clamd_t)
')

tunable_policy(`clamd_use_jit',`
	allow clamd_t self:process execmem;
	allow clamscan_t self:process execmem;
',`
	dontaudit clamd_t self:process execmem;
	dontaudit clamscan_t self:process execmem;
')

########################################
#
# Freshclam local policy
#

allow freshclam_t self:capability { setgid setuid dac_override };
allow freshclam_t self:fifo_file rw_fifo_file_perms;
allow freshclam_t self:unix_stream_socket create_stream_socket_perms;
allow freshclam_t self:unix_dgram_socket create_socket_perms;
allow freshclam_t self:tcp_socket { listen accept };

# configuration files
allow freshclam_t clamd_etc_t:dir list_dir_perms;
read_files_pattern(freshclam_t, clamd_etc_t, clamd_etc_t)
read_lnk_files_pattern(freshclam_t, clamd_etc_t, clamd_etc_t)

# var/lib files together with clamd
manage_dirs_pattern(freshclam_t, clamd_var_lib_t, clamd_var_lib_t)
manage_files_pattern(freshclam_t, clamd_var_lib_t, clamd_var_lib_t)

# pidfiles- var/run together with clamd
manage_files_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t)
manage_sock_files_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t)
files_pid_filetrans(freshclam_t, clamd_var_run_t, file)

# log files (own logfiles only)
manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
allow freshclam_t freshclam_var_log_t:dir setattr_dir_perms;
read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)

kernel_read_kernel_sysctls(freshclam_t)
kernel_read_system_state(freshclam_t)

corecmd_exec_shell(freshclam_t)
corecmd_exec_bin(freshclam_t)

corenet_all_recvfrom_unlabeled(freshclam_t)
corenet_all_recvfrom_netlabel(freshclam_t)
corenet_tcp_sendrecv_generic_if(freshclam_t)
corenet_tcp_sendrecv_generic_node(freshclam_t)
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
corenet_tcp_connect_clamd_port(freshclam_t)
corenet_sendrecv_http_client_packets(freshclam_t)

dev_read_rand(freshclam_t)
dev_read_urand(freshclam_t)

domain_use_interactive_fds(freshclam_t)

files_read_etc_files(freshclam_t)
files_read_etc_runtime_files(freshclam_t)

auth_use_nsswitch(freshclam_t)

logging_send_syslog_msg(freshclam_t)

miscfiles_read_localization(freshclam_t)

clamav_stream_connect(freshclam_t)

userdom_stream_connect(freshclam_t)

tunable_policy(`clamd_use_jit',`
	allow freshclam_t self:process execmem;
',`
	dontaudit freshclam_t self:process execmem;
')

optional_policy(`
	cron_system_entry(freshclam_t, freshclam_exec_t)
')

########################################
#
# clamscam local policy
#

allow clamscan_t self:capability { setgid setuid dac_override };
allow clamscan_t self:fifo_file rw_file_perms;
allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
allow clamscan_t self:unix_dgram_socket create_socket_perms;
allow clamscan_t self:tcp_socket create_stream_socket_perms;

# configuration files
allow clamscan_t clamd_etc_t:dir list_dir_perms;
read_files_pattern(clamscan_t, clamd_etc_t, clamd_etc_t)
read_lnk_files_pattern(clamscan_t, clamd_etc_t, clamd_etc_t)

# tmp files
manage_dirs_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t)
manage_files_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t)
files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })

# var/lib files together with clamd
manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
allow clamscan_t clamd_var_lib_t:dir list_dir_perms;

read_files_pattern(clamscan_t, clamd_var_run_t, clamd_var_run_t)
allow clamscan_t clamd_var_run_t:dir list_dir_perms;

kernel_read_system_state(clamscan_t)

corenet_all_recvfrom_unlabeled(clamscan_t)
corenet_all_recvfrom_netlabel(clamscan_t)
corenet_tcp_sendrecv_generic_if(clamscan_t)
corenet_tcp_sendrecv_generic_node(clamscan_t)
corenet_tcp_sendrecv_all_ports(clamscan_t)
corenet_tcp_sendrecv_clamd_port(clamscan_t)
corenet_tcp_bind_generic_node(clamscan_t)
corenet_tcp_connect_clamd_port(clamscan_t)

corecmd_read_all_executables(clamscan_t)

tunable_policy(`clamscan_read_user_content',`
	userdom_read_user_home_content_files(clamscan_t)
	userdom_dontaudit_read_user_home_content_files(clamscan_t)
')

kernel_read_kernel_sysctls(clamscan_t)
kernel_read_system_state(clamscan_t)

files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
files_search_var_lib(clamscan_t)

init_read_utmp(clamscan_t)
init_dontaudit_write_utmp(clamscan_t)

miscfiles_read_localization(clamscan_t)
miscfiles_read_public_files(clamscan_t)

clamav_stream_connect(clamscan_t)

sysnet_read_config(clamscan_t)

optional_policy(`
	mta_send_mail(clamscan_t)
	mta_read_queue(clamscan_t)
')

optional_policy(`
	amavis_manage_spool_files(clamscan_t)
')

optional_policy(`
	apache_read_sys_content(clamscan_t)
')
Commit	Line	Data
826d0142	1	policy_module(clamav, 1.9.0)
4804cd43	2
94929a9b DW	3	## <desc>
	4	## <p>
	5	## Allow clamscan to read user content
	6	## </p>
	7	## </desc>
	8	gen_tunable(clamscan_read_user_content, false)
	9
4804cd43	10	## <desc>
68ac47d8 DG	11	## <p>
	12	## Allow clamd to use JIT compiler
	13	## </p>
4804cd43 CP	14	## </desc>
4804cd43 CP	15	gen_tunable(clamd_use_jit, false)
8a0a9944 CP	16
	17	########################################
	18	#
	19	# Declarations
	20	#
	21
	22	# Main clamd domain
	23	type clamd_t;
	24	type clamd_exec_t;
	25	init_daemon_domain(clamd_t, clamd_exec_t)
	26
	27	# configuration files
	28	type clamd_etc_t;
ad0aea53 CP	29	files_config_file(clamd_etc_t)
	30
	31	type clamd_initrc_exec_t;
	32	init_script_file(clamd_initrc_exec_t)
8a0a9944	33
8a0a9944 CP	34	# tmp files
	35	type clamd_tmp_t;
	36	files_tmp_file(clamd_tmp_t)
	37
	38	# log files
	39	type clamd_var_log_t;
	40	logging_log_file(clamd_var_log_t)
	41
	42	# var/lib files
	43	type clamd_var_lib_t;
	44	files_type(clamd_var_lib_t)
	45
	46	# pid files
	47	type clamd_var_run_t;
	48	files_pid_file(clamd_var_run_t)
46551033	49	typealias clamd_var_run_t alias clamd_sock_t;
8a0a9944	50
165b42d2 CP	51	type clamscan_t;
	52	type clamscan_exec_t;
	53	init_daemon_domain(clamscan_t, clamscan_exec_t)
	54
522b59bb CP	55	# tmp files
	56	type clamscan_tmp_t;
	57	files_tmp_file(clamscan_tmp_t)
	58
8a0a9944 CP	59	type freshclam_t;
	60	type freshclam_exec_t;
	61	init_daemon_domain(freshclam_t, freshclam_exec_t)
	62
	63	# log files
	64	type freshclam_var_log_t;
	65	logging_log_file(freshclam_var_log_t)
	66
	67	########################################
	68	#
	69	# clamd local policy
	70	#
	71
	72	allow clamd_t self:capability { kill setgid setuid dac_override };
4804cd43	73	dontaudit clamd_t self:capability sys_tty_config;
5212892e DW	74	allow clamd_t self:process signal;
5212892e DW	75
c0868a7a	76	allow clamd_t self:fifo_file rw_fifo_file_perms;
ad0aea53	77	allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
8a0a9944 CP	78	allow clamd_t self:unix_dgram_socket create_socket_perms;
	79	allow clamd_t self:tcp_socket { listen accept };
	80
	81	# configuration files
c0868a7a	82	allow clamd_t clamd_etc_t:dir list_dir_perms;
0bfccda4 CP	83	read_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t)
0bfccda4 CP	84	read_lnk_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t)
8a0a9944	85
8a0a9944	86	# tmp files
0bfccda4 CP	87	manage_dirs_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
	88	manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
	89	files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
8a0a9944 CP	90
8a0a9944 CP	91	# var/lib files for clamd
3eaa9939	92	manage_sock_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
0bfccda4 CP	93	manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
0bfccda4 CP	94	manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
8a0a9944 CP	95
8a0a9944 CP	96	# log files
0bfccda4 CP	97	manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
	98	manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
	99	logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })
8a0a9944 CP	100
8a0a9944 CP	101	# pid file
08e567dc	102	manage_dirs_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
0bfccda4 CP	103	manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
0bfccda4 CP	104	manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
3eaa9939	105	files_pid_filetrans(clamd_t, clamd_var_run_t, { sock_file file dir })
8a0a9944 CP	106
8a0a9944 CP	107	kernel_dontaudit_list_proc(clamd_t)
d6d16b97	108	kernel_read_sysctl(clamd_t)
016e5c5c	109	kernel_read_kernel_sysctls(clamd_t)
ad0aea53 CP	110	kernel_read_system_state(clamd_t)
	111
	112	corecmd_exec_shell(clamd_t)
8a0a9944	113
19006686 CP	114	corenet_all_recvfrom_unlabeled(clamd_t)
19006686 CP	115	corenet_all_recvfrom_netlabel(clamd_t)
668b3093	116	corenet_tcp_sendrecv_generic_if(clamd_t)
c1262146	117	corenet_tcp_sendrecv_generic_node(clamd_t)
8a0a9944 CP	118	corenet_tcp_sendrecv_all_ports(clamd_t)
8a0a9944 CP	119	corenet_tcp_sendrecv_clamd_port(clamd_t)
c1262146	120	corenet_tcp_bind_generic_node(clamd_t)
141cffdd	121	corenet_tcp_bind_clamd_port(clamd_t)
ad0aea53 CP	122	corenet_tcp_bind_generic_port(clamd_t)
ad0aea53 CP	123	corenet_tcp_connect_generic_port(clamd_t)
6cf02752	124	corenet_tcp_connect_clamd_port(clamd_t)
141cffdd	125	corenet_sendrecv_clamd_server_packets(clamd_t)
8a0a9944 CP	126
	127	dev_read_rand(clamd_t)
	128	dev_read_urand(clamd_t)
	129
	130	domain_use_interactive_fds(clamd_t)
	131
	132	files_read_etc_files(clamd_t)
	133	files_read_etc_runtime_files(clamd_t)
522b59bb	134	files_search_spool(clamd_t)
8a0a9944	135
192fb874 CP	136	auth_use_nsswitch(clamd_t)
192fb874 CP	137
522b59bb CP	138	logging_send_syslog_msg(clamd_t)
522b59bb CP	139
8a0a9944 CP	140	miscfiles_read_localization(clamd_t)
8a0a9944 CP	141
0117b6b5 DW	142	optional_policy(`
	143	amavis_read_lib_files(clamd_t)
	144	amavis_read_spool_files(clamd_t)
	145	amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
	146	amavis_create_pid_files(clamd_t)
	147	')
	148
8898c090 MG	149	optional_policy(`
	150	cron_use_fds(clamd_t)
	151	cron_use_system_job_fds(clamd_t)
	152	cron_rw_pipes(clamd_t)
	153	')
8a0a9944	154
8898c090	155	optional_policy(`
0117b6b5	156	exim_read_spool_files(clamd_t)
8898c090	157	')
ad0aea53	158
bb7170f6	159	optional_policy(`
0117b6b5 DW	160	mta_read_config(clamd_t)
0117b6b5 DW	161	mta_send_mail(clamd_t)
8a0a9944 CP	162	')
8a0a9944 CP	163
ad0aea53	164	optional_policy(`
0117b6b5	165	spamd_stream_connect(clamd_t)
dc1bbfd4	166	spamassassin_read_pid_files(clamd_t)
ad0aea53 CP	167	')
ad0aea53 CP	168
29f3bfa4 CP	169	tunable_policy(`clamd_use_jit',`
29f3bfa4 CP	170	allow clamd_t self:process execmem;
3eaa9939	171	allow clamscan_t self:process execmem;
68ac47d8	172	',`
29f3bfa4	173	dontaudit clamd_t self:process execmem;
3eaa9939	174	dontaudit clamscan_t self:process execmem;
29f3bfa4 CP	175	')
29f3bfa4 CP	176
8a0a9944 CP	177	########################################
	178	#
	179	# Freshclam local policy
	180	#
	181
	182	allow freshclam_t self:capability { setgid setuid dac_override };
c0868a7a	183	allow freshclam_t self:fifo_file rw_fifo_file_perms;
8a0a9944 CP	184	allow freshclam_t self:unix_stream_socket create_stream_socket_perms;
	185	allow freshclam_t self:unix_dgram_socket create_socket_perms;
	186	allow freshclam_t self:tcp_socket { listen accept };
	187
	188	# configuration files
c0868a7a	189	allow freshclam_t clamd_etc_t:dir list_dir_perms;
0bfccda4 CP	190	read_files_pattern(freshclam_t, clamd_etc_t, clamd_etc_t)
0bfccda4 CP	191	read_lnk_files_pattern(freshclam_t, clamd_etc_t, clamd_etc_t)
8a0a9944 CP	192
8a0a9944 CP	193	# var/lib files together with clamd
0bfccda4 CP	194	manage_dirs_pattern(freshclam_t, clamd_var_lib_t, clamd_var_lib_t)
0bfccda4 CP	195	manage_files_pattern(freshclam_t, clamd_var_lib_t, clamd_var_lib_t)
8a0a9944 CP	196
8a0a9944 CP	197	# pidfiles- var/run together with clamd
0bfccda4 CP	198	manage_files_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t)
	199	manage_sock_files_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t)
	200	files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
8a0a9944 CP	201
8a0a9944 CP	202	# log files (own logfiles only)
0bfccda4	203	manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
1dfc76f7	204	allow freshclam_t freshclam_var_log_t:dir setattr_dir_perms;
f5b49a5e	205	read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
0bfccda4	206	logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
8a0a9944	207
3eaa9939 DW	208	kernel_read_kernel_sysctls(freshclam_t)
	209	kernel_read_system_state(freshclam_t)
	210
f5b49a5e DW	211	corecmd_exec_shell(freshclam_t)
	212	corecmd_exec_bin(freshclam_t)
	213
19006686 CP	214	corenet_all_recvfrom_unlabeled(freshclam_t)
19006686 CP	215	corenet_all_recvfrom_netlabel(freshclam_t)
668b3093	216	corenet_tcp_sendrecv_generic_if(freshclam_t)
c1262146	217	corenet_tcp_sendrecv_generic_node(freshclam_t)
8a0a9944 CP	218	corenet_tcp_sendrecv_all_ports(freshclam_t)
8a0a9944 CP	219	corenet_tcp_sendrecv_clamd_port(freshclam_t)
8a0a9944	220	corenet_tcp_connect_http_port(freshclam_t)
3eaa9939	221	corenet_tcp_connect_clamd_port(freshclam_t)
141cffdd	222	corenet_sendrecv_http_client_packets(freshclam_t)
8a0a9944 CP	223
	224	dev_read_rand(freshclam_t)
	225	dev_read_urand(freshclam_t)
	226
	227	domain_use_interactive_fds(freshclam_t)
	228
	229	files_read_etc_files(freshclam_t)
	230	files_read_etc_runtime_files(freshclam_t)
	231
192fb874	232	auth_use_nsswitch(freshclam_t)
8a0a9944	233
4804cd43 CP	234	logging_send_syslog_msg(freshclam_t)
4804cd43 CP	235
192fb874	236	miscfiles_read_localization(freshclam_t)
8a0a9944 CP	237
	238	clamav_stream_connect(freshclam_t)
	239
3eaa9939 DW	240	userdom_stream_connect(freshclam_t)
3eaa9939 DW	241
29f3bfa4 CP	242	tunable_policy(`clamd_use_jit',`
29f3bfa4 CP	243	allow freshclam_t self:process execmem;
68ac47d8	244	',`
29f3bfa4 CP	245	dontaudit freshclam_t self:process execmem;
	246	')
	247
ef521e99 DG	248	optional_policy(`
	249	cron_system_entry(freshclam_t, freshclam_exec_t)
	250	')
	251
165b42d2 CP	252	########################################
	253	#
	254	# clamscam local policy
	255	#
	256
	257	allow clamscan_t self:capability { setgid setuid dac_override };
	258	allow clamscan_t self:fifo_file rw_file_perms;
	259	allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
	260	allow clamscan_t self:unix_dgram_socket create_socket_perms;
ad0aea53	261	allow clamscan_t self:tcp_socket create_stream_socket_perms;
165b42d2 CP	262
165b42d2 CP	263	# configuration files
c0868a7a	264	allow clamscan_t clamd_etc_t:dir list_dir_perms;
0bfccda4 CP	265	read_files_pattern(clamscan_t, clamd_etc_t, clamd_etc_t)
0bfccda4 CP	266	read_lnk_files_pattern(clamscan_t, clamd_etc_t, clamd_etc_t)
165b42d2	267
522b59bb	268	# tmp files
0bfccda4 CP	269	manage_dirs_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t)
	270	manage_files_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t)
	271	files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
522b59bb	272
165b42d2	273	# var/lib files together with clamd
0bfccda4	274	manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
c0868a7a	275	allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
165b42d2	276
42753faf DG	277	read_files_pattern(clamscan_t, clamd_var_run_t, clamd_var_run_t)
	278	allow clamscan_t clamd_var_run_t:dir list_dir_perms;
	279
	280	kernel_read_system_state(clamscan_t)
	281
ad0aea53 CP	282	corenet_all_recvfrom_unlabeled(clamscan_t)
	283	corenet_all_recvfrom_netlabel(clamscan_t)
	284	corenet_tcp_sendrecv_generic_if(clamscan_t)
	285	corenet_tcp_sendrecv_generic_node(clamscan_t)
	286	corenet_tcp_sendrecv_all_ports(clamscan_t)
	287	corenet_tcp_sendrecv_clamd_port(clamscan_t)
bf998489	288	corenet_tcp_bind_generic_node(clamscan_t)
ad0aea53 CP	289	corenet_tcp_connect_clamd_port(clamscan_t)
ad0aea53 CP	290
94929a9b DW	291	corecmd_read_all_executables(clamscan_t)
	292
	293	tunable_policy(`clamscan_read_user_content',`
	294	userdom_read_user_home_content_files(clamscan_t)
	295	userdom_dontaudit_read_user_home_content_files(clamscan_t)
	296	')
	297
165b42d2	298	kernel_read_kernel_sysctls(clamscan_t)
3eaa9939	299	kernel_read_system_state(clamscan_t)
165b42d2 CP	300
	301	files_read_etc_files(clamscan_t)
	302	files_read_etc_runtime_files(clamscan_t)
	303	files_search_var_lib(clamscan_t)
	304
016e5c5c CP	305	init_read_utmp(clamscan_t)
	306	init_dontaudit_write_utmp(clamscan_t)
	307
165b42d2 CP	308	miscfiles_read_localization(clamscan_t)
	309	miscfiles_read_public_files(clamscan_t)
	310
	311	clamav_stream_connect(clamscan_t)
	312
bf998489	313	sysnet_read_config(clamscan_t)
ad0aea53	314
8898c090 MG	315	optional_policy(`
	316	mta_send_mail(clamscan_t)
	317	mta_read_queue(clamscan_t)
	318	')
	319
192fb874	320	optional_policy(`
b174ead7	321	amavis_manage_spool_files(clamscan_t)
192fb874 CP	322	')
192fb874 CP	323
165b42d2 CP	324	optional_policy(`
	325	apache_read_sys_content(clamscan_t)
	326	')