commit: 80fc619afbb4265a9158c776b0fb917bd5633f54 Author: David Sugar <dsugar <AT> tresys <DOT> com> AuthorDate: Fri Nov 2 00:39:58 2018 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sun Nov 11 23:17:31 2018 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=80fc619a
Interface to add domain allowed to be read by ClamAV for scanning.
Create an attribute for types that clamd_t and clamscan_t can read (for scanning purposes) rather than require clamav.te to be modified.
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
 policy/modules/services/amavis.te | 1 +
 policy/modules/services/apache.te | 1 +
 policy/modules/services/clamav.if | 18 ++++++++++++++++++
 policy/modules/services/clamav.te | 23 +++++++++-------------
 policy/modules/services/exim.te | 1 +
 policy/modules/services/mta.te | 1 +
 6 files changed, 31 insertions(+), 14 deletions(-)
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index 9517486e..59d87259 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -152,6 +152,7 @@ tunable_policy(`amavis_use_jit',`
 ')
 optional_policy(`
+ clamav_scannable_files(amavis_spool_t)
 clamav_stream_connect(amavis_t)
 clamav_domtrans_clamscan(amavis_t)
 clamav_read_state_clamd(amavis_t)
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 341dd150..f45cf73b 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1323,6 +1323,7 @@ tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
 optional_policy(`
 clamav_domtrans_clamscan(httpd_sys_script_t)
+ clamav_scannable_files(httpd_sys_content_t)
 ')
 optional_policy(`
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 80ac5c1e..d1296fcc 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
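Review bot: `clamav_scannable_files(httpd_sys_content_t)` in the apache.te hunk makes the whole web content type readable by the long-running clamd_t daemon as well as by clamscan_t, whereas the `apache_read_sys_content(clamscan_t)` call this replaces (removed from clamav.te in this commit) was scoped to the on-demand scanner only. That widening is not mentioned in the commit message and is not guarded by any tunable; if it is intended, say so in the message, otherwise keep the daemon and scanner read sets separate (for example one attribute per domain) so web content does not become readable by clamd_t as a side effect. The enclosing optional_policy block is fully inside the hunk.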
@@ -205,6 +205,24 @@ interface(`clamav_read_signatures',`
 read_lnk_files_pattern($1, clamd_var_lib_t, clamd_var_lib_t)
 ')
+#######################################
+## <summary>
+## Denote a particular type to be scanned by ClamAV
+## </summary>
+## <param name="domain">
+## <summary>
+## Type that clamd_t and clamscan_t can read.
+## </summary>
+## </param>
+#
+interface(`clamav_scannable_files',`
+ gen_require(`
+ attribute clam_scannable_type;
+ ')
+
+ typeattribute $1 clam_scannable_type;
+')
+
 ########################################
 ## <summary>
 ## All of the rules required to
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index b55bac56..1de8b4cb 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -27,6 +27,7 @@ gen_tunable(clamd_use_jit, false)
 #
 # Declarations
 #
+attribute clam_scannable_type;
 type clamd_t;
 type clamd_exec_t;
@@ -103,6 +104,10 @@ manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
 manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
 files_pid_filetrans(clamd_t, clamd_var_run_t, { dir file sock_file })
+read_files_pattern(clamd_t, clam_scannable_type, clam_scannable_type)
+read_lnk_files_pattern(clamd_t, clam_scannable_type, clam_scannable_type)
+list_dirs_pattern(clamd_t, clam_scannable_type, clam_scannable_type)
+
 kernel_dontaudit_list_proc(clamd_t)
 kernel_read_crypto_sysctls(clamd_t)
 kernel_read_sysctl(clamd_t)
@@ -152,7 +157,6 @@ tunable_policy(`clamd_use_jit',`
 optional_policy(`
 amavis_read_lib_files(clamd_t)
- amavis_read_spool_files(clamd_t)
 amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
 amavis_create_pid_files(clamd_t)
 ')
@@ -163,10 +167,6 @@ optional_policy(`
 cron_rw_pipes(clamd_t)
 ')
-optional_policy(`
- exim_read_spool_files(clamd_t)
-')
-
 optional_policy(`
 mta_read_config(clamd_t)
 mta_send_mail(clamd_t)
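Review bot: The new `clamav_scannable_files` interface documents its argument as `<param name="domain">`, but every caller in this commit passes a file type (`amavis_spool_t`, `httpd_sys_content_t`, `exim_spool_t`, `mqueue_spool_t`), so the parameter should be `<param name="type">` and the summary should state the access the attribute carries instead of leaving readers to find it in clamav.te. Something like `## Mark a file type as scannable by ClamAV: both clamd_t and clamscan_t get read access to files and symlinks of this type and list access to its directories.` would do. It is also worth noting in the summary that nothing here grants search on the parent directories (e.g. the spool root), so a caller whose type lives under such a directory still needs the relevant `files_search_*` rule for clamd_t/clamscan_t unless those domains already have it outside this diff.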
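Review bot: The three `clam_scannable_type` rules added after `files_pid_filetrans` only cover the marked type itself, yet they replace `amavis_read_spool_files(clamd_t)` and `exim_read_spool_files(clamd_t)`, both removed further down in this file. Refpolicy `*_read_spool_files` interfaces commonly bundle `files_search_spool($1)` for the parent directory; if these two did, clamd_t loses that search access here unless it is granted elsewhere outside the diff, and scanning of spool files will fail with a dir search denial rather than a file read one. Confirm with `sesearch -A -s clamd_t -t var_spool_t -c dir` on the built policy, or add `files_search_spool(clamd_t)` beside these rules if it is missing. The same check applies to the matching clamscan_t rules in the later hunk.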
@@ -274,6 +274,10 @@ manage_dirs_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t)
 manage_files_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t)
 files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { dir file })
+read_files_pattern(clamscan_t, clam_scannable_type, clam_scannable_type)
+read_lnk_files_pattern(clamscan_t, clam_scannable_type, clam_scannable_type)
+list_dirs_pattern(clamscan_t, clam_scannable_type, clam_scannable_type)
+
 allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
 manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
@@ -320,17 +324,8 @@ tunable_policy(`clamav_read_all_non_security_files_clamscan',`
 files_getattr_all_sockets(clamscan_t)
 ')
-optional_policy(`
- amavis_read_spool_files(clamscan_t)
-')
-
-optional_policy(`
- apache_read_sys_content(clamscan_t)
-')
-
 optional_policy(`
 mta_send_mail(clamscan_t)
- mta_read_queue(clamscan_t)
 ')
 ifdef(`distro_gentoo',`
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index 693ac491..6430aee8 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -189,6 +189,7 @@ tunable_policy(`exim_manage_user_files',`
 optional_policy(`
 clamav_domtrans_clamscan(exim_t)
+ clamav_scannable_files(exim_spool_t)
 clamav_stream_connect(exim_t)
 ')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 3b389d02..a7133c2b 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -233,6 +233,7 @@ optional_policy(`
 ')
 optional_policy(`
+ clamav_scannable_files(mqueue_spool_t)
 clamav_stream_connect(system_mail_t)
 clamav_append_log(system_mail_t)
 ')
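Review bot: `clamav_scannable_files(mqueue_spool_t)` in the mta.te hunk gives clamd_t read access to the mail queue, which before this commit only clamscan_t had through the `mta_read_queue(clamscan_t)` call removed from clamav.te; the single shared attribute merges what were two distinct per-domain read sets, and as far as this diff shows the reverse also happens for `exim_spool_t`, which only clamd_t could read before. If the daemon and the on-demand scanner are meant to keep separate scopes, splitting into `clamd_scannable_type` and `clamscan_scannable_type` (or a second interface parameter selecting the domain) preserves the previous boundaries; if the merge is deliberate, the commit message should state that both domains gain access to every marked type. The enclosing optional_policy block is fully inside the hunk.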