commit: 81711bb3a8d8dc9b91d1fd8c9450050c5a598277
Author: David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Fri Nov 2 19:10:20 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 11 23:17:31 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=81711bb3
Allow clamd to use sent file descriptor This allows a process connecting to a local clamd server to send an open file descriptor for A/V scanning. This still requires the file type to be readable by clamd. Signed-off-by: Dave Sugar <dsugar <AT> tresys.com> Signed-off-by: Jason Zaman <jason <AT> perfinion.com> policy/modules/services/clamav.if | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if index 2adb1230..7b6df49e 100644 --- a/policy/modules/services/clamav.if +++ b/policy/modules/services/clamav.if @@ -35,6 +35,8 @@ interface(`clamav_stream_connect',` type clamd_t, clamd_var_run_t; ') + allow clamd_t $1:fd use; + files_search_pids($1) stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t) ')
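Review bot: the `allow clamd_t $1:fd use;` rule added at the top of the `clamav_stream_connect` body applies to every domain that calls this interface, including callers that only connect to the socket and never pass a descriptor. Consider putting the rule in a separate interface that only descriptor-passing clients call, or at least extend the interface's summary comment to say that calling it also lets clamd_t use the caller's file descriptors. The commit message notes that clamd_t still needs read access to the file's type; that constraint is worth stating in the interface documentation as well, since nothing in the hunk makes it visible to a policy author who reads only the .if file.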