Hoshpak
/
debian-selinux-policies


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227
							## <summary>ClamAV Virus Scanner.</summary>

########################################
## <summary>
##	Execute a domain transition to run clamd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`clamav_domtrans',`
	gen_require(`
		type clamd_t, clamd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, clamd_exec_t, clamd_t)
')

########################################
## <summary>
##	Connect to clamd using a unix
##	domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`clamav_stream_connect',`
	gen_require(`
		type clamd_t, clamd_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t)
')

########################################
## <summary>
##	Append clamav log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`clamav_append_log',`
	gen_require(`
		type clamd_var_log_t;
	')

	logging_search_logs($1)
	allow $1 clamd_var_log_t:dir list_dir_perms;
	append_files_pattern($1, clamd_var_log_t, clamd_var_log_t)
')

########################################
## <summary>
##	Create, read, write, and delete
##	clamav pid content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`clamav_manage_pid_content',`
	gen_require(`
		type clamd_var_run_t;
	')

	files_search_pids($1)
	manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
	manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
')

########################################
## <summary>
##	Read clamav configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`clamav_read_config',`
	gen_require(`
		type clamd_etc_t;
	')

	files_search_etc($1)
	allow $1 clamd_etc_t:file read_file_perms;
')

########################################
## <summary>
##	Search clamav library directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`clamav_search_lib',`
	gen_require(`
		type clamd_var_lib_t;
	')

	files_search_var_lib($1)
	allow $1 clamd_var_lib_t:dir search_dir_perms;
')

########################################
## <summary>
##	Execute a domain transition to run clamscan.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`clamav_domtrans_clamscan',`
	gen_require(`
		type clamscan_t, clamscan_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, clamscan_exec_t, clamscan_t)
')

########################################
## <summary>
##	Execute clamscan in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`clamav_exec_clamscan',`
	gen_require(`
		type clamscan_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, clamscan_exec_t)
')

#######################################
## <summary>
##	Read clamd process state files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`clamav_read_state_clamd',`
	gen_require(`
		type clamd_t;
	')

	kernel_search_proc($1)
	allow $1 clamd_t:dir list_dir_perms;
	read_files_pattern($1, clamd_t, clamd_t)
	read_lnk_files_pattern($1, clamd_t, clamd_t)
')

########################################
## <summary>
##	All of the rules required to
##	administrate an clamav environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`clamav_admin',`
	gen_require(`
		type clamd_t, clamd_etc_t, clamd_tmp_t;
		type clamd_var_log_t, clamd_var_lib_t, clamd_initrc_exec_t;
		type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
		type freshclam_t, freshclam_var_log_t;
	')

	allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms };
	ps_process_pattern($1, { clamd_t clamscan_t freshclam_t })

	init_labeled_script_domtrans($1, clamd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 clamd_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	admin_pattern($1, clamd_etc_t)

	files_list_var_lib($1)
	admin_pattern($1, clamd_var_lib_t)

	logging_list_logs($1)
	admin_pattern($1, { clamd_var_log_t freshclam_var_log_t })

	files_list_pids($1)
	admin_pattern($1, clamd_var_run_t)

	files_list_tmp($1)
	admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
')