Allow clamd to use sent file descriptor

This allows a process connecting to a local clamd server to send
an open file descriptor for A/V scanning.  This still requires
the file type to be readable by clamd.

Signed-off-by: Dave Sugar <dsugar@tresys.com>

policy/modules/services/clamav.if

@@ -35,6 +35,8 @@ interface(`clamav_stream_connect',`
 		type clamd_t, clamd_var_run_t;
 	')
 
+	allow clamd_t $1:fd use;
+
 	files_search_pids($1)
 	stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t)
 ')