From c418d0e81d6cda3ae0c2d2c7e3c5e9be372981a2 Mon Sep 17 00:00:00 2001
From: "Sugar, David"
Date: Mon, 25 Feb 2019 23:37:45 +0000
Subject: [PATCH] Add interfaces to run freshclam

Currently freshclam can only be started from cron or init. This adds the option of starting from a different process and optionally transitioning or staying in the callers domain.

Signed-off-by: Dave Sugar
---
 policy/modules/services/clamav.if | 64 +++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)

diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 0dc1e23c9..30d0b814d 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -251,6 +251,70 @@ interface(`clamav_scannable_files',`
 typeattribute $1 clam_scannable_type;
 ')
 
+########################################
+##
+## Execute a domain transition to run freshclam.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`clamav_domtrans_freshclam',`
+ gen_require(`
+ type freshclam_t, freshclam_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, freshclam_exec_t, freshclam_t)
+')
+
+########################################
+##
+## Execute freshclam in the freshclam domain, and
+## allow the specified role the freshclam domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`clamav_run_freshclam',`
+ gen_require(`
+ type freshclam_t;
+ ')
+
+ clamav_domtrans_freshclam($1)
+ role $2 types freshclam_t;
+')
+
+########################################
+##
+## Execute freshclam in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`clamav_exec_freshclam',`
+ gen_require(`
+ type freshclam_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, freshclam_exec_t)
+')
+
 ########################################
 ##
 ## Allow specified domain to enable clamd units
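Review bot: `clamav_exec_freshclam`, the last interface added in this hunk, runs freshclam with no transition, so the updater executes with the caller's full permissions instead of inside the confined `freshclam_t` domain, and its header comment does not say so. The interface grants only `corecmd_search_bin($1)` and `can_exec($1, freshclam_exec_t)`; any further access freshclam needs would presumably have to come from the caller's own policy, which is not visible here. I would extend the summary with a line such as `## The caller must already hold every permission freshclam needs; prefer clamav_domtrans_freshclam() or clamav_run_freshclam() to keep the updater confined.` so that policy authors choose the exec form deliberately.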