439 lines
8.6 KiB
Plaintext
439 lines
8.6 KiB
Plaintext
## <summary>ClamAV Virus Scanner.</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute a domain transition to run clamd.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`clamav_domtrans',`
|
|
gen_require(`
|
|
type clamd_t, clamd_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, clamd_exec_t, clamd_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute clamd programs in the clamd
|
|
## domain and allow the specified role
|
|
## the clamd domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`clamav_run',`
|
|
gen_require(`
|
|
type clamd_t;
|
|
')
|
|
|
|
clamav_domtrans($1)
|
|
role $2 types clamd_t;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Connect to clamd using a unix
|
|
## domain stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`clamav_stream_connect',`
|
|
gen_require(`
|
|
type clamd_t, clamd_runtime_t;
|
|
')
|
|
|
|
allow clamd_t $1:fd use;
|
|
|
|
files_search_pids($1)
|
|
stream_connect_pattern($1, clamd_runtime_t, clamd_runtime_t, clamd_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Append clamav log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`clamav_append_log',`
|
|
gen_require(`
|
|
type clamd_var_log_t;
|
|
')
|
|
|
|
logging_search_logs($1)
|
|
allow $1 clamd_var_log_t:dir list_dir_perms;
|
|
append_files_pattern($1, clamd_var_log_t, clamd_var_log_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete
|
|
## clamav pid content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`clamav_manage_pid_content',`
|
|
gen_require(`
|
|
type clamd_runtime_t;
|
|
')
|
|
|
|
files_search_pids($1)
|
|
manage_dirs_pattern($1, clamd_runtime_t, clamd_runtime_t)
|
|
manage_files_pattern($1, clamd_runtime_t, clamd_runtime_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read clamav configuration files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`clamav_read_config',`
|
|
gen_require(`
|
|
type clamd_etc_t;
|
|
')
|
|
|
|
files_search_etc($1)
|
|
allow $1 clamd_etc_t:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Search clamav library directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`clamav_search_lib',`
|
|
gen_require(`
|
|
type clamd_var_lib_t;
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
allow $1 clamd_var_lib_t:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute a domain transition to run clamscan.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`clamav_domtrans_clamscan',`
|
|
gen_require(`
|
|
type clamscan_t, clamscan_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, clamscan_exec_t, clamscan_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute clamscan in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`clamav_exec_clamscan',`
|
|
gen_require(`
|
|
type clamscan_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
can_exec($1, clamscan_exec_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Read clamd process state files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`clamav_read_state_clamd',`
|
|
gen_require(`
|
|
type clamd_t;
|
|
')
|
|
|
|
kernel_search_proc($1)
|
|
allow $1 clamd_t:dir list_dir_perms;
|
|
read_files_pattern($1, clamd_t, clamd_t)
|
|
read_lnk_files_pattern($1, clamd_t, clamd_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Read clam virus signature files
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## Useful for when using things like 'sigtool'
|
|
## which provides useful information about
|
|
## ClamAV signature files.
|
|
## </p>
|
|
## </desc>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`clamav_read_signatures',`
|
|
gen_require(`
|
|
type clamd_var_lib_t;
|
|
')
|
|
|
|
clamav_search_lib($1)
|
|
allow $1 clamd_var_lib_t:dir list_dir_perms;
|
|
read_files_pattern($1, clamd_var_lib_t, clamd_var_lib_t)
|
|
read_lnk_files_pattern($1, clamd_var_lib_t, clamd_var_lib_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Denote a particular type to be scanned by ClamAV
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Type that clamd_t and clamscan_t can read.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`clamav_scannable_files',`
|
|
gen_require(`
|
|
attribute clam_scannable_type;
|
|
')
|
|
|
|
typeattribute $1 clam_scannable_type;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute a domain transition to run freshclam.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`clamav_domtrans_freshclam',`
|
|
gen_require(`
|
|
type freshclam_t, freshclam_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, freshclam_exec_t, freshclam_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute freshclam in the freshclam domain, and
|
|
## allow the specified role the freshclam domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`clamav_run_freshclam',`
|
|
gen_require(`
|
|
type freshclam_t;
|
|
')
|
|
|
|
clamav_domtrans_freshclam($1)
|
|
role $2 types freshclam_t;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute freshclam in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`clamav_exec_freshclam',`
|
|
gen_require(`
|
|
type freshclam_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
can_exec($1, freshclam_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow specified domain to enable clamd units
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`clamav_enabledisable_clamd',`
|
|
gen_require(`
|
|
type clamd_unit_t;
|
|
class service { enable disable };
|
|
')
|
|
|
|
allow $1 clamd_unit_t:service { enable disable };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow specified domain to start clamd units
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`clamav_startstop_clamd',`
|
|
gen_require(`
|
|
type clamd_unit_t;
|
|
class service { start stop };
|
|
')
|
|
|
|
allow $1 clamd_unit_t:service { start stop };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow specified domain to get status of clamd
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`clamav_status_clamd',`
|
|
gen_require(`
|
|
type clamd_unit_t;
|
|
class service status;
|
|
')
|
|
|
|
allow $1 clamd_unit_t:service status;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow specified domain reload of clamd
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`clamav_reload_clamd',`
|
|
gen_require(`
|
|
type clamd_unit_t;
|
|
class service reload;
|
|
')
|
|
|
|
allow $1 clamd_unit_t:service reload;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## All of the rules required to
|
|
## administrate an clamav environment.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`clamav_admin',`
|
|
gen_require(`
|
|
type clamd_t, clamd_etc_t, clamd_tmp_t;
|
|
type clamd_var_log_t, clamd_var_lib_t, clamd_initrc_exec_t;
|
|
type clamd_runtime_t, clamscan_t, clamscan_tmp_t;
|
|
type freshclam_t, freshclam_var_log_t;
|
|
')
|
|
|
|
allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms };
|
|
ps_process_pattern($1, { clamd_t clamscan_t freshclam_t })
|
|
|
|
init_startstop_service($1, $2, clamd_t, clamd_initrc_exec_t)
|
|
|
|
files_list_etc($1)
|
|
admin_pattern($1, clamd_etc_t)
|
|
|
|
files_list_var_lib($1)
|
|
admin_pattern($1, clamd_var_lib_t)
|
|
|
|
logging_list_logs($1)
|
|
admin_pattern($1, { clamd_var_log_t freshclam_var_log_t })
|
|
|
|
files_list_pids($1)
|
|
admin_pattern($1, clamd_runtime_t)
|
|
|
|
files_list_tmp($1)
|
|
admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
|
|
')
|