Clamav patch from Dan Walsh.

policy/modules/services/clamav.if

@@ -133,7 +133,7 @@ interface(`clamav_exec_clamscan',`
 
 ########################################
 ## <summary>
-##	All of the rules required to administrate 
+##	All of the rules required to administrate
 ##	an clamav environment
 ## </summary>
 ## <param name="domain">

policy/modules/services/clamav.te

@@ -1,5 +1,12 @@
 
-policy_module(clamav, 1.7.1)
+policy_module(clamav, 1.7.2)
+
+## <desc>
+## <p>
+## Allow clamd to use JIT compiler
+## </p>
+## </desc>
+gen_tunable(clamd_use_jit, false)
 
 ########################################
 #
@@ -57,6 +64,7 @@ logging_log_file(freshclam_var_log_t)
 #
 
 allow clamd_t self:capability { kill setgid setuid dac_override };
+dontaudit clamd_t self:capability sys_tty_config;
 allow clamd_t self:fifo_file rw_fifo_file_perms;
 allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow clamd_t self:unix_dgram_socket create_socket_perms;
@@ -189,6 +197,8 @@ files_read_etc_runtime_files(freshclam_t)
 
 auth_use_nsswitch(freshclam_t)
 
+logging_send_syslog_msg(freshclam_t)
+
 miscfiles_read_localization(freshclam_t)
 
 clamav_stream_connect(freshclam_t)
@@ -246,6 +256,12 @@ clamav_stream_connect(clamscan_t)
 
 mta_send_mail(clamscan_t)
 
+tunable_policy(`clamd_use_jit',`
+	allow clamd_t self:process execmem;
+', `
+	dontaudit clamd_t self:process execmem;
+')
+
 optional_policy(`
 	amavis_read_spool_files(clamscan_t)
 ')