#DESC CLAM - Anti-virus program
#
# Author:  Brian May <bam@snoopy.apana.org.au>
# X-Debian-Packages: clamav
#
#################################
#
# Rules for the clamav domains: freshclam_t, clamd_t and clamscan_t.
#
# Virus database (signature files, labeled clamav_var_lib_t)
type clamav_var_lib_t, file_type, sysadmfile;
# clamscan_exec_t is the entry point of clamscan_t, the domain of the clamscan virus scanner
type clamscan_exec_t, file_type, sysadmfile, exec_type;
daemon_base_domain(freshclam)
read_locale(freshclam_t)
# not sure why freshclam needs this (clamd_t gets the same below for /proc/sys/kernel/version)
read_sysctl(freshclam_t)
can_network_server(freshclam_t)
can_ypbind(freshclam_t)
# Access and update the virus signatures in clamav_var_lib_t
allow freshclam_t { var_t var_lib_t }:dir search;
rw_dir_create_file(freshclam_t, clamav_var_lib_t)
allow freshclam_t devtty_t:chr_file { read write };
allow freshclam_t devpts_t:dir search;
allow freshclam_t etc_t:file { getattr read };
allow freshclam_t proc_t:file { getattr read };
allow freshclam_t urandom_device_t:chr_file { getattr read };
dontaudit freshclam_t urandom_device_t:chr_file ioctl;
# for nscd lookups (silence the var_run_t directory search rather than allow it)
dontaudit freshclam_t var_run_t:dir search;
# setuid/setgid capabilities are used (although they may not be required...)
allow freshclam_t self:capability { setgid setuid };
allow freshclam_t sbin_t:dir search;
# Allow freshclam to notify clamd that the virus database has changed
can_clamd_connect(freshclam)
allow freshclam_t etc_runtime_t:file { read getattr };
allow freshclam_t self:unix_stream_socket create_stream_socket_perms;
allow freshclam_t self:unix_dgram_socket create_socket_perms;
allow freshclam_t self:fifo_file rw_file_perms;
# Log files for the freshclam domain (freshclam_log_t)
logdir_domain(freshclam)
allow initrc_t freshclam_log_t:file append;
system_crond_entry(freshclam_exec_t, freshclam_t)
domain_auto_trans(logrotate_t, freshclam_exec_t, freshclam_t)
domain_auto_trans(sysadm_t, freshclam_exec_t, freshclam_t)
role sysadm_r types freshclam_t;
# user_clamscan_domain() is defined in macros/program/clamav_macros.te.
user_clamscan_domain(sysadm)
# clamd daemon domain and executable
daemon_domain(clamd)
tmp_domain(clamd)
logdir_domain(clamd)
file_type_auto_trans(clamd_t, var_run_t, clamd_var_run_t, sock_file)
allow clamd_t self:capability { kill setgid setuid };
allow clamd_t var_lib_t:dir search;
r_dir_file(clamd_t, clamav_var_lib_t)
r_dir_file(clamd_t, etc_t)
# allow read access to /proc/sys/kernel/version
read_sysctl(clamd_t)
allow clamd_t self:unix_stream_socket create_stream_socket_perms;
allow clamd_t self:unix_dgram_socket create_stream_socket_perms;
allow clamd_t self:fifo_file rw_file_perms;
allow clamd_t { random_device_t urandom_device_t }:chr_file { getattr read };
dontaudit clamd_t { random_device_t urandom_device_t }:chr_file ioctl;