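#DESC CLAM - Anti-virus program
#
# Author: Brian May <bam@snoopy.apana.org.au>
# X-Debian-Packages: clamav
#

#################################
#
# Rules for the clamscan_t domain.
#
# This file also holds the freshclam_t (signature updater) and clamd_t
# (scanning daemon) domains; the clamscan_t rules themselves come from
# the user_clamscan_domain() macro invoked below.

# Virus database
type clamav_var_lib_t, file_type, sysadmfile;

# clamscan_t is the domain of the clamscan virus scanner
type clamscan_exec_t, file_type, sysadmfile, exec_type;

##########
##########

#
# Freshclam
#

daemon_base_domain(freshclam, `, web_client_domain')
read_locale(freshclam_t)

# not sure why it needs this
read_sysctl(freshclam_t)

# Outbound HTTP for signature downloads; only client-side permissions
# are granted on http_port_t here.
can_network_client_tcp(freshclam_t, http_port_t);
allow freshclam_t http_port_t:tcp_socket name_connect;
can_resolve(freshclam_t)
can_ypbind(freshclam_t)

# Access virus signatures
# freshclam_t is the only domain in this file that may write the
# signature directory; clamd_t and clamscan get read-only access.
allow freshclam_t { var_t var_lib_t }:dir search;
rw_dir_create_file(freshclam_t, clamav_var_lib_t)

allow freshclam_t devtty_t:chr_file { read write };
allow freshclam_t devpts_t:dir search;
allow freshclam_t etc_t:file { getattr read };
allow freshclam_t proc_t:file { getattr read };

allow freshclam_t urandom_device_t:chr_file { getattr read };
dontaudit freshclam_t urandom_device_t:chr_file ioctl;

# for nscd
dontaudit freshclam_t var_run_t:dir search;

# setuid/getuid used (although maybe not required...)
# NOTE(review): presumably used to drop privileges after start-up;
# confirm against the shipped freshclam before narrowing these.
allow freshclam_t self:capability { setgid setuid };

allow freshclam_t sbin_t:dir search;

# Allow notification to daemon that virus database has changed
can_clamd_connect(freshclam)

allow freshclam_t etc_runtime_t:file { read getattr };
allow freshclam_t self:unix_stream_socket create_stream_socket_perms;
allow freshclam_t self:unix_dgram_socket create_socket_perms;
allow freshclam_t self:fifo_file rw_file_perms;

# Log files for freshclam executable
logdir_domain(freshclam)
# init scripts may append to (but not read or truncate) the log
allow initrc_t freshclam_log_t:file append;

# Pid files for freshclam
allow initrc_t clamd_var_run_t:file { create setattr };

system_crond_entry(freshclam_exec_t, freshclam_t)
domain_auto_trans(logrotate_t, freshclam_exec_t, freshclam_t)

domain_auto_trans(sysadm_t, freshclam_exec_t, freshclam_t)
role sysadm_r types freshclam_t;

create_dir_file(freshclam_t, clamd_var_run_t)

##########
##########

#
# Clamscan
#

# user_clamscan_domain() is defined in macros/program/clamav_macros.te.
user_clamscan_domain(sysadm)

##########
##########

#
# Clamd
#

type clamd_sock_t, file_type, sysadmfile;

# clamd executable
daemon_domain(clamd)

tmp_domain(clamd)

# The dir containing the clamd log files is labelled freshclam_log_t
logdir_domain(clamd)
allow clamd_t freshclam_log_t:dir search;

# dac_override is the broadest capability granted in this file: it lets
# clamd_t bypass DAC ownership checks on the files it scans.
# NOTE(review): confirm the shipped clamd configuration still needs it.
allow clamd_t self:capability { kill setgid setuid dac_override };

# Give the clamd local communications socket a unique type
ifdef(`distro_debian', `
file_type_auto_trans(clamd_t, var_run_t, clamd_sock_t, sock_file)
')
ifdef(`distro_redhat', `
file_type_auto_trans(clamd_t, clamd_var_run_t, clamd_sock_t, sock_file)
')

# Clamd can be configured to listen on a TCP port.
# Only name_bind on clamd_port_t is granted; clamd_t gets no
# name_connect to client ports in this file.
can_network_server_tcp(clamd_t, clamd_port_t)
allow clamd_t clamd_port_t:tcp_socket name_bind;
# NOTE(review): trailing ';' differs from can_resolve(freshclam_t)
# above; harmless only if the macro expansion tolerates it.
can_resolve(clamd_t);

# Read-only access to the signature database written by freshclam_t
allow clamd_t var_lib_t:dir search;
r_dir_file(clamd_t, clamav_var_lib_t)
r_dir_file(clamd_t, etc_t)
# allow access /proc/sys/kernel/version
read_sysctl(clamd_t)
allow clamd_t self:unix_stream_socket create_stream_socket_perms;
# NOTE(review): dgram sockets do not listen/accept; freshclam_t uses
# create_socket_perms for its dgram socket above, which is the tighter
# set and would be consistent here.
allow clamd_t self:unix_dgram_socket create_stream_socket_perms;
allow clamd_t self:fifo_file rw_file_perms;

allow clamd_t { random_device_t urandom_device_t }:chr_file { getattr read };
dontaudit clamd_t { random_device_t urandom_device_t }:chr_file ioctl;


##########
##########

#
# Interaction with external programs
#

# amavisd reaches clamd only over the local Unix socket: search the
# runtime dir, connect to clamd_t's stream socket, write the sock_file.
# No TCP path to clamd_port_t is granted to amavisd_t here.
ifdef(`amavis.te',`
allow amavisd_t clamd_var_run_t:dir search;
allow amavisd_t clamd_t:unix_stream_socket connectto;
allow amavisd_t clamd_sock_t:sock_file write;
')
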