Chris PeBenito 0fbfa5
#DESC CLAM - Anti-virus program
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Author:  Brian May <bam@snoopy.apana.org.au>
Chris PeBenito 0fbfa5
# X-Debian-Packages: clamav
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Rules for the clamscan_t domain.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Virus database
Chris PeBenito 0fbfa5
type clamav_var_lib_t, file_type, sysadmfile;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# clamscan_t is the domain of the clamscan virus scanner
Chris PeBenito 0fbfa5
type clamscan_exec_t, file_type, sysadmfile, exec_type;
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9
##########
Chris PeBenito 2705f9
##########
Chris PeBenito 2705f9
Chris PeBenito 2705f9
#
Chris PeBenito 2705f9
# Freshclam
Chris PeBenito 2705f9
#
Chris PeBenito 2705f9
Chris PeBenito 2705f9
daemon_base_domain(freshclam, `, web_client_domain')
Chris PeBenito 0fbfa5
read_locale(freshclam_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# not sure why it needs this
Chris PeBenito 0fbfa5
read_sysctl(freshclam_t)
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9
can_network_client_tcp(freshclam_t, http_port_t);
Chris PeBenito 2705f9
allow freshclam_t http_port_t:tcp_socket name_connect;
Chris PeBenito 2705f9
can_resolve(freshclam_t)
Chris PeBenito 0fbfa5
can_ypbind(freshclam_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Access virus signatures
Chris PeBenito 0fbfa5
allow freshclam_t { var_t var_lib_t }:dir search;
Chris PeBenito 0fbfa5
rw_dir_create_file(freshclam_t, clamav_var_lib_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow freshclam_t devtty_t:chr_file { read write };
Chris PeBenito 0fbfa5
allow freshclam_t devpts_t:dir search;
Chris PeBenito 0fbfa5
allow freshclam_t etc_t:file { getattr read };
Chris PeBenito 0fbfa5
allow freshclam_t proc_t:file { getattr read };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow freshclam_t urandom_device_t:chr_file { getattr read };
Chris PeBenito 0fbfa5
dontaudit freshclam_t urandom_device_t:chr_file ioctl;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for nscd
Chris PeBenito 0fbfa5
dontaudit freshclam_t var_run_t:dir search;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# setuid/getuid used (although maybe not required...)
Chris PeBenito 0fbfa5
allow freshclam_t self:capability { setgid setuid };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow freshclam_t sbin_t:dir search;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Allow notification to daemon that virus database has changed
Chris PeBenito 0fbfa5
can_clamd_connect(freshclam)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow freshclam_t etc_runtime_t:file { read getattr };
Chris PeBenito 0fbfa5
allow freshclam_t self:unix_stream_socket create_stream_socket_perms;
Chris PeBenito 0fbfa5
allow freshclam_t self:unix_dgram_socket create_socket_perms;
Chris PeBenito 0fbfa5
allow freshclam_t self:fifo_file rw_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Log files for freshclam executable
Chris PeBenito 0fbfa5
logdir_domain(freshclam)
Chris PeBenito 0fbfa5
allow initrc_t freshclam_log_t:file append;
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9
# Pid files for freshclam
Chris PeBenito 2705f9
allow initrc_t clamd_var_run_t:file { create setattr };
Chris PeBenito 2705f9
Chris PeBenito 0fbfa5
system_crond_entry(freshclam_exec_t, freshclam_t)
Chris PeBenito 0fbfa5
domain_auto_trans(logrotate_t, freshclam_exec_t, freshclam_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
domain_auto_trans(sysadm_t, freshclam_exec_t, freshclam_t)
Chris PeBenito 0fbfa5
role sysadm_r types freshclam_t;
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9
create_dir_file(freshclam_t, clamd_var_run_t)
Chris PeBenito 2705f9
Chris PeBenito 2705f9
##########
Chris PeBenito 2705f9
##########
Chris PeBenito 2705f9
Chris PeBenito 2705f9
#
Chris PeBenito 2705f9
# Clamscan
Chris PeBenito 2705f9
#
Chris PeBenito 2705f9
Chris PeBenito 0fbfa5
# macros/program/clamav_macros.te.
Chris PeBenito 0fbfa5
user_clamscan_domain(sysadm)
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9
##########
Chris PeBenito 2705f9
##########
Chris PeBenito 2705f9
Chris PeBenito 2705f9
#
Chris PeBenito 2705f9
# Clamd
Chris PeBenito 2705f9
#
Chris PeBenito 2705f9
Chris PeBenito 2705f9
type clamd_sock_t, file_type, sysadmfile;
Chris PeBenito 2705f9
Chris PeBenito 0fbfa5
# clamd executable
Chris PeBenito 0fbfa5
daemon_domain(clamd)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
tmp_domain(clamd)
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# The dir containing the clamd log files is labelled freshclam_t
Chris PeBenito 0fbfa5
logdir_domain(clamd)
Chris PeBenito 2705f9
allow clamd_t freshclam_log_t:dir search;
Chris PeBenito 2705f9
Chris PeBenito 2705f9
allow clamd_t self:capability { kill setgid setuid dac_override };
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9
# Give the clamd local communications socket a unique type
Chris PeBenito 2705f9
ifdef(`distro_debian', `
Chris PeBenito 2705f9
file_type_auto_trans(clamd_t, var_run_t, clamd_sock_t, sock_file)
Chris PeBenito 2705f9
')
Chris PeBenito 2705f9
ifdef(`distro_redhat', `
Chris PeBenito 2705f9
file_type_auto_trans(clamd_t, clamd_var_run_t, clamd_sock_t, sock_file)
Chris PeBenito 2705f9
')
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9
# Clamd can be configured to listen on a TCP port.
Chris PeBenito 2705f9
can_network_server_tcp(clamd_t, clamd_port_t)
Chris PeBenito 2705f9
allow clamd_t clamd_port_t:tcp_socket name_bind;
Chris PeBenito 2705f9
can_resolve(clamd_t);
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow clamd_t var_lib_t:dir search;
Chris PeBenito 0fbfa5
r_dir_file(clamd_t, clamav_var_lib_t)
Chris PeBenito 0fbfa5
r_dir_file(clamd_t, etc_t)
Chris PeBenito 0fbfa5
# allow access /proc/sys/kernel/version
Chris PeBenito 0fbfa5
read_sysctl(clamd_t)
Chris PeBenito 0fbfa5
allow clamd_t self:unix_stream_socket create_stream_socket_perms;
Chris PeBenito 0fbfa5
allow clamd_t self:unix_dgram_socket create_stream_socket_perms;
Chris PeBenito 0fbfa5
allow clamd_t self:fifo_file rw_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow clamd_t { random_device_t urandom_device_t }:chr_file { getattr read };
Chris PeBenito 0fbfa5
dontaudit clamd_t { random_device_t urandom_device_t }:chr_file ioctl;
Chris PeBenito 2705f9
Chris PeBenito 2705f9
Chris PeBenito 2705f9
##########
Chris PeBenito 2705f9
##########
Chris PeBenito 2705f9
Chris PeBenito 2705f9
#
Chris PeBenito 2705f9
# Interaction with external programs
Chris PeBenito 2705f9
#
Chris PeBenito 2705f9
Chris PeBenito 2705f9
ifdef(`amavis.te',`
Chris PeBenito 2705f9
allow amavisd_t clamd_var_run_t:dir search;
Chris PeBenito 2705f9
allow amavisd_t clamd_t:unix_stream_socket connectto;
Chris PeBenito 2705f9
allow amavisd_t clamd_sock_t:sock_file write;
Chris PeBenito 2705f9
')
Chris PeBenito 2705f9