#DESC Scannerdaemon - Virus scanner daemon

#

# Author:  Brian May <bam@snoopy.apana.org.au>

# X-Debian-Packages:

#

#################################

#

# Rules for the scannerdaemon_t domain.

#

type scannerdaemon_etc_t, file_type, sysadmfile;

#networking

daemon_domain(scannerdaemon)

can_network_server(scannerdaemon_t)

ifdef(`postfix.te',

`can_tcp_connect(postfix_bounce_t,scannerdaemon_t);')

# for testing

can_tcp_connect(sysadm_t,scannerdaemon_t)

# Can create unix sockets

allow scannerdaemon_t self:unix_stream_socket create_stream_socket_perms;

# Access config files (libc6).

allow scannerdaemon_t etc_t:file r_file_perms;

allow scannerdaemon_t etc_t:lnk_file r_file_perms;

allow scannerdaemon_t proc_t:file r_file_perms;

allow scannerdaemon_t etc_runtime_t:file r_file_perms;

# Access config files (scannerdaemon).

allow scannerdaemon_t scannerdaemon_etc_t:file r_file_perms;

# Access signature files.

ifdef(`oav-update.te',`

allow scannerdaemon_t oav_update_var_lib_t:dir r_dir_perms;

allow scannerdaemon_t oav_update_var_lib_t:file r_file_perms;

')

log_domain(scannerdaemon)

ifdef(`logrotate.te', `

allow logrotate_t scannerdaemon_log_t:file create_file_perms;

')

# Can run kaffe

# Run helper programs.

can_exec_any(scannerdaemon_t)

allow scannerdaemon_t var_lib_t:dir search;

allow scannerdaemon_t { sbin_t bin_t }:dir search;

allow scannerdaemon_t bin_t:lnk_file read;

# unknown stuff

allow scannerdaemon_t self:fifo_file { read write };

# broken stuff

dontaudit scannerdaemon_t sysadm_home_dir_t:dir search;

dontaudit scannerdaemon_t devtty_t:chr_file { read write };

dontaudit scannerdaemon_t shadow_t:file { read getattr };