From ad0aea536bdb85dcc9d7b410d219eeda73281a12 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Jul 21 2009 14:10:31 +0000
Subject: clamav patch from dan.
---
diff --git a/policy/modules/services/clamav.fc b/policy/modules/services/clamav.fc
index 0455984..e8e9a21 100644
--- a/policy/modules/services/clamav.fc
+++ b/policy/modules/services/clamav.fc
@@ -1,20 +1,20 @@
 /etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0)
+/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
 /usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
 /usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
 /usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
 /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
+/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
-/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
-/var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
-/var/run/clamd\..* gen_context(system_u:object_r:clamd_var_run_t,s0)
-/var/run/clamav\..* gen_context(system_u:object_r:clamd_var_run_t,s0)
-
+/var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
 /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
-
-/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0)
-/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0)
+/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0)
 /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
-
+/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0)
+/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/run/clamav.* gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0)
 /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index e1ab69e..e5f35e8 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
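Review bot: `/var/spool/MailScanner(/.*)?` is labeled `clamd_var_run_t`, the pid/socket type this file otherwise reserves for `/var/run/clam*` and the amavis socket; giving a third-party mail spool that label means every rule that grants access to clamd's run files (for example `admin_pattern($1, clamd_var_run_t)` in `clamav_admin`) silently covers MailScanner's queue as well. If clamd only needs to read what MailScanner hands it, a dedicated type or an interface exported by a MailScanner module keeps the spool's access policy separate; at minimum a comment above the entry saying why the spool shares the run-file type would help the next reader. The same hunk labels `/usr/sbin/clamav-milter` as `clamd_exec_t`, so the milter runs in `clamd_t` and inherits every permission that domain gains in clamav.te instead of getting a domain of its own.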
@@ -38,6 +38,27 @@ interface(`clamav_stream_connect',`
 ########################################
 ##
+## Allow the specified domain to append
+## to clamav log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`clamav_append_log',`
+ gen_require(`
+ type clamav_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 clamav_log_t:dir list_dir_perms;
+ append_files_pattern($1, clamav_log_t, clamav_log_t)
+')
+
+########################################
+##
 ## Read clamav configuration files.
 ##
 ##
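Review bot: `clamav_append_log` requires and uses `clamav_log_t`, but no such type appears anywhere in this commit: clamav.te's log type is `clamd_var_log_t`, which is the one `clamav_admin` requires and the one clamav.fc assigns to `/var/log/clamav.*` and `/var/log/clamd.*`. Any module that calls this interface will fail at build time on the unresolved `gen_require`, or, if a `clamav_log_t` is declared elsewhere, be granted append on a type no log file is labeled with. The fix is `type clamd_var_log_t;`, `allow $1 clamd_var_log_t:dir list_dir_perms;` and `append_files_pattern($1, clamd_var_log_t, clamd_var_log_t)`.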
@@ -91,3 +112,81 @@ interface(`clamav_domtrans_clamscan',`
 domtrans_pattern($1, clamscan_exec_t, clamscan_t)
 ')
+
+########################################
+##
+## Execute clamscan without a transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`clamav_exec_clamscan',`
+ gen_require(`
+ type clamscan_exec_t;
+ ')
+
+ can_exec($1, clamscan_exec_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an clamav environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the clamav domain.
+##
+##
+##
+#
+interface(`clamav_admin',`
+ gen_require(`
+ type clamd_t, clamd_etc_t, clamd_tmp_t;
+ type clamd_var_log_t, clamd_var_lib_t;
+ type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
+ type clamd_initrc_exec_t;
+ type freshclam_t, freshclam_var_log_t;
+ ')
+
+ allow $1 clamd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, clamd_t)
+
+ allow $1 clamscan_t:process { ptrace signal_perms };
+ ps_process_pattern($1, clamscan_t)
+
+ allow $1 freshclam_t:process { ptrace signal_perms };
+ ps_process_pattern($1, freshclam_t)
+
+ init_labeled_script_domtrans($1, clamd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 clamd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, clamd_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, clamd_var_lib_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, clamd_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, clamd_var_run_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, clamd_tmp_t)
+
+ admin_pattern($1, clamscan_tmp_t)
+
+ admin_pattern($1, freshclam_var_log_t)
+')
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index 0ecdf66..77855b4 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
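Review bot: `clamav_admin` grants `ptrace` on `clamd_t`, `clamscan_t` and `freshclam_t` next to `signal_perms`; ptrace gives the admin domain read and write access to those processes' memory, which is far more than the `ps_process_pattern`, signal and init-script rules in the rest of the interface need to start, stop and inspect the daemons. If the intent is only service control, `allow $1 clamd_t:process signal_perms;` (and the same for the other two domains) is the tighter grant; if ptrace is kept to match other `*_admin` interfaces, a one-line comment saying so would make the choice deliberate rather than accidental. The summary also reads `an clamav environment`; `a clamav environment` is the intended wording.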
@@ -1,5 +1,5 @@
-policy_module(clamav, 1.6.2)
+policy_module(clamav, 1.6.3)
 ########################################
 #
@@ -13,7 +13,10 @@ init_daemon_domain(clamd_t, clamd_exec_t)
 # configuration files
 type clamd_etc_t;
-files_type(clamd_etc_t)
+files_config_file(clamd_etc_t)
+
+type clamd_initrc_exec_t;
+init_script_file(clamd_initrc_exec_t)
 # tmp files
 type clamd_tmp_t;
@@ -55,7 +58,7 @@ logging_log_file(freshclam_var_log_t)
 allow clamd_t self:capability { kill setgid setuid dac_override };
 allow clamd_t self:fifo_file rw_fifo_file_perms;
-allow clamd_t self:unix_stream_socket create_stream_socket_perms;
+allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow clamd_t self:unix_dgram_socket create_socket_perms;
 allow clamd_t self:tcp_socket { listen accept };
@@ -87,6 +90,9 @@ files_pid_filetrans(clamd_t, clamd_var_run_t, { file dir })
 kernel_dontaudit_list_proc(clamd_t)
 kernel_read_sysctl(clamd_t)
 kernel_read_kernel_sysctls(clamd_t)
+kernel_read_system_state(clamd_t)
+
+corecmd_exec_shell(clamd_t)
 corenet_all_recvfrom_unlabeled(clamd_t)
 corenet_all_recvfrom_netlabel(clamd_t)
@@ -96,6 +102,8 @@ corenet_tcp_sendrecv_all_ports(clamd_t)
 corenet_tcp_sendrecv_clamd_port(clamd_t)
 corenet_tcp_bind_generic_node(clamd_t)
 corenet_tcp_bind_clamd_port(clamd_t)
+corenet_tcp_bind_generic_port(clamd_t)
+corenet_tcp_connect_generic_port(clamd_t)
 corenet_sendrecv_clamd_server_packets(clamd_t)
 dev_read_rand(clamd_t)
@@ -117,6 +125,9 @@ cron_use_fds(clamd_t)
 cron_use_system_job_fds(clamd_t)
 cron_rw_pipes(clamd_t)
+mta_read_config(clamd_t)
+mta_send_mail(clamd_t)
+
 optional_policy(`
 amavis_read_lib_files(clamd_t)
 amavis_read_spool_files(clamd_t)
@@ -124,6 +135,10 @@ optional_policy(`
 amavis_create_pid_files(clamd_t)
 ')
+optional_policy(`
+ exim_read_spool_files(clamd_t)
+')
+
 ########################################
 #
 # Freshclam local policy
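Review bot: `corecmd_exec_shell(clamd_t)` in the hunk at `@@ -87,6 +90,9` lets the network-facing scanner daemon execute a shell, and neither the hunk nor the surrounding comments say which feature needs it, so a later audit of `clamd_t` cannot tell whether the rule is still required. Add a comment above it naming the trigger (if it is clamd's configured event/notification command, something like `# clamd runs the configured virus-event command through the shell`), or gate the rule behind a tunable so sites that use no such hook keep it off; `mta_read_config(clamd_t)` and `mta_send_mail(clamd_t)` in the hunk at `@@ -117,6 +125,9` deserve the same one-line justification.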
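Review bot: `corenet_tcp_bind_generic_port(clamd_t)` and `corenet_tcp_connect_generic_port(clamd_t)` in the hunk at `@@ -96,6 +102,8` widen `clamd_t` from the dedicated clamd port, already bound on the line above, to any generic TCP port, and because clamav.fc now labels `/usr/sbin/clamav-milter` as `clamd_exec_t`, the milter and the scanner daemon share this one domain and this widened network footprint. If the generic-port rules exist for the milter's connection to the MTA, a separate milter domain would keep clamd itself confined to its own port; failing that, a comment naming the peer these rules serve, e.g. `# clamav-milter: MTA milter connection`, would at least record why the scanner needs them.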
@@ -191,7 +206,7 @@ allow clamscan_t self:capability { setgid setuid dac_override };
 allow clamscan_t self:fifo_file rw_file_perms;
 allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
 allow clamscan_t self:unix_dgram_socket create_socket_perms;
-allow clamscan_t self:tcp_socket { listen accept };
+allow clamscan_t self:tcp_socket create_stream_socket_perms;
 # configuration files
 allow clamscan_t clamd_etc_t:dir list_dir_perms;
@@ -207,6 +222,14 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
 manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
 allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
+corenet_all_recvfrom_unlabeled(clamscan_t)
+corenet_all_recvfrom_netlabel(clamscan_t)
+corenet_tcp_sendrecv_generic_if(clamscan_t)
+corenet_tcp_sendrecv_generic_node(clamscan_t)
+corenet_tcp_sendrecv_all_ports(clamscan_t)
+corenet_tcp_sendrecv_clamd_port(clamscan_t)
+corenet_tcp_connect_clamd_port(clamscan_t)
+
 kernel_read_kernel_sysctls(clamscan_t)
 files_read_etc_files(clamscan_t)
@@ -221,6 +244,8 @@ miscfiles_read_public_files(clamscan_t)
 clamav_stream_connect(clamscan_t)
+mta_send_mail(clamscan_t)
+
 optional_policy(`
 apache_read_sys_content(clamscan_t)
 ')
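Review bot: In the hunk at `@@ -207,6 +222,14`, `corenet_tcp_sendrecv_all_ports(clamscan_t)` already covers `corenet_tcp_sendrecv_clamd_port(clamscan_t)` on the next line, so one of the two is redundant, and the only connect rule added is `corenet_tcp_connect_clamd_port(clamscan_t)`; dropping the all-ports line keeps the scanner's TCP reach at the single clamd port it actually talks to. The pairing mirrors the existing `clamd_t` block (`corenet_tcp_sendrecv_all_ports(clamd_t)` is visible in the clamav.te hunk header above), so if it is kept for consistency a short comment saying so would stop the next reader from treating it as a mistake. Note also that the first hunk replaces `{ listen accept }` with `create_stream_socket_perms`, which still contains listen and accept, so `clamscan_t` keeps server-socket ability; if clamdscan only needs a client connection to clamd, `create_socket_perms` is the narrower set.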