Create an attribute for types that clamd_t and clamscan_t can read (for scanning purposes) rather than require clamav.te to be modified.

Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
---
 policy/modules/services/amavis.te | 1 +
 policy/modules/services/apache.te | 1 +
 policy/modules/services/clamav.if | 18 ++++++++++++++++++
 policy/modules/services/clamav.te | 23 +++++++++--------------
 policy/modules/services/exim.te | 1 +
 policy/modules/services/mta.te | 1 +
 6 files changed, 31 insertions(+), 14 deletions(-)

diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index 9517486e..59d87259 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -152,6 +152,7 @@ tunable_policy(`amavis_use_jit',`
 ')
 
 optional_policy(`
+ clamav_scannable_files(amavis_spool_t)
 clamav_stream_connect(amavis_t)
 clamav_domtrans_clamscan(amavis_t)
 clamav_read_state_clamd(amavis_t)
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index d1fbeb17..5cb38386 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1323,6 +1323,7 @@ tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
 
 optional_policy(`
 clamav_domtrans_clamscan(httpd_sys_script_t)
+ clamav_scannable_files(httpd_sys_content_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 80ac5c1e..d1296fcc 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
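Review bot: `clamav_scannable_files(httpd_sys_content_t)` in the apache.te hunk grants read access to web content to clamd_t as well, whereas the `apache_read_sys_content(clamscan_t)` call this series removes from clamav.te granted it only to the one-shot clamscan_t domain. Because the attribute is read by both domains, every type marked scannable is opened to the long-running daemon, which the commit message ("rather than require clamav.te to be modified") does not mention. If the httpd use case is only the `clamav_domtrans_clamscan(httpd_sys_script_t)` path shown two lines above, consider keeping the narrower `apache_read_sys_content(clamscan_t)` instead, or at least state the widening in the commit message so it is a deliberate choice.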
@@ -205,6 +205,24 @@ interface(`clamav_read_signatures',`
 read_lnk_files_pattern($1, clamd_var_lib_t, clamd_var_lib_t)
 ')
 
+#######################################
+## <summary>
+## Denote a particular type to be scanned by ClamAV
+## </summary>
+## <param name="domain">
+## <summary>
+## Type that clamd_t and clamscan_t can read.
+## </summary>
+## </param>
+#
+interface(`clamav_scannable_files',`
+ gen_require(`
+ attribute clam_scannable_type;
+ ')
+
+ typeattribute $1 clam_scannable_type;
+')
+
 ########################################
 ## <summary>
 ## All of the rules required to
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index a2f30133..b63503f1 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -27,6 +27,7 @@ gen_tunable(clamd_use_jit, false)
 #
 # Declarations
 #
+attribute clam_scannable_type;
 
 type clamd_t;
 type clamd_exec_t;
@@ -103,6 +104,10 @@ manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
 manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
 files_pid_filetrans(clamd_t, clamd_var_run_t, { dir file sock_file })
 
+read_files_pattern(clamd_t, clam_scannable_type, clam_scannable_type)
+read_lnk_files_pattern(clamd_t, clam_scannable_type, clam_scannable_type)
+list_dirs_pattern(clamd_t, clam_scannable_type, clam_scannable_type)
+
 kernel_dontaudit_list_proc(clamd_t)
 kernel_read_crypto_sysctls(clamd_t)
 kernel_read_sysctl(clamd_t)
@@ -152,7 +157,6 @@ tunable_policy(`clamd_use_jit',`
 
 optional_policy(`
 amavis_read_lib_files(clamd_t)
- amavis_read_spool_files(clamd_t)
 amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
 amavis_create_pid_files(clamd_t)
 ')
@@ -163,10 +167,6 @@ optional_policy(`
 cron_rw_pipes(clamd_t)
 ')
 
-optional_policy(`
- exim_read_spool_files(clamd_t)
-')
-
 optional_policy(`
 mta_read_config(clamd_t)
 mta_send_mail(clamd_t)
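Review bot: The `<param name="domain">` label on the new `clamav_scannable_files` interface is wrong for what is passed: every caller in this series hands it a file type (amavis_spool_t, httpd_sys_content_t, exim_spool_t, mqueue_spool_t), not a domain, and refpolicy names such parameters `type`, so the line should read `## <param name="type">`. The summary should also say what the tag actually grants, since the effect is not visible from the interface body: something like `## Mark a file type as scannable by ClamAV: clamd_t and clamscan_t get read, read_lnk and list_dir access to it. Search access to the directories leading to it (e.g. files_search_spool) is not granted here and remains the caller's responsibility.` The last sentence matters because read_files_pattern/list_dirs_pattern only cover the tagged type itself, so a type living under a differently-labelled parent is not reachable through this interface alone.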
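Review bot: The three pattern rules added for clamd_t cover only clam_scannable_type itself; the per-module interfaces they replace (`amavis_read_spool_files`, `exim_read_spool_files`) presumably also granted search on the spool parent (files_search_spool), which nothing in this hunk provides. Unless clamd_t already has `files_search_spool(clamd_t)` elsewhere in clamav.te (not visible in this hunk), the daemon will be denied at var_spool_t before it ever reaches amavis_spool_t or exim_spool_t, and the same applies to mqueue_spool_t, which it is granted for the first time here. Suggest adding `files_search_spool(clamd_t)` next to the new rules, or confirming it is already present and noting that in the commit message. The trailing `+` blank line is fine; refpolicy keeps one empty line between rule groups.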
@@ -274,6 +274,10 @@ manage_dirs_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t)
 manage_files_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t)
 files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { dir file })
 
+read_files_pattern(clamscan_t, clam_scannable_type, clam_scannable_type)
+read_lnk_files_pattern(clamscan_t, clam_scannable_type, clam_scannable_type)
+list_dirs_pattern(clamscan_t, clam_scannable_type, clam_scannable_type)
+
 allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
 manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
 
@@ -320,15 +324,6 @@ tunable_policy(`clamav_read_all_non_security_files_clamscan',`
 files_getattr_all_sockets(clamscan_t)
 ')
 
-optional_policy(`
- amavis_read_spool_files(clamscan_t)
-')
-
-optional_policy(`
- apache_read_sys_content(clamscan_t)
-')
-
 optional_policy(`
 mta_send_mail(clamscan_t)
- mta_read_queue(clamscan_t)
 ')
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index 693ac491..6430aee8 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -189,6 +189,7 @@ tunable_policy(`exim_manage_user_files',`
 
 optional_policy(`
 clamav_domtrans_clamscan(exim_t)
+ clamav_scannable_files(exim_spool_t)
 clamav_stream_connect(exim_t)
 ')
 
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 3b45c48e..c741a461 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -233,6 +233,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+ clamav_scannable_files(mqueue_spool_t)
 clamav_stream_connect(system_mail_t)
 clamav_append_log(system_mail_t)
 ')
-- 
2.14.4
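Review bot: `clamav_scannable_files(exim_spool_t)` in exim.te gives clamscan_t read access to the exim spool for the first time; before this series only clamd_t had it (`exim_read_spool_files(clamd_t)`, removed in clamav.te), and the removed call presumably also carried search on the spool parent directory, which the attribute rules do not. If exim is expected to scan via `clamav_domtrans_clamscan(exim_t)` rather than only via the daemon this is desirable, but it is a new grant and deserves a line in the commit message; if clamscan_t lacks `files_search_spool` it will also not reach /var/spool/exim in practice. The optional_policy block is fully within the hunk.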
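Review bot: `clamav_scannable_files(mqueue_spool_t)` in mta.te extends mail-queue read access to the persistent clamd_t daemon, whereas the removed `mta_read_queue(clamscan_t)` limited it to the short-lived clamscan_t; that is a widening rather than a pure refactor and should be called out in the commit message. The call is also placed in the optional_policy block that otherwise only deals with system_mail_t, so a reader looking for "who can read the queue" will not find it next to the other mqueue_spool_t rules; a one-line comment such as `# clamd_t/clamscan_t read the queue for scanning` above it would help. The optional_policy block is fully within the hunk.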