This allows a process connecting to a local clamd server to send an open file descriptor for A/V scanning. This still requires the file type to be readable by clamd. Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx> --- policy/modules/services/clamav.if | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if index 2adb1230..7b6df49e 100644 --- a/policy/modules/services/clamav.if +++ b/policy/modules/services/clamav.if @@ -35,6 +35,8 @@ interface(`clamav_stream_connect',` type clamd_t, clamd_var_run_t; ') + allow clamd_t $1:fd use; + files_search_pids($1) stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t) ') -- 2.14.4
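Review bot: The added `allow clamd_t $1:fd use;` sits inside `clamav_stream_connect`, so every domain that calls this interface now lets clamd_t use its file descriptors, including callers that only connect to the socket and never pass a descriptor. Consider moving the rule into a separate interface that only fd-passing clients call. If it stays here, update the interface's summary comment to say that it also grants clamd_t `fd use` on the caller. As the commit message notes, clamd_t still needs read access to the type of the passed file, and the interface documentation should say so, so callers know what else to grant.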