On 1/11/19 10:30 AM, Sugar, David wrote:
ClamAV's configuration controls where temporary files are stored.
The default is /tmp, but the 'TemporaryDirectory' option in clamd.conf
allows this location to be changed. This change allows the type of
that directory to be something other than 'tmp_t' while files created
in it are still labeled clamd_tmp_t.
In this case, it would seem to be more appropriate to simply label this
alternative tmp directory as clamd_tmp_t.
Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
---
policy/modules/services/clamav.if | 29 +++++++++++++++++++++++++++++
policy/modules/services/clamav.te | 2 ++
2 files changed, 31 insertions(+)
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 7b6df49e..a8d1603c 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -225,6 +225,35 @@ interface(`clamav_scannable_files',`
typeattribute $1 clam_scannable_type;
')
+#######################################
+## <summary>
+## Denote a particular directory type to
+## be a temporary working directory for ClamAV
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to be a directory to be
+## used by ClamAV for temp files. This is only needed
+## if the TemporaryDirectory in the clamd.conf is
+## modified to point to a directory that is not already
+## labeled tmp_t.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type of directory to hold clamd temp files.
+## </summary>
+## </param>
+#
+interface(`clamav_temp_dir',`
+ gen_require(`
+ attribute clam_tmp_type;
+ ')
+
+ typeattribute $1 clam_tmp_type;
+')
+
+
########################################
## <summary>
## Allow specified domain to enable clamd units
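Review bot: The parameter block `<param name="domain">` in the new `clamav_temp_dir` interface documents a file type as if it were a process domain; the argument is made a member of `clam_tmp_type` and matched against directories, so it should read `<param name="type">` with the summary `Type of the directory ClamAV uses for temporary files.`. The `<desc>` sentence "Allow the specified domain to be a directory to be used by ClamAV" carries the same confusion and could be `Mark the specified directory type as a ClamAV temporary working directory, so files and directories clamd creates there are labeled clamd_tmp_t.`. Since the .te side pairs this attribute with filetrans_pattern, which in refpolicy's misc_patterns.spt also grants rw_dir_perms on the parent type, the description should warn callers to pass a dedicated type for the configured TemporaryDirectory rather than a broadly used one, otherwise clamd_t gains read/write access to every directory of that type. The two added blank lines before the next interface header are one more than the spacing used between the surrounding interfaces.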
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index 84a0bc76..6fc9cc7e 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -28,6 +28,7 @@ gen_tunable(clamd_use_jit, false)
# Declarations
#
attribute clam_scannable_type;
+attribute clam_tmp_type;
type clamd_t;
type clamd_exec_t;
@@ -88,6 +89,7 @@ read_lnk_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t)
manage_dirs_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
+filetrans_pattern(clamd_t, clam_tmp_type, clamd_tmp_t, { file dir })
manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
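Review bot: The new `filetrans_pattern(clamd_t, clam_tmp_type, clamd_tmp_t, { file dir })` grants clamd_t rw_dir_perms on every directory labeled with any type in clam_tmp_type, not only the one configured as TemporaryDirectory, because refpolicy's filetrans_pattern macro pairs the type_transition with `allow $1 $2:dir rw_dir_perms;` — an attribute-wide grant, whereas the `files_tmp_filetrans` line just above stays bounded to tmp_t. If a caller passes a widely used type through `clamav_temp_dir`, clamd_t can then create and remove entries in all directories of that type, so a comment such as `# rw_dir_perms on every dir of clam_tmp_type; callers should use a dedicated type` would make the trade-off visible at the rule. Nothing in this hunk allows clamd_t to search the path components leading to a non-/tmp directory, so depending on where the directory lives the caller may still need a separate search rule; that is inferred from the visible rules, not from the rest of the module.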
--
Chris PeBenito