On 1/12/19 2:34 PM, Chris PeBenito wrote:
> On 1/11/19 10:30 AM, Sugar, David wrote:
>> ClamAV configuration controls where temporary files are stored.
>> Default is /tmp but the configuration option 'TemporaryDirectory'
>> allows for this location to be changed. This change allows for
>> the type of this directory to be something other than 'tmp_t'
>> and have files created in this directory still be clamd_tmp_t.
>
> In this case, it would seem to be more appropriate to simply label this
> alternative tmp directory as clamd_tmp_t.
>
In this case the directory wasn't labeled clamd_tmp_t and was labeled
for primary access by program controlling files sent to clamd. I was
just adding this as a directory for clam to use as temp files also. I
have altered the configuration a bit more to make the temp directory for
clam elsewhere (on the same partition) and labeled it clamd_tmp_t. This
should work for our use case at this point without this patch. And this
patch can be ignored.
>
>> Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
>> ---
>> policy/modules/services/clamav.if | 29 +++++++++++++++++++++++++++++
>> policy/modules/services/clamav.te | 2 ++
>> 2 files changed, 31 insertions(+)
>>
>> diff --git a/policy/modules/services/clamav.if
>> b/policy/modules/services/clamav.if
>> index 7b6df49e..a8d1603c 100644
>> --- a/policy/modules/services/clamav.if
>> +++ b/policy/modules/services/clamav.if
>> @@ -225,6 +225,35 @@ interface(`clamav_scannable_files',`
>> typeattribute $1 clam_scannable_type;
>> ')
>> +#######################################
>> +## <summary>
>> +## Denote a particular directory type to
>> +## be a temporary working directory for ClamAV
>> +## </summary>
>> +## <desc>
>> +## <p>
>> +## Allow the specified domain to be a directory to be
>> +## used by ClamAV for temp files. This is only needed
>> +## if the TemporaryDirectory in the clamd.conf is
>> +## modified to point to a directory that is not already
>> +## labeled tmp_t.
>> +## </p>
>> +## </desc>
>> +## <param name="domain">
>> +## <summary>
>> +## Type of directory to hold clamd temp files.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`clamav_temp_dir',`
>> + gen_require(`
>> + attribute clam_tmp_type;
>> + ')
>> +
>> + typeattribute $1 clam_tmp_type;
>> +')
>> +
>> +
>> ########################################
>> ## <summary>
>> ## Allow specified domain to enable clamd units
>> diff --git a/policy/modules/services/clamav.te
>> b/policy/modules/services/clamav.te
>> index 84a0bc76..6fc9cc7e 100644
>> --- a/policy/modules/services/clamav.te
>> +++ b/policy/modules/services/clamav.te
>> @@ -28,6 +28,7 @@ gen_tunable(clamd_use_jit, false)
>> # Declarations
>> #
>> attribute clam_scannable_type;
>> +attribute clam_tmp_type;
>> type clamd_t;
>> type clamd_exec_t;
>> @@ -88,6 +89,7 @@ read_lnk_files_pattern(clamd_t, clamd_etc_t,
>> clamd_etc_t)
>> manage_dirs_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
>> manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
>> files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
>> +filetrans_pattern(clamd_t, clam_tmp_type, clamd_tmp_t, { file dir })
>> manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
>> manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
>>
>
>
