Currently freshclam can only be started from cron or init. This adds the option of starting from a different process and optionally transitioning or staying in the callers domain.
Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
---
policy/modules/services/clamav.if | 64 +++++++++++++++++++++++++++++++
1 file changed, 64 insertions(+)
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 0dc1e23c..30d0b814 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -251,6 +251,70 @@ interface(`clamav_scannable_files',`
 typeattribute $1 clam_scannable_type;
 ')
 
+########################################
+## <summary>
+## Execute a domain transition to run freshclam.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`clamav_domtrans_freshclam',`
+ gen_require(`
+ type freshclam_t, freshclam_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, freshclam_exec_t, freshclam_t)
+')
+
+########################################
+## <summary>
+## Execute freshclam in the freshclam domain, and
+## allow the specified role the freshclam domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`clamav_run_freshclam',`
+ gen_require(`
+ type freshclam_t;
+ ')
+
+ clamav_domtrans_freshclam($1)
+ role $2 types freshclam_t;
+')
+
+########################################
+## <summary>
+## Execute freshclam in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_exec_freshclam',`
+ gen_require(`
+ type freshclam_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, freshclam_exec_t)
+')
+
 ########################################
 ## <summary>
 ## Allow specified domain to enable clamd units
-- 
2.20.1
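Review bot: The summary of `clamav_exec_freshclam` (the last interface added in this hunk) does not tell the policy author that the caller gets no freshclam_t confinement. `can_exec($1, freshclam_exec_t)` runs the updater with the caller's own permissions, so any access freshclam needs for fetching and writing the signature database has to be granted to the caller separately. It also means a program that parses downloaded data runs with everything else the caller is allowed. I would extend the summary to something like `## Execute freshclam in the caller domain, without a transition to freshclam_t; the caller needs its own access to whatever freshclam touches.` and steer callers that are more privileged than freshclam_t towards `clamav_domtrans_freshclam` or `clamav_run_freshclam`. The rules attached to freshclam_t live in the .te file, which is not part of this patch, so the exact access a caller would need cannot be confirmed from here.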