On Mon, 2019-02-25 at 23:37 +0000, Sugar, David wrote: > Currently freshclam can only be started from cron or init. This adds > the option of starting from a different process and optionally > transitioning or staying in the caller's domain. > > Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx> > --- > policy/modules/services/clamav.if | 64 > +++++++++++++++++++++++++++++++ > 1 file changed, 64 insertions(+) > > diff --git a/policy/modules/services/clamav.if > b/policy/modules/services/clamav.if > index 0dc1e23c..30d0b814 100644 > --- a/policy/modules/services/clamav.if > +++ b/policy/modules/services/clamav.if 
> @@ -251,6 +251,70 @@ interface(`clamav_scannable_files',`
> typeattribute $1 clam_scannable_type;
> ')
>
> +########################################
> +## <summary>
> +## Execute a domain transition to run freshclam.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`clamav_domtrans_freshclam',`
> + gen_require(`
> + type freshclam_t, freshclam_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, freshclam_exec_t, freshclam_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute freshclam in the freshclam domain, and
> +## allow the specified role the freshclam domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`clamav_run_freshclam',`
> + gen_require(`
> + type freshclam_t;
> + ')
> +
> + clamav_domtrans_freshclam($1)
> + role $2 types freshclam_t;
> +')
> +
> +########################################
> +## <summary>
> +## Execute freshclam in the caller domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`clamav_exec_freshclam',`
> + gen_require(`
> + type freshclam_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + can_exec($1, freshclam_exec_t)
> +')
> +
> ########################################
> ## <summary>
> ## Allow specified domain to enable clamd units
Merged. -- Chris PeBenito
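Review bot: The summary of `clamav_exec_freshclam` near the end of the hunk says only that freshclam runs in the caller domain, without stating the consequence: `can_exec($1, freshclam_exec_t)` performs no transition, so nothing granted to freshclam_t is conferred, the caller must itself hold whatever freshclam needs at runtime (presumably network access and write access to the signature database directory, as granted to freshclam_t elsewhere in the module), and any files freshclam creates will carry the caller's labels unless the caller policy adds its own file transitions. That is exactly the interface a policy author is tempted to reach for when a domtrans "does not work", so the doc block should steer them. I would extend the summary to `## Execute freshclam in the caller domain. No domain transition occurs,` / `## so the caller must already hold every permission freshclam needs;` / `## prefer clamav_domtrans_freshclam() where confinement is wanted.` The three new interfaces are self-contained; the trailing context lines belong to the next interface, whose body lies outside the hunk.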