From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=Xf3s=NN=vger.kernel.org=selinux-refpolicy-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIMWL_WL_MED,DKIM_SIGNED,
	DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,
	SIGNED_OFF_BY,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no
	version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 441ADC0044C
	for <selinux-refpolicy@archiver.kernel.org>; Fri,  2 Nov 2018 00:40:03 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id D21B820848
	for <selinux-refpolicy@archiver.kernel.org>; Fri,  2 Nov 2018 00:40:02 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (1024-bit key) header.d=tresys.onmicrosoft.com header.i=@tresys.onmicrosoft.com header.b="WNeMYKyk"
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org D21B820848
Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=tresys.com
Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728060AbeKBJpP (ORCPT
        <rfc822;selinux-refpolicy@archiver.kernel.org>);
        Fri, 2 Nov 2018 05:45:15 -0400
Received: from mail-sn1nam02on0123.outbound.protection.outlook.com ([104.47.36.123]:46235
        "EHLO NAM02-SN1-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1728109AbeKBJpP (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Fri, 2 Nov 2018 05:45:15 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=tresys.onmicrosoft.com; s=selector1-tresys-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=08p7P9gwgRZ3heGWBBggbPpT/25wJiKq8smp8iPaNXA=;
 b=WNeMYKykMU+XryCaz5Hn5pVPq4EQaMpHn1MYapn22WHSez3MsRabJ/fDWUSRo76b3/16c06pQkYUGHvqcw61FwdIjKaJCD5SttzG1/Z0JmTzKWhPM3ygL0ZXYKfA3FfsdJvI/Top05Sw+0I7M2hVr9VM52mzG+BhQE96/PfxK9o=
Received: from BN6PR15MB1507.namprd15.prod.outlook.com (10.172.151.147) by
 BN6PR15MB1329.namprd15.prod.outlook.com (10.172.206.143) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.1273.25; Fri, 2 Nov 2018 00:39:58 +0000
Received: from BN6PR15MB1507.namprd15.prod.outlook.com
 ([fe80::c0de:889e:7675:1b74]) by BN6PR15MB1507.namprd15.prod.outlook.com
 ([fe80::c0de:889e:7675:1b74%3]) with mapi id 15.20.1294.021; Fri, 2 Nov 2018
 00:39:58 +0000
From:   David Sugar <dsugar@tresys.com>
To:     "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
Subject: [PATCH 2/3] Interface to add domain allowed to be read by ClamAV for
 scanning.
Thread-Topic: [PATCH 2/3] Interface to add domain allowed to be read by ClamAV
 for scanning.
Thread-Index: AQHUckSVX2OKU7GAFU6fhhZNw75tqg==
Date:   Fri, 2 Nov 2018 00:39:58 +0000
Message-ID: <20181102003923.22817-1-dsugar@tresys.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [73.180.141.176]
x-clientproxiedby: BL0PR0102CA0037.prod.exchangelabs.com
 (2603:10b6:208:25::14) To BN6PR15MB1507.namprd15.prod.outlook.com
 (2603:10b6:404:c6::19)
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=dsugar@tresys.com; 
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1;BN6PR15MB1329;6:YXDMpXenXEmqLb5voX2zeVmuAFus3GY8O1d3gR5ZmWPF7dyBSwxqsfHmxzdokNZGl6gCme01y3gQRysLepxNv4A5akffMD7S9VXTBe+BvlEajEL6pc3ts7JgHxj0X2jK2cs8cULIG3dcIpwvf19RqXW6Z5tVqfzC4ZhnDl1mQWBf/UMrWxQp4m4CG8JiI2quSseeJXpAoTlMbh1OGswPBwnsjM8YA1eOH4sgTcT+33uFiR500/DTEW/M53RHRgJiY9l16pAEVuu4RU/+p7iZWlmQy7P3EQzWaLo6UYdo8YW5NkYgMGXEyIndqbVdykZ9amK3URziZ7D26p8rVPWFhSmMnqqDRVC6HNCD2BAmZw+5mXtcqJ+1fbGaxpPSLNeFg2889eYKS4B9CsCH1E9ohRFt6t6Hg8A1orBsM+dkhbRebPYepYRSsMbJOd+QdxMRKHIWe2k9Yo1IPtYn/KrAnw==;5:wxGaocFV54mZWK/idNQuYff3jIGYF5IMxyZ0m7uKxIRA9ZnJWowfIEAXREcPpQxDHQqGCEp8qWGwz1CMseWHmPIs/4ecD6jlFFCwV6apqTIFECTpFZ7lHFUTZfOS0+0c50N0D34XuxLfNcHtrNe1wJHkwEVIUzqPWsAN+QaInSs=;7:4Re8oHj4beJX9+A7WldmJuHkRXnJGV09zubrM7ytKZkx/DhG3E//HyRmazX0kJA8f3dKy3SIgxlIqeu+HNYd18M8tCcaBv+7bfe4TKmy38WJM4RxPnJCA6ZwXnMUxFQJxyFdxJmfsqzd9UzNzwdTTg==
x-ms-office365-filtering-correlation-id: 7705bcbb-6f89-4c0d-4063-08d6405bb77f
x-microsoft-antispam: BCL:0;PCL:0;RULEID:(7020095)(4652040)(7021145)(8989299)(4534185)(7022145)(4603075)(4627221)(201702281549075)(8990200)(7048125)(7024125)(7027125)(7023125)(5600074)(711020)(2017052603328)(7153060)(7193020);SRVR:BN6PR15MB1329;
x-ms-traffictypediagnostic: BN6PR15MB1329:
x-microsoft-antispam-prvs: <BN6PR15MB1329B9E6DD43AFCAB80DA25DB9CF0@BN6PR15MB1329.namprd15.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(269456686620040);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(3231382)(944501410)(52105095)(93006095)(93001095)(3002001)(10201501046)(148016)(149066)(150057)(6041310)(20161123564045)(20161123560045)(2016111802025)(20161123558120)(20161123562045)(6043046)(201708071742011)(7699051)(76991095);SRVR:BN6PR15MB1329;BCL:0;PCL:0;RULEID:;SRVR:BN6PR15MB1329;
x-forefront-prvs: 08444C7C87
x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(366004)(396003)(39830400003)(136003)(346002)(376002)(189003)(199004)(186003)(14454004)(36756003)(81156014)(81166006)(2501003)(5660300001)(52116002)(6116002)(6436002)(508600001)(6486002)(6506007)(386003)(3846002)(8936002)(68736007)(2906002)(86362001)(8676002)(106356001)(99286004)(2900100001)(97736004)(102836004)(26005)(2351001)(14444005)(256004)(476003)(2616005)(105586002)(53936002)(25786009)(7736002)(5640700003)(1076002)(305945005)(71190400001)(71200400001)(6512007)(486006)(66066001)(316002)(6916009);DIR:OUT;SFP:1102;SCL:1;SRVR:BN6PR15MB1329;H:BN6PR15MB1507.namprd15.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1;
received-spf: None (protection.outlook.com: tresys.com does not designate
 permitted sender hosts)
x-microsoft-antispam-message-info: dcHGzT6Q30PjuK6qoWcERvuMLHrHLEcqO64aMjlgdxH2iUkLH/nauDZXavPOS3SDlxSAVhCj9c5uR6ua2Ogt4tP2RUhVmg9j/oFQMmT4DvBJIPBNuuQERNAYaB9EAvSZqSMoI4+3p+uq6QAVNoXFPRyx27ZyQmpH67NuDYiUBwO9JZJtI12A9p+/i4Q6svyjxsqOei1YtxuxwLX4993jF5M7zGMIRJxEI4+Yl/WVrmOazBPhmS9E9WbszectrlKcmSqPTZt7cJi2w+GRWM98yKkOj6KLri1SbwmlioyLl8lUONx4N7KcnQdJ5ANw6OQ17O2+NL9ZZz8iDa6VGYQ2hO8ZDKZcGpk5VgXSo8PhDy0=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: tresys.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 7705bcbb-6f89-4c0d-4063-08d6405bb77f
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Nov 2018 00:39:58.7218
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: a0d45667-6c07-4e88-868f-4ac9af95c7ed
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR15MB1329
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Create an attribute for types that clamd_t and clamscan_t can read
(for scanning purposes) rather than require clamav.te to be modified.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/services/amavis.te |  1 +
 policy/modules/services/apache.te |  1 +
 policy/modules/services/clamav.if | 18 ++++++++++++++++++
 policy/modules/services/clamav.te | 23 +++++++++--------------
 policy/modules/services/exim.te   |  1 +
 policy/modules/services/mta.te    |  1 +
 6 files changed, 31 insertions(+), 14 deletions(-)

diff --git a/policy/modules/services/amavis.te b/policy/modules/services/am=
avis.te
index 9517486e..59d87259 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -152,6 +152,7 @@ tunable_policy(`amavis_use_jit',`
 ')
=20
 optional_policy(`
+	clamav_scannable_files(amavis_spool_t)
 	clamav_stream_connect(amavis_t)
 	clamav_domtrans_clamscan(amavis_t)
 	clamav_read_state_clamd(amavis_t)
diff --git a/policy/modules/services/apache.te b/policy/modules/services/ap=
ache.te
index d1fbeb17..5cb38386 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1323,6 +1323,7 @@ tunable_policy(`httpd_use_nfs && httpd_builtin_script=
ing',`
=20
 optional_policy(`
 	clamav_domtrans_clamscan(httpd_sys_script_t)
+	clamav_scannable_files(httpd_sys_content_t)
 ')
=20
 optional_policy(`
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/cl=
amav.if
index 80ac5c1e..d1296fcc 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -205,6 +205,24 @@ interface(`clamav_read_signatures',`
 	read_lnk_files_pattern($1, clamd_var_lib_t, clamd_var_lib_t)
 ')
=20
+#######################################
+## <summary>
+##	Denote a particular type to be scanned by ClamAV
+## </summary>
+## <param name=3D"domain">
+##	<summary>
+##	Type that clamd_t and clamscan_t can read.
+##	</summary>
+## </param>
+#
+interface(`clamav_scannable_files',`
+	gen_require(`
+		attribute clam_scannable_type;
+	')
+
+	typeattribute $1 clam_scannable_type;
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/cl=
amav.te
index a2f30133..b63503f1 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -27,6 +27,7 @@ gen_tunable(clamd_use_jit, false)
 #
 # Declarations
 #
+attribute clam_scannable_type;
=20
 type clamd_t;
 type clamd_exec_t;
@@ -103,6 +104,10 @@ manage_files_pattern(clamd_t, clamd_var_run_t, clamd_v=
ar_run_t)
 manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
 files_pid_filetrans(clamd_t, clamd_var_run_t, { dir file sock_file })
=20
+read_files_pattern(clamd_t, clam_scannable_type, clam_scannable_type)
+read_lnk_files_pattern(clamd_t, clam_scannable_type, clam_scannable_type)
+list_dirs_pattern(clamd_t, clam_scannable_type, clam_scannable_type)
+
 kernel_dontaudit_list_proc(clamd_t)
 kernel_read_crypto_sysctls(clamd_t)
 kernel_read_sysctl(clamd_t)
@@ -152,7 +157,6 @@ tunable_policy(`clamd_use_jit',`
=20
 optional_policy(`
 	amavis_read_lib_files(clamd_t)
-	amavis_read_spool_files(clamd_t)
 	amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
 	amavis_create_pid_files(clamd_t)
 ')
@@ -163,10 +167,6 @@ optional_policy(`
 	cron_rw_pipes(clamd_t)
 ')
=20
-optional_policy(`
-	exim_read_spool_files(clamd_t)
-')
-
 optional_policy(`
 	mta_read_config(clamd_t)
 	mta_send_mail(clamd_t)
@@ -274,6 +274,10 @@ manage_dirs_pattern(clamscan_t, clamscan_tmp_t, clamsc=
an_tmp_t)
 manage_files_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t)
 files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { dir file })
=20
+read_files_pattern(clamscan_t, clam_scannable_type, clam_scannable_type)
+read_lnk_files_pattern(clamscan_t, clam_scannable_type, clam_scannable_typ=
e)
+list_dirs_pattern(clamscan_t, clam_scannable_type, clam_scannable_type)
+
 allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
 manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
=20
@@ -320,15 +324,6 @@ tunable_policy(`clamav_read_all_non_security_files_cla=
mscan',`
 	files_getattr_all_sockets(clamscan_t)
 ')
=20
-optional_policy(`
-	amavis_read_spool_files(clamscan_t)
-')
-
-optional_policy(`
-	apache_read_sys_content(clamscan_t)
-')
-
 optional_policy(`
 	mta_send_mail(clamscan_t)
-	mta_read_queue(clamscan_t)
 ')
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim=
.te
index 693ac491..6430aee8 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -189,6 +189,7 @@ tunable_policy(`exim_manage_user_files',`
=20
 optional_policy(`
 	clamav_domtrans_clamscan(exim_t)
+	clamav_scannable_files(exim_spool_t)
 	clamav_stream_connect(exim_t)
 ')
=20
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.t=
e
index 3b45c48e..c741a461 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -233,6 +233,7 @@ optional_policy(`
 ')
=20
 optional_policy(`
+	clamav_scannable_files(mqueue_spool_t)
 	clamav_stream_connect(system_mail_t)
 	clamav_append_log(system_mail_t)
 ')
--=20
2.14.4