From: David Sugar
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH 3/3] Add interfaces to control clamav_unit_t systemd services
Date: Fri, 2 Nov 2018 00:40:57 +0000
Message-ID: <20181102004022.22927-1-dsugar@tresys.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Signed-off-by: Dave Sugar
--- policy/modules/services/clamav.if | 76 +++++++++++++++++++++++++++++++++++= ++++ 1 file changed, 76 insertions(+) diff --git a/policy/modules/services/clamav.if b/policy/modules/services/cl= amav.if index d1296fcc..2adb1230 100644 --- a/policy/modules/services/clamav.if +++ b/policy/modules/services/clamav.if 
@@ -223,6 +223,82 @@ interface(`clamav_scannable_files',` typeattribute $1 clam_scannable_type; ') =20 +######################################## +## +## Allow specified domain to enable clamd units +## +## +## +## Domain allowed access. +## +## +# +interface(`clamav_enabledisable_clamd',` + gen_require(` + type clamav_unit_t; + class service { enable disable }; + ') + + allow $1 clamav_unit_t:service { enable disable }; +') + +######################################## +## +## Allow specified domain to start clamd units +## +## +## +## Domain allowed access. +## +## +# +interface(`clamav_startstop_clamd',` + gen_require(` + type clamd_unit_t; + class service { start stop }; + ') + + allow $1 clamd_unit_t:service { start stop }; +') + +######################################## +## +## Allow specified domain to get status of clamd +## +## +## +## Domain allowed access. +## +## +# +interface(`clamav_status_clamd',` + gen_require(` + type clamd_unit_t; + class service status; + ') + + allow $1 clamd_unit_t:service status; +') + +######################################## +## +## Allow specified domain reload of clamd +## +## +## +## Domain allowed access. +## +## +# +interface(`clamav_reload_clamd',` + gen_require(` + type clamd_unit_t; + class service reload; + ') + + allow $1 clamd_unit_t:service reload; +') + ######################################## ## ## All of the rules required to --=20 2.14.4
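
Review bot: the unit type is not the same across the four new interfaces: `clamav_enabledisable_clamd` requires and allows on `clamav_unit_t`, while `clamav_startstop_clamd`, `clamav_status_clamd` and `clamav_reload_clamd` all use `clamd_unit_t`, and the subject line names `clamav_unit_t`. Please confirm which type the clamav module declares for the clamd unit files and use it in all four `gen_require` blocks and `allow` rules, or say in the commit message why enable/disable targets a different type than start/stop/status/reload. As posted, a domain that calls all four interfaces gets its permissions split across two types, so it may be able to enable a unit it cannot start, or the reverse. Two smaller documentation points: the summaries for the first two interfaces say "enable clamd units" and "start clamd units" while the rules grant `{ enable disable }` and `{ start stop }`, so the summaries should name both permissions; and the commit message has no body, where one sentence on which caller needs these service permissions would help reviewers judge whether four separate interfaces are the right granularity.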