From: Chris PeBenito <pebenito@ieee.org>
To: David Sugar <dsugar@tresys.com>,
"selinux-refpolicy@vger.kernel.org"
<selinux-refpolicy@vger.kernel.org>
Subject: Re: [PATCH 2/3] Interface to add domain allowed to be read by ClamAV for scanning.
Date: Fri, 9 Nov 2018 19:07:01 -0500 [thread overview]
Message-ID: <206db618-c006-9039-7c8f-69ecf31bd664@ieee.org> (raw)
In-Reply-To: <20181102003923.22817-1-dsugar@tresys.com>
On 11/01/2018 08:39 PM, David Sugar wrote:
> Create an attribute for types that clamd_t and clamscan_t can read
> (for scanning purposes) rather than require clamav.te to be modified.
>
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
> policy/modules/services/amavis.te | 1 +
> policy/modules/services/apache.te | 1 +
> policy/modules/services/clamav.if | 18 ++++++++++++++++++
> policy/modules/services/clamav.te | 23 +++++++++--------------
> policy/modules/services/exim.te | 1 +
> policy/modules/services/mta.te | 1 +
> 6 files changed, 31 insertions(+), 14 deletions(-)
>
> diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
> index 9517486e..59d87259 100644
> --- a/policy/modules/services/amavis.te
> +++ b/policy/modules/services/amavis.te
> @@ -152,6 +152,7 @@ tunable_policy(`amavis_use_jit',`
> ')
>
> optional_policy(`
> + clamav_scannable_files(amavis_spool_t)
> clamav_stream_connect(amavis_t)
> clamav_domtrans_clamscan(amavis_t)
> clamav_read_state_clamd(amavis_t)
> diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
> index d1fbeb17..5cb38386 100644
> --- a/policy/modules/services/apache.te
> +++ b/policy/modules/services/apache.te
> @@ -1323,6 +1323,7 @@ tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
>
> optional_policy(`
> clamav_domtrans_clamscan(httpd_sys_script_t)
> + clamav_scannable_files(httpd_sys_content_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
> index 80ac5c1e..d1296fcc 100644
> --- a/policy/modules/services/clamav.if
> +++ b/policy/modules/services/clamav.if
> @@ -205,6 +205,24 @@ interface(`clamav_read_signatures',`
> read_lnk_files_pattern($1, clamd_var_lib_t, clamd_var_lib_t)
> ')
>
> +#######################################
> +## <summary>
> +## Denote a particular type to be scanned by ClamAV
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Type that clamd_t and clamscan_t can read.
> +## </summary>
> +## </param>
> +#
> +interface(`clamav_scannable_files',`
> + gen_require(`
> + attribute clam_scannable_type;
> + ')
> +
> + typeattribute $1 clam_scannable_type;
> +')
> +
> ########################################
> ## <summary>
> ## All of the rules required to
> diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
> index a2f30133..b63503f1 100644
> --- a/policy/modules/services/clamav.te
> +++ b/policy/modules/services/clamav.te
> @@ -27,6 +27,7 @@ gen_tunable(clamd_use_jit, false)
> #
> # Declarations
> #
> +attribute clam_scannable_type;
>
> type clamd_t;
> type clamd_exec_t;
> @@ -103,6 +104,10 @@ manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
> manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
> files_pid_filetrans(clamd_t, clamd_var_run_t, { dir file sock_file })
>
> +read_files_pattern(clamd_t, clam_scannable_type, clam_scannable_type)
> +read_lnk_files_pattern(clamd_t, clam_scannable_type, clam_scannable_type)
> +list_dirs_pattern(clamd_t, clam_scannable_type, clam_scannable_type)
> +
> kernel_dontaudit_list_proc(clamd_t)
> kernel_read_crypto_sysctls(clamd_t)
> kernel_read_sysctl(clamd_t)
> @@ -152,7 +157,6 @@ tunable_policy(`clamd_use_jit',`
>
> optional_policy(`
> amavis_read_lib_files(clamd_t)
> - amavis_read_spool_files(clamd_t)
> amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
> amavis_create_pid_files(clamd_t)
> ')
> @@ -163,10 +167,6 @@ optional_policy(`
> cron_rw_pipes(clamd_t)
> ')
>
> -optional_policy(`
> - exim_read_spool_files(clamd_t)
> -')
> -
> optional_policy(`
> mta_read_config(clamd_t)
> mta_send_mail(clamd_t)
> @@ -274,6 +274,10 @@ manage_dirs_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t)
> manage_files_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t)
> files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { dir file })
>
> +read_files_pattern(clamscan_t, clam_scannable_type, clam_scannable_type)
> +read_lnk_files_pattern(clamscan_t, clam_scannable_type, clam_scannable_type)
> +list_dirs_pattern(clamscan_t, clam_scannable_type, clam_scannable_type)
> +
> allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
> manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
>
> @@ -320,15 +324,6 @@ tunable_policy(`clamav_read_all_non_security_files_clamscan',`
> files_getattr_all_sockets(clamscan_t)
> ')
>
> -optional_policy(`
> - amavis_read_spool_files(clamscan_t)
> -')
> -
> -optional_policy(`
> - apache_read_sys_content(clamscan_t)
> -')
> -
> optional_policy(`
> mta_send_mail(clamscan_t)
> - mta_read_queue(clamscan_t)
> ')
> diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
> index 693ac491..6430aee8 100644
> --- a/policy/modules/services/exim.te
> +++ b/policy/modules/services/exim.te
> @@ -189,6 +189,7 @@ tunable_policy(`exim_manage_user_files',`
>
> optional_policy(`
> clamav_domtrans_clamscan(exim_t)
> + clamav_scannable_files(exim_spool_t)
> clamav_stream_connect(exim_t)
> ')
>
> diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
> index 3b45c48e..c741a461 100644
> --- a/policy/modules/services/mta.te
> +++ b/policy/modules/services/mta.te
> @@ -233,6 +233,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> + clamav_scannable_files(mqueue_spool_t)
> clamav_stream_connect(system_mail_t)
> clamav_append_log(system_mail_t)
> ')
Merged.
--
Chris PeBenito
prev parent reply other threads:[~2018-11-10 0:43 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-02 0:39 [PATCH 2/3] Interface to add domain allowed to be read by ClamAV for scanning David Sugar
2018-11-10 0:07 ` Chris PeBenito [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=206db618-c006-9039-7c8f-69ecf31bd664@ieee.org \
--to=pebenito@ieee.org \
--cc=dsugar@tresys.com \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).