Re: [PATCH 2/3] Interface to add domain allowed to be read by ClamAV for scanning.

[Chris PeBenito <pebenito@ieee.org>]

On 11/01/2018 08:39 PM, David Sugar wrote:
> Create an attribute for types that clamd_t and clamscan_t can read
> (for scanning purposes) rather than require clamav.te to be modified.
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/services/amavis.te |  1 +
>   policy/modules/services/apache.te |  1 +
>   policy/modules/services/clamav.if | 18 ++++++++++++++++++
>   policy/modules/services/clamav.te | 23 +++++++++--------------
>   policy/modules/services/exim.te   |  1 +
>   policy/modules/services/mta.te    |  1 +
>   6 files changed, 31 insertions(+), 14 deletions(-)
> 
> diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
> index 9517486e..59d87259 100644
> --- a/policy/modules/services/amavis.te
> +++ b/policy/modules/services/amavis.te
> @@ -152,6 +152,7 @@ tunable_policy(`amavis_use_jit',`
>   ')
>   
>   optional_policy(`
> +	clamav_scannable_files(amavis_spool_t)
>   	clamav_stream_connect(amavis_t)
>   	clamav_domtrans_clamscan(amavis_t)
>   	clamav_read_state_clamd(amavis_t)
> diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
> index d1fbeb17..5cb38386 100644
> --- a/policy/modules/services/apache.te
> +++ b/policy/modules/services/apache.te
> @@ -1323,6 +1323,7 @@ tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
>   
>   optional_policy(`
>   	clamav_domtrans_clamscan(httpd_sys_script_t)
> +	clamav_scannable_files(httpd_sys_content_t)
>   ')
>   
>   optional_policy(`
> diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
> index 80ac5c1e..d1296fcc 100644
> --- a/policy/modules/services/clamav.if
> +++ b/policy/modules/services/clamav.if
> @@ -205,6 +205,24 @@ interface(`clamav_read_signatures',`
>   	read_lnk_files_pattern($1, clamd_var_lib_t, clamd_var_lib_t)
>   ')
>   
> +#######################################
> +## <summary>
> +##	Denote a particular type to be scanned by ClamAV
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Type that clamd_t and clamscan_t can read.
> +##	</summary>
> +## </param>
> +#
> +interface(`clamav_scannable_files',`
> +	gen_require(`
> +		attribute clam_scannable_type;
> +	')
> +
> +	typeattribute $1 clam_scannable_type;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	All of the rules required to
> diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
> index a2f30133..b63503f1 100644
> --- a/policy/modules/services/clamav.te
> +++ b/policy/modules/services/clamav.te
> @@ -27,6 +27,7 @@ gen_tunable(clamd_use_jit, false)
>   #
>   # Declarations
>   #
> +attribute clam_scannable_type;
>   
>   type clamd_t;
>   type clamd_exec_t;
> @@ -103,6 +104,10 @@ manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
>   manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
>   files_pid_filetrans(clamd_t, clamd_var_run_t, { dir file sock_file })
>   
> +read_files_pattern(clamd_t, clam_scannable_type, clam_scannable_type)
> +read_lnk_files_pattern(clamd_t, clam_scannable_type, clam_scannable_type)
> +list_dirs_pattern(clamd_t, clam_scannable_type, clam_scannable_type)
> +
>   kernel_dontaudit_list_proc(clamd_t)
>   kernel_read_crypto_sysctls(clamd_t)
>   kernel_read_sysctl(clamd_t)
> @@ -152,7 +157,6 @@ tunable_policy(`clamd_use_jit',`
>   
>   optional_policy(`
>   	amavis_read_lib_files(clamd_t)
> -	amavis_read_spool_files(clamd_t)
>   	amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
>   	amavis_create_pid_files(clamd_t)
>   ')
> @@ -163,10 +167,6 @@ optional_policy(`
>   	cron_rw_pipes(clamd_t)
>   ')
>   
> -optional_policy(`
> -	exim_read_spool_files(clamd_t)
> -')
> -
>   optional_policy(`
>   	mta_read_config(clamd_t)
>   	mta_send_mail(clamd_t)
> @@ -274,6 +274,10 @@ manage_dirs_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t)
>   manage_files_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t)
>   files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { dir file })
>   
> +read_files_pattern(clamscan_t, clam_scannable_type, clam_scannable_type)
> +read_lnk_files_pattern(clamscan_t, clam_scannable_type, clam_scannable_type)
> +list_dirs_pattern(clamscan_t, clam_scannable_type, clam_scannable_type)
> +
>   allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
>   manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
>   
> @@ -320,15 +324,6 @@ tunable_policy(`clamav_read_all_non_security_files_clamscan',`
>   	files_getattr_all_sockets(clamscan_t)
>   ')
>   
> -optional_policy(`
> -	amavis_read_spool_files(clamscan_t)
> -')
> -
> -optional_policy(`
> -	apache_read_sys_content(clamscan_t)
> -')
> -
>   optional_policy(`
>   	mta_send_mail(clamscan_t)
> -	mta_read_queue(clamscan_t)
>   ')
> diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
> index 693ac491..6430aee8 100644
> --- a/policy/modules/services/exim.te
> +++ b/policy/modules/services/exim.te
> @@ -189,6 +189,7 @@ tunable_policy(`exim_manage_user_files',`
>   
>   optional_policy(`
>   	clamav_domtrans_clamscan(exim_t)
> +	clamav_scannable_files(exim_spool_t)
>   	clamav_stream_connect(exim_t)
>   ')
>   
> diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
> index 3b45c48e..c741a461 100644
> --- a/policy/modules/services/mta.te
> +++ b/policy/modules/services/mta.te
> @@ -233,6 +233,7 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	clamav_scannable_files(mqueue_spool_t)
>   	clamav_stream_connect(system_mail_t)
>   	clamav_append_log(system_mail_t)
>   ')

Merged.

-- 
Chris PeBenito