From: David Sugar
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH] Allow clamd to use sent file descriptor
Date: Fri, 2 Nov 2018 19:10:20 +0000
Message-ID: <20181102190937.5450-1-dsugar@tresys.com>

This allows a process connecting to a local clamd server to send an open file descriptor for A/V scanning. This still requires the file type to be readable by clamd.

Signed-off-by: Dave Sugar

--- policy/modules/services/clamav.if | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/services/clamav.if b/policy/modules/services/cl= amav.if index 2adb1230..7b6df49e 100644 --- a/policy/modules/services/clamav.if +++ b/policy/modules/services/clamav.if @@ -35,6 +35,8 @@ interface(`clamav_stream_connect',` type clamd_t, clamd_var_run_t; ') =20 + allow clamd_t $1:fd use; + files_search_pids($1) stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t) ') --=20 2.14.4
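
Review bot: The added `allow clamd_t $1:fd use;` sits inside `clamav_stream_connect`, so every domain that calls this interface to reach the clamd socket now also lets clamd use descriptors that domain opened, whether or not it ever passes one. Consider moving the rule into a separate interface that descriptor-passing callers opt into, or at least documenting the extra grant in the interface summary so policy authors see it when they call `clamav_stream_connect`. It is also worth stating in the commit message or a comment that the `fd` check is made against the domain that opened the descriptor, so a caller forwarding a descriptor it inherited from another domain is not covered by `$1:fd use`, and that clamd's read access to the file's type remains the actual gate, as the commit message already says.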