From:   "Sugar, David" <dsugar@tresys.com>
To:     "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
Subject: [PATCH] Alternate ClamAV temp directory
Thread-Topic: [PATCH] Alternate ClamAV temp directory
Thread-Index: AQHUqcKjheTTODWIIEO/3UeyRIsXAQ==
Date:   Fri, 11 Jan 2019 15:30:52 +0000
Message-ID: <20190111153011.27275-3-dsugar@tresys.com>
References: <20190111153011.27275-1-dsugar@tresys.com>
In-Reply-To: <20190111153011.27275-1-dsugar@tresys.com>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1;BN6PR15MB1378;6:AO7vNxq9mkPcGHi9pkEafYtiabbeszTNOuGdMAYmYAhee2VQfAs3o6ASLm1qejqXN16QUs+UX/TixOCrCkJ0iixjXhN5482SOutTUiSDNY9xMHkAzn6R37ruJkJyIQiIiSFNgyQGP8ZMF4SiZSGfpUSGHlsXRHhjvtyq9Q+b9GI2BZZICELJtVjeqfJGCMSkhKqGGiFFaQ/MuPPfDVVdwJW9dH8SaIlG5cBihHxhTWt9qdl786gR5oMxJ4mLMsDoJfTO2Ix2XJXCVxnrdv6bHYWpWAFboRaG9rQjwXyzyrhGXs6/yews7nSt9FoxLPcIuDk4DWzr69d/POQ3FzOnX70d3oMTJkZrbwxUOf2GSnFFjfUd0UgDMMcFC6ptRpadtCMkcFpBEQX3a2NpMEp8GXw8bEhOxY5ifkXGPtbykhY9gCCwMHWEuSGW7SCTACrDnf+QElqDVPdsYUP7cllk1w==;5:8BdmRR41+xzY1XleKLla42OcXd5Vasfw8BqztTNNui8M9Bw5JFAIJN5i+vt50yg4SK3WbHDm4ClV2yaTeEh59R1A3zn0gio90Z+tQN/7NMHGFn2Sr5mXBn/Jg3taMtYST8bAfI9ml3iEu57h8OHIYICvsUVq0klIA+XT0dN91LgCrGfuk9kbTdAFYB0k4+lLeJHRSAAVRvl1S2Jr0WO3bQ==;7:S4FZIg1khzOlZMSHA+zgofKQ+Efoox4nqk7oerMuGenqqj017hDnPK+6i4/1zsNb8USg27ZkyGtaAMqIEN/JRS2FAMlmWwXWhIy3bo7u9ZIwwMmGorHIhhzMdcL3plqW4829RVNqmhzP/yEA3Q6m7Q==
x-ms-office365-filtering-correlation-id: f8401755-7d6e-45ad-2159-08d677d9c583
x-microsoft-antispam: BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(7021145)(8989299)(4534185)(7022145)(4603075)(4627221)(201702281549075)(8990200)(7048125)(7024125)(7027125)(7023125)(5600109)(711020)(2017052603328)(7153060)(7193020);SRVR:BN6PR15MB1378;
x-ms-traffictypediagnostic: BN6PR15MB1378:
x-microsoft-antispam-prvs: <BN6PR15MB13781FDDD110957871D3D81FB9850@BN6PR15MB1378.namprd15.prod.outlook.com>
x-forefront-prvs: 09144DB0F7
x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(39830400003)(376002)(366004)(136003)(346002)(396003)(189003)(199004)(316002)(86362001)(14444005)(575784001)(6916009)(36756003)(66066001)(256004)(97736004)(508600001)(99286004)(14454004)(5660300001)(71200400001)(71190400001)(105586002)(106356001)(2906002)(76176011)(26005)(102836004)(2351001)(6506007)(386003)(53936002)(6512007)(6116002)(3846002)(7736002)(11346002)(52116002)(486006)(476003)(2616005)(8676002)(81156014)(8936002)(186003)(2501003)(446003)(6486002)(81166006)(5640700003)(6436002)(305945005)(68736007)(1076003)(25786009);DIR:OUT;SFP:1102;SCL:1;SRVR:BN6PR15MB1378;H:BN6PR15MB1507.namprd15.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1;
received-spf: None (protection.outlook.com: tresys.com does not designate
 permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: Cne2v0Oj9FKgXXTomCYaTh/5xXmmFC7FyeYGcX1Jqnh98+vBJL/scaX2d+B2L5dH7nDgufi1oxdcoZQ7PtobnEMrBB0Yfk7mEDwtQLbYJ21SJtmnUlGq2cwWZzKzcOg5YHOK0LIgTvRM+kmC19owcDo/5OkdoGDvr7tyEyczoVScTYfAErUsrarr3dZyS2FwpWWemyDOJUsnPrQqCQDXjSr5bKJInGCaLM9EOa4RXtflJUIjTStHYVKO45Rymb4DiwD8Eih4ddKzDahuplrl5xd9/O7+6BzE8yGMge6TiAQNzzKSTZII46HzHvdge+uILE9dOI96bi1zD+sa7xxkqgvaRelYgvw+IuRncrc6HNTraU/Ql20M+ZYfDzLqLrOcDUabsSjLG0FpkNor+SZCtekXlg1xOf+gIAye7HtWmGY=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: tresys.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f8401755-7d6e-45ad-2159-08d677d9c583
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Jan 2019 15:30:52.6559
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: a0d45667-6c07-4e88-868f-4ac9af95c7ed
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR15MB1378
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

ClamAV configuration controls where temporary files are stored.
Default is /tmp but the configuration option 'TemporaryDirectory'
allows for this location to be changed.  This change allows for
the type of this directory to be something other than 'tmp_t'
and have files created in this directory still be clamd_tmp_t.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/services/clamav.if | 29 +++++++++++++++++++++++++++++
 policy/modules/services/clamav.te |  2 ++
 2 files changed, 31 insertions(+)

diff --git a/policy/modules/services/clamav.if b/policy/modules/services/cl=
amav.if
index 7b6df49e..a8d1603c 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -225,6 +225,35 @@ interface(`clamav_scannable_files',`
 	typeattribute $1 clam_scannable_type;
 ')
=20
+#######################################
+## <summary>
+##	Denote a particular directory type to
+##	be a temporary working directory for ClamAV
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to be a directory to be
+##	used by ClamAV for temp files.  This is only needed
+##	if the TemporaryDirectory in the clamd.conf is
+##	modified to point to a directory that is not already
+##	labeled tmp_t.
+##	</p>
+## </desc>
+## <param name=3D"domain">
+##	<summary>
+##	Type of directory to hold clamd temp files.
+##	</summary>
+## </param>
+#
+interface(`clamav_temp_dir',`
+	gen_require(`
+		attribute clam_tmp_type;
+	')
+
+	typeattribute $1 clam_tmp_type;
+')
+
+
 ########################################
 ## <summary>
 ##	Allow specified domain to enable clamd units
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/cl=
amav.te
index 84a0bc76..6fc9cc7e 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -28,6 +28,7 @@ gen_tunable(clamd_use_jit, false)
 # Declarations
 #
 attribute clam_scannable_type;
+attribute clam_tmp_type;
=20
 type clamd_t;
 type clamd_exec_t;
@@ -88,6 +89,7 @@ read_lnk_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t)
 manage_dirs_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
 manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
 files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
+filetrans_pattern(clamd_t, clam_tmp_type, clamd_tmp_t, { file dir })
=20
 manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
 manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
--=20
2.20.1