From: "Sugar, David"
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH] Alternate ClamAV temp directory
Date: Fri, 11 Jan 2019 15:30:52 +0000
Message-ID: <20190111153011.27275-3-dsugar@tresys.com>
In-Reply-To: <20190111153011.27275-1-dsugar@tresys.com>

ClamAV configuration controls where temporary files are stored. Default is /tmp but the configuration option 'TemporaryDirectory' allows for this location to be changed. This change allows for the type of this directory to be something other than 'tmp_t' and have files created in this directory still be clamd_tmp_t.

Signed-off-by: Dave Sugar

--- policy/modules/services/clamav.if | 29 +++++++++++++++++++++++++++++ policy/modules/services/clamav.te | 2 ++ 2 files changed, 31 insertions(+) diff --git a/policy/modules/services/clamav.if b/policy/modules/services/cl= amav.if index 7b6df49e..a8d1603c 100644 --- a/policy/modules/services/clamav.if +++ b/policy/modules/services/clamav.if @@ -225,6 +225,35 @@ interface(`clamav_scannable_files',` typeattribute $1 clam_scannable_type; ') =20 +####################################### +## +## Denote a particular directory type to +## be a temporary working directory for ClamAV +## +## +##

+## Allow the specified domain to be a directory to be +## used by ClamAV for temp files. This is only needed +## if the TemporaryDirectory in the clamd.conf is +## modified to point to a directory that is not already +## labeled tmp_t. +##

+##
+## +## +## Type of directory to hold clamd temp files. +## +## +# +interface(`clamav_temp_dir',` + gen_require(` + attribute clam_tmp_type; + ') + + typeattribute $1 clam_tmp_type; +') + + ######################################## ## ## Allow specified domain to enable clamd units diff --git a/policy/modules/services/clamav.te b/policy/modules/services/cl= amav.te index 84a0bc76..6fc9cc7e 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -28,6 +28,7 @@ gen_tunable(clamd_use_jit, false) # Declarations # attribute clam_scannable_type; +attribute clam_tmp_type; =20 type clamd_t; type clamd_exec_t; @@ -88,6 +89,7 @@ read_lnk_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t) manage_dirs_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t) manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t) files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir }) +filetrans_pattern(clamd_t, clam_tmp_type, clamd_tmp_t, { file dir }) =20 manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) --=20 2.20.1
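
Review bot: In the clamav.if hunk, the description of clamav_temp_dir reads "Allow the specified domain to be a directory to be used by ClamAV for temp files", but $1 is a directory type, not a domain, as the parameter text ("Type of directory to hold clamd temp files") and `typeattribute $1 clam_tmp_type;` show. Suggest rewording to something like "Mark the specified type as a directory type that ClamAV may use for temp files". The hunk also adds two blank lines after the closing `')` of the new interface, where the preceding interface is separated from it by one.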
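
Review bot: The added `filetrans_pattern(clamd_t, clam_tmp_type, clamd_tmp_t, { file dir })` line in the second clamav.te hunk keys the rule on the attribute, so every type a caller passes to clamav_temp_dir becomes a directory type in which clamd_t can create entries. The interface comment in clamav.if should say that the argument is expected to be a type dedicated to the ClamAV temp directory rather than one shared with other content. The transition is also added for clamd_t only; if that is the intent, the commit message could say "clamd" where it says "ClamAV" so the scope of the change is clear.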