Subject: Re: [PATCH] Add interface clamav_run
From: Chris PeBenito
To: "Sugar, David", "selinux-refpolicy@vger.kernel.org"
Date: Sun, 20 Jan 2019 16:34:03 -0500

On 1/19/19 11:19 AM, Sugar, David wrote: > Signed-off-by: Dave Sugar > --- > policy/modules/services/clamav.if | 26 ++++++++++++++++++++++++++ > 1 file changed, 26 insertions(+) > > diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if > index 7b6df49e..3639d769 100644 
> --- a/policy/modules/services/clamav.if > +++ b/policy/modules/services/clamav.if > @@ -19,6 +19,32 @@ interface(`clamav_domtrans',` > domtrans_pattern($1, clamd_exec_t, clamd_t) > ') > > +######################################## > +## > +## Execute clamd programs in the clamd > +## domain and allow the specified role > +## the clamd domain. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +## > +## > +## Role allowed access. > +## > +## > +# > +interface(`clamav_run',` > + gen_require(` > + type clamd_t; > + ') > + > + clamav_domtrans($1) > + role $2 types clamd_t; > +') > + > ######################################## > ## > ## Connect to clamd using a unix Merged. -- Chris PeBenito
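Review bot: The `role $2 types clamd_t;` line in the new clamav_run interface authorises whatever role the caller passes for clamd_t, but the patch adds no caller and the commit message carries nothing beyond the Signed-off-by line, so the intended role cannot be checked against least privilege from what is posted. Suggest a sentence in the commit message naming the role and source domain that will call clamav_run, and why clamav_domtrans alone (transition via clamd_exec_t without the role association) was not sufficient for that caller.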