Return-Path: <SRS0=JOfW=RA=vger.kernel.org=selinux-refpolicy-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-9.0 required=3.0 tests=DKIMWL_WL_MED,DKIM_SIGNED,
	DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,
	SIGNED_OFF_BY,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no
	version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id CC932C43381
	for <selinux-refpolicy@archiver.kernel.org>; Mon, 25 Feb 2019 23:38:28 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 90389218D3
	for <selinux-refpolicy@archiver.kernel.org>; Mon, 25 Feb 2019 23:38:28 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (1024-bit key) header.d=tresys.onmicrosoft.com header.i=@tresys.onmicrosoft.com header.b="IKrVtE9E"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726575AbfBYXi2 (ORCPT
        <rfc822;selinux-refpolicy@archiver.kernel.org>);
        Mon, 25 Feb 2019 18:38:28 -0500
Received: from mail-eopbgr720125.outbound.protection.outlook.com ([40.107.72.125]:63072
        "EHLO NAM05-CO1-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1726867AbfBYXi2 (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Mon, 25 Feb 2019 18:38:28 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=tresys.onmicrosoft.com; s=selector1-tresys-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=xJbtFnO6RHz5qyczjBQIIkzmTJO0cCKzcBzHAP8twOo=;
 b=IKrVtE9ESzlct6fJW40I/61K8hMHDq6mKblmaFzMf1OiWcn48ar6f4d/S2ie5X6UIQYqGlfx1ncVCZw5tY7O83tUwI1Mdu6gaTYlgsZlpIPj0aRsUdigJRYwDGuRYWW9E2qamZBFTA+b/nIosSWoUeRjk1YGKatkNibJPuDfW7o=
Received: from BN6PR15MB1507.namprd15.prod.outlook.com (10.172.151.147) by
 BN6PR15MB1602.namprd15.prod.outlook.com (10.175.126.151) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.1643.16; Mon, 25 Feb 2019 23:37:46 +0000
Received: from BN6PR15MB1507.namprd15.prod.outlook.com
 ([fe80::f1c7:33d:34ac:bdce]) by BN6PR15MB1507.namprd15.prod.outlook.com
 ([fe80::f1c7:33d:34ac:bdce%3]) with mapi id 15.20.1643.019; Mon, 25 Feb 2019
 23:37:46 +0000
From:   "Sugar, David" <dsugar@tresys.com>
To:     "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
Subject: [PATCH] Add interfaces to run freshclam
Thread-Topic: [PATCH] Add interfaces to run freshclam
Thread-Index: AQHUzWMb8+6+fnWsh0Kj7GEn+4KDUA==
Date:   Mon, 25 Feb 2019 23:37:45 +0000
Message-ID: <20190225233708.15319-2-dsugar@tresys.com>
References: <20190225233708.15319-1-dsugar@tresys.com>
In-Reply-To: <20190225233708.15319-1-dsugar@tresys.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [73.180.141.176]
x-clientproxiedby: BN6PR1401CA0006.namprd14.prod.outlook.com
 (2603:10b6:405:4b::16) To BN6PR15MB1507.namprd15.prod.outlook.com
 (2603:10b6:404:c6::19)
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=dsugar@tresys.com; 
x-ms-exchange-messagesentrepresentingtype: 1
x-mailer: git-send-email 2.20.1
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2029d58c-2156-4428-c25e-08d69b7a3df6
x-microsoft-antispam: BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(7021145)(8989299)(4534185)(7022145)(4603075)(4627221)(201702281549075)(8990200)(7048125)(7024125)(7027125)(7023125)(5600127)(711020)(4605104)(2017052603328)(7153060)(7193020);SRVR:BN6PR15MB1602;
x-ms-traffictypediagnostic: BN6PR15MB1602:
x-microsoft-exchange-diagnostics: =?iso-8859-1?Q?1;BN6PR15MB1602;23:Ud3wnq21GXFpGS4+jgp81FH9DVZLewVWk8F9lNj?=
 =?iso-8859-1?Q?X+CcfMxSOsSqLTvUZLQnIkzIv5LBhjbRON0hkkopIYd6BCVBwxkvrwlXJ+?=
 =?iso-8859-1?Q?vEDj2J+Oz3gL2OO2OlMtbZcjgfo3FE8RRu7fL7UwBJS8eCJf/iVrcT8e5m?=
 =?iso-8859-1?Q?XSCQmko0fF9S14ZP4rAwljMu3trNpnU6o0jm3oqJ1M/IIatwLfgxW1zfla?=
 =?iso-8859-1?Q?rh3zpx35T/7M1YWrSzsp72xwzL/ZbNu1eBIpVYux600Gqyngw4zeMRQeid?=
 =?iso-8859-1?Q?abdGVvTbiweob3wu/vKiKdy8DeoYEPiFt/2WlW4ASJUkUu02PkCes35Fgr?=
 =?iso-8859-1?Q?+NzeZQVupwQ3yCTPd9sl7t3l6hdPLjW/7O02lvOnXYXUk+X+05ShF5Btk6?=
 =?iso-8859-1?Q?W5GQSvPA6RKeIjzRHt7PW4MGFp+cJlHS+9K6Pp0mDB8J/4Ko7+zGFHFIJU?=
 =?iso-8859-1?Q?rc3OeRMBqnInI/R9dA5SZWpRXE9iMMig3ChXfsAeDha21ZVhGOjnmu8zp0?=
 =?iso-8859-1?Q?xjEzYmgMp8460K2H+L6BeDRm/mTjh1RkkeLMFYjl51PEJum/AcdulF7UNv?=
 =?iso-8859-1?Q?5j0IbvcnHpaKWg9vyBBL9sFOSPVu8wwBvM2pc0NEg445bUIL6VBYHIGcEU?=
 =?iso-8859-1?Q?AvSfptRumfwKq+FNZugFWT8M+8TmqAE/b2ERXHVRvS7+nJDMr2+n+Tqd5V?=
 =?iso-8859-1?Q?rFwkjHAOBL8UP4oMCvqpFADF4sFusmxBIEWn1fnVNkn4eY9Gf9IeFWuxvJ?=
 =?iso-8859-1?Q?IUY4X+k6AobUjOQySlLwchWsLjzo/1F7txm8kG6cgYz1KKXMcorqWUas7b?=
 =?iso-8859-1?Q?EX3tm09zZFmPb037p2P9su4zxf5MLOJaWNjwyEDx4QR2WOEF10I8DQ2/Re?=
 =?iso-8859-1?Q?DgvoPc1vmPq5omnYYtR0JqBpWhGrynYv1zJMxNmzW4/V+WaNUxDE/ouW/2?=
 =?iso-8859-1?Q?jqzVh5PniMunAvBsBdQG9xs4am+pN8/b5lTRFVsOMto6VDx1M//UZ2uguq?=
 =?iso-8859-1?Q?7hSGsmH71qqjvF9AAX0nH/mJJ8tx/Za80dFwWj3OapuaLSa1cgPwef+b/q?=
 =?iso-8859-1?Q?Lvqcc7ykpQ8N5mJ6jKaEuqtx3YMMdXzkL73AyhX4RyVE/gvN645VmKg2B3?=
 =?iso-8859-1?Q?chmo9d7bhIjdpHPcS///7LL2Yje6Zb/5k0r6iUq6nWyO0hPg3KzfqgKdYV?=
 =?iso-8859-1?Q?siG7v1fwB680Vt493icS1ECOhMcQvEpLYitiSWmPONy8nOJtmJYa6dS2cd?=
 =?iso-8859-1?Q?XJKuCdTAC8aHXEmaNH/p90bxjnETmIXHj6AdE33Cz+MbiwUVs8keH3C8JJ?=
 =?iso-8859-1?Q?IM=3D?=
x-microsoft-antispam-prvs: <BN6PR15MB1602F243A09A74B0DD27E86FB97A0@BN6PR15MB1602.namprd15.prod.outlook.com>
x-forefront-prvs: 095972DF2F
x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(136003)(376002)(366004)(39830400003)(346002)(396003)(199004)(189003)(36756003)(6486002)(6436002)(6512007)(97736004)(2906002)(5640700003)(71190400001)(68736007)(71200400001)(486006)(316002)(1076003)(66066001)(5660300002)(25786009)(105586002)(6916009)(446003)(86362001)(186003)(26005)(53936002)(6506007)(386003)(508600001)(2351001)(305945005)(7736002)(50226002)(8936002)(2501003)(3846002)(6116002)(476003)(81156014)(8676002)(81166006)(52116002)(2616005)(14444005)(256004)(11346002)(106356001)(99286004)(102836004)(76176011)(14454004);DIR:OUT;SFP:1102;SCL:1;SRVR:BN6PR15MB1602;H:BN6PR15MB1507.namprd15.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;A:1;MX:1;
received-spf: None (protection.outlook.com: tresys.com does not designate
 permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: +7DWc5+u27Mh2WlMxqwLztMgJ1kcAfIiB7Hl5NeqiCd5p2grwYsBLD3rn6qRA5kdibsP0SiXzjNnxw1S3WuWdYyFfK5n+KFtUGwPUnUUQIegAUd3vMt5NuYft/zHtJ6DdxemRsPnfCbBeX75Mkp+byhRh/ONsfzJuBYnCWQ8By96V+8jPuq3M/TCOZCn//196JlRlIFNipDZgRU6NtjIpdoChS07iyVjcbtKajk0dUXXnqVH6vAst8wF++yuT9n8BgghQOFrQxgjZ7bYmh5HyUwWmjhQwCXTBBRdMDtmwAVPq0xJNr36/AQR6d4bAhMMzUPXZNGD0qtXoUYcArFbZNnLcdozGDGE0Krr8gcXuDKA9aj3olpp0p+97qzPYje1arsBxrr4TL7bIvJyavLVh1BrWJP9aM0K+q6LWd7Q9c8=
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: tresys.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2029d58c-2156-4428-c25e-08d69b7a3df6
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Feb 2019 23:37:44.6740
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-id: a0d45667-6c07-4e88-868f-4ac9af95c7ed
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR15MB1602
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Currently freshclam can only be started from cron or init.  This adds
the option of starting from a different process and optionally=20
transitioning or staying in the callers domain.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/services/clamav.if | 64 +++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)

diff --git a/policy/modules/services/clamav.if b/policy/modules/services/cl=
amav.if
index 0dc1e23c..30d0b814 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -251,6 +251,70 @@ interface(`clamav_scannable_files',`
 	typeattribute $1 clam_scannable_type;
 ')
=20
+########################################
+## <summary>
+##	Execute a domain transition to run freshclam.
+## </summary>
+## <param name=3D"domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`clamav_domtrans_freshclam',`
+	gen_require(`
+		type freshclam_t, freshclam_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, freshclam_exec_t, freshclam_t)
+')
+
+########################################
+## <summary>
+##	Execute freshclam in the freshclam domain, and
+##	allow the specified role the freshclam domain.
+## </summary>
+## <param name=3D"domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name=3D"role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`clamav_run_freshclam',`
+	gen_require(`
+		type freshclam_t;
+	')
+
+	clamav_domtrans_freshclam($1)
+	role $2 types freshclam_t;
+')
+
+########################################
+## <summary>
+##	Execute freshclam in the caller domain.
+## </summary>
+## <param name=3D"domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`clamav_exec_freshclam',`
+	gen_require(`
+		type freshclam_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, freshclam_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	Allow specified domain to enable clamd units
--=20
2.20.1