From: "Sugar, David"
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH] Add interfaces to run freshclam
Date: Mon, 25 Feb 2019 23:37:45 +0000
Message-ID: <20190225233708.15319-2-dsugar@tresys.com>
In-Reply-To: <20190225233708.15319-1-dsugar@tresys.com>

Currently freshclam can only be started from cron or init. This adds the option of starting from a different process and optionally transitioning or staying in the caller's domain.

Signed-off-by: Dave Sugar
---
 policy/modules/services/clamav.if | 64 +++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)

diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 0dc1e23c..30d0b814 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -251,6 +251,70 @@ interface(`clamav_scannable_files',` typeattribute $1 clam_scannable_type; ') =20 +######################################## +## +## Execute a domain transition to run freshclam. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`clamav_domtrans_freshclam',` + gen_require(` + type freshclam_t, freshclam_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, freshclam_exec_t, freshclam_t) +') + +######################################## +## +## Execute freshclam in the freshclam domain, and +## allow the specified role the freshclam domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`clamav_run_freshclam',` + gen_require(` + type freshclam_t; + ') + + clamav_domtrans_freshclam($1) + role $2 types freshclam_t; +') + +######################################## +## +## Execute freshclam in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`clamav_exec_freshclam',` + gen_require(` + type freshclam_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, freshclam_exec_t) +') + ######################################## ## ## Allow specified domain to enable clamd units --=20 2.20.1
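Review bot: the `clamav_exec_freshclam` interface at the end of the hunk (`can_exec($1, freshclam_exec_t)`) lets a caller run freshclam without leaving its own domain, so the caller rather than `freshclam_t` must carry every permission the update needs, none of which this interface grants, and the description says only "Execute freshclam in the caller domain". Please state in the interface description, or in the commit message (which names no concrete caller), which domain needs this and why the transition provided by `clamav_domtrans_freshclam` is not sufficient for it, so the loss of confinement is visibly intentional rather than a convenience. The two transition interfaces look fine: `clamav_domtrans_freshclam` follows the usual `corecmd_search_bin($1)` plus `domtrans_pattern($1, freshclam_exec_t, freshclam_t)` shape, and `clamav_run_freshclam` layers `role $2 types freshclam_t;` on top of it.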
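As an added illustration of how a consumer would use the three interfaces from this patch, here is a hypothetical local policy module. It is example code, not part of the patch or of refpolicy; the `myupdater` module, its `myupdater_t` and `myupdater_exec_t` types, and the choice of `sysadm_t`/`sysadm_r` for the role example are assumptions made for the illustration.

```m4
policy_module(myupdater, 1.0.0)

########################################
#
# Declarations
#

# Hypothetical wrapper that refreshes the ClamAV signature database
# from a service of its own (example only; not a refpolicy domain).
type myupdater_t;
type myupdater_exec_t;
init_daemon_domain(myupdater_t, myupdater_exec_t)

########################################
#
# Local policy
#

# Option 1: transition into freshclam_t when freshclam is executed, so
# the update runs with freshclam's own permissions and myupdater_t does
# not need any of them.
optional_policy(`
	clamav_domtrans_freshclam(myupdater_t)
')

# Option 2 (use instead of option 1, not together with it): execute
# freshclam inside myupdater_t. myupdater_t then needs every permission
# freshclam uses during an update (database directory writes, outbound
# network access), which this interface does not grant, so the
# transition above is the safer default.
#optional_policy(`
#	clamav_exec_freshclam(myupdater_t)
#')

# For an interactive administrator who should be able to run freshclam
# by hand and land in freshclam_t, the role-aware variant is used from
# the role's own module (shown here only to illustrate the call):
#optional_policy(`
#	clamav_run_freshclam(sysadm_t, sysadm_r)
#')
```

After building and loading the module, `sesearch -T -s myupdater_t -t freshclam_exec_t -c process` should list the `type_transition` to `freshclam_t` for option 1; with option 2 instead, `sesearch -A -s myupdater_t -t freshclam_exec_t -c file -p execute_no_trans` shows the direct execute permission and no transition rule.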