Message-ID: <610ce5825c5871d06207b6d505f63dffe8c163d7.camel@ieee.org>
Subject: Re: [PATCH] Add interfaces to run freshclam
From:   Chris PeBenito <pebenito@ieee.org>
To:     "Sugar, David" <dsugar@tresys.com>,
        "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
Date:   Tue, 26 Feb 2019 19:22:38 -0800
In-Reply-To: <20190225233708.15319-2-dsugar@tresys.com>
References: <20190225233708.15319-1-dsugar@tresys.com>
         <20190225233708.15319-2-dsugar@tresys.com>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.30.5 (3.30.5-1.fc29) 
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk

On Mon, 2019-02-25 at 23:37 +0000, Sugar, David wrote:
> Currently freshclam can only be started from cron or init.  This adds
> the option of starting from a different process and optionally 
> transitioning or staying in the callers domain.
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>  policy/modules/services/clamav.if | 64
> +++++++++++++++++++++++++++++++
>  1 file changed, 64 insertions(+)
> 
> diff --git a/policy/modules/services/clamav.if
> b/policy/modules/services/clamav.if
> index 0dc1e23c..30d0b814 100644
> --- a/policy/modules/services/clamav.if
> +++ b/policy/modules/services/clamav.if
> @@ -251,6 +251,70 @@ interface(`clamav_scannable_files',`
>  	typeattribute $1 clam_scannable_type;
>  ')
>  
> +########################################
> +## <summary>
> +##	Execute a domain transition to run freshclam.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +#
> +interface(`clamav_domtrans_freshclam',`
> +	gen_require(`
> +		type freshclam_t, freshclam_exec_t;
> +	')
> +
> +	corecmd_search_bin($1)
> +	domtrans_pattern($1, freshclam_exec_t, freshclam_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Execute freshclam in the freshclam domain, and
> +##	allow the specified role the freshclam domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`clamav_run_freshclam',`
> +	gen_require(`
> +		type freshclam_t;
> +	')
> +
> +	clamav_domtrans_freshclam($1)
> +	role $2 types freshclam_t;
> +')
> +
> +########################################
> +## <summary>
> +##	Execute freshclam in the caller domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`clamav_exec_freshclam',`
> +	gen_require(`
> +		type freshclam_exec_t;
> +	')
> +
> +	corecmd_search_bin($1)
> +	can_exec($1, freshclam_exec_t)
> +')
> +
>  ########################################
>  ## <summary>
>  ##	Allow specified domain to enable clamd units

Merged.

-- 
Chris PeBenito