Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 e8e9a21... b2c9403... M policy/modules/services/clamav.fc
:100644 100644 e5f35e8... d955113... M policy/modules/services/clamav.if
:100644 100644 c48c85b... 58f23ec... M policy/modules/services/clamav.te
policy/modules/services/clamav.fc | 5 ++-
policy/modules/services/clamav.if | 88 +++++++++++++++++++++++++++++++++++++
policy/modules/services/clamav.te | 53 ++++++++++++++++++++++
3 files changed, 145 insertions(+), 1 deletions(-)
diff --git a/policy/modules/services/clamav.fc b/policy/modules/services/clamav.fc
index e8e9a21..b2c9403 100644
--- a/policy/modules/services/clamav.fc
+++ b/policy/modules/services/clamav.fc
@@ -1,5 +1,7 @@
/etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0)
-/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
+/etc/clamsmtpd.conf -- gen_context(system_u:object_r:clamsmtpd_etc_t,s0)
+/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/clamsmtpd -- gen_context(system_u:object_r:clamsmtpd_initrc_exec_t,s0)
/usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
/usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
@@ -7,6 +9,7 @@
/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
+/usr/sbin/clamsmtpd -- gen_context(system_u:object_r:clamsmtpd_exec_t,s0)
/var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index e5f35e8..d955113 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -20,6 +20,42 @@ interface(`clamav_domtrans',`
########################################
## <summary>
+## Execute a domain transition to run clamsmtpd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`clamav_domtrans_clamsmtpd',`
+ gen_require(`
+ type clamsmtpd_t, clamsmtpd_exec_t;
+ ')
+
+ domtrans_pattern($1, clamsmtpd_exec_t, clamsmtpd_t)
+')
+
+########################################
+## <summary>
+## Execute clamsmtpd server in the clamsmtpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`clamav_initrc_domtrans_clamsmtpd',`
+ gen_require(`
+ type clamsmtpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, clamsmtpd_initrc_exec_t)
+')
+
+########################################
+## <summary>
## Connect to run clamd.
## </summary>
## <param name="domain">
@@ -78,6 +114,25 @@ interface(`clamav_read_config',`
########################################
## <summary>
+## Read clamsmtpd configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_read_clamsmtpd_config',`
+ gen_require(`
+ type clamsmtpd_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 clamsmtpd_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Search clamav libraries directories.
## </summary>
## <param name="domain">
@@ -97,6 +152,25 @@ interface(`clamav_search_lib',`
########################################
## <summary>
+## Read clamsmtpd temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_read_clamsmtpd_tmp_files',`
+ gen_require(`
+ type clamsmtpd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, tmp_t, clamsmtpd_tmp_t)
+')
+
+########################################
+## <summary>
## Execute a domain transition to run clamscan.
## </summary>
## <param name="domain">
@@ -155,6 +229,8 @@ interface(`clamav_admin',`
type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
type clamd_initrc_exec_t;
type freshclam_t, freshclam_var_log_t;
+ type clamsmtpd_t, clamsmtpd_initrc_exec_t;
+ type clamsmtpd_etc_t, clamsmtpd_tmp_t;
')
allow $1 clamd_t:process { ptrace signal_perms };
@@ -163,6 +239,9 @@ interface(`clamav_admin',`
allow $1 clamscan_t:process { ptrace signal_perms };
ps_process_pattern($1, clamscan_t)
+ allow $1 clamsmtpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, clamsmtpd_t)
+
allow $1 freshclam_t:process { ptrace signal_perms };
ps_process_pattern($1, freshclam_t)
@@ -171,6 +250,11 @@ interface(`clamav_admin',`
role_transition $2 clamd_initrc_exec_t system_r;
allow $2 system_r;
+ init_labeled_script_domtrans($1, clamsmtpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 clamsmtpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
files_list_etc($1)
admin_pattern($1, clamd_etc_t)
@@ -188,5 +272,9 @@ interface(`clamav_admin',`
admin_pattern($1, clamscan_tmp_t)
+ admin_pattern($1, clamsmtpd_etc_t)
+
+ admin_pattern($1, clamsmtpd_tmp_t)
+
admin_pattern($1, freshclam_var_log_t)
')
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index c48c85b..58f23ec 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -43,6 +43,19 @@ init_daemon_domain(clamscan_t, clamscan_exec_t)
type clamscan_tmp_t;
files_tmp_file(clamscan_tmp_t)
+type clamsmtpd_t;
+type clamsmtpd_exec_t;
+init_daemon_domain(clamsmtpd_t, clamsmtpd_exec_t)
+
+type clamsmtpd_etc_t;
+files_config_file(clamsmtpd_etc_t)
+
+type clamsmtpd_initrc_exec_t;
+init_script_file(clamsmtpd_initrc_exec_t)
+
+type clamsmtpd_tmp_t;
+files_tmp_file(clamsmtpd_tmp_t)
+
type freshclam_t;
type freshclam_exec_t;
init_daemon_domain(freshclam_t, freshclam_exec_t)
@@ -121,6 +134,8 @@ logging_send_syslog_msg(clamd_t)
miscfiles_read_localization(clamd_t)
+clamav_read_clamsmtpd_tmp_files(clamd_t)
+
cron_use_fds(clamd_t)
cron_use_system_job_fds(clamd_t)
cron_rw_pipes(clamd_t)
@@ -141,6 +156,44 @@ optional_policy(`
########################################
#
+# ClamSMTPd local policy
+#
+
+allow clamsmtpd_t self:capability { kill setgid setuid };
+allow clamsmtpd_t self:process { fork signal };
+allow clamsmtpd_t self:fifo_file rw_fifo_file_perms;
+allow clamsmtpd_t self:unix_stream_socket create_stream_socket_perms;
+allow clamsmtpd_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(clamsmtpd_t, clamsmtpd_tmp_t, clamsmtpd_tmp_t)
+files_tmp_filetrans(clamsmtpd_t, clamsmtpd_tmp_t, file)
+
+corenet_all_recvfrom_unlabeled(clamsmtpd_t)
+corenet_all_recvfrom_netlabel(clamsmtpd_t)
+corenet_tcp_sendrecv_generic_if(clamsmtpd_t)
+corenet_tcp_sendrecv_generic_node(clamsmtpd_t)
+corenet_tcp_sendrecv_all_ports(clamsmtpd_t)
+corenet_tcp_bind_generic_node(clamsmtpd_t)
+corenet_tcp_bind_smtp_beforequeue_port(clamsmtpd_t)
+corenet_tcp_connect_smtp_afterqueue_port(clamsmtpd_t)
+corenet_sendrecv_smtp_afterqueue_client_packets(clamsmtpd_t)
+corenet_sendrecv_smtp_beforequeue_server_packets(clamsmtpd_t)
+
+auth_use_nsswitch(clamsmtpd_t)
+
+domain_use_interactive_fds(clamsmtpd_t)
+
+clamav_stream_connect(clamsmtpd_t)
+clamav_read_clamsmtpd_config(clamsmtpd_t)
+
+logging_send_syslog_msg(clamsmtpd_t)
+
+miscfiles_read_localization(clamsmtpd_t)
+
+sysnet_dns_name_resolve(clamsmtpd_t)
+
+########################################
+#
# Freshclam local policy
#
--
1.7.0.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100427/fc32f782/attachment-0001.bin
On Tue, 2010-04-27 at 13:55 +0200, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> :100644 100644 e8e9a21... b2c9403... M policy/modules/services/clamav.fc
> :100644 100644 e5f35e8... d955113... M policy/modules/services/clamav.if
> :100644 100644 c48c85b... 58f23ec... M policy/modules/services/clamav.te
> policy/modules/services/clamav.fc | 5 ++-
> policy/modules/services/clamav.if | 88 +++++++++++++++++++++++++++++++++++++
> policy/modules/services/clamav.te | 53 ++++++++++++++++++++++
> 3 files changed, 145 insertions(+), 1 deletions(-)
I think this needs to go in its own module.
> diff --git a/policy/modules/services/clamav.fc b/policy/modules/services/clamav.fc
> index e8e9a21..b2c9403 100644
> --- a/policy/modules/services/clamav.fc
> +++ b/policy/modules/services/clamav.fc
> @@ -1,5 +1,7 @@
> /etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0)
> -/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
> +/etc/clamsmtpd.conf -- gen_context(system_u:object_r:clamsmtpd_etc_t,s0)
> +/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/clamsmtpd -- gen_context(system_u:object_r:clamsmtpd_initrc_exec_t,s0)
>
> /usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
> /usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
> @@ -7,6 +9,7 @@
>
> /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
> /usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
> +/usr/sbin/clamsmtpd -- gen_context(system_u:object_r:clamsmtpd_exec_t,s0)
>
> /var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
> /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
> diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
> index e5f35e8..d955113 100644
> --- a/policy/modules/services/clamav.if
> +++ b/policy/modules/services/clamav.if
> @@ -20,6 +20,42 @@ interface(`clamav_domtrans',`
>
> ########################################
> ## <summary>
> +## Execute a domain transition to run clamsmtpd.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`clamav_domtrans_clamsmtpd',`
> + gen_require(`
> + type clamsmtpd_t, clamsmtpd_exec_t;
> + ')
> +
> + domtrans_pattern($1, clamsmtpd_exec_t, clamsmtpd_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute clamsmtpd server in the clamsmtpd domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`clamav_initrc_domtrans_clamsmtpd',`
> + gen_require(`
> + type clamsmtpd_initrc_exec_t;
> + ')
> +
> + init_labeled_script_domtrans($1, clamsmtpd_initrc_exec_t)
> +')
> +
> +########################################
> +## <summary>
> ## Connect to run clamd.
> ## </summary>
> ## <param name="domain">
> @@ -78,6 +114,25 @@ interface(`clamav_read_config',`
>
> ########################################
> ## <summary>
> +## Read clamsmtpd configuration files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`clamav_read_clamsmtpd_config',`
> + gen_require(`
> + type clamsmtpd_etc_t;
> + ')
> +
> + files_search_etc($1)
> + allow $1 clamsmtpd_etc_t:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Search clamav libraries directories.
> ## </summary>
> ## <param name="domain">
> @@ -97,6 +152,25 @@ interface(`clamav_search_lib',`
>
> ########################################
> ## <summary>
> +## Read clamsmtpd temporary files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`clamav_read_clamsmtpd_tmp_files',`
> + gen_require(`
> + type clamsmtpd_tmp_t;
> + ')
> +
> + files_search_tmp($1)
> + read_files_pattern($1, tmp_t, clamsmtpd_tmp_t)
> +')
> +
> +########################################
> +## <summary>
> ## Execute a domain transition to run clamscan.
> ## </summary>
> ## <param name="domain">
> @@ -155,6 +229,8 @@ interface(`clamav_admin',`
> type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
> type clamd_initrc_exec_t;
> type freshclam_t, freshclam_var_log_t;
> + type clamsmtpd_t, clamsmtpd_initrc_exec_t;
> + type clamsmtpd_etc_t, clamsmtpd_tmp_t;
> ')
>
> allow $1 clamd_t:process { ptrace signal_perms };
> @@ -163,6 +239,9 @@ interface(`clamav_admin',`
> allow $1 clamscan_t:process { ptrace signal_perms };
> ps_process_pattern($1, clamscan_t)
>
> + allow $1 clamsmtpd_t:process { ptrace signal_perms };
> + ps_process_pattern($1, clamsmtpd_t)
> +
> allow $1 freshclam_t:process { ptrace signal_perms };
> ps_process_pattern($1, freshclam_t)
>
> @@ -171,6 +250,11 @@ interface(`clamav_admin',`
> role_transition $2 clamd_initrc_exec_t system_r;
> allow $2 system_r;
>
> + init_labeled_script_domtrans($1, clamsmtpd_initrc_exec_t)
> + domain_system_change_exemption($1)
> + role_transition $2 clamsmtpd_initrc_exec_t system_r;
> + allow $2 system_r;
> +
> files_list_etc($1)
> admin_pattern($1, clamd_etc_t)
>
> @@ -188,5 +272,9 @@ interface(`clamav_admin',`
>
> admin_pattern($1, clamscan_tmp_t)
>
> + admin_pattern($1, clamsmtpd_etc_t)
> +
> + admin_pattern($1, clamsmtpd_tmp_t)
> +
> admin_pattern($1, freshclam_var_log_t)
> ')
> diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
> index c48c85b..58f23ec 100644
> --- a/policy/modules/services/clamav.te
> +++ b/policy/modules/services/clamav.te
> @@ -43,6 +43,19 @@ init_daemon_domain(clamscan_t, clamscan_exec_t)
> type clamscan_tmp_t;
> files_tmp_file(clamscan_tmp_t)
>
> +type clamsmtpd_t;
> +type clamsmtpd_exec_t;
> +init_daemon_domain(clamsmtpd_t, clamsmtpd_exec_t)
> +
> +type clamsmtpd_etc_t;
> +files_config_file(clamsmtpd_etc_t)
> +
> +type clamsmtpd_initrc_exec_t;
> +init_script_file(clamsmtpd_initrc_exec_t)
> +
> +type clamsmtpd_tmp_t;
> +files_tmp_file(clamsmtpd_tmp_t)
> +
> type freshclam_t;
> type freshclam_exec_t;
> init_daemon_domain(freshclam_t, freshclam_exec_t)
> @@ -121,6 +134,8 @@ logging_send_syslog_msg(clamd_t)
>
> miscfiles_read_localization(clamd_t)
>
> +clamav_read_clamsmtpd_tmp_files(clamd_t)
> +
> cron_use_fds(clamd_t)
> cron_use_system_job_fds(clamd_t)
> cron_rw_pipes(clamd_t)
> @@ -141,6 +156,44 @@ optional_policy(`
>
> ########################################
> #
> +# ClamSMTPd local policy
> +#
> +
> +allow clamsmtpd_t self:capability { kill setgid setuid };
> +allow clamsmtpd_t self:process { fork signal };
> +allow clamsmtpd_t self:fifo_file rw_fifo_file_perms;
> +allow clamsmtpd_t self:unix_stream_socket create_stream_socket_perms;
> +allow clamsmtpd_t self:tcp_socket create_stream_socket_perms;
> +
> +manage_files_pattern(clamsmtpd_t, clamsmtpd_tmp_t, clamsmtpd_tmp_t)
> +files_tmp_filetrans(clamsmtpd_t, clamsmtpd_tmp_t, file)
> +
> +corenet_all_recvfrom_unlabeled(clamsmtpd_t)
> +corenet_all_recvfrom_netlabel(clamsmtpd_t)
> +corenet_tcp_sendrecv_generic_if(clamsmtpd_t)
> +corenet_tcp_sendrecv_generic_node(clamsmtpd_t)
> +corenet_tcp_sendrecv_all_ports(clamsmtpd_t)
> +corenet_tcp_bind_generic_node(clamsmtpd_t)
> +corenet_tcp_bind_smtp_beforequeue_port(clamsmtpd_t)
> +corenet_tcp_connect_smtp_afterqueue_port(clamsmtpd_t)
> +corenet_sendrecv_smtp_afterqueue_client_packets(clamsmtpd_t)
> +corenet_sendrecv_smtp_beforequeue_server_packets(clamsmtpd_t)
> +
> +auth_use_nsswitch(clamsmtpd_t)
> +
> +domain_use_interactive_fds(clamsmtpd_t)
> +
> +clamav_stream_connect(clamsmtpd_t)
> +clamav_read_clamsmtpd_config(clamsmtpd_t)
> +
> +logging_send_syslog_msg(clamsmtpd_t)
> +
> +miscfiles_read_localization(clamsmtpd_t)
> +
> +sysnet_dns_name_resolve(clamsmtpd_t)
> +
> +########################################
> +#
> # Freshclam local policy
> #
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com