From: domg472@gmail.com (Dominick Grift)
Date: Tue, 27 Apr 2010 13:55:38 +0200
Subject: [refpolicy] [ Implement ClamSMTPd policy. 3/5] Implement ClamSMTPd policy.
Message-ID: <20100427115535.GA32761@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Signed-off-by: Dominick Grift
---
:100644 100644 e8e9a21... b2c9403... M	policy/modules/services/clamav.fc
:100644 100644 e5f35e8... d955113... M	policy/modules/services/clamav.if
:100644 100644 c48c85b... 58f23ec... M	policy/modules/services/clamav.te
 policy/modules/services/clamav.fc |    5 ++-
 policy/modules/services/clamav.if |   88 +++++++++++++++++++++++++++++++++++++
 policy/modules/services/clamav.te |   53 ++++++++++++++++++++++
 3 files changed, 145 insertions(+), 1 deletions(-)
diff --git a/policy/modules/services/clamav.fc b/policy/modules/services/clamav.fc
index e8e9a21..b2c9403 100644
--- a/policy/modules/services/clamav.fc
+++ b/policy/modules/services/clamav.fc
@@ -1,5 +1,7 @@
 /etc/clamav(/.*)?	gen_context(system_u:object_r:clamd_etc_t,s0)
-/etc/rc\.d/init\.d/clamd-wrapper	--	gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
+/etc/clamsmtpd.conf	--	gen_context(system_u:object_r:clamsmtpd_etc_t,s0)
+/etc/rc\.d/init\.d/clamd-wrapper	--	gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/clamsmtpd	--	gen_context(system_u:object_r:clamsmtpd_initrc_exec_t,s0)
 
 /usr/bin/clamscan	--	gen_context(system_u:object_r:clamscan_exec_t,s0)
 /usr/bin/clamdscan	--	gen_context(system_u:object_r:clamscan_exec_t,s0)
@@ -7,6 +9,7 @@
 
 /usr/sbin/clamd	--	gen_context(system_u:object_r:clamd_exec_t,s0)
 /usr/sbin/clamav-milter	--	gen_context(system_u:object_r:clamd_exec_t,s0)
+/usr/sbin/clamsmtpd	--	gen_context(system_u:object_r:clamsmtpd_exec_t,s0)
 
 /var/clamav(/.*)?	gen_context(system_u:object_r:clamd_var_lib_t,s0)
 /var/lib/clamav(/.*)?	gen_context(system_u:object_r:clamd_var_lib_t,s0)
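Review bot: The new `/etc/clamsmtpd.conf` entry in the first hunk leaves the dot unescaped, so as a file-context regex it matches any single character in that position rather than only a literal dot; the neighbouring `clamd-wrapper` and `clamsmtpd` init-script entries escape theirs. The line should read `/etc/clamsmtpd\.conf	--	gen_context(system_u:object_r:clamsmtpd_etc_t,s0)`. The `/usr/sbin/clamsmtpd` entry in the second hunk contains no regex metacharacters and needs no change.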
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index e5f35e8..d955113 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -20,6 +20,42 @@ interface(`clamav_domtrans',`
 
 ########################################
 ##
+## Execute a domain transition to run clamsmtpd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`clamav_domtrans_clamsmtpd',`
+	gen_require(`
+		type clamsmtpd_t, clamsmtpd_exec_t;
+	')
+
+	domtrans_pattern($1, clamsmtpd_exec_t, clamsmtpd_t)
+')
+
+########################################
+##
+## Execute clamsmtpd server in the clamsmtpd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`clamav_initrc_domtrans_clamsmtpd',`
+	gen_require(`
+		type clamsmtpd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, clamsmtpd_initrc_exec_t)
+')
+
+########################################
+##
 ## Connect to run clamd.
 ##
 ##
@@ -78,6 +114,25 @@ interface(`clamav_read_config',`
 
 ########################################
 ##
+## Read clamsmtpd configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`clamav_read_clamsmtpd_config',`
+	gen_require(`
+		type clamsmtpd_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 clamsmtpd_etc_t:file read_file_perms;
+')
+
+########################################
+##
 ## Search clamav libraries directories.
 ##
 ##
@@ -97,6 +152,25 @@ interface(`clamav_search_lib',`
 
 ########################################
 ##
+## Read clamsmtpd temporary files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`clamav_read_clamsmtpd_tmp_files',`
+	gen_require(`
+		type clamsmtpd_tmp_t;
+	')
+
+	files_search_tmp($1)
+	read_files_pattern($1, tmp_t, clamsmtpd_tmp_t)
+')
+
+########################################
+##
 ## Execute a domain transition to run clamscan.
 ##
 ##
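Review bot: `clamav_read_clamsmtpd_tmp_files` in the third hunk passes `tmp_t` to `read_files_pattern` without declaring it in the interface's `gen_require`, and `tmp_t` is owned by the files module rather than by clamav, so the interface is expected to fail when expanded and would cut across the module layering even if it did not. `files_search_tmp($1)` on the preceding line already grants the search on the generic tmp directory, so the pattern should name only the module's own type: `read_files_pattern($1, clamsmtpd_tmp_t, clamsmtpd_tmp_t)`. The two interfaces in the first hunk and `clamav_read_clamsmtpd_config` in the second follow the usual require/pattern shape and raise no issue.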
@@ -155,6 +229,8 @@ interface(`clamav_admin',`
 		type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
 		type clamd_initrc_exec_t;
 		type freshclam_t, freshclam_var_log_t;
+		type clamsmtpd_t, clamsmtpd_initrc_exec_t;
+		type clamsmtpd_etc_t, clamsmtpd_tmp_t;
 	')
 
 	allow $1 clamd_t:process { ptrace signal_perms };
@@ -163,6 +239,9 @@ interface(`clamav_admin',`
 	allow $1 clamscan_t:process { ptrace signal_perms };
 	ps_process_pattern($1, clamscan_t)
 
+	allow $1 clamsmtpd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, clamsmtpd_t)
+
 	allow $1 freshclam_t:process { ptrace signal_perms };
 	ps_process_pattern($1, freshclam_t)
 
@@ -171,6 +250,11 @@ interface(`clamav_admin',`
 	role_transition $2 clamd_initrc_exec_t system_r;
 	allow $2 system_r;
 
+	init_labeled_script_domtrans($1, clamsmtpd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 clamsmtpd_initrc_exec_t system_r;
+	allow $2 system_r;
+
 	files_list_etc($1)
 	admin_pattern($1, clamd_etc_t)
 
@@ -188,5 +272,9 @@ interface(`clamav_admin',`
 
 	admin_pattern($1, clamscan_tmp_t)
 
+	admin_pattern($1, clamsmtpd_etc_t)
+
+	admin_pattern($1, clamsmtpd_tmp_t)
+
 	admin_pattern($1, freshclam_var_log_t)
 ')
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index c48c85b..58f23ec 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -43,6 +43,19 @@ init_daemon_domain(clamscan_t, clamscan_exec_t)
 type clamscan_tmp_t;
 files_tmp_file(clamscan_tmp_t)
 
+type clamsmtpd_t;
+type clamsmtpd_exec_t;
+init_daemon_domain(clamsmtpd_t, clamsmtpd_exec_t)
+
+type clamsmtpd_etc_t;
+files_config_file(clamsmtpd_etc_t)
+
+type clamsmtpd_initrc_exec_t;
+init_script_file(clamsmtpd_initrc_exec_t)
+
+type clamsmtpd_tmp_t;
+files_tmp_file(clamsmtpd_tmp_t)
+
 type freshclam_t;
 type freshclam_exec_t;
 init_daemon_domain(freshclam_t, freshclam_exec_t)
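Review bot: The third `clamav_admin` hunk repeats `domain_system_change_exemption($1)` and `allow $2 system_r;`, both of which the clamd block immediately above it already grants (the context lines show the existing `allow $2 system_r;`); the duplicates are harmless to the compiled policy but add noise to an interface that is already long. Only the two clamsmtpd-specific lines are needed: `init_labeled_script_domtrans($1, clamsmtpd_initrc_exec_t)` and `role_transition $2 clamsmtpd_initrc_exec_t system_r;`. The `gen_require` and `admin_pattern` hunks, and the type declarations added to clamav.te, look consistent with the existing clamd and clamscan entries.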
@@ -121,6 +134,8 @@ logging_send_syslog_msg(clamd_t)
 
 miscfiles_read_localization(clamd_t)
 
+clamav_read_clamsmtpd_tmp_files(clamd_t)
+
 cron_use_fds(clamd_t)
 cron_use_system_job_fds(clamd_t)
 cron_rw_pipes(clamd_t)
@@ -141,6 +156,44 @@ optional_policy(`
 
 ########################################
 #
+# ClamSMTPd local policy
+#
+
+allow clamsmtpd_t self:capability { kill setgid setuid };
+allow clamsmtpd_t self:process { fork signal };
+allow clamsmtpd_t self:fifo_file rw_fifo_file_perms;
+allow clamsmtpd_t self:unix_stream_socket create_stream_socket_perms;
+allow clamsmtpd_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(clamsmtpd_t, clamsmtpd_tmp_t, clamsmtpd_tmp_t)
+files_tmp_filetrans(clamsmtpd_t, clamsmtpd_tmp_t, file)
+
+corenet_all_recvfrom_unlabeled(clamsmtpd_t)
+corenet_all_recvfrom_netlabel(clamsmtpd_t)
+corenet_tcp_sendrecv_generic_if(clamsmtpd_t)
+corenet_tcp_sendrecv_generic_node(clamsmtpd_t)
+corenet_tcp_sendrecv_all_ports(clamsmtpd_t)
+corenet_tcp_bind_generic_node(clamsmtpd_t)
+corenet_tcp_bind_smtp_beforequeue_port(clamsmtpd_t)
+corenet_tcp_connect_smtp_afterqueue_port(clamsmtpd_t)
+corenet_sendrecv_smtp_afterqueue_client_packets(clamsmtpd_t)
+corenet_sendrecv_smtp_beforequeue_server_packets(clamsmtpd_t)
+
+auth_use_nsswitch(clamsmtpd_t)
+
+domain_use_interactive_fds(clamsmtpd_t)
+
+clamav_stream_connect(clamsmtpd_t)
+clamav_read_clamsmtpd_config(clamsmtpd_t)
+
+logging_send_syslog_msg(clamsmtpd_t)
+
+miscfiles_read_localization(clamsmtpd_t)
+
+sysnet_dns_name_resolve(clamsmtpd_t)
+
+########################################
+#
 # Freshclam local policy
 #
 
-- 
1.7.0.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100427/fc32f782/attachment-0001.bin
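Review bot: `clamav_read_clamsmtpd_tmp_files(clamd_t)` in the first clamav.te hunk calls an interface of the module it lives in, and the ClamSMTPd hunk below does the same with `clamav_stream_connect(clamsmtpd_t)` and `clamav_read_clamsmtpd_config(clamsmtpd_t)`; refpolicy convention is that a .te file uses its own types directly and reserves the module's interfaces for other modules. For the clamd rule that is `read_files_pattern(clamd_t, clamsmtpd_tmp_t, clamsmtpd_tmp_t)` plus `files_search_tmp(clamd_t)`, and for the config read `read_files_pattern(clamsmtpd_t, clamsmtpd_etc_t, clamsmtpd_etc_t)` plus `files_search_etc(clamsmtpd_t)`; the clamd socket connect can likewise be written as a direct `stream_connect_pattern` on the types `clamav_stream_connect` requires. This also removes the build-order dependency the self-calls create on the interfaces added earlier in the same series.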
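Review bot: `allow clamsmtpd_t self:capability { kill setgid setuid };` in the ClamSMTPd hunk grants CAP_KILL, which is only required to signal processes running under a different uid; the same hunk already allows `self:process { fork signal }`, which covers signalling its own forked children, so unless the daemon is known to signal foreign processes the line should be narrowed to `allow clamsmtpd_t self:capability { setgid setuid };`. The `corenet_tcp_bind_smtp_beforequeue_port`, `corenet_tcp_connect_smtp_afterqueue_port` and the two matching `corenet_sendrecv_*` calls presumably rely on port declarations introduced by an earlier patch in this series; if so, the commit message should say that this patch cannot be applied on its own.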