From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 21 May 2010 09:35:53 -0400 Subject: [refpolicy] [ Implement ClamSMTPd policy. 3/5] Implement ClamSMTPd policy. In-Reply-To: <20100427115535.GA32761@localhost.localdomain> References: <20100427115535.GA32761@localhost.localdomain> Message-ID: <1274448953.8988.8.camel@gorn.columbia.tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Tue, 2010-04-27 at 13:55 +0200, Dominick Grift wrote: > Signed-off-by: Dominick Grift > --- > :100644 100644 e8e9a21... b2c9403... M policy/modules/services/clamav.fc > :100644 100644 e5f35e8... d955113... M policy/modules/services/clamav.if > :100644 100644 c48c85b... 58f23ec... M policy/modules/services/clamav.te > policy/modules/services/clamav.fc | 5 ++- > policy/modules/services/clamav.if | 88 +++++++++++++++++++++++++++++++++++++ > policy/modules/services/clamav.te | 53 ++++++++++++++++++++++ > 3 files changed, 145 insertions(+), 1 deletions(-) I think this needs to go in its own module. > diff --git a/policy/modules/services/clamav.fc b/policy/modules/services/clamav.fc > index e8e9a21..b2c9403 100644 > --- a/policy/modules/services/clamav.fc > +++ b/policy/modules/services/clamav.fc > @@ -1,5 +1,7 @@ > /etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0) > -/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0) > +/etc/clamsmtpd.conf -- gen_context(system_u:object_r:clamsmtpd_etc_t,s0) > +/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0) > +/etc/rc\.d/init\.d/clamsmtpd -- gen_context(system_u:object_r:clamsmtpd_initrc_exec_t,s0) > > /usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) > /usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) > @@ -7,6 +9,7 @@ > > /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0) > /usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0) > +/usr/sbin/clamsmtpd -- gen_context(system_u:object_r:clamsmtpd_exec_t,s0) > > /var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) > /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) > diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if > index e5f35e8..d955113 100644 > --- a/policy/modules/services/clamav.if > +++ b/policy/modules/services/clamav.if > @@ -20,6 +20,42 @@ interface(`clamav_domtrans',` > > ######################################## > ## > +## Execute a domain transition to run clamsmtpd. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`clamav_domtrans_clamsmtpd',` > + gen_require(` > + type clamsmtpd_t, clamsmtpd_exec_t; > + ') > + > + domtrans_pattern($1, clamsmtpd_exec_t, clamsmtpd_t) > +') > + > +######################################## > +## > +## Execute clamsmtpd server in the clamsmtpd domain. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`clamav_initrc_domtrans_clamsmtpd',` > + gen_require(` > + type clamsmtpd_initrc_exec_t; > + ') > + > + init_labeled_script_domtrans($1, clamsmtpd_initrc_exec_t) > +') > + > +######################################## > +## > ## Connect to run clamd. > ## > ## > @@ -78,6 +114,25 @@ interface(`clamav_read_config',` > > ######################################## > ## > +## Read clamsmtpd configuration files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`clamav_read_clamsmtpd_config',` > + gen_require(` > + type clamsmtpd_etc_t; > + ') > + > + files_search_etc($1) > + allow $1 clamsmtpd_etc_t:file read_file_perms; > +') > + > +######################################## > +## > ## Search clamav libraries directories. > ## > ## > @@ -97,6 +152,25 @@ interface(`clamav_search_lib',` > > ######################################## > ## > +## Read clamsmtpd temporary files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`clamav_read_clamsmtpd_tmp_files',` > + gen_require(` > + type clamsmtpd_tmp_t; > + ') > + > + files_search_tmp($1) > + read_files_pattern($1, tmp_t, clamsmtpd_tmp_t) > +') > + > +######################################## > +## > ## Execute a domain transition to run clamscan. > ## > ## > @@ -155,6 +229,8 @@ interface(`clamav_admin',` > type clamd_var_run_t, clamscan_t, clamscan_tmp_t; > type clamd_initrc_exec_t; > type freshclam_t, freshclam_var_log_t; > + type clamsmtpd_t, clamsmtpd_initrc_exec_t; > + type clamsmtpd_etc_t, clamsmtpd_tmp_t; > ') > > allow $1 clamd_t:process { ptrace signal_perms }; > @@ -163,6 +239,9 @@ interface(`clamav_admin',` > allow $1 clamscan_t:process { ptrace signal_perms }; > ps_process_pattern($1, clamscan_t) > > + allow $1 clamsmtpd_t:process { ptrace signal_perms }; > + ps_process_pattern($1, clamsmtpd_t) > + > allow $1 freshclam_t:process { ptrace signal_perms }; > ps_process_pattern($1, freshclam_t) > > @@ -171,6 +250,11 @@ interface(`clamav_admin',` > role_transition $2 clamd_initrc_exec_t system_r; > allow $2 system_r; > > + init_labeled_script_domtrans($1, clamsmtpd_initrc_exec_t) > + domain_system_change_exemption($1) > + role_transition $2 clamsmtpd_initrc_exec_t system_r; > + allow $2 system_r; > + > files_list_etc($1) > admin_pattern($1, clamd_etc_t) > > @@ -188,5 +272,9 @@ interface(`clamav_admin',` > > admin_pattern($1, clamscan_tmp_t) > > + admin_pattern($1, clamsmtpd_etc_t) > + > + admin_pattern($1, clamsmtpd_tmp_t) > + > admin_pattern($1, freshclam_var_log_t) > ') > diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te > index c48c85b..58f23ec 100644 > --- a/policy/modules/services/clamav.te > +++ b/policy/modules/services/clamav.te > @@ -43,6 +43,19 @@ init_daemon_domain(clamscan_t, clamscan_exec_t) > type clamscan_tmp_t; > files_tmp_file(clamscan_tmp_t) > > +type clamsmtpd_t; > +type clamsmtpd_exec_t; > +init_daemon_domain(clamsmtpd_t, clamsmtpd_exec_t) > + > +type clamsmtpd_etc_t; > +files_config_file(clamsmtpd_etc_t) > + > +type clamsmtpd_initrc_exec_t; > +init_script_file(clamsmtpd_initrc_exec_t) > + > +type clamsmtpd_tmp_t; > +files_tmp_file(clamsmtpd_tmp_t) > + > type freshclam_t; > type freshclam_exec_t; > init_daemon_domain(freshclam_t, freshclam_exec_t) > @@ -121,6 +134,8 @@ logging_send_syslog_msg(clamd_t) > > miscfiles_read_localization(clamd_t) > > +clamav_read_clamsmtpd_tmp_files(clamd_t) > + > cron_use_fds(clamd_t) > cron_use_system_job_fds(clamd_t) > cron_rw_pipes(clamd_t) > @@ -141,6 +156,44 @@ optional_policy(` > > ######################################## > # > +# ClamSMTPd local policy > +# > + > +allow clamsmtpd_t self:capability { kill setgid setuid }; > +allow clamsmtpd_t self:process { fork signal }; > +allow clamsmtpd_t self:fifo_file rw_fifo_file_perms; > +allow clamsmtpd_t self:unix_stream_socket create_stream_socket_perms; > +allow clamsmtpd_t self:tcp_socket create_stream_socket_perms; > + > +manage_files_pattern(clamsmtpd_t, clamsmtpd_tmp_t, clamsmtpd_tmp_t) > +files_tmp_filetrans(clamsmtpd_t, clamsmtpd_tmp_t, file) > + > +corenet_all_recvfrom_unlabeled(clamsmtpd_t) > +corenet_all_recvfrom_netlabel(clamsmtpd_t) > +corenet_tcp_sendrecv_generic_if(clamsmtpd_t) > +corenet_tcp_sendrecv_generic_node(clamsmtpd_t) > +corenet_tcp_sendrecv_all_ports(clamsmtpd_t) > +corenet_tcp_bind_generic_node(clamsmtpd_t) > +corenet_tcp_bind_smtp_beforequeue_port(clamsmtpd_t) > +corenet_tcp_connect_smtp_afterqueue_port(clamsmtpd_t) > +corenet_sendrecv_smtp_afterqueue_client_packets(clamsmtpd_t) > +corenet_sendrecv_smtp_beforequeue_server_packets(clamsmtpd_t) > + > +auth_use_nsswitch(clamsmtpd_t) > + > +domain_use_interactive_fds(clamsmtpd_t) > + > +clamav_stream_connect(clamsmtpd_t) > +clamav_read_clamsmtpd_config(clamsmtpd_t) > + > +logging_send_syslog_msg(clamsmtpd_t) > + > +miscfiles_read_localization(clamsmtpd_t) > + > +sysnet_dns_name_resolve(clamsmtpd_t) > + > +######################################## > +# > # Freshclam local policy > # -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com