[selinux-policy: 1259/3172] add amavis and clamav from Erich Schubert
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:53:56 UTC 2010
commit 8a0a994467e295972a2ff6647e4501a90bad5157
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Mar 7 21:15:24 2006 +0000
add amavis and clamav from Erich Schubert
refpolicy/Changelog | 2 +
refpolicy/policy/modules/services/amavis.fc | 11 ++
refpolicy/policy/modules/services/amavis.if | 106 +++++++++++
refpolicy/policy/modules/services/amavis.te | 148 ++++++++++++++++
refpolicy/policy/modules/services/clamav.fc | 12 ++
refpolicy/policy/modules/services/clamav.if | 63 +++++++
refpolicy/policy/modules/services/clamav.te | 195 +++++++++++++++++++++
refpolicy/policy/modules/services/cron.te | 6 +-
refpolicy/policy/modules/services/spamassassin.te | 6 +-
refpolicy/policy/modules/system/init.te | 11 +-
10 files changed, 557 insertions(+), 3 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 62c0971..91054ea 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,4 +1,6 @@
- Added modules:
+ amavis (Erich Schubert)
+ clamav (Erich Schubert)
tor (Erich Schubert)
* Tue Mar 07 2006 Chris PeBenito <selinux at tresys.com> - 20060307
diff --git a/refpolicy/policy/modules/services/amavis.fc b/refpolicy/policy/modules/services/amavis.fc
new file mode 100644
index 0000000..b9b789d
--- /dev/null
+++ b/refpolicy/policy/modules/services/amavis.fc
@@ -0,0 +1,11 @@
+
+/etc/amavis\.conf -- gen_context(system_u:object_r:amavis_etc_t,s0)
+/etc/amavisd(/.*)? -- gen_context(system_u:object_r:amavis_etc_t,s0)
+
+/usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0)
+
+/var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
+/var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
+/var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,s0)
+/var/run/amavis(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0)
+/var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0)
diff --git a/refpolicy/policy/modules/services/amavis.if b/refpolicy/policy/modules/services/amavis.if
new file mode 100644
index 0000000..65ca6a7
--- /dev/null
+++ b/refpolicy/policy/modules/services/amavis.if
@@ -0,0 +1,106 @@
+## <summary>
+## Daemon that interfaces mail transfer agents and content
+## checkers, such as virus scanners.
+## </summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run amavis.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`amavis_domtrans',`
+ gen_require(`
+ type amavis_t, amavis_exec_t;
+ ')
+
+ domain_auto_trans($1,amavis_exec_t,amavis_t)
+
+ allow $1 amavis_t:fd use;
+ allow amavis_t $1:fd use;
+ allow amavis_t $1:fifo_file rw_file_perms;
+ allow amavis_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Search amavis lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amavis_search_lib',`
+ gen_require(`
+ type amavis_var_lib_t;
+ ')
+
+ allow $1 amavis_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read amavis lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amavis_read_lib_files',`
+ gen_require(`
+ type amavis_var_lib_t;
+ ')
+
+ allow $1 amavis_var_lib_t:file r_file_perms;
+ allow $1 amavis_var_lib_t:dir list_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## amavis lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amavis_manage_lib_files',`
+ gen_require(`
+ type amavis_var_lib_t;
+ ')
+
+ allow $1 amavis_var_lib_t:file manage_file_perms;
+ allow $1 amavis_var_lib_t:dir rw_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Set the attributes of amavis pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`amavis_setattr_pid_files',`
+ gen_require(`
+ type amavis_var_run_t;
+ ')
+
+ allow $1 amavis_var_run_t:file setattr;
+ files_search_pids($1)
+')
diff --git a/refpolicy/policy/modules/services/amavis.te b/refpolicy/policy/modules/services/amavis.te
new file mode 100644
index 0000000..6455fd6
--- /dev/null
+++ b/refpolicy/policy/modules/services/amavis.te
@@ -0,0 +1,148 @@
+
+policy_module(amavis,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type amavis_t;
+type amavis_exec_t;
+domain_type(amavis_t)
+init_daemon_domain(amavis_t, amavis_exec_t)
+
+# configuration files
+type amavis_etc_t;
+files_type(amavis_etc_t)
+
+# pid files
+type amavis_var_run_t;
+files_pid_file(amavis_var_run_t)
+
+# var/lib files
+type amavis_var_lib_t;
+files_type(amavis_var_lib_t)
+
+# log files
+type amavis_var_log_t;
+logging_log_file(amavis_var_log_t)
+
+# tmp files
+type amavis_tmp_t;
+files_tmp_file(amavis_tmp_t)
+
+# virus quarantine
+type amavis_quarantine_t;
+files_type(amavis_quarantine_t)
+
+########################################
+#
+# amavis local policy
+#
+
+allow amavis_t self:capability { chown dac_override setgid setuid };
+dontaudit amavis_t self:capability sys_tty_config;
+allow amavis_t self:process { signal sigchld signull };
+allow amavis_t self:fifo_file rw_file_perms;
+allow amavis_t self:unix_stream_socket create_stream_socket_perms;
+allow amavis_t self:unix_dgram_socket create_socket_perms;
+allow amavis_t self:tcp_socket { listen accept };
+
+# configuration files
+allow amavis_t amavis_etc_t:dir r_dir_perms;
+allow amavis_t amavis_etc_t:file r_file_perms;
+allow amavis_t amavis_etc_t:lnk_file { getattr read };
+
+# mail quarantine
+allow amavis_t amavis_quarantine_t:file create_file_perms;
+allow amavis_t amavis_quarantine_t:sock_file create_file_perms;
+allow amavis_t amavis_quarantine_t:dir create_dir_perms;
+
+# tmp files
+allow amavis_t amavis_tmp_t:file create_file_perms;
+allow amavis_t amavis_tmp_t:dir { rw_dir_perms setattr };
+files_tmp_filetrans(amavis_t,amavis_tmp_t,file)
+
+# var/lib files for amavis
+allow amavis_t amavis_var_lib_t:file create_file_perms;
+allow amavis_t amavis_var_lib_t:sock_file create_file_perms;
+allow amavis_t amavis_var_lib_t:dir create_dir_perms;
+files_var_filetrans(amavis_t,amavis_var_lib_t,{ file dir sock_file })
+files_var_lib_filetrans(amavis_t,amavis_var_lib_t,file)
+
+# log files
+allow amavis_t amavis_var_log_t:file create_file_perms;
+allow amavis_t amavis_var_log_t:sock_file create_file_perms;
+allow amavis_t amavis_var_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(amavis_t,amavis_var_log_t,{ sock_file file dir })
+
+# pid file
+allow amavis_t amavis_var_run_t:file manage_file_perms;
+allow amavis_t amavis_var_run_t:sock_file manage_file_perms;
+allow amavis_t amavis_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(amavis_t,amavis_var_run_t, { file sock_file })
+
+# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
+kernel_dontaudit_list_proc(amavis_t)
+
+# find perl
+corecmd_exec_bin(amavis_t)
+corecmd_search_sbin(amavis_t)
+
+corenet_non_ipsec_sendrecv(amavis_t)
+corenet_tcp_sendrecv_all_if(amavis_t)
+corenet_tcp_sendrecv_all_nodes(amavis_t)
+# amavis uses well-defined ports
+corenet_tcp_sendrecv_amavisd_recv_port(amavis_t)
+corenet_tcp_sendrecv_amavisd_send_port(amavis_t)
+# just the other side not. ;-)
+corenet_tcp_sendrecv_all_ports(amavis_t)
+# connect to backchannel port
+corenet_tcp_connect_amavisd_send_port(amavis_t)
+# bind to incoming port
+corenet_tcp_bind_amavisd_recv_port(amavis_t)
+
+dev_read_rand(amavis_t)
+dev_read_urand(amavis_t)
+
+domain_use_interactive_fds(amavis_t)
+
+files_read_etc_files(amavis_t)
+files_read_etc_runtime_files(amavis_t)
+files_read_usr_files(amavis_t)
+
+auth_dontaudit_read_shadow(amavis_t)
+
+init_use_fds(amavis_t)
+init_use_script_ptys(amavis_t)
+
+libs_use_ld_so(amavis_t)
+libs_use_shared_libs(amavis_t)
+
+logging_send_syslog_msg(amavis_t)
+
+miscfiles_read_localization(amavis_t)
+
+sysnet_dns_name_resolve(amavis_t)
+
+userdom_dontaudit_search_sysadm_home_dirs(amavis_t)
+
+# Cron handling
+cron_use_fds(amavis_t)
+cron_use_system_job_fds(amavis_t)
+cron_rw_pipes(amavis_t)
+
+mta_read_config(amavis_t)
+
+optional_policy(`clamav',`
+ clamav_stream_connect(amavis_t)
+')
+
+optional_policy(`ldap',`
+ ldap_use(amavis_t)
+')
+
+optional_policy(`spamassassin',`
+ spamassassin_exec(amavis_t)
+ spamassassin_exec_client(amavis_t)
+')
diff --git a/refpolicy/policy/modules/services/clamav.fc b/refpolicy/policy/modules/services/clamav.fc
new file mode 100644
index 0000000..c4ec71e
--- /dev/null
+++ b/refpolicy/policy/modules/services/clamav.fc
@@ -0,0 +1,12 @@
+/etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0)
+
+/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
+
+/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
+
+/var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/run/clamav/clamd.ctl -s gen_context(system_u:object_r:clamd_sock_t,s0)
+/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
+/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0)
+/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0)
+/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
diff --git a/refpolicy/policy/modules/services/clamav.if b/refpolicy/policy/modules/services/clamav.if
new file mode 100644
index 0000000..aef1c03
--- /dev/null
+++ b/refpolicy/policy/modules/services/clamav.if
@@ -0,0 +1,63 @@
+## <summary>ClamAV Virus Scanner</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run clamd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`clamav_domtrans',`
+ gen_require(`
+ type clamd_t, clamd_exec_t;
+ ')
+
+ domain_auto_trans($1,clamd_exec_t,clamd_t)
+
+ allow $1 clamd_t:fd use;
+ allow clamd_t $1:fd use;
+ allow clamd_t $1:fifo_file rw_file_perms;
+ allow clamd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Connect to run clamd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to connect.
+## </summary>
+## </param>
+#
+interface(`clamav_stream_connect',`
+ gen_require(`
+ type clamd_t, clamd_sock_t, clamd_var_run_t;
+ ')
+
+ allow $1 clamd_var_run_t:dir search;
+ allow $1 clamd_sock_t:sock_file write;
+ allow $1 clamd_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Read clamav configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_read_config',`
+ gen_require(`
+ type clamd_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 clamd_etc_t:file r_file_perms;
+')
diff --git a/refpolicy/policy/modules/services/clamav.te b/refpolicy/policy/modules/services/clamav.te
new file mode 100644
index 0000000..b02af07
--- /dev/null
+++ b/refpolicy/policy/modules/services/clamav.te
@@ -0,0 +1,195 @@
+
+policy_module(clamav,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# Main clamd domain
+type clamd_t;
+type clamd_exec_t;
+init_daemon_domain(clamd_t, clamd_exec_t)
+
+# configuration files
+type clamd_etc_t;
+files_type(clamd_etc_t)
+
+# named socket type
+type clamd_sock_t;
+files_type(clamd_sock_t)
+
+# tmp files
+type clamd_tmp_t;
+files_tmp_file(clamd_tmp_t)
+
+# log files
+type clamd_var_log_t;
+logging_log_file(clamd_var_log_t)
+
+# var/lib files
+type clamd_var_lib_t;
+files_type(clamd_var_lib_t)
+
+# pid files
+type clamd_var_run_t;
+files_pid_file(clamd_var_run_t)
+
+type freshclam_t;
+type freshclam_exec_t;
+init_daemon_domain(freshclam_t, freshclam_exec_t)
+
+# log files
+type freshclam_var_log_t;
+logging_log_file(freshclam_var_log_t)
+
+########################################
+#
+# clamd local policy
+#
+
+allow clamd_t self:capability { kill setgid setuid dac_override };
+allow clamd_t self:fifo_file rw_file_perms;
+allow clamd_t self:unix_stream_socket create_stream_socket_perms;
+allow clamd_t self:unix_dgram_socket create_socket_perms;
+allow clamd_t self:tcp_socket { listen accept };
+
+# configuration files
+allow clamd_t clamd_etc_t:dir r_dir_perms;
+allow clamd_t clamd_etc_t:file r_file_perms;
+allow clamd_t clamd_etc_t:lnk_file { getattr read };
+
+# socket file
+allow clamd_t clamd_sock_t:file manage_file_perms;
+allow clamd_t clamd_sock_t:sock_file manage_file_perms;
+allow clamd_t clamd_sock_t:dir rw_dir_perms;
+files_pid_filetrans(clamd_t,clamd_sock_t,sock_file)
+
+# tmp files
+allow clamd_t clamd_tmp_t:file create_file_perms;
+allow clamd_t clamd_tmp_t:dir create_dir_perms;
+files_tmp_filetrans(clamd_t,clamd_tmp_t,{ file dir })
+
+# var/lib files for clamd
+allow clamd_t clamd_var_lib_t:file create_file_perms;
+allow clamd_t clamd_var_lib_t:sock_file create_file_perms;
+allow clamd_t clamd_var_lib_t:dir create_dir_perms;
+files_var_filetrans(clamd_t,clamd_var_lib_t,{ file dir sock_file })
+files_var_lib_filetrans(clamd_t,clamd_var_lib_t,file)
+
+# log files
+allow clamd_t clamd_var_log_t:file create_file_perms;
+allow clamd_t clamd_var_log_t:sock_file create_file_perms;
+allow clamd_t clamd_var_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(clamd_t,clamd_var_log_t,file)
+
+# pid file
+allow clamd_t clamd_var_run_t:file manage_file_perms;
+allow clamd_t clamd_var_run_t:sock_file manage_file_perms;
+allow clamd_t clamd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(clamd_t,clamd_var_run_t,file)
+
+kernel_dontaudit_list_proc(clamd_t)
+
+corenet_tcp_sendrecv_all_if(clamd_t)
+corenet_tcp_sendrecv_all_nodes(clamd_t)
+corenet_tcp_sendrecv_all_ports(clamd_t)
+corenet_tcp_sendrecv_clamd_port(clamd_t)
+corenet_non_ipsec_sendrecv(clamd_t)
+corenet_tcp_bind_clamd_port(clamd_t)
+corenet_tcp_bind_all_nodes(clamd_t)
+
+dev_read_rand(clamd_t)
+dev_read_urand(clamd_t)
+
+domain_use_interactive_fds(clamd_t)
+
+files_read_etc_files(clamd_t)
+files_read_etc_runtime_files(clamd_t)
+
+init_use_fds(clamd_t)
+init_use_script_ptys(clamd_t)
+
+libs_use_ld_so(clamd_t)
+libs_use_shared_libs(clamd_t)
+
+miscfiles_read_localization(clamd_t)
+
+sysnet_dns_name_resolve(clamd_t)
+
+cron_use_fds(clamd_t)
+cron_use_system_job_fds(clamd_t)
+cron_rw_pipes(clamd_t)
+
+optional_policy(`amavis',`
+ amavis_read_lib_files(clamd_t)
+')
+
+########################################
+#
+# Freshclam local policy
+#
+
+allow freshclam_t self:capability { setgid setuid dac_override };
+allow freshclam_t self:fifo_file rw_file_perms;
+allow freshclam_t self:unix_stream_socket create_stream_socket_perms;
+allow freshclam_t self:unix_dgram_socket create_socket_perms;
+allow freshclam_t self:tcp_socket { listen accept };
+
+# configuration files
+allow freshclam_t clamd_etc_t:dir r_dir_perms;
+allow freshclam_t clamd_etc_t:file r_file_perms;
+allow freshclam_t clamd_etc_t:lnk_file { getattr read };
+
+# var/lib files together with clamd
+allow freshclam_t clamd_var_lib_t:file create_file_perms;
+allow freshclam_t clamd_var_lib_t:sock_file create_file_perms;
+allow freshclam_t clamd_var_lib_t:dir create_dir_perms;
+files_var_filetrans(freshclam_t,clamd_var_lib_t,{ file dir sock_file })
+files_var_lib_filetrans(freshclam_t,clamd_var_lib_t,file)
+
+# pidfiles- var/run together with clamd
+allow freshclam_t clamd_var_run_t:file manage_file_perms;
+allow freshclam_t clamd_var_run_t:sock_file manage_file_perms;
+allow freshclam_t clamd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(freshclam_t,clamd_var_run_t,file)
+
+# log files (own logfiles only)
+allow freshclam_t freshclam_var_log_t:file create_file_perms;
+allow freshclam_t freshclam_var_log_t:sock_file create_file_perms;
+allow freshclam_t freshclam_var_log_t:dir { rw_dir_perms setattr };
+allow freshclam_t clamd_var_log_t:dir search;
+logging_log_filetrans(freshclam_t,freshclam_var_log_t,file)
+
+corenet_tcp_sendrecv_all_if(freshclam_t)
+corenet_tcp_sendrecv_all_nodes(freshclam_t)
+corenet_tcp_sendrecv_all_ports(freshclam_t)
+corenet_tcp_sendrecv_clamd_port(freshclam_t)
+corenet_non_ipsec_sendrecv(freshclam_t)
+corenet_tcp_connect_http_port(freshclam_t)
+corenet_tcp_bind_all_ports(freshclam_t)
+corenet_tcp_bind_all_nodes(freshclam_t)
+
+dev_read_rand(freshclam_t)
+dev_read_urand(freshclam_t)
+
+domain_use_interactive_fds(freshclam_t)
+
+files_read_etc_files(freshclam_t)
+files_read_etc_runtime_files(freshclam_t)
+
+init_use_fds(freshclam_t)
+init_use_script_ptys(freshclam_t)
+
+libs_use_ld_so(freshclam_t)
+libs_use_shared_libs(freshclam_t)
+
+miscfiles_read_localization(freshclam_t)
+
+sysnet_dns_name_resolve(freshclam_t)
+
+clamav_stream_connect(freshclam_t)
+
+cron_use_fds(freshclam_t)
+cron_use_system_job_fds(freshclam_t)
+cron_rw_pipes(freshclam_t)
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 973c0ad..42f4006 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -1,5 +1,5 @@
-policy_module(cron,1.3.0)
+policy_module(cron,1.3.1)
gen_require(`
class passwd rootok;
@@ -178,6 +178,10 @@ tunable_policy(`fcron_crond', `
allow crond_t system_cron_spool_t:file create_file_perms;
')
+optional_policy(`amavis',`
+ amavis_search_lib(crond_t)
+')
+
optional_policy(`hal',`
hal_dbus_send(crond_t)
')
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
index 3a0028c..35f1513 100644
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -1,5 +1,5 @@
-policy_module(spamassassin,1.3.0)
+policy_module(spamassassin,1.3.1)
########################################
#
@@ -142,6 +142,10 @@ optional_policy(`cron',`
cron_system_entry(spamd_t,spamd_exec_t)
')
+optional_policy(`amavis',`
+ amavis_manage_lib_files(spamd_t)
+')
+
optional_policy(`daemontools',`
daemontools_service_domain(spamd_t,spamd_exec_t)
')
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index dfa4881..ea78ffd 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init,1.3.0)
+policy_module(init,1.3.1)
gen_require(`
class passwd rootok;
@@ -491,6 +491,11 @@ ifdef(`targeted_policy',`
# ')
')
+optional_policy(`amavis',`
+ amavis_search_lib(initrc_t)
+ amavis_setattr_pid_files(initrc_t)
+')
+
optional_policy(`apm',`
dev_rw_apm_bios(initrc_t)
')
@@ -516,6 +521,10 @@ optional_policy(`bluetooth',`
bluetooth_read_config(initrc_t)
')
+optional_policy(`clamav',`
+ clamav_read_config(initrc_t)
+')
+
optional_policy(`cpucontrol',`
cpucontrol_stub(initrc_t)
dev_getattr_cpu_dev(initrc_t)
More information about the scm-commits
mailing list