[selinux-policy: 2652/3172] Clamav patch from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:55:48 UTC 2010


commit 4804cd43a096e72196f9aa368d829e291463e1b1
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon May 3 15:01:35 2010 -0400

    Clamav patch from Dan Walsh.

 policy/modules/services/clamav.if |    2 +-
 policy/modules/services/clamav.te |   18 +++++++++++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index e5f35e8..ecb594c 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -133,7 +133,7 @@ interface(`clamav_exec_clamscan',`
 
 ########################################
 ## <summary>
-##	All of the rules required to administrate 
+##	All of the rules required to administrate
 ##	an clamav environment
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index c48c85b..4e1f4a1 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -1,5 +1,12 @@
 
-policy_module(clamav, 1.7.1)
+policy_module(clamav, 1.7.2)
+
+## <desc>
+## <p>
+## Allow clamd to use JIT compiler
+## </p>
+## </desc>
+gen_tunable(clamd_use_jit, false)
 
 ########################################
 #
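Review bot: The `<desc>` for `clamd_use_jit` does not say what enabling the boolean grants. The `tunable_policy` block added later in this file ties it to `allow clamd_t self:process execmem;`, which permits writable-and-executable memory in a daemon whose job is to parse untrusted content. I would state that in the description so an administrator toggling the boolean sees the trade-off, for example `## Allow clamd to use the JIT compiler (grants clamd_t execmem)`.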
@@ -57,6 +64,7 @@ logging_log_file(freshclam_var_log_t)
 #
 
 allow clamd_t self:capability { kill setgid setuid dac_override };
+dontaudit clamd_t self:capability sys_tty_config;
 allow clamd_t self:fifo_file rw_fifo_file_perms;
 allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow clamd_t self:unix_dgram_socket create_socket_perms;
@@ -189,6 +197,8 @@ files_read_etc_runtime_files(freshclam_t)
 
 auth_use_nsswitch(freshclam_t)
 
+logging_send_syslog_msg(freshclam_t)
+
 miscfiles_read_localization(freshclam_t)
 
 clamav_stream_connect(freshclam_t)
@@ -246,6 +256,12 @@ clamav_stream_connect(clamscan_t)
 
 mta_send_mail(clamscan_t)
 
+tunable_policy(`clamd_use_jit',`
+	allow clamd_t self:process execmem;
+', `
+	dontaudit clamd_t self:process execmem;
+')
+
 optional_policy(`
 	amavis_read_spool_files(clamscan_t)
 ')
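Review bot: The else branch, `dontaudit clamd_t self:process execmem;`, silences the AVC record whenever the boolean is off, which is the default set by `gen_tunable(clamd_use_jit, false)`. An execmem denial from clamd_t is a useful signal, both for an administrator working out why the JIT is not active and for spotting unexpected attempts to create executable memory in a process that handles untrusted files. I would drop the else branch so the block holds only `allow clamd_t self:process execmem;`, or at least add a comment explaining why the denial is expected noise. The block also sits between `mta_send_mail(clamscan_t)` and the clamscan `optional_policy`, although it governs clamd_t. Moving it next to the other clamd_t rules would make it easier to find, and it is worth confirming whether clamscan_t was meant to be covered too.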

