[selinux-policy: 2652/3172] Clamav patch from Dan Walsh.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:55:48 UTC 2010
commit 4804cd43a096e72196f9aa368d829e291463e1b1
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon May 3 15:01:35 2010 -0400
Clamav patch from Dan Walsh.
policy/modules/services/clamav.if | 2 +-
policy/modules/services/clamav.te | 18 +++++++++++++++++-
2 files changed, 18 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index e5f35e8..ecb594c 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -133,7 +133,7 @@ interface(`clamav_exec_clamscan',`
########################################
## <summary>
-## All of the rules required to administrate
+## All of the rules required to administrate
## an clamav environment
## </summary>
## <param name="domain">
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index c48c85b..4e1f4a1 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -1,5 +1,12 @@
-policy_module(clamav, 1.7.1)
+policy_module(clamav, 1.7.2)
+
+## <desc>
+## <p>
+## Allow clamd to use JIT compiler
+## </p>
+## </desc>
+gen_tunable(clamd_use_jit, false)
########################################
#
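Review bot: The description above `gen_tunable(clamd_use_jit, false)` says only "Allow clamd to use JIT compiler", but the boolean actually toggles `allow clamd_t self:process execmem;` in the last hunk of this file. An administrator deciding whether to enable it sees only this description, so it should name the permission, for example `## Allow clamd to use JIT compiler (grants clamd_t execmem)`. Defaulting to false is the right choice for a daemon that parses untrusted files.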
@@ -57,6 +64,7 @@ logging_log_file(freshclam_var_log_t)
#
allow clamd_t self:capability { kill setgid setuid dac_override };
+dontaudit clamd_t self:capability sys_tty_config;
allow clamd_t self:fifo_file rw_fifo_file_perms;
allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow clamd_t self:unix_dgram_socket create_socket_perms;
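Review bot: The added `dontaudit clamd_t self:capability sys_tty_config;` suppresses the AVC record with no comment saying which clamd operation requests the capability. The same applies to `dontaudit clamd_t self:process execmem;` in the else branch of the tunable in the last hunk. The execmem case matters more for monitoring: with the boolean off, an attempt by a process in clamd_t to obtain writable-executable memory is denied without an audit record, so the event is not available for detection. I would add a one-line comment above each rule stating the trigger and why the denial is harmless, and consider dropping the execmem dontaudit so that denial stays in the audit log. The clamd_t rule block continues outside the hunk.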
@@ -189,6 +197,8 @@ files_read_etc_runtime_files(freshclam_t)
auth_use_nsswitch(freshclam_t)
+logging_send_syslog_msg(freshclam_t)
+
miscfiles_read_localization(freshclam_t)
clamav_stream_connect(freshclam_t)
@@ -246,6 +256,12 @@ clamav_stream_connect(clamscan_t)
mta_send_mail(clamscan_t)
+tunable_policy(`clamd_use_jit',`
+ allow clamd_t self:process execmem;
+', `
+ dontaudit clamd_t self:process execmem;
+')
+
optional_policy(`
amavis_read_spool_files(clamscan_t)
')
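Review bot: The `tunable_policy` block for `clamd_use_jit` covers only `clamd_t`, yet it sits among the `clamscan_t` rules, between `mta_send_mail(clamscan_t)` and the amavis `optional_policy`. If clamscan runs the same bytecode engine (not visible from this hunk), it will hit the same execmem denial with no boolean to control it. Either extend both branches to `clamscan_t` or add a comment that it is deliberately excluded. Moving the block next to the other `clamd_t self:` rules would also keep that domain's permissions reviewable in one place.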