Add interfaces to run freshclam

Currently freshclam can only be started from cron or init. This adds the option of starting from a different process and optionally transitioning or staying in the callers domain. Signed-off-by: Dave Sugar <dsugar@tresys.com> Signed-off-by: Jason Zaman <jason@perfinion.com>
author: Sugar, David <dsugar@tresys.com> 2019-02-25 23:37:45 +0000
committer: Jason Zaman <jason@perfinion.com> 2019-03-25 18:05:25 +0800
commit: 92055c2129169b8de7b02f388ba2e854ba63d244 (patch)
tree: ceb91373203f38bfab9d20032db1e45cb0ae1e2d /policy
parent: Allow freshclam to read sysctl_crypto_t (diff)
download: hardened-refpolicy-92055c2129169b8de7b02f388ba2e854ba63d244.tar.gz
hardened-refpolicy-92055c2129169b8de7b02f388ba2e854ba63d244.tar.bz2
hardened-refpolicy-92055c2129169b8de7b02f388ba2e854ba63d244.zip
1 files changed, 64 insertions, 0 deletions
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 0dc1e23c9..30d0b814d 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -253,6 +253,70 @@ interface(`clamav_scannable_files',`
 
 ########################################
 ## <summary>
+##	Execute a domain transition to run freshclam.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`clamav_domtrans_freshclam',`
+	gen_require(`
+		type freshclam_t, freshclam_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, freshclam_exec_t, freshclam_t)
+')
+
+########################################
+## <summary>
+##	Execute freshclam in the freshclam domain, and
+##	allow the specified role the freshclam domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`clamav_run_freshclam',`
+	gen_require(`
+		type freshclam_t;
+	')
+
+	clamav_domtrans_freshclam($1)
+	role $2 types freshclam_t;
+')
+
+########################################
+## <summary>
+##	Execute freshclam in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`clamav_exec_freshclam',`
+	gen_require(`
+		type freshclam_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, freshclam_exec_t)
+')
+
+########################################
+## <summary>
 ##	Allow specified domain to enable clamd units
 ## </summary>
 ## <param name="domain">
author	Sugar, David <dsugar@tresys.com>	2019-02-25 23:37:45 +0000
committer	Jason Zaman <jason@perfinion.com>	2019-03-25 18:05:25 +0800
commit	92055c2129169b8de7b02f388ba2e854ba63d244 (patch)
tree	ceb91373203f38bfab9d20032db1e45cb0ae1e2d /policy
parent	Allow freshclam to read sysctl_crypto_t (diff)
download	hardened-refpolicy-92055c2129169b8de7b02f388ba2e854ba63d244.tar.gz hardened-refpolicy-92055c2129169b8de7b02f388ba2e854ba63d244.tar.bz2 hardened-refpolicy-92055c2129169b8de7b02f388ba2e854ba63d244.zip