author | Sugar, David <dsugar@tresys.com> | 2019-02-25 23:37:45 +0000 |
---|---|---|
committer | Jason Zaman <jason@perfinion.com> | 2019-03-25 18:05:25 +0800 |
commit | 92055c2129169b8de7b02f388ba2e854ba63d244 (patch) | |
tree | ceb91373203f38bfab9d20032db1e45cb0ae1e2d /policy | |
parent | Allow freshclam to read sysctl_crypto_t (diff) | |
Add interfaces to run freshclam
Currently freshclam can only be started from cron or init. This adds
the option of starting it from a different process, either
transitioning to the freshclam domain or staying in the caller's domain.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Signed-off-by: Jason Zaman <jason@perfinion.com>
Diffstat (limited to 'policy')
-rw-r--r-- | policy/modules/services/clamav.if | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 0dc1e23c9..30d0b814d 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -253,6 +253,70 @@ interface(`clamav_scannable_files',`
 ########################################
 ## <summary>
+## Execute a domain transition to run freshclam.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`clamav_domtrans_freshclam',`
+ gen_require(`
+ type freshclam_t, freshclam_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, freshclam_exec_t, freshclam_t)
+')
+
+########################################
+## <summary>
+## Execute freshclam in the freshclam domain, and
+## allow the specified role the freshclam domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`clamav_run_freshclam',`
+ gen_require(`
+ type freshclam_t;
+ ')
+
+ clamav_domtrans_freshclam($1)
+ role $2 types freshclam_t;
+')
+
+########################################
+## <summary>
+## Execute freshclam in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_exec_freshclam',`
+ gen_require(`
+ type freshclam_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, freshclam_exec_t)
+')
+
+########################################
+## <summary>
 ## Allow specified domain to enable clamd units
 ## </summary>
 ## <param name="domain"> |
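Review bot: The summary on `clamav_exec_freshclam` does not tell policy authors what they give up by choosing it over `clamav_domtrans_freshclam` or `clamav_run_freshclam`. With only `can_exec($1, freshclam_exec_t)` the binary runs under the caller's type, so whatever freshclam needs at run time has to be allowed to the caller itself instead of staying confined to `freshclam_t`. For a signature updater that presumably means network access and writes to the ClamAV database, which would widen the calling domain. I would extend the summary to something like `## Execute freshclam in the caller domain, without a transition to freshclam_t; the caller must be granted every permission freshclam itself needs.` and point readers to the domtrans/run interfaces as the confined option. No caller of the three new interfaces is visible in this diff, so which variant is actually used cannot be checked from here.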