From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1541978251.80fc619afbb4265a9158c776b0fb917bd5633f54.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/amavis.te policy/modules/services/apache.te policy/modules/services/clamav.if policy/modules/services/clamav.te policy/modules/services/exim.te policy/modules/services/mta.te
X-VCS-Directories: policy/modules/services/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 80fc619afbb4265a9158c776b0fb917bd5633f54
X-VCS-Branch: master
Date: Sun, 11 Nov 2018 23:29:33 +0000 (UTC)
List-Id: Gentoo Linux mail

commit:     80fc619afbb4265a9158c776b0fb917bd5633f54
Author:     David Sugar tresys com>
AuthorDate: Fri Nov  2 00:39:58 2018 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Sun Nov 11 23:17:31 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=80fc619a

Interface to add domain allowed to be read by ClamAV for scanning.

Create an attribute for types that clamd_t and clamscan_t can read (for
scanning purposes) rather than require clamav.te to be modified.

Signed-off-by: Dave Sugar tresys.com>
Signed-off-by: Jason Zaman perfinion.com>

 policy/modules/services/amavis.te |  1 +
 policy/modules/services/apache.te |  1 +
 policy/modules/services/clamav.if | 18 ++++++++++++++++++
 policy/modules/services/clamav.te | 23 +++++++++-------------
 policy/modules/services/exim.te   |  1 +
 policy/modules/services/mta.te    |  1 +
 6 files changed, 31 insertions(+), 14 deletions(-)
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te index 9517486e..59d87259 100644 --- a/policy/modules/services/amavis.te +++ b/policy/modules/services/amavis.te @@ -152,6 +152,7 @@ tunable_policy(`amavis_use_jit',` ') optional_policy(` + clamav_scannable_files(amavis_spool_t) clamav_stream_connect(amavis_t) clamav_domtrans_clamscan(amavis_t) clamav_read_state_clamd(amavis_t) diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index 341dd150..f45cf73b 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -1323,6 +1323,7 @@ tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` optional_policy(` clamav_domtrans_clamscan(httpd_sys_script_t) + clamav_scannable_files(httpd_sys_content_t) ') optional_policy(` diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if index 80ac5c1e..d1296fcc 100644 --- a/policy/modules/services/clamav.if +++ b/policy/modules/services/clamav.if @@ -205,6 +205,24 @@ interface(`clamav_read_signatures',` read_lnk_files_pattern($1, clamd_var_lib_t, clamd_var_lib_t) ') +####################################### +## +## Denote a particular type to be scanned by ClamAV +## +## +## +## Type that clamd_t and clamscan_t can read. +## +## +# +interface(`clamav_scannable_files',` + gen_require(` + attribute clam_scannable_type; + ') + + typeattribute $1 clam_scannable_type; +') + ######################################## ## ## All of the rules required to diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te index b55bac56..1de8b4cb 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -27,6 +27,7 @@ gen_tunable(clamd_use_jit, false) # # Declarations # +attribute clam_scannable_type; type clamd_t; type clamd_exec_t; 
@@ -103,6 +104,10 @@ manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t) manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t) files_pid_filetrans(clamd_t, clamd_var_run_t, { dir file sock_file }) +read_files_pattern(clamd_t, clam_scannable_type, clam_scannable_type) +read_lnk_files_pattern(clamd_t, clam_scannable_type, clam_scannable_type) +list_dirs_pattern(clamd_t, clam_scannable_type, clam_scannable_type) + kernel_dontaudit_list_proc(clamd_t) kernel_read_crypto_sysctls(clamd_t) kernel_read_sysctl(clamd_t) @@ -152,7 +157,6 @@ tunable_policy(`clamd_use_jit',` optional_policy(` amavis_read_lib_files(clamd_t) - amavis_read_spool_files(clamd_t) amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file) amavis_create_pid_files(clamd_t) ') @@ -163,10 +167,6 @@ optional_policy(` cron_rw_pipes(clamd_t) ') -optional_policy(` - exim_read_spool_files(clamd_t) -') - optional_policy(` mta_read_config(clamd_t) mta_send_mail(clamd_t) @@ -274,6 +274,10 @@ manage_dirs_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t) manage_files_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t) files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { dir file }) +read_files_pattern(clamscan_t, clam_scannable_type, clam_scannable_type) +read_lnk_files_pattern(clamscan_t, clam_scannable_type, clam_scannable_type) +list_dirs_pattern(clamscan_t, clam_scannable_type, clam_scannable_type) + allow clamscan_t clamd_var_lib_t:dir list_dir_perms; manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) @@ -320,17 +324,8 @@ tunable_policy(`clamav_read_all_non_security_files_clamscan',` files_getattr_all_sockets(clamscan_t) ') -optional_policy(` - amavis_read_spool_files(clamscan_t) -') - -optional_policy(` - apache_read_sys_content(clamscan_t) -') - optional_policy(` mta_send_mail(clamscan_t) - mta_read_queue(clamscan_t) ') ifdef(`distro_gentoo',` diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te index 693ac491..6430aee8 100644 
--- a/policy/modules/services/exim.te +++ b/policy/modules/services/exim.te @@ -189,6 +189,7 @@ tunable_policy(`exim_manage_user_files',` optional_policy(` clamav_domtrans_clamscan(exim_t) + clamav_scannable_files(exim_spool_t) clamav_stream_connect(exim_t) ') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te index 3b389d02..a7133c2b 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -233,6 +233,7 @@ optional_policy(` ') optional_policy(` + clamav_scannable_files(mqueue_spool_t) clamav_stream_connect(system_mail_t) clamav_append_log(system_mail_t) ')
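Review bot: in the clamav.if hunk, the separator line added above the new clamav_scannable_files interface is one character shorter than the 40-column `########################################` used by the existing interface block immediately below it ("All of the rules required to ..."); pad it to match so the file stays consistent with the refpolicy interface layout. In the doc comment, "Type that clamd_t and clamscan_t can read." is the important fact for callers, so it is worth repeating in the summary line itself: "Denote a particular type to be scanned by ClamAV" does not tell a caller that tagging a type makes it readable by both the daemon and the command-line scanner.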
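Review bot: the clamav.te hunk at @@ -103,6 +104,10 @@ grants read_files_pattern, read_lnk_files_pattern and list_dirs_pattern on clam_scannable_type to clamd_t, and the hunk at @@ -274,6 +274,10 @@ grants the identical three patterns to clamscan_t, so anything tagged with the attribute becomes readable by both domains. The rules this replaces were per-domain: the removed exim_read_spool_files was granted only to clamd_t, while the removed apache_read_sys_content and mta_read_queue were granted only to clamscan_t. Taken with the new clamav_scannable_files calls in exim.te, apache.te and mta.te, clamd_t therefore gains read access to httpd_sys_content_t and mqueue_spool_t, and clamscan_t gains read access to exim_spool_t, which the tree did not allow before. If that union is intended it should be stated in the commit message, which currently presents the change as a pure refactor; if it is not, the interface would need a domain parameter (or two attributes) to keep the two permission sets separate.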
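Review bot: in the apache.te hunk, clamav_scannable_files(httpd_sys_content_t) is added next to clamav_domtrans_clamscan(httpd_sys_script_t), which suggests the use case is a web script invoking clamscan on uploaded content. The old rule being dropped from clamav.te, apache_read_sys_content(clamscan_t), covered exactly that; the new call additionally lets the long-running clamd_t daemon read all httpd_sys_content_t, which is a larger grant than the web-script case needs. Worth a sentence in the commit message, or a note in the hunk, confirming that clamd scanning of web content is wanted.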
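Review bot: in the mta.te hunk, clamav_scannable_files(mqueue_spool_t) is placed inside an optional_policy block whose other two rules (clamav_stream_connect and clamav_append_log) are about system_mail_t, but the call itself tags a file type, not that domain; a one-line comment saying this replaces the mta_read_queue(clamscan_t) rule removed from clamav.te would make the pairing obvious to the next reader. As with the other callers, note that mail-queue read access now also extends to clamd_t, which did not previously have mta_read_queue.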