~ubuntu-branches/ubuntu/natty/refpolicy-ubuntu/natty


Viewing changes to policy/modules/services/clamav.te

  • Committer: Bazaar Package Importer
  • Author(s): Caleb Case
  • Date: 2009-10-19 01:48:39 UTC
  • mfrom: (1.1.1 upstream)
  • Revision ID: james.westby@ubuntu.com-20091019014839-0rpi67ygkrjya30k
Tags: 0.2.20090730-0ubuntu1
* Updated to upstream release 2.20090730
* Handle Upstart direct execution of daemons.
* Pre-depend on selinux to ensure that the trigger is handled (LP: #434084).

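--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -1,5 +1,5 @@
 
-policy_module(clamav, 1.6.2)
+policy_module(clamav, 1.6.3)
 
 ########################################
 #
@@ -13,7 +13,10 @@
 
 # configuration files
 type clamd_etc_t;
-files_type(clamd_etc_t)
+files_config_file(clamd_etc_t)
+
+type clamd_initrc_exec_t;
+init_script_file(clamd_initrc_exec_t)
 
 # tmp files
 type clamd_tmp_t;
@@ -55,7 +58,7 @@
 
 allow clamd_t self:capability { kill setgid setuid dac_override };
 allow clamd_t self:fifo_file rw_fifo_file_perms;
-allow clamd_t self:unix_stream_socket create_stream_socket_perms;
+allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow clamd_t self:unix_dgram_socket create_socket_perms;
 allow clamd_t self:tcp_socket { listen accept };
 
@@ -87,6 +90,9 @@
 kernel_dontaudit_list_proc(clamd_t)
 kernel_read_sysctl(clamd_t)
 kernel_read_kernel_sysctls(clamd_t)
+kernel_read_system_state(clamd_t)
+
+corecmd_exec_shell(clamd_t)
 
 corenet_all_recvfrom_unlabeled(clamd_t)
 corenet_all_recvfrom_netlabel(clamd_t)
@@ -96,6 +102,8 @@
 corenet_tcp_sendrecv_clamd_port(clamd_t)
 corenet_tcp_bind_generic_node(clamd_t)
 corenet_tcp_bind_clamd_port(clamd_t)
+corenet_tcp_bind_generic_port(clamd_t)
+corenet_tcp_connect_generic_port(clamd_t)
 corenet_sendrecv_clamd_server_packets(clamd_t)
 
 dev_read_rand(clamd_t)
@@ -117,13 +125,20 @@
 cron_use_system_job_fds(clamd_t)
 cron_rw_pipes(clamd_t)
 
+mta_read_config(clamd_t)
+mta_send_mail(clamd_t)
+
 optional_policy(`
         amavis_read_lib_files(clamd_t)
         amavis_read_spool_files(clamd_t)
-        amavis_spool_filetrans(clamd_t,clamd_var_run_t,sock_file)
+        amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
         amavis_create_pid_files(clamd_t)
 ')
 
+optional_policy(`
+        exim_read_spool_files(clamd_t)
+')
+
 ########################################
 #
 # Freshclam local policy
@@ -191,7 +206,7 @@
 allow clamscan_t self:fifo_file rw_file_perms;
 allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
 allow clamscan_t self:unix_dgram_socket create_socket_perms;
-allow clamscan_t self:tcp_socket { listen accept };
+allow clamscan_t self:tcp_socket create_stream_socket_perms;
 
 # configuration files
 allow clamscan_t clamd_etc_t:dir list_dir_perms;
@@ -207,6 +222,14 @@
 manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
 allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
 
+corenet_all_recvfrom_unlabeled(clamscan_t)
+corenet_all_recvfrom_netlabel(clamscan_t)
+corenet_tcp_sendrecv_generic_if(clamscan_t)
+corenet_tcp_sendrecv_generic_node(clamscan_t)
+corenet_tcp_sendrecv_all_ports(clamscan_t)
+corenet_tcp_sendrecv_clamd_port(clamscan_t)
+corenet_tcp_connect_clamd_port(clamscan_t)
+
 kernel_read_kernel_sysctls(clamscan_t)
 
 files_read_etc_files(clamscan_t)
@@ -221,6 +244,8 @@
 
 clamav_stream_connect(clamscan_t)
 
+mta_send_mail(clamscan_t)
+
 optional_policy(`
         apache_read_sys_content(clamscan_t)
 ')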
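Review bot: The two generic-port rules added for clamd_t, `corenet_tcp_bind_generic_port(clamd_t)` and `corenet_tcp_connect_generic_port(clamd_t)`, sit directly under the existing clamd_port rules and extend the daemon to every port that carries no more specific label, yet nothing in the policy or the commit message says which feature needs them. clamd parses untrusted content, so each added permission is one a compromised scanner inherits; the same question applies to `corecmd_exec_shell(clamd_t)` in the kernel/corecmd hunk and to `corenet_tcp_sendrecv_all_ports(clamscan_t)` in the clamscan section. If the reason is a site-specific listener port (an assumption, the page does not say), labelling that port as the clamd port type locally, or wrapping the two rules in a `tunable_policy` block that defaults to off, would keep the default policy as tight as the clamd_port rules already are. Whichever way that goes, each new rule should carry a one-line comment naming its consumer, for example `# shell is needed to run VirusEvent handlers` if that is indeed why the shell access was added.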