HEX
Server: Apache
System: Linux vps-cdc32557.vps.ovh.ca 5.15.0-156-generic #166-Ubuntu SMP Sat Aug 9 00:02:46 UTC 2025 x86_64
User: hanode (1017)
PHP: 7.4.33
Disabled: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
$ pwd: /usr/share/selinux/devel/include/services/
Upload Files
File: //usr/share/selinux/devel/include/services/clamav.if
## <summary>ClamAV Virus Scanner.</summary>

########################################
## <summary>
##	Execute a domain transition to run clamd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`clamav_domtrans',`
	gen_require(`
		type clamd_t, clamd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, clamd_exec_t, clamd_t)
')

########################################
## <summary>
##	Execute clamd programs in the clamd
##	domain and allow the specified role
##	the clamd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
interface(`clamav_run',`
	gen_require(`
		type clamd_t;
	')

	clamav_domtrans($1)
	role $2 types clamd_t;
')

########################################
## <summary>
##	Connect to clamd using a unix
##	domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`clamav_stream_connect',`
	gen_require(`
		type clamd_t, clamd_runtime_t;
	')

	allow clamd_t $1:fd use;

	files_search_runtime($1)
	stream_connect_pattern($1, clamd_runtime_t, clamd_runtime_t, clamd_t)
')

########################################
## <summary>
##	Append clamav log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`clamav_append_log',`
	gen_require(`
		type clamd_var_log_t;
	')

	logging_search_logs($1)
	allow $1 clamd_var_log_t:dir list_dir_perms;
	append_files_pattern($1, clamd_var_log_t, clamd_var_log_t)
')

########################################
## <summary>
##	Create, read, write, and delete
##	clamav pid content.  (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`clamav_manage_pid_content',`
	refpolicywarn(`$0($*) has been deprecated.')
')

########################################
## <summary>
##	Read clamav configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`clamav_read_config',`
	gen_require(`
		type clamd_etc_t;
	')

	files_search_etc($1)
	allow $1 clamd_etc_t:file read_file_perms;
')

########################################
## <summary>
##	Search clamav library directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`clamav_search_lib',`
	gen_require(`
		type clamd_var_lib_t;
	')

	files_search_var_lib($1)
	allow $1 clamd_var_lib_t:dir search_dir_perms;
')

########################################
## <summary>
##	Execute a domain transition to run clamscan.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`clamav_domtrans_clamscan',`
	gen_require(`
		type clamscan_t, clamscan_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, clamscan_exec_t, clamscan_t)
')

########################################
## <summary>
##	Execute clamscan in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`clamav_exec_clamscan',`
	gen_require(`
		type clamscan_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, clamscan_exec_t)
')

#######################################
## <summary>
##	Read clamd process state files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`clamav_read_state_clamd',`
	gen_require(`
		type clamd_t;
	')

	kernel_search_proc($1)
	allow $1 clamd_t:dir list_dir_perms;
	read_files_pattern($1, clamd_t, clamd_t)
	read_lnk_files_pattern($1, clamd_t, clamd_t)
')

#######################################
## <summary>
##	Read clam virus signature files
## </summary>
## <desc>
##	<p>
##	Useful for when using things like 'sigtool'
##	which provides useful information about
##	ClamAV signature files.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`clamav_read_signatures',`
	gen_require(`
		type clamd_var_lib_t;
	')

	clamav_search_lib($1)
	allow $1 clamd_var_lib_t:dir list_dir_perms;
	read_files_pattern($1, clamd_var_lib_t, clamd_var_lib_t)
	read_lnk_files_pattern($1, clamd_var_lib_t, clamd_var_lib_t)
')

#######################################
## <summary>
##	Denote a particular type to be scanned by ClamAV
## </summary>
## <param name="domain">
##	<summary>
##	Type that clamd_t and clamscan_t can read.
##	</summary>
## </param>
#
interface(`clamav_scannable_files',`
	gen_require(`
		attribute clam_scannable_type;
	')

	typeattribute $1 clam_scannable_type;
')

########################################
## <summary>
##	Execute a domain transition to run freshclam.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`clamav_domtrans_freshclam',`
	gen_require(`
		type freshclam_t, freshclam_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, freshclam_exec_t, freshclam_t)
')

########################################
## <summary>
##	Execute freshclam in the freshclam domain, and
##	allow the specified role the freshclam domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`clamav_run_freshclam',`
	gen_require(`
		type freshclam_t;
	')

	clamav_domtrans_freshclam($1)
	role $2 types freshclam_t;
')

########################################
## <summary>
##	Execute freshclam in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`clamav_exec_freshclam',`
	gen_require(`
		type freshclam_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, freshclam_exec_t)
')

########################################
## <summary>
##	Allow specified domain to enable clamd units
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`clamav_enabledisable_clamd',`
	gen_require(`
		type clamd_unit_t;
		class service { enable disable };
	')

	allow $1 clamd_unit_t:service { enable disable };
')

########################################
## <summary>
##	Allow specified domain to start clamd units
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`clamav_startstop_clamd',`
	gen_require(`
		type clamd_unit_t;
		class service { start stop };
	')

	allow $1 clamd_unit_t:service { start stop };
')

########################################
## <summary>
##	Allow specified domain to get status of clamd
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`clamav_status_clamd',`
	gen_require(`
		type clamd_unit_t;
		class service status;
	')

	allow $1 clamd_unit_t:service status;
')

########################################
## <summary>
##	Allow specified domain reload of clamd
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`clamav_reload_clamd',`
	gen_require(`
		type clamd_unit_t;
		class service reload;
	')

	allow $1 clamd_unit_t:service reload;
')

########################################
## <summary>
##	All of the rules required to
##	administrate an clamav environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`clamav_admin',`
	gen_require(`
		type clamd_t, clamd_etc_t, clamd_tmp_t;
		type clamd_var_log_t, clamd_var_lib_t, clamd_initrc_exec_t;
		type clamd_runtime_t, clamscan_t, clamscan_tmp_t;
		type freshclam_t, freshclam_var_log_t;
	')

	allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms };
	ps_process_pattern($1, { clamd_t clamscan_t freshclam_t })

	init_startstop_service($1, $2, clamd_t, clamd_initrc_exec_t)

	files_list_etc($1)
	admin_pattern($1, clamd_etc_t)

	files_list_var_lib($1)
	admin_pattern($1, clamd_var_lib_t)

	logging_list_logs($1)
	admin_pattern($1, { clamd_var_log_t freshclam_var_log_t })

	files_list_runtime($1)
	admin_pattern($1, clamd_runtime_t)

	files_list_tmp($1)
	admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
')

########################################
## <summary>
##	specified domain creates /var/log/clamav/freshclam.log with correct type
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`clamav_filetrans_log',`
	gen_require(`
		type clamd_var_log_t, freshclam_var_log_t;
	')

	filetrans_pattern($1, clamd_var_log_t, freshclam_var_log_t, file, "freshclam.log")
')

########################################
## <summary>
##	specified domain creates /run/clamav with correct type
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`clamav_filetrans_runtime_dir',`
	gen_require(`
		type clamd_runtime_t;
	')

	files_runtime_filetrans($1, clamd_runtime_t, dir, "clamav")
')
@ Telegram