1antivirus_selinux(8) SELinux Policy antivirus antivirus_selinux(8)
2
6 antivirus_selinux - Security Enhanced Linux Policy for the antivirus
7 processes
8
10 Security-Enhanced Linux secures the antivirus processes via flexible
11 mandatory access control.
12 The antivirus processes execute with the antivirus_t SELinux type. You
14 can check if you have these processes running by executing the ps com‐
15 mand with the -Z qualifier.
16 For example:
18 ps -eZ | grep antivirus_t
20
24 The antivirus_t SELinux type can be entered via the antivirus_exec_t
25 file type.
26 The default entrypoint paths for the antivirus_t domain are the follow‐
28 ing:
29 /usr/sbin/amavisd.*, /usr/sbin/amavi, /usr/sbin/clamd, /usr/bin/clam‐
31 scan, /usr/bin/clamdscan, /usr/bin/freshclam, /usr/sbin/clamav-milter,
32 /usr/lib/AntiVir/antivir
33
35 SELinux defines process types (domains) for each process running on the
36 system
37 You can see the context of a process using the -Z option to ps
39 Policy governs the access confined processes have to files. SELinux
41 antivirus policy is very flexible allowing users to setup their an‐
42 tivirus processes in as secure a method as possible.
43 The following process types are defined for antivirus:
45 antivirus_t
47 Note: semanage permissive -a antivirus_t can be used to make the
49 process type antivirus_t permissive. SELinux does not deny access to
50 permissive process types, but the AVC (SELinux denials) messages are
51 still generated.
52
55 SELinux policy is customizable based on least access required. an‐
56 tivirus policy is extremely flexible and has several booleans that al‐
57 low you to manipulate the policy and run antivirus with the tightest
58 access possible.
59 If you want to determine whether antivirus programs can use JIT com‐
63 piler, you must turn on the antivirus_use_jit boolean. Disabled by de‐
64 fault.
65 setsebool -P antivirus_use_jit 1
67 If you want to allow all domains to execute in fips_mode, you must turn
71 on the fips_mode boolean. Enabled by default.
72 setsebool -P fips_mode 1
74
78 If you want to allow users to resolve user passwd entries directly from
79 ldap rather then using a sssd server for the antivirus_t, you must turn
80 on the authlogin_nsswitch_use_ldap boolean.
81 setsebool -P authlogin_nsswitch_use_ldap 1
83 If you want to allow confined applications to run with kerberos for the
86 antivirus_t, you must turn on the kerberos_enabled boolean.
87 setsebool -P kerberos_enabled 1
89
92 The SELinux process type antivirus_t can manage files labeled with the
93 following file types. The paths listed are the default paths for these
94 file types. Note the processes UID still need to have DAC permissions.
95 antivirus_db_t
97 /var/amavis(/.*)?
99 /var/clamav(/.*)?
100 /var/lib/clamd.*
101 /var/lib/amavis(/.*)?
102 /var/lib/clamav(/.*)?
103 /var/virusmails(/.*)?
104 /var/opt/f-secure(/.*)?
105 /var/spool/amavisd(/.*)?
106 /var/lib/clamav-unofficial-sigs(/.*)?
107 antivirus_home_t
109 antivirus_log_t
112 /var/log/clamd.*
114 /var/log/clamav.*
115 /var/log/freshclam.*
116 /var/log/amavisd.log.*
117 /var/log/clamav/freshclam.*
118 antivirus_tmp_t
120 antivirus_var_run_t
123 /var/run/clamd.*
125 /var/run/clamav.*
126 /var/run/amavis(d)?(/.*)?
127 /var/run/amavis(d)?/clamd.pid
128 /var/run/amavisd-snmp-subagent.pid
129 cluster_conf_t
131 /etc/cluster(/.*)?
133 cluster_var_lib_t
135 /var/lib/pcsd(/.*)?
137 /var/lib/cluster(/.*)?
138 /var/lib/openais(/.*)?
139 /var/lib/pengine(/.*)?
140 /var/lib/corosync(/.*)?
141 /usr/lib/heartbeat(/.*)?
142 /var/lib/heartbeat(/.*)?
143 /var/lib/pacemaker(/.*)?
144 cluster_var_run_t
146 /var/run/crm(/.*)?
148 /var/run/cman_.*
149 /var/run/rsctmp(/.*)?
150 /var/run/aisexec.*
151 /var/run/heartbeat(/.*)?
152 /var/run/pcsd-ruby.socket
153 /var/run/corosync-qnetd(/.*)?
154 /var/run/corosync-qdevice(/.*)?
155 /var/run/corosync.pid
156 /var/run/cpglockd.pid
157 /var/run/rgmanager.pid
158 /var/run/cluster/rgmanager.sk
159 krb5_host_rcache_t
161 /var/tmp/krb5_0.rcache2
163 /var/cache/krb5rcache(/.*)?
164 /var/tmp/nfs_0
165 /var/tmp/DNS_25
166 /var/tmp/host_0
167 /var/tmp/imap_0
168 /var/tmp/HTTP_23
169 /var/tmp/HTTP_48
170 /var/tmp/ldap_55
171 /var/tmp/ldap_487
172 /var/tmp/ldapmap1_0
173 root_t
175 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
177 /
178 /initrd
179 snmpd_var_lib_t
181 /var/agentx(/.*)?
183 /var/net-snmp(/.*)
184 /var/lib/snmp(/.*)?
185 /var/net-snmp(/.*)?
186 /var/lib/net-snmp(/.*)?
187 /var/spool/snmptt(/.*)?
188 /usr/share/snmp/mibs/.index
189 systemd_passwd_var_run_t
191 /var/run/systemd/ask-password(/.*)?
193 /var/run/systemd/ask-password-block(/.*)?
194
197 SELinux requires files to have an extended attribute to define the file
198 type.
199 You can see the context of a file using the -Z option to ls
201 Policy governs the access confined processes have to these files.
203 SELinux antivirus policy is very flexible allowing users to setup their
204 antivirus processes in as secure a method as possible.
205 EQUIVALENCE DIRECTORIES
207 antivirus policy stores data with multiple different file context types
210 under the /var/lib/clamav directory. If you would like to store the
211 data in a different directory you can use the semanage command to cre‐
212 ate an equivalence mapping. If you wanted to store this data under the
213 /srv directory you would execute the following command:
214 semanage fcontext -a -e /var/lib/clamav /srv/clamav
216 restorecon -R -v /srv/clamav
217 antivirus policy stores data with multiple different file context types
219 under the /var/run/amavis(d)? directory. If you would like to store
220 the data in a different directory you can use the semanage command to
221 create an equivalence mapping. If you wanted to store this data under
222 the /srv directory you would execute the following command:
223 semanage fcontext -a -e /var/run/amavis(d)? /srv/amavis(d)?
225 restorecon -R -v /srv/amavis(d)?
226 STANDARD FILE CONTEXT
228 SELinux defines the file context types for the antivirus, if you wanted
230 to store files with these types in a diffent paths, you need to execute
231 the semanage command to sepecify alternate labeling and then use re‐
232 storecon to put the labels on disk.
233 semanage fcontext -a -t antivirus_tmp_t '/srv/myantivirus_con‐
235 tent(/.*)?'
236 restorecon -R -v /srv/myantivirus_content
237 Note: SELinux often uses regular expressions to specify labels that
239 match multiple files.
240 The following file types are defined for antivirus:
242 antivirus_conf_t
246 - Set files with the antivirus_conf_t type, if you want to treat the
248 files as antivirus configuration data, usually stored under the /etc
249 directory.
250 Paths:
253 /etc/amavis(d)?.conf, /etc/amavisd(/.*)?
254 antivirus_db_t
257 - Set files with the antivirus_db_t type, if you want to treat the
259 files as antivirus database content.
260 Paths:
263 /var/amavis(/.*)?, /var/clamav(/.*)?, /var/lib/clamd.*,
264 /var/lib/amavis(/.*)?, /var/lib/clamav(/.*)?, /var/virus‐
265 mails(/.*)?, /var/opt/f-secure(/.*)?, /var/spool/amavisd(/.*)?,
266 /var/lib/clamav-unofficial-sigs(/.*)?
267 antivirus_exec_t
270 - Set files with the antivirus_exec_t type, if you want to transition
272 an executable to the antivirus_t domain.
273 Paths:
276 /usr/sbin/amavisd.*, /usr/sbin/amavi, /usr/sbin/clamd,
277 /usr/bin/clamscan, /usr/bin/clamdscan, /usr/bin/freshclam,
278 /usr/sbin/clamav-milter, /usr/lib/AntiVir/antivir
279 antivirus_home_t
282 - Set files with the antivirus_home_t type, if you want to store an‐
284 tivirus files in the users home directory.
285 antivirus_initrc_exec_t
289 - Set files with the antivirus_initrc_exec_t type, if you want to tran‐
291 sition an executable to the antivirus_initrc_t domain.
292 Paths:
295 /etc/rc.d/init.d/clamd.*, /etc/rc.d/init.d/amavis,
296 /etc/rc.d/init.d/amavisd-snmp
297 antivirus_log_t
300 - Set files with the antivirus_log_t type, if you want to treat the
302 data as antivirus log data, usually stored under the /var/log direc‐
303 tory.
304 Paths:
307 /var/log/clamd.*, /var/log/clamav.*, /var/log/freshclam.*,
308 /var/log/amavisd.log.*, /var/log/clamav/freshclam.*
309 antivirus_tmp_t
312 - Set files with the antivirus_tmp_t type, if you want to store an‐
314 tivirus temporary files in the /tmp directories.
315 antivirus_unit_file_t
319 - Set files with the antivirus_unit_file_t type, if you want to treat
321 the files as antivirus unit content.
322 Paths:
325 /usr/lib/systemd/system/clamd.*, /usr/lib/systemd/system/amavisd.*
326 antivirus_var_run_t
329 - Set files with the antivirus_var_run_t type, if you want to store the
331 antivirus files under the /run or /var/run directory.
332 Paths:
335 /var/run/clamd.*, /var/run/clamav.*, /var/run/amavis(d)?(/.*)?,
336 /var/run/amavis(d)?/clamd.pid, /var/run/amavisd-snmp-subagent.pid
337 Note: File context can be temporarily modified with the chcon command.
340 If you want to permanently change the file context you need to use the
341 semanage fcontext command. This will modify the SELinux labeling data‐
342 base. You will need to use restorecon to apply the labels.
343
346 semanage fcontext can also be used to manipulate default file context
347 mappings.
348 semanage permissive can also be used to manipulate whether or not a
350 process type is permissive.
351 semanage module can also be used to enable/disable/install/remove pol‐
353 icy modules.
354 semanage boolean can also be used to manipulate the booleans
356 system-config-selinux is a GUI tool available to customize SELinux pol‐
359 icy settings.
360
363 This manual page was auto-generated using sepolicy manpage .
364
367 selinux(8), antivirus(8), semanage(8), restorecon(8), chcon(1), sepol‐
368 icy(8), setsebool(8)
369antivirus 21-06-09 antivirus_selinux(8)