1antivirus_selinux(8)       SELinux Policy antivirus       antivirus_selinux(8)
2
3
4

NAME

6       antivirus_selinux  -  Security  Enhanced Linux Policy for the antivirus
7       processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the antivirus  processes  via  flexible
11       mandatory access control.
12
13       The  antivirus processes execute with the antivirus_t SELinux type. You
14       can check if you have these processes running by executing the ps  com‐
15       mand with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep antivirus_t
20
21
22

ENTRYPOINTS

24       The  antivirus_t  SELinux  type can be entered via the antivirus_exec_t
25       file type.
26
27       The default entrypoint paths for the antivirus_t domain are the follow‐
28       ing:
29
30       /usr/sbin/amavisd.*,  /usr/sbin/amavi,  /usr/sbin/clamd, /usr/bin/clam‐
31       scan, /usr/bin/clamdscan, /usr/bin/freshclam,  /usr/sbin/clamav-milter,
32       /usr/lib/AntiVir/antivir
33

PROCESS TYPES

35       SELinux defines process types (domains) for each process running on the
36       system
37
38       You can see the context of a process using the -Z option to ps
39
40       Policy governs the access confined processes have  to  files.   SELinux
41       antivirus  policy  is  very  flexible allowing users to setup their an‐
42       tivirus processes in as secure a method as possible.
43
44       The following process types are defined for antivirus:
45
46       antivirus_t
47
48       Note: semanage permissive -a  antivirus_t  can  be  used  to  make  the
49       process  type  antivirus_t  permissive. SELinux does not deny access to
50       permissive process types, but the AVC (SELinux  denials)  messages  are
51       still generated.
52
53

BOOLEANS

55       SELinux  policy  is  customizable  based on least access required.  an‐
56       tivirus policy is extremely flexible and has several booleans that  al‐
57       low  you  to  manipulate the policy and run antivirus with the tightest
58       access possible.
59
60
61
62       If you want to determine whether antivirus programs can  use  JIT  com‐
63       piler,  you must turn on the antivirus_use_jit boolean. Disabled by de‐
64       fault.
65
66       setsebool -P antivirus_use_jit 1
67
68
69
70       If you want to allow all domains to execute in fips_mode, you must turn
71       on the fips_mode boolean. Enabled by default.
72
73       setsebool -P fips_mode 1
74
75
76

NSSWITCH DOMAIN

78       If you want to allow users to resolve user passwd entries directly from
79       ldap rather then using a sssd server for the antivirus_t, you must turn
80       on the authlogin_nsswitch_use_ldap boolean.
81
82       setsebool -P authlogin_nsswitch_use_ldap 1
83
84
85       If you want to allow confined applications to run with kerberos for the
86       antivirus_t, you must turn on the kerberos_enabled boolean.
87
88       setsebool -P kerberos_enabled 1
89
90

MANAGED FILES

92       The SELinux process type antivirus_t can manage files labeled with  the
93       following file types.  The paths listed are the default paths for these
94       file types.  Note the processes UID still need to have DAC permissions.
95
96       antivirus_db_t
97
98            /var/amavis(/.*)?
99            /var/clamav(/.*)?
100            /var/lib/clamd.*
101            /var/lib/amavis(/.*)?
102            /var/lib/clamav(/.*)?
103            /var/virusmails(/.*)?
104            /var/opt/f-secure(/.*)?
105            /var/spool/amavisd(/.*)?
106            /var/lib/clamav-unofficial-sigs(/.*)?
107
108       antivirus_home_t
109
110
111       antivirus_log_t
112
113            /var/log/clamd.*
114            /var/log/clamav.*
115            /var/log/freshclam.*
116            /var/log/amavisd.log.*
117            /var/log/clamav/freshclam.*
118
119       antivirus_tmp_t
120
121
122       antivirus_var_run_t
123
124            /var/run/clamd.*
125            /var/run/clamav.*
126            /var/run/amavis(d)?(/.*)?
127            /var/run/amavis(d)?/clamd.pid
128            /var/run/amavisd-snmp-subagent.pid
129
130       cluster_conf_t
131
132            /etc/cluster(/.*)?
133
134       cluster_var_lib_t
135
136            /var/lib/pcsd(/.*)?
137            /var/lib/cluster(/.*)?
138            /var/lib/openais(/.*)?
139            /var/lib/pengine(/.*)?
140            /var/lib/corosync(/.*)?
141            /usr/lib/heartbeat(/.*)?
142            /var/lib/heartbeat(/.*)?
143            /var/lib/pacemaker(/.*)?
144
145       cluster_var_run_t
146
147            /var/run/crm(/.*)?
148            /var/run/cman_.*
149            /var/run/rsctmp(/.*)?
150            /var/run/aisexec.*
151            /var/run/heartbeat(/.*)?
152            /var/run/pcsd-ruby.socket
153            /var/run/corosync-qnetd(/.*)?
154            /var/run/corosync-qdevice(/.*)?
155            /var/run/corosync.pid
156            /var/run/cpglockd.pid
157            /var/run/rgmanager.pid
158            /var/run/cluster/rgmanager.sk
159
160       krb5_host_rcache_t
161
162            /var/tmp/krb5_0.rcache2
163            /var/cache/krb5rcache(/.*)?
164            /var/tmp/nfs_0
165            /var/tmp/DNS_25
166            /var/tmp/host_0
167            /var/tmp/imap_0
168            /var/tmp/HTTP_23
169            /var/tmp/HTTP_48
170            /var/tmp/ldap_55
171            /var/tmp/ldap_487
172            /var/tmp/ldapmap1_0
173
174       root_t
175
176            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
177            /
178            /initrd
179
180       snmpd_var_lib_t
181
182            /var/agentx(/.*)?
183            /var/net-snmp(/.*)
184            /var/lib/snmp(/.*)?
185            /var/net-snmp(/.*)?
186            /var/lib/net-snmp(/.*)?
187            /var/spool/snmptt(/.*)?
188            /usr/share/snmp/mibs/.index
189
190       systemd_passwd_var_run_t
191
192            /var/run/systemd/ask-password(/.*)?
193            /var/run/systemd/ask-password-block(/.*)?
194
195

FILE CONTEXTS

197       SELinux requires files to have an extended attribute to define the file
198       type.
199
200       You can see the context of a file using the -Z option to ls
201
202       Policy  governs  the  access  confined  processes  have to these files.
203       SELinux antivirus policy is very flexible allowing users to setup their
204       antivirus processes in as secure a method as possible.
205
206       EQUIVALENCE DIRECTORIES
207
208
209       antivirus policy stores data with multiple different file context types
210       under the /var/lib/clamav directory.  If you would like  to  store  the
211       data  in a different directory you can use the semanage command to cre‐
212       ate an equivalence mapping.  If you wanted to store this data under the
213       /srv directory you would execute the following command:
214
215       semanage fcontext -a -e /var/lib/clamav /srv/clamav
216       restorecon -R -v /srv/clamav
217
218       antivirus policy stores data with multiple different file context types
219       under the /var/run/amavis(d)? directory.  If you would  like  to  store
220       the  data  in a different directory you can use the semanage command to
221       create an equivalence mapping.  If you wanted to store this data  under
222       the /srv directory you would execute the following command:
223
224       semanage fcontext -a -e /var/run/amavis(d)? /srv/amavis(d)?
225       restorecon -R -v /srv/amavis(d)?
226
227       STANDARD FILE CONTEXT
228
229       SELinux defines the file context types for the antivirus, if you wanted
230       to store files with these types in a diffent paths, you need to execute
231       the  semanage  command  to  specify alternate labeling and then use re‐
232       storecon to put the labels on disk.
233
234       semanage  fcontext   -a   -t   antivirus_tmp_t   '/srv/myantivirus_con‐
235       tent(/.*)?'
236       restorecon -R -v /srv/myantivirus_content
237
238       Note:  SELinux  often  uses  regular expressions to specify labels that
239       match multiple files.
240
241       The following file types are defined for antivirus:
242
243
244
245       antivirus_conf_t
246
247       - Set files with the antivirus_conf_t type, if you want  to  treat  the
248       files  as  antivirus  configuration data, usually stored under the /etc
249       directory.
250
251
252       Paths:
253            /etc/amavis(d)?.conf, /etc/amavisd(/.*)?
254
255
256       antivirus_db_t
257
258       - Set files with the antivirus_db_t type, if  you  want  to  treat  the
259       files as antivirus database content.
260
261
262       Paths:
263            /var/amavis(/.*)?,       /var/clamav(/.*)?,      /var/lib/clamd.*,
264            /var/lib/amavis(/.*)?,     /var/lib/clamav(/.*)?,      /var/virus‐
265            mails(/.*)?,   /var/opt/f-secure(/.*)?,  /var/spool/amavisd(/.*)?,
266            /var/lib/clamav-unofficial-sigs(/.*)?
267
268
269       antivirus_exec_t
270
271       - Set files with the antivirus_exec_t type, if you want  to  transition
272       an executable to the antivirus_t domain.
273
274
275       Paths:
276            /usr/sbin/amavisd.*,       /usr/sbin/amavi,       /usr/sbin/clamd,
277            /usr/bin/clamscan,     /usr/bin/clamdscan,     /usr/bin/freshclam,
278            /usr/sbin/clamav-milter, /usr/lib/AntiVir/antivir
279
280
281       antivirus_home_t
282
283       -  Set  files  with the antivirus_home_t type, if you want to store an‐
284       tivirus files in the users home directory.
285
286
287
288       antivirus_initrc_exec_t
289
290       - Set files with the antivirus_initrc_exec_t type, if you want to tran‐
291       sition an executable to the antivirus_initrc_t domain.
292
293
294       Paths:
295            /etc/rc.d/init.d/clamd.*,                 /etc/rc.d/init.d/amavis,
296            /etc/rc.d/init.d/amavisd-snmp
297
298
299       antivirus_log_t
300
301       - Set files with the antivirus_log_t type, if you  want  to  treat  the
302       data  as  antivirus  log data, usually stored under the /var/log direc‐
303       tory.
304
305
306       Paths:
307            /var/log/clamd.*,     /var/log/clamav.*,     /var/log/freshclam.*,
308            /var/log/amavisd.log.*, /var/log/clamav/freshclam.*
309
310
311       antivirus_tmp_t
312
313       -  Set  files  with  the antivirus_tmp_t type, if you want to store an‐
314       tivirus temporary files in the /tmp directories.
315
316
317
318       antivirus_unit_file_t
319
320       - Set files with the antivirus_unit_file_t type, if you want  to  treat
321       the files as antivirus unit content.
322
323
324       Paths:
325            /usr/lib/systemd/system/clamd.*, /usr/lib/systemd/system/amavisd.*
326
327
328       antivirus_var_run_t
329
330       - Set files with the antivirus_var_run_t type, if you want to store the
331       antivirus files under the /run or /var/run directory.
332
333
334       Paths:
335            /var/run/clamd.*,  /var/run/clamav.*,   /var/run/amavis(d)?(/.*)?,
336            /var/run/amavis(d)?/clamd.pid, /var/run/amavisd-snmp-subagent.pid
337
338
339       Note:  File context can be temporarily modified with the chcon command.
340       If you want to permanently change the file context you need to use  the
341       semanage fcontext command.  This will modify the SELinux labeling data‐
342       base.  You will need to use restorecon to apply the labels.
343
344

COMMANDS

346       semanage fcontext can also be used to manipulate default  file  context
347       mappings.
348
349       semanage  permissive  can  also  be used to manipulate whether or not a
350       process type is permissive.
351
352       semanage module can also be used to enable/disable/install/remove  pol‐
353       icy modules.
354
355       semanage boolean can also be used to manipulate the booleans
356
357
358       system-config-selinux is a GUI tool available to customize SELinux pol‐
359       icy settings.
360
361

AUTHOR

363       This manual page was auto-generated using sepolicy manpage .
364
365

SEE ALSO

367       selinux(8), antivirus(8), semanage(8), restorecon(8), chcon(1),  sepol‐
368       icy(8), setsebool(8)
369
370
371
372antivirus                          21-11-19               antivirus_selinux(8)
Impressum