1antivirus_selinux(8) SELinux Policy antivirus antivirus_selinux(8)
2
3
4
6 antivirus_selinux - Security Enhanced Linux Policy for the antivirus
7 processes
8
10 Security-Enhanced Linux secures the antivirus processes via flexible
11 mandatory access control.
12
13 The antivirus processes execute with the antivirus_t SELinux type. You
14 can check if you have these processes running by executing the ps com‐
15 mand with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep antivirus_t
20
21
22
24 The antivirus_t SELinux type can be entered via the antivirus_exec_t
25 file type.
26
27 The default entrypoint paths for the antivirus_t domain are the follow‐
28 ing:
29
30 /usr/sbin/amavisd.*, /usr/sbin/amavi, /usr/sbin/clamd, /usr/bin/clam‐
31 scan, /usr/bin/clamdscan, /usr/bin/freshclam, /usr/sbin/clamav-milter,
32 /usr/lib/AntiVir/antivir
33
35 SELinux defines process types (domains) for each process running on the
36 system
37
38 You can see the context of a process using the -Z option to ps
39
40 Policy governs the access confined processes have to files. SELinux
41 antivirus policy is very flexible allowing users to setup their an‐
42 tivirus processes in as secure a method as possible.
43
44 The following process types are defined for antivirus:
45
46 antivirus_t
47
48 Note: semanage permissive -a antivirus_t can be used to make the
49 process type antivirus_t permissive. SELinux does not deny access to
50 permissive process types, but the AVC (SELinux denials) messages are
51 still generated.
52
53
55 SELinux policy is customizable based on least access required. an‐
56 tivirus policy is extremely flexible and has several booleans that al‐
57 low you to manipulate the policy and run antivirus with the tightest
58 access possible.
59
60
61
62 If you want to determine whether antivirus programs can use JIT com‐
63 piler, you must turn on the antivirus_use_jit boolean. Disabled by de‐
64 fault.
65
66 setsebool -P antivirus_use_jit 1
67
68
69
70 If you want to allow all domains to execute in fips_mode, you must turn
71 on the fips_mode boolean. Enabled by default.
72
73 setsebool -P fips_mode 1
74
75
76
78 If you want to allow users to resolve user passwd entries directly from
79 ldap rather then using a sssd server for the antivirus_t, you must turn
80 on the authlogin_nsswitch_use_ldap boolean.
81
82 setsebool -P authlogin_nsswitch_use_ldap 1
83
84
85 If you want to allow confined applications to run with kerberos for the
86 antivirus_t, you must turn on the kerberos_enabled boolean.
87
88 setsebool -P kerberos_enabled 1
89
90
92 The SELinux process type antivirus_t can manage files labeled with the
93 following file types. The paths listed are the default paths for these
94 file types. Note the processes UID still need to have DAC permissions.
95
96 antivirus_db_t
97
98 /var/amavis(/.*)?
99 /var/clamav(/.*)?
100 /var/lib/clamd.*
101 /var/lib/amavis(/.*)?
102 /var/lib/clamav(/.*)?
103 /var/virusmails(/.*)?
104 /var/opt/f-secure(/.*)?
105 /var/spool/amavisd(/.*)?
106 /var/lib/clamav-unofficial-sigs(/.*)?
107
108 antivirus_home_t
109
110
111 antivirus_log_t
112
113 /var/log/clamd.*
114 /var/log/clamav.*
115 /var/log/freshclam.*
116 /var/log/amavisd.log.*
117 /var/log/clamav/freshclam.*
118
119 antivirus_tmp_t
120
121
122 antivirus_var_run_t
123
124 /var/run/clamd.*
125 /var/run/clamav.*
126 /var/run/amavis(d)?(/.*)?
127 /var/run/amavis(d)?/clamd.pid
128 /var/run/amavisd-snmp-subagent.pid
129
130 cluster_conf_t
131
132 /etc/cluster(/.*)?
133
134 cluster_var_lib_t
135
136 /var/lib/pcsd(/.*)?
137 /var/lib/cluster(/.*)?
138 /var/lib/openais(/.*)?
139 /var/lib/pengine(/.*)?
140 /var/lib/corosync(/.*)?
141 /usr/lib/heartbeat(/.*)?
142 /var/lib/heartbeat(/.*)?
143 /var/lib/pacemaker(/.*)?
144
145 cluster_var_run_t
146
147 /var/run/crm(/.*)?
148 /var/run/cman_.*
149 /var/run/rsctmp(/.*)?
150 /var/run/aisexec.*
151 /var/run/heartbeat(/.*)?
152 /var/run/pcsd-ruby.socket
153 /var/run/corosync-qnetd(/.*)?
154 /var/run/corosync-qdevice(/.*)?
155 /var/run/corosync.pid
156 /var/run/cpglockd.pid
157 /var/run/rgmanager.pid
158 /var/run/cluster/rgmanager.sk
159
160 krb5_host_rcache_t
161
162 /var/tmp/krb5_0.rcache2
163 /var/cache/krb5rcache(/.*)?
164 /var/tmp/nfs_0
165 /var/tmp/DNS_25
166 /var/tmp/host_0
167 /var/tmp/imap_0
168 /var/tmp/HTTP_23
169 /var/tmp/HTTP_48
170 /var/tmp/ldap_55
171 /var/tmp/ldap_487
172 /var/tmp/ldapmap1_0
173
174 root_t
175
176 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
177 /
178 /initrd
179
180 snmpd_var_lib_t
181
182 /var/agentx(/.*)?
183 /var/net-snmp(/.*)
184 /var/lib/snmp(/.*)?
185 /var/net-snmp(/.*)?
186 /var/lib/net-snmp(/.*)?
187 /var/spool/snmptt(/.*)?
188 /usr/share/snmp/mibs/.index
189
190 systemd_passwd_var_run_t
191
192 /var/run/systemd/ask-password(/.*)?
193 /var/run/systemd/ask-password-block(/.*)?
194
195
197 SELinux requires files to have an extended attribute to define the file
198 type.
199
200 You can see the context of a file using the -Z option to ls
201
202 Policy governs the access confined processes have to these files.
203 SELinux antivirus policy is very flexible allowing users to setup their
204 antivirus processes in as secure a method as possible.
205
206 EQUIVALENCE DIRECTORIES
207
208
209 antivirus policy stores data with multiple different file context types
210 under the /var/lib/clamav directory. If you would like to store the
211 data in a different directory you can use the semanage command to cre‐
212 ate an equivalence mapping. If you wanted to store this data under the
213 /srv directory you would execute the following command:
214
215 semanage fcontext -a -e /var/lib/clamav /srv/clamav
216 restorecon -R -v /srv/clamav
217
218 antivirus policy stores data with multiple different file context types
219 under the /var/run/amavis(d)? directory. If you would like to store
220 the data in a different directory you can use the semanage command to
221 create an equivalence mapping. If you wanted to store this data under
222 the /srv directory you would execute the following command:
223
224 semanage fcontext -a -e /var/run/amavis(d)? /srv/amavis(d)?
225 restorecon -R -v /srv/amavis(d)?
226
227 STANDARD FILE CONTEXT
228
229 SELinux defines the file context types for the antivirus, if you wanted
230 to store files with these types in a diffent paths, you need to execute
231 the semanage command to specify alternate labeling and then use re‐
232 storecon to put the labels on disk.
233
234 semanage fcontext -a -t antivirus_tmp_t '/srv/myantivirus_con‐
235 tent(/.*)?'
236 restorecon -R -v /srv/myantivirus_content
237
238 Note: SELinux often uses regular expressions to specify labels that
239 match multiple files.
240
241 The following file types are defined for antivirus:
242
243
244
245 antivirus_conf_t
246
247 - Set files with the antivirus_conf_t type, if you want to treat the
248 files as antivirus configuration data, usually stored under the /etc
249 directory.
250
251
252 Paths:
253 /etc/amavis(d)?.conf, /etc/amavisd(/.*)?
254
255
256 antivirus_db_t
257
258 - Set files with the antivirus_db_t type, if you want to treat the
259 files as antivirus database content.
260
261
262 Paths:
263 /var/amavis(/.*)?, /var/clamav(/.*)?, /var/lib/clamd.*,
264 /var/lib/amavis(/.*)?, /var/lib/clamav(/.*)?, /var/virus‐
265 mails(/.*)?, /var/opt/f-secure(/.*)?, /var/spool/amavisd(/.*)?,
266 /var/lib/clamav-unofficial-sigs(/.*)?
267
268
269 antivirus_exec_t
270
271 - Set files with the antivirus_exec_t type, if you want to transition
272 an executable to the antivirus_t domain.
273
274
275 Paths:
276 /usr/sbin/amavisd.*, /usr/sbin/amavi, /usr/sbin/clamd,
277 /usr/bin/clamscan, /usr/bin/clamdscan, /usr/bin/freshclam,
278 /usr/sbin/clamav-milter, /usr/lib/AntiVir/antivir
279
280
281 antivirus_home_t
282
283 - Set files with the antivirus_home_t type, if you want to store an‐
284 tivirus files in the users home directory.
285
286
287
288 antivirus_initrc_exec_t
289
290 - Set files with the antivirus_initrc_exec_t type, if you want to tran‐
291 sition an executable to the antivirus_initrc_t domain.
292
293
294 Paths:
295 /etc/rc.d/init.d/clamd.*, /etc/rc.d/init.d/amavis,
296 /etc/rc.d/init.d/amavisd-snmp
297
298
299 antivirus_log_t
300
301 - Set files with the antivirus_log_t type, if you want to treat the
302 data as antivirus log data, usually stored under the /var/log direc‐
303 tory.
304
305
306 Paths:
307 /var/log/clamd.*, /var/log/clamav.*, /var/log/freshclam.*,
308 /var/log/amavisd.log.*, /var/log/clamav/freshclam.*
309
310
311 antivirus_tmp_t
312
313 - Set files with the antivirus_tmp_t type, if you want to store an‐
314 tivirus temporary files in the /tmp directories.
315
316
317
318 antivirus_unit_file_t
319
320 - Set files with the antivirus_unit_file_t type, if you want to treat
321 the files as antivirus unit content.
322
323
324 Paths:
325 /usr/lib/systemd/system/clamd.*, /usr/lib/systemd/system/amavisd.*
326
327
328 antivirus_var_run_t
329
330 - Set files with the antivirus_var_run_t type, if you want to store the
331 antivirus files under the /run or /var/run directory.
332
333
334 Paths:
335 /var/run/clamd.*, /var/run/clamav.*, /var/run/amavis(d)?(/.*)?,
336 /var/run/amavis(d)?/clamd.pid, /var/run/amavisd-snmp-subagent.pid
337
338
339 Note: File context can be temporarily modified with the chcon command.
340 If you want to permanently change the file context you need to use the
341 semanage fcontext command. This will modify the SELinux labeling data‐
342 base. You will need to use restorecon to apply the labels.
343
344
346 semanage fcontext can also be used to manipulate default file context
347 mappings.
348
349 semanage permissive can also be used to manipulate whether or not a
350 process type is permissive.
351
352 semanage module can also be used to enable/disable/install/remove pol‐
353 icy modules.
354
355 semanage boolean can also be used to manipulate the booleans
356
357
358 system-config-selinux is a GUI tool available to customize SELinux pol‐
359 icy settings.
360
361
363 This manual page was auto-generated using sepolicy manpage .
364
365
367 selinux(8), antivirus(8), semanage(8), restorecon(8), chcon(1), sepol‐
368 icy(8), setsebool(8)
369
370
371
372antivirus 23-02-03 antivirus_selinux(8)