antivirus_selinux(8)    SELinux Policy antivirus    antivirus_selinux(8)

antivirus_selinux - Security Enhanced Linux Policy for the antivirus
processes

Security-Enhanced Linux secures the antivirus processes via flexible
mandatory access control.

The antivirus processes execute with the antivirus_t SELinux type. You
can check if you have these processes running by executing the ps
command with the -Z qualifier.

For example:

ps -eZ | grep antivirus_t

The antivirus_t SELinux type can be entered via the antivirus_exec_t
file type.

The default entrypoint paths for the antivirus_t domain are the
following:

/usr/sbin/amavisd.*, /usr/sbin/amavi, /usr/sbin/clamd,
/usr/bin/clamscan, /usr/bin/clamdscan, /usr/bin/freshclam,
/usr/sbin/clamav-milter, /usr/lib/AntiVir/antivir

SELinux defines process types (domains) for each process running on the
system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux
antivirus policy is very flexible, allowing users to set up their
antivirus processes in as secure a method as possible.

The following process types are defined for antivirus:

antivirus_t

Note: semanage permissive -a antivirus_t can be used to make the
process type antivirus_t permissive. SELinux does not deny access to
permissive process types, but the AVC (SELinux denials) messages are
still generated.
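
A plain grep for antivirus_t only shows the processes that are confined; it does not show a scanner that was started outside the policy. The following added example (not part of the generated manual page) reads ps -eZ output and reports antivirus daemons running in any other domain. The function names and the sample process list are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag antivirus daemons that are not running in antivirus_t.
# Reads `ps -eZ` output (LABEL PID TTY TIME CMD) on stdin.
unconfined_antivirus() {
    awk '
        NR == 1 && $1 == "LABEL" { next }     # skip the ps header line
        {
            cmd = $NF
            sub(/^.*\//, "", cmd)             # ps may show a path; keep the basename
            # Names derived from the default entrypoint paths listed on this page.
            if (cmd !~ /^(amavisd.*|amavi|clamd|clamscan|clamdscan|freshclam|clamav-milter|antivir)$/)
                next
            split($1, ctx, ":")               # user:role:type:level
            if (ctx[3] != "antivirus_t")
                printf "%s pid=%s domain=%s\n", cmd, $2, ctx[3]
        }'
}

# Constructed sample of `ps -eZ` output (not captured from a real host).
sample_ps() {
    cat <<'EOF'
LABEL                             PID TTY          TIME CMD
system_u:system_r:antivirus_t:s0 1201 ?        00:00:41 clamd
system_u:system_r:unconfined_service_t:s0 1307 ? 00:00:02 freshclam
system_u:system_r:antivirus_t:s0-s0:c0.c1023 1410 ? 00:00:09 /usr/sbin/amavi
system_u:system_r:sshd_t:s0-s0:c0.c1023 1502 ? 00:00:00 sshd
EOF
}

# On an SELinux host: ps -eZ | unconfined_antivirus
sample_ps | unconfined_antivirus
```

A hit usually means the binary is mislabeled (check it with ls -Z against antivirus_exec_t) or was launched from a domain that has no transition into antivirus_t.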

SELinux policy is customizable based on least access required. The
antivirus policy is extremely flexible and has several booleans that
allow you to manipulate the policy and run antivirus with the tightest
access possible.

If you want to allow antivirus programs to use a JIT compiler, you must
turn on the antivirus_use_jit boolean. Disabled by default.

setsebool -P antivirus_use_jit 1

If you want to dontaudit all daemons scheduling requests (setsched,
sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
Enabled by default.

setsebool -P daemons_dontaudit_scheduling 1

If you want to allow all domains to execute in fips_mode, you must turn
on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to allow the system to run with NIS, you must turn on the
nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1
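
Because setsebool -P makes a change persistent, it is worth checking a host against the defaults documented above. The following added example (not part of the generated manual page) reads getsebool -a style output and reports every boolean from this section that differs from its documented default. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: report drift from the boolean defaults documented on this page.
PAGE_DEFAULTS="antivirus_use_jit=off daemons_dontaudit_scheduling=on fips_mode=on nis_enabled=off"

# Reads `getsebool -a` style lines ("name --> on|off") on stdin and prints
# one line per documented boolean that deviates or is absent.
boolean_drift() {
    awk -v defaults="$PAGE_DEFAULTS" '
        BEGIN {
            n = split(defaults, pair, " ")
            for (i = 1; i <= n; i++) {
                split(pair[i], kv, "=")
                want[kv[1]] = kv[2]
                order[i] = kv[1]
            }
        }
        $2 == "-->" && ($1 in want) { have[$1] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                b = order[i]
                if (!(b in have))
                    printf "%s missing (expected %s)\n", b, want[b]
                else if (have[b] != want[b])
                    printf "%s is %s (default %s)\n", b, have[b], want[b]
            }
        }'
}

# Constructed sample of `getsebool -a` output (not captured from a real host).
sample_getsebool() {
    cat <<'EOF'
antivirus_use_jit --> on
daemons_dontaudit_scheduling --> on
fips_mode --> on
nis_enabled --> off
EOF
}

# On an SELinux host: getsebool -a | boolean_drift
sample_getsebool | boolean_drift
```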

If you want to allow users to resolve user passwd entries directly from
LDAP rather than using an sssd server for the antivirus_t, you must turn
on the authlogin_nsswitch_use_ldap boolean.

setsebool -P authlogin_nsswitch_use_ldap 1

If you want to allow confined applications to run with Kerberos for the
antivirus_t, you must turn on the kerberos_enabled boolean.

setsebool -P kerberos_enabled 1

The SELinux process type antivirus_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process UID still needs to have DAC
permissions.

antivirus_db_t

    /var/amavis(/.*)?
    /var/clamav(/.*)?
    /var/lib/clamd.*
    /var/lib/amavis(/.*)?
    /var/lib/clamav(/.*)?
    /var/virusmails(/.*)?
    /var/opt/f-secure(/.*)?
    /var/spool/amavisd(/.*)?
    /var/lib/clamav-unofficial-sigs(/.*)?

antivirus_home_t

antivirus_log_t

    /var/log/clamd.*
    /var/log/clamav.*
    /var/log/freshclam.*
    /var/log/amavisd.log.*
    /var/log/clamav/freshclam.*

antivirus_tmp_t

antivirus_var_run_t

    /var/run/clamd.*
    /var/run/clamav.*
    /var/run/amavis(d)?(/.*)?
    /var/run/amavis(d)?/clamd.pid
    /var/run/amavisd-snmp-subagent.pid

cluster_conf_t

    /etc/cluster(/.*)?

cluster_var_lib_t

    /var/lib/pcsd(/.*)?
    /var/lib/cluster(/.*)?
    /var/lib/openais(/.*)?
    /var/lib/pengine(/.*)?
    /var/lib/corosync(/.*)?
    /usr/lib/heartbeat(/.*)?
    /var/lib/heartbeat(/.*)?
    /var/lib/pacemaker(/.*)?

cluster_var_run_t

    /var/run/crm(/.*)?
    /var/run/cman_.*
    /var/run/rsctmp(/.*)?
    /var/run/aisexec.*
    /var/run/heartbeat(/.*)?
    /var/run/pcsd-ruby.socket
    /var/run/corosync-qnetd(/.*)?
    /var/run/corosync-qdevice(/.*)?
    /var/run/corosync.pid
    /var/run/cpglockd.pid
    /var/run/rgmanager.pid
    /var/run/cluster/rgmanager.sk

krb5_host_rcache_t

    /var/tmp/krb5_0.rcache2
    /var/cache/krb5rcache(/.*)?
    /var/tmp/nfs_0
    /var/tmp/DNS_25
    /var/tmp/host_0
    /var/tmp/imap_0
    /var/tmp/HTTP_23
    /var/tmp/HTTP_48
    /var/tmp/ldap_55
    /var/tmp/ldap_487
    /var/tmp/ldapmap1_0

root_t

    /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
    /
    /initrd

snmpd_var_lib_t

    /var/agentx(/.*)?
    /var/net-snmp(/.*)
    /var/lib/snmp(/.*)?
    /var/net-snmp(/.*)?
    /var/lib/net-snmp(/.*)?
    /var/spool/snmptt(/.*)?
    /usr/share/snmp/mibs/.index

systemd_passwd_var_run_t

    /var/run/systemd/ask-password(/.*)?
    /var/run/systemd/ask-password-block(/.*)?

SELinux requires files to have an extended attribute to define the file
type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files.
SELinux antivirus policy is very flexible, allowing users to set up
their antivirus processes in as secure a method as possible.

EQUIVALENCE DIRECTORIES

antivirus policy stores data with multiple different file context types
under the /var/lib/clamav directory. If you would like to store the
data in a different directory you can use the semanage command to
create an equivalence mapping. If you wanted to store this data under
the /srv directory you would execute the following commands:

semanage fcontext -a -e /var/lib/clamav /srv/clamav
restorecon -R -v /srv/clamav

antivirus policy stores data with multiple different file context types
under the /var/run/amavis(d)? directory. If you would like to store
the data in a different directory you can use the semanage command to
create an equivalence mapping. An equivalence mapping takes literal
directory paths rather than regular expressions, so name the directory
that exists on your system (/var/run/amavis or /var/run/amavisd). If
you wanted to store this data under the /srv directory you would
execute the following commands, shown here for /var/run/amavisd:

semanage fcontext -a -e /var/run/amavisd /srv/amavisd
restorecon -R -v /srv/amavisd
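
An equivalence mapping works by rewriting the alternate directory prefix to the original one before the file context regular expressions are consulted. The following added example (not part of the generated manual page) models that lookup for the /srv/clamav mapping, using a subset of the default paths listed on this page. The variable and function names are constructed for illustration, and the first-match rule is a simplification of how the real lookup ranks overlapping expressions.

```shell
#!/bin/sh
# Added example: how an equivalence rule feeds the file-context lookup.
# "type regex" pairs copied from the default paths on this page (subset).
FCONTEXTS='antivirus_db_t /var/lib/clamav(/.*)?
antivirus_db_t /var/lib/clamd.*
antivirus_log_t /var/log/clamav.*
antivirus_var_run_t /var/run/clamd.*
antivirus_exec_t /usr/sbin/clamd'

# Equivalence created by: semanage fcontext -a -e /var/lib/clamav /srv/clamav
SUBS_ALT=/srv/clamav
SUBS_ORIG=/var/lib/clamav

expected_type() {
    path=$1
    # Step 1: rewrite the alternate directory prefix to the original one.
    case $path in
        "$SUBS_ALT" | "$SUBS_ALT"/*) path=$SUBS_ORIG${path#"$SUBS_ALT"} ;;
    esac
    # Step 2: match the rewritten path against the regexes, anchored at
    # both ends. Simplification: the first matching entry wins here.
    found=$(printf '%s\n' "$FCONTEXTS" | while read -r ftype regex; do
        if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
            echo "$ftype"
            break
        fi
    done)
    echo "${found:-none}"
}

# Constructed sample paths; "none" means no antivirus type applies.
for p in /srv/clamav/daily.cld /srv/clamav-old/daily.cld /var/run/clamd.scan/clamd.sock; do
    printf '%-34s %s\n' "$p" "$(expected_type "$p")"
done
```

The /srv/clamav-old case shows that the mapping applies only to the exact directory and its children, so a sibling directory keeps whatever label its own location implies and the confined scanner may be denied access to it.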

STANDARD FILE CONTEXT

SELinux defines the file context types for the antivirus. If you want
to store files with these types in different paths, you need to execute
the semanage command to specify alternate labeling and then use
restorecon to put the labels on disk.

semanage fcontext -a -t antivirus_exec_t '/srv/antivirus/content(/.*)?'
restorecon -R -v /srv/antivirus/content

Note: SELinux often uses regular expressions to specify labels that
match multiple files.

The following file types are defined for antivirus:

antivirus_conf_t

- Set files with the antivirus_conf_t type, if you want to treat the
files as antivirus configuration data, usually stored under the /etc
directory.

Paths:
/etc/amavis(d)?.conf, /etc/amavisd(/.*)?

antivirus_db_t

- Set files with the antivirus_db_t type, if you want to treat the
files as antivirus database content.

Paths:
/var/amavis(/.*)?, /var/clamav(/.*)?, /var/lib/clamd.*,
/var/lib/amavis(/.*)?, /var/lib/clamav(/.*)?, /var/virusmails(/.*)?,
/var/opt/f-secure(/.*)?, /var/spool/amavisd(/.*)?,
/var/lib/clamav-unofficial-sigs(/.*)?

antivirus_exec_t

- Set files with the antivirus_exec_t type, if you want to transition
an executable to the antivirus_t domain.

Paths:
/usr/sbin/amavisd.*, /usr/sbin/amavi, /usr/sbin/clamd,
/usr/bin/clamscan, /usr/bin/clamdscan, /usr/bin/freshclam,
/usr/sbin/clamav-milter, /usr/lib/AntiVir/antivir

antivirus_home_t

- Set files with the antivirus_home_t type, if you want to store
antivirus files in the user's home directory.

antivirus_initrc_exec_t

- Set files with the antivirus_initrc_exec_t type, if you want to
transition an executable to the antivirus_initrc_t domain.

Paths:
/etc/rc.d/init.d/clamd.*, /etc/rc.d/init.d/amavis,
/etc/rc.d/init.d/amavisd-snmp

antivirus_log_t

- Set files with the antivirus_log_t type, if you want to treat the
data as antivirus log data, usually stored under the /var/log
directory.

Paths:
/var/log/clamd.*, /var/log/clamav.*, /var/log/freshclam.*,
/var/log/amavisd.log.*, /var/log/clamav/freshclam.*

antivirus_tmp_t

- Set files with the antivirus_tmp_t type, if you want to store
antivirus temporary files in the /tmp directories.

antivirus_unit_file_t

- Set files with the antivirus_unit_file_t type, if you want to treat
the files as antivirus unit content.

Paths:
/usr/lib/systemd/system/clamd.*, /usr/lib/systemd/system/amavisd.*,
/usr/lib/systemd/system/mimedefang.service

antivirus_var_run_t

- Set files with the antivirus_var_run_t type, if you want to store the
antivirus files under the /run or /var/run directory.

Paths:
/var/run/clamd.*, /var/run/clamav.*, /var/run/amavis(d)?(/.*)?,
/var/run/amavis(d)?/clamd.pid, /var/run/amavisd-snmp-subagent.pid

Note: File context can be temporarily modified with the chcon command.
If you want to permanently change the file context you need to use the
semanage fcontext command. This will modify the SELinux labeling
database. You will need to use restorecon to apply the labels.

semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove
policy modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux
policy settings.

This manual page was auto-generated using sepolicy manpage.

selinux(8), antivirus(8), semanage(8), restorecon(8), chcon(1),
sepolicy(8), setsebool(8)

antivirus    23-10-20    antivirus_selinux(8)