From: cgzones@googlemail.com (=?UTF-8?q?Christian=20G=C3=B6ttsche?=)
Date: Thu, 8 Jun 2017 16:15:32 +0200
Subject: [refpolicy] [PATCH] rkhunter: add policy module
Message-ID: <20170608141532.15340-1-cgzones@googlemail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

From: cgzones

---
 apt.te      |   5 +++
 cron.if     |  18 +++++++++
 exim.if     |  19 +++++++++
 rkhunter.fc |   5 +++
 rkhunter.if |  46 ++++++++++++++++++++++
 rkhunter.te | 126 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 6 files changed, 219 insertions(+)
 create mode 100644 rkhunter.fc
 create mode 100644 rkhunter.if
 create mode 100644 rkhunter.te

diff --git a/apt.te b/apt.te
index 63b93257..d6d18a56 100644
--- a/apt.te
+++ b/apt.te
@@ -148,6 +148,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	# rkhunter trigger
+	rkhunter_domtrans(apt_t)
+')
+
+optional_policy(`
 	rpm_read_db(apt_t)
 	rpm_domtrans(apt_t)
 ')
diff --git a/cron.if b/cron.if
index a98065fb..0e22bb86 100644
--- a/cron.if
+++ b/cron.if
@@ -859,6 +859,24 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
 ########################################
 ## 
+## Read and write to inherited system cron job temporary files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`cron_rw_inherited_system_job_tmp_files',`
+	gen_require(`
+		type system_cronjob_tmp_t;
+	')
+
+	allow $1 system_cronjob_tmp_t:file rw_inherited_file_perms;
+')
+
+########################################
+## 
 ## Do not audit attempts to write temporary
 ## system cron job files.
 ## 
diff --git a/exim.if b/exim.if
index c75f5fa0..495adb85 100644
--- a/exim.if
+++ b/exim.if
@@ -2,6 +2,25 @@
 ########################################
 ## 
+## Execute exim in the caller domain.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`exim_exec',`
+	gen_require(`
+		type exim_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, exim_exec_t)
+')
+
+########################################
+## 
 ## Execute a domain transition to run exim.
 ## 
 ## 
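Review bot: The comment `# rkhunter trigger` above the new `rkhunter_domtrans(apt_t)` in apt.te does not say what in apt_t actually invokes rkhunter, so a later reader cannot judge whether the transition is still needed. refpolicy normally names the mechanism; if this is for the package's dpkg post-invoke hook that refreshes the file-property database, something like `# dpkg post-invoke hook runs rkhunter --propupd` would do — confirm against the shipped apt hook. Worth being explicit because rkhunter_t, as declared later in this patch, is a domain with broad read access (non-auth files, all domain state), so this line defines a trust relationship from the package manager into it.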
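Review bot: The summary of the new `cron_rw_inherited_system_job_tmp_files` interface in cron.if could make the scope of the grant explicit: `rw_inherited_file_perms` does not include `open`, so the caller can only use system_cronjob_tmp_t descriptors it already inherited and cannot open such files itself, which is the point of the interface. Suggest `## Read and write inherited (already open) system cron job temporary files; does not grant open.` as the summary line. The naming and shape are consistent with the sibling `cron_dontaudit_*_system_job_tmp_files` interfaces visible in the hunk context.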
diff --git a/rkhunter.fc b/rkhunter.fc
new file mode 100644
index 00000000..d3c949c8
--- /dev/null
+++ b/rkhunter.fc
@@ -0,0 +1,5 @@
+/usr/bin/rkhunter	--	gen_context(system_u:object_r:rkhunter_exec_t,s0)
+
+/var/lib/rkhunter(/.*)?	gen_context(system_u:object_r:rkhunter_var_lib_t,s0)
+
+/var/log/rkhunter\.log.*	--	gen_context(system_u:object_r:rkhunter_log_t,s0)
diff --git a/rkhunter.if b/rkhunter.if
new file mode 100644
index 00000000..9537e1f5
--- /dev/null
+++ b/rkhunter.if
@@ -0,0 +1,46 @@
+## rkhunter - rootkit checker.
+
+########################################
+## 
+## Execute a domain transition to run rkhunter.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+#
+interface(`rkhunter_domtrans',`
+	gen_require(`
+		type rkhunter_t, rkhunter_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, rkhunter_exec_t, rkhunter_t)
+')
+
+########################################
+## 
+## Execute rkhunter in the rkhunter domain,
+## and allow the specified role
+## the rkhunter domain.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+## 
+## 
+## Role allowed access.
+## 
+## 
+#
+interface(`rkhunter_run',`
+	gen_require(`
+		attribute_role rkhunter_roles;
+	')
+
+	rkhunter_domtrans($1)
+	roleattribute $2 rkhunter_roles;
+')
diff --git a/rkhunter.te b/rkhunter.te
new file mode 100644
index 00000000..a57c826b
--- /dev/null
+++ b/rkhunter.te
@@ -0,0 +1,126 @@
+policy_module(rkhunter, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+## 
+## 

+## Determine whether rkhunter can connect
+## to http ports. This is required by the
+## --update option.
+## 
+## 
+gen_tunable(rkhunter_connect_http, false)
+
+attribute_role rkhunter_roles;
+
+type rkhunter_t;
+type rkhunter_exec_t;
+application_domain(rkhunter_t, rkhunter_exec_t)
+role rkhunter_roles types rkhunter_t;
+
+type rkhunter_var_lib_t;
+files_type(rkhunter_var_lib_t)
+
+type rkhunter_log_t;
+logging_log_file(rkhunter_log_t)
+
+type rkhunter_tmpfs_t;
+files_tmpfs_file(rkhunter_tmpfs_t)
+
+########################################
+#
+# Application local policy
+#
+
+allow rkhunter_t self:capability { dac_override dac_read_search net_admin setgid setuid sys_nice sys_ptrace };
+allow rkhunter_t self:process { getsched setsched signal };
+allow rkhunter_t self:netlink_route_socket r_netlink_socket_perms;
+allow rkhunter_t self:tcp_socket { bind connect create listen read write };
+allow rkhunter_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow rkhunter_t self:udp_socket { bind connect create ioctl read write };
+allow rkhunter_t self:fifo_file rw_fifo_file_perms;
+
+allow rkhunter_t rkhunter_log_t:file { append_file_perms create_file_perms setattr };
+logging_log_filetrans(rkhunter_t, rkhunter_log_t, file)
+
+allow rkhunter_t rkhunter_tmpfs_t:file manage_file_perms;
+fs_tmpfs_filetrans(rkhunter_t, rkhunter_tmpfs_t, file)
+
+allow rkhunter_t rkhunter_var_lib_t:dir manage_dir_perms;
+allow rkhunter_t rkhunter_var_lib_t:file manage_file_perms;
+
+kernel_request_load_module(rkhunter_t)
+kernel_read_all_sysctls(rkhunter_t)
+kernel_read_network_state(rkhunter_t)
+kernel_getattr_message_if(rkhunter_t)
+kernel_get_sysvipc_info(rkhunter_t)
+
+auth_dontaudit_read_shadow(rkhunter_t)
+
+corecmd_exec_bin(rkhunter_t)
+corecmd_exec_shell(rkhunter_t)
+
+corenet_tcp_bind_all_ports(rkhunter_t)
+corenet_udp_bind_all_ports(rkhunter_t)
+corenet_tcp_bind_generic_node(rkhunter_t)
+corenet_udp_bind_generic_node(rkhunter_t)
+
+dev_read_urand(rkhunter_t)
+dev_getattr_all_chr_files(rkhunter_t)
+dev_getattr_all_blk_files(rkhunter_t)
+
+domain_read_all_domains_state(rkhunter_t)
+domain_use_interactive_fds(rkhunter_t)
+domain_getattr_all_sockets(rkhunter_t)
+domain_getattr_all_pipes(rkhunter_t)
+
+hostname_exec(rkhunter_t)
+
+files_read_non_auth_files(rkhunter_t)
+files_read_all_symlinks(rkhunter_t)
+files_read_all_chr_files(rkhunter_t)
+files_getattr_all_pipes(rkhunter_t)
+files_getattr_all_sockets(rkhunter_t)
+
+fs_getattr_tracefs(rkhunter_t)
+fs_getattr_tracefs_dirs(rkhunter_t)
+
+modutils_exec(rkhunter_t)
+
+logging_send_syslog_msg(rkhunter_t)
+
+sysnet_exec_ifconfig(rkhunter_t)
+
+userdom_use_inherited_user_terminals(rkhunter_t)
+
+ifdef(`init_systemd',`
+	# start as systemd timer
+	init_system_domain(rkhunter_t, rkhunter_exec_t)
+')
+
+tunable_policy(`rkhunter_connect_http',`
+	corenet_tcp_connect_http_port(rkhunter_t)
+')
+
+optional_policy(`
+	cron_system_entry(rkhunter_t, rkhunter_exec_t)
+	cron_rw_inherited_system_job_tmp_files(rkhunter_t)
+')
+
+optional_policy(`
+	# exim check
+	exim_exec(rkhunter_t)
+')
+
+optional_policy(`
+	# gpg check
+	gpg_exec(rkhunter_t)
+')
+
+optional_policy(`
+	# ssh check
+	ssh_exec_sshd(rkhunter_t)
+')
-- 
2.11.0
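Review bot: The broadest grants in the new rkhunter_t domain — `files_read_non_auth_files`, `dac_override`/`dac_read_search`, `sys_ptrace` together with `domain_read_all_domains_state`, and `corenet_tcp_bind_all_ports`/`corenet_udp_bind_all_ports` alongside `listen` on its tcp_socket — carry no comment naming the rkhunter check that requires them, while the much narrower exim/gpg/ssh blocks at the end are annotated. A per-grant why-comment is the refpolicy convention and is what lets a maintainer drop a rule when the corresponding check changes; for example `# file-property scan must stat/read files regardless of DAC mode` above the capability line and `# hidden-port check: presumably attempts to bind local ports — confirm which helper needs this` above the bind rules. Binding every TCP and UDP port plus net_admin is a large footprint for a periodic scanner; if that path is only exercised when an optional helper is installed, consider gating it behind a tunable in the same way `rkhunter_connect_http` gates the outbound HTTP connect. The rkhunter.te hunk begins on an earlier physical line of this page.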