From: cgzones@googlemail.com (=?UTF-8?q?Christian=20G=C3=B6ttsche?=)
Date: Thu, 8 Jun 2017 16:16:15 +0200
Subject: [refpolicy] [PATCH] rkhunter: add interfaces for rkhunter module and sysadm permit
Message-ID: <20170608141615.15522-1-cgzones@googlemail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
From: cgzones
---
 policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
 policy/modules/roles/sysadm.te | 4 ++++
 policy/modules/services/ssh.if | 19 +++++++++++++++++++
 3 files changed, 41 insertions(+)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 42ab95c09..0067031ac 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -4769,6 +4769,24 @@ interface(`fs_getattr_tracefs',`
 ########################################
 ##
+## Get attributes of dirs on tracefs filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_getattr_tracefs_dirs',`
+ gen_require(`
+ type tracefs_t;
+ ')
+
+ allow $1 tracefs_t:dir getattr;
+')
+
+########################################
+##
 ## search directories on a tracefs filesystem
 ##
 ##
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 54df43546..2c6e73af8 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -899,6 +899,10 @@ optional_policy(`
 ')
 optional_policy(`
+ rkhunter_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 rngd_admin(sysadm_t, sysadm_r)
 ')
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 3eca8306a..22642eb3c 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
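Review bot: `rkhunter_run(sysadm_t, sysadm_r)` in the sysadm.te hunk calls an interface that none of the three files in this patch defines; the subject names a rkhunter module, so this hunk presumably depends on that module's interface file landing first or alongside it. An `optional_policy` block does not, as far as I know, drop its contents when the macro inside is undefined, so on its own this hunk would likely break the build rather than degrade gracefully. A one-line note in the description naming the prerequisite patch, or folding the module and this permit into one series, would make the ordering explicit. The filesystem.if and ssh.if hunks on this line do not share this dependency.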
@@ -601,6 +601,25 @@ interface(`ssh_tcp_connect',`
 ########################################
 ##
+## Execute the ssh daemon in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ssh_exec_sshd',`
+ gen_require(`
+ type sshd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, sshd_exec_t)
+')
+
+########################################
+##
 ## Execute the ssh daemon sshd domain.
 ##
 ##
-- 
2.11.0
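Review bot: The summary of the new `ssh_exec_sshd` does not say that the caller keeps its own domain while running `sshd_exec_t`, which is exactly what distinguishes it from the interface documented directly below (context line `## Execute the ssh daemon sshd domain.`); in the generated interface docs the two summaries will read almost identically. Suggest `## Execute the ssh daemon in the caller domain (no domain transition).` so a policy author picking between them sees that the calling domain, not the daemon's domain, receives whatever sshd does when run this way. The rest of the hunk (`corecmd_search_bin($1)` plus `can_exec`) matches the usual shape of exec-in-caller interfaces in this file.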