From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 8 Jun 2017 18:22:20 -0400
Subject: [refpolicy] [PATCH] rkhunter: add policy module
In-Reply-To: <20170608141532.15340-1-cgzones@googlemail.com>
References: <20170608141532.15340-1-cgzones@googlemail.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 06/08/2017 10:15 AM, Christian G?ttsche via refpolicy wrote:
> From: cgzones
>
> ---
> apt.te | 5 +++
> cron.if | 18 +++++++++
> exim.if | 19 +++++++++
> rkhunter.fc | 5 +++
> rkhunter.if | 46 ++++++++++++++++++++++
> rkhunter.te | 126 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 6 files changed, 219 insertions(+)
> create mode 100644 rkhunter.fc
> create mode 100644 rkhunter.if
> create mode 100644 rkhunter.te
>
> diff --git a/apt.te b/apt.te
> index 63b93257..d6d18a56 100644
> --- a/apt.te
> +++ b/apt.te
> @@ -148,6 +148,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + # rkhunter trigger
> + rkhunter_domtrans(apt_t)
> +')
> +
> +optional_policy(`
> rpm_read_db(apt_t)
> rpm_domtrans(apt_t)
> ')
> diff --git a/cron.if b/cron.if
> index a98065fb..0e22bb86 100644
> --- a/cron.if
> +++ b/cron.if
> @@ -859,6 +859,24 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
>
> ########################################
> ##
> +## Read and write to inherited system cron job temporary files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`cron_rw_inherited_system_job_tmp_files',`
> + gen_require(`
> + type system_cronjob_tmp_t;
> + ')
> +
> + allow $1 system_cronjob_tmp_t:file rw_inherited_file_perms;
> +')
> +
> +########################################
> +##
> ## Do not audit attempts to write temporary
> ## system cron job files.
> ##
> diff --git a/exim.if b/exim.if
> index c75f5fa0..495adb85 100644
> --- a/exim.if
> +++ b/exim.if
> @@ -2,6 +2,25 @@
>
> ########################################
> ##
> +## Execute exim in the caller domain.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`exim_exec',`
> + gen_require(`
> + type exim_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + can_exec($1, exim_exec_t)
> +')
> +
> +########################################
> +##
> ## Execute a domain transition to run exim.
> ##
> ##
> diff --git a/rkhunter.fc b/rkhunter.fc
> new file mode 100644
> index 00000000..d3c949c8
> --- /dev/null
> +++ b/rkhunter.fc
> @@ -0,0 +1,5 @@
> +/usr/bin/rkhunter -- gen_context(system_u:object_r:rkhunter_exec_t,s0)
> +
> +/var/lib/rkhunter(/.*)? gen_context(system_u:object_r:rkhunter_var_lib_t,s0)
> +
> +/var/log/rkhunter\.log.* -- gen_context(system_u:object_r:rkhunter_log_t,s0)
> diff --git a/rkhunter.if b/rkhunter.if
> new file mode 100644
> index 00000000..9537e1f5
> --- /dev/null
> +++ b/rkhunter.if
> @@ -0,0 +1,46 @@
> +## rkhunter - rootkit checker.
> +
> +########################################
> +##
> +## Execute a domain transition to run rkhunter.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +#
> +interface(`rkhunter_domtrans',`
> + gen_require(`
> + type rkhunter_t, rkhunter_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, rkhunter_exec_t, rkhunter_t)
> +')
> +
> +########################################
> +##
> +## Execute rkhunter in the rkhunter domain,
> +## and allow the specified role
> +## the rkhunter domain.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +##
> +##
> +## Role allowed access.
> +##
> +##
> +#
> +interface(`rkhunter_run',`
> + gen_require(`
> + attribute_role rkhunter_roles;
> + ')
> +
> + rkhunter_domtrans($1)
> + roleattribute $2 rkhunter_roles;
> +')
> diff --git a/rkhunter.te b/rkhunter.te
> new file mode 100644
> index 00000000..a57c826b
> --- /dev/null
> +++ b/rkhunter.te
> @@ -0,0 +1,126 @@
> +policy_module(rkhunter, 0.0.1)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +##
> +##

> +## Determine whether rkhunter can connect
> +## to http ports. This is required by the
> +## --update option.
> +##

> +##
> +##
> +gen_tunable(rkhunter_connect_http, false)
> +
> +attribute_role rkhunter_roles;
> +
> +type rkhunter_t;
> +type rkhunter_exec_t;
> +application_domain(rkhunter_t, rkhunter_exec_t)
> +role rkhunter_roles types rkhunter_t;
> +
> +type rkhunter_var_lib_t;
> +files_type(rkhunter_var_lib_t)
> +
> +type rkhunter_log_t;
> +logging_log_file(rkhunter_log_t)
> +
> +type rkhunter_tmpfs_t;
> +files_tmpfs_file(rkhunter_tmpfs_t)
> +
> +########################################
> +#
> +# Application local policy
> +#
> +
> +allow rkhunter_t self:capability { dac_override dac_read_search net_admin setgid setuid sys_nice sys_ptrace };
> +allow rkhunter_t self:process { getsched setsched signal };
> +allow rkhunter_t self:netlink_route_socket r_netlink_socket_perms;
> +allow rkhunter_t self:tcp_socket { bind connect create listen read write };
> +allow rkhunter_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
> +allow rkhunter_t self:udp_socket { bind connect create ioctl read write };
> +allow rkhunter_t self:fifo_file rw_fifo_file_perms;
> +
> +allow rkhunter_t rkhunter_log_t:file { append_file_perms create_file_perms setattr };
> +logging_log_filetrans(rkhunter_t, rkhunter_log_t, file)
> +
> +allow rkhunter_t rkhunter_tmpfs_t:file manage_file_perms;
> +fs_tmpfs_filetrans(rkhunter_t, rkhunter_tmpfs_t, file)
> +
> +allow rkhunter_t rkhunter_var_lib_t:dir manage_dir_perms;
> +allow rkhunter_t rkhunter_var_lib_t:file manage_file_perms;
> +
> +kernel_request_load_module(rkhunter_t)
> +kernel_read_all_sysctls(rkhunter_t)
> +kernel_read_network_state(rkhunter_t)
> +kernel_getattr_message_if(rkhunter_t)
> +kernel_get_sysvipc_info(rkhunter_t)
> +
> +auth_dontaudit_read_shadow(rkhunter_t)
> +
> +corecmd_exec_bin(rkhunter_t)
> +corecmd_exec_shell(rkhunter_t)
> +
> +corenet_tcp_bind_all_ports(rkhunter_t)
> +corenet_udp_bind_all_ports(rkhunter_t)
> +corenet_tcp_bind_generic_node(rkhunter_t)
> +corenet_udp_bind_generic_node(rkhunter_t)
> +
> +dev_read_urand(rkhunter_t)
> +dev_getattr_all_chr_files(rkhunter_t)
> +dev_getattr_all_blk_files(rkhunter_t)
> +
> +domain_read_all_domains_state(rkhunter_t)
> +domain_use_interactive_fds(rkhunter_t)
> +domain_getattr_all_sockets(rkhunter_t)
> +domain_getattr_all_pipes(rkhunter_t)
> +
> +hostname_exec(rkhunter_t)
> +
> +files_read_non_auth_files(rkhunter_t)
> +files_read_all_symlinks(rkhunter_t)
> +files_read_all_chr_files(rkhunter_t)
> +files_getattr_all_pipes(rkhunter_t)
> +files_getattr_all_sockets(rkhunter_t)
> +
> +fs_getattr_tracefs(rkhunter_t)
> +fs_getattr_tracefs_dirs(rkhunter_t)
> +
> +modutils_exec(rkhunter_t)
> +
> +logging_send_syslog_msg(rkhunter_t)
> +
> +sysnet_exec_ifconfig(rkhunter_t)
> +
> +userdom_use_inherited_user_terminals(rkhunter_t)
> +
> +ifdef(`init_systemd',`
> + # start as systemd timer
> + init_system_domain(rkhunter_t, rkhunter_exec_t)
> +')
> +
> +tunable_policy(`rkhunter_connect_http',`
> + corenet_tcp_connect_http_port(rkhunter_t)
> +')
> +
> +optional_policy(`
> + cron_system_entry(rkhunter_t, rkhunter_exec_t)
> + cron_rw_inherited_system_job_tmp_files(rkhunter_t)
> +')
> +
> +optional_policy(`
> + # exim check
> + exim_exec(rkhunter_t)
> +')
> +
> +optional_policy(`
> + # gpg check
> + gpg_exec(rkhunter_t)
> +')
> +
> +optional_policy(`
> + # ssh check
> + ssh_exec_sshd(rkhunter_t)
> +')
Merged.
-- Chris PeBenito
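Review bot: The `corenet_tcp_bind_all_ports`/`corenet_udp_bind_all_ports` lines together with `listen` on `self:tcp_socket` let rkhunter_t bind and listen on any port, which is the broadest network grant in rkhunter.te, and nothing in the module records why a scanner needs it; a comment naming the check that requires it (presumably the hidden-port probe, which binds ports to see whether a listener is being concealed — confirm against the rkhunter source) would let a later reviewer judge whether it can be narrowed or gated behind a tunable the way the http connect already is with `rkhunter_connect_http`. The capability line deserves the same treatment: `dac_override` already covers the read and search bypass that the listed `dac_read_search` grants and additionally bypasses write checks, which a read-only checker should not need, and `sys_ptrace` next to `domain_read_all_domains_state` is presumably for the /proc-based hidden-process checks. `kernel_request_load_module` is the grant I would ask to be justified or dropped, since it lets a rootkit-detection domain trigger kernel module autoloading; if it is only hit through socket creation for an unloaded address family, a comment such as `# module autoload request from socket creation, not module loading` should say so. The hunk covers the whole new file, so no part of the module is outside this view.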