From: cgzones@googlemail.com (=?UTF-8?q?Christian=20G=C3=B6ttsche?=) Date: Fri, 9 Jun 2017 15:37:16 +0200 Subject: [refpolicy] [PATCH] chkrootkit: add interfaces and sysadm permit Message-ID: <20170609133716.8128-1-cgzones@googlemail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com From: cgzones v2: - add bin_t fc to corecommands --- policy/modules/kernel/corecommands.fc | 1 + policy/modules/roles/sysadm.te | 4 ++++ policy/modules/system/init.if | 18 ++++++++++++++++++ 3 files changed, 23 insertions(+) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 1033a9738..d30445437 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -416,6 +416,7 @@ ifdef(`distro_suse', ` /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/chkrootkit/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index c4158c507..fa6b166d2 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -236,6 +236,10 @@ optional_policy(` ') optional_policy(` + chkrootkit_run(sysadm_t, sysadm_r) +') + +optional_policy(` chronyd_admin(sysadm_t, sysadm_r) ') diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 942845362..11531cfb2 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -679,6 +679,24 @@ interface(`init_getpgid',` ######################################## ## +## Send init a generic signal. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_signal',` + gen_require(` + type init_t; + ') + + allow $1 init_t:process signal; +') + +######################################## +## ## Send init a null signal. ## ## -- 2.11.0
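Review bot: In the corecommands.fc hunk, the new entry `/usr/lib/chkrootkit/.* --` uses `.*` where the neighbouring `/usr/lib/yp/.+ --` entry uses `.+`. With the `--` (regular file) specifier both forms label the same files, so `.+` would keep the file consistent. The `@@` context line names the distro_suse ifdef as the nearest preceding block, so please also confirm the entry sits outside that block and therefore applies on every distribution.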
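Review bot: In the sysadm.te hunk, `chkrootkit_run(sysadm_t, sysadm_r)` is called but none of the three files in this patch defines `chkrootkit_run`, so the change depends on a chkrootkit module that already provides that interface. Please state the dependency (and the required merge order) in the commit message: `optional_policy` only covers the case where the module is absent, not the case where the module is present but lacks the interface.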
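Review bot: In the init.if hunk, the new `init_signal` interface grants `allow $1 init_t:process signal;`, yet nothing in this patch calls it and the commit message (only the v2 changelog line) does not say which domain needs to signal init or why. Since the interface is placed directly above the existing "Send init a null signal" one, please document the intended caller and why the null-signal interface is not sufficient, so the broader permission on init_t has a recorded justification.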