From: cgzones@googlemail.com (=?UTF-8?q?Christian=20G=C3=B6ttsche?=)
Date: Fri, 9 Jun 2017 15:39:07 +0200
Subject: [refpolicy] [PATCH] chkrootkit: add policy module
Message-ID: <20170609133907.8638-1-cgzones@googlemail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
From: cgzones
v2:
- remove bin_t fc
---
 chkrootkit.fc | 5 ++++
 chkrootkit.if | 46 +++++++++++++++++++++++++++++++++++++
 chkrootkit.te | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 cron.if | 20 ++++++++++++++++
 4 files changed, 144 insertions(+)
 create mode 100644 chkrootkit.fc
 create mode 100644 chkrootkit.if
 create mode 100644 chkrootkit.te
diff --git a/chkrootkit.fc b/chkrootkit.fc
new file mode 100644
index 00000000..fa780c34
--- /dev/null
+++ b/chkrootkit.fc
@@ -0,0 +1,5 @@
+/usr/bin/chkrootkit -- gen_context(system_u:object_r:chkrootkit_exec_t,s0)
+
+/usr/sbin/chkrootkit -- gen_context(system_u:object_r:chkrootkit_exec_t,s0)
+
+/var/log/chkrootkit(/.*)? gen_context(system_u:object_r:chkrootkit_log_t,s0)
diff --git a/chkrootkit.if b/chkrootkit.if
new file mode 100644
index 00000000..12589bd9
--- /dev/null
+++ b/chkrootkit.if
@@ -0,0 +1,46 @@
+## chkrootkit - rootkit checker.
+
+########################################
+##
+## Execute a domain transition to run chkrootkit.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`chkrootkit_domtrans',`
+ gen_require(`
+ type chkrootkit_t, chkrootkit_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chkrootkit_exec_t, chkrootkit_t)
+')
+
+########################################
+##
+## Execute chkrootkit in the chkrootkit domain,
+## and allow the specified role
+## the chkrootkit domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`chkrootkit_run',`
+ gen_require(`
+ attribute_role chkrootkit_roles;
+ ')
+
+ chkrootkit_domtrans($1)
+ roleattribute $2 chkrootkit_roles;
+')
diff --git a/chkrootkit.te b/chkrootkit.te
new file mode 100644
index 00000000..4bfbb787
--- /dev/null
+++ b/chkrootkit.te
@@ -0,0 +1,73 @@
+policy_module(chkrootkit, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role chkrootkit_roles;
+
+type chkrootkit_t;
+type chkrootkit_exec_t;
+application_domain(chkrootkit_t, chkrootkit_exec_t)
+role chkrootkit_roles types chkrootkit_t;
+
+type chkrootkit_log_t;
+logging_log_file(chkrootkit_log_t)
+
+########################################
+#
+# Application local policy
+#
+
+allow chkrootkit_t self:capability { dac_override dac_read_search setuid sys_ptrace };
+allow chkrootkit_t self:fifo_file rw_fifo_file_perms;
+allow chkrootkit_t self:udp_socket { create ioctl };
+
+kernel_read_all_sysctls(chkrootkit_t)
+kernel_getattr_proc(chkrootkit_t)
+kernel_read_network_state(chkrootkit_t)
+kernel_getattr_message_if(chkrootkit_t)
+
+corecmd_exec_bin(chkrootkit_t)
+corecmd_exec_shell(chkrootkit_t)
+
+dev_read_rand(chkrootkit_t)
+dev_read_urand(chkrootkit_t)
+dev_getattr_all_chr_files(chkrootkit_t)
+
+domain_read_all_domains_state(chkrootkit_t)
+domain_use_interactive_fds(chkrootkit_t)
+domain_getattr_all_sockets(chkrootkit_t)
+domain_getattr_all_pipes(chkrootkit_t)
+
+files_read_non_auth_files(chkrootkit_t)
+files_read_all_symlinks(chkrootkit_t)
+files_read_all_chr_files(chkrootkit_t)
+files_getattr_all_pipes(chkrootkit_t)
+
+init_signal(chkrootkit_t)
+
+logging_send_syslog_msg(chkrootkit_t)
+
+miscfiles_read_localization(chkrootkit_t)
+
+term_getattr_unallocated_ttys(chkrootkit_t)
+
+userdom_use_inherited_user_terminals(chkrootkit_t)
+
+usermanage_check_exec_passwd(chkrootkit_t)
+
+ifdef(`init_systemd',`
+ # start as systemd timer
+ init_system_domain(chkrootkit_t, chkrootkit_exec_t)
+')
+
+optional_policy(`
+ cron_system_entry(chkrootkit_t, chkrootkit_exec_t)
+ cron_exec_crontab(chkrootkit_t)
+')
+
+optional_policy(`
+ ssh_exec(chkrootkit_t)
+')
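Review bot: chkrootkit_log_t is declared with logging_log_file() in the Declarations section, but nothing in the local policy grants chkrootkit_t any access to that type and there is no file transition, so writes to /var/log/chkrootkit from this domain will be denied and a directory the domain has to create under /var/log would not receive this type. Whether chkrootkit opens its log itself or inherits a descriptor from the cron job that launched it (the patch message does not say), writing to a file of that type still needs an allow rule for chkrootkit_t. I would add `allow chkrootkit_t chkrootkit_log_t:dir manage_dir_perms;`, `allow chkrootkit_t chkrootkit_log_t:file manage_file_perms;` and `logging_log_filetrans(chkrootkit_t, chkrootkit_log_t, { dir file })` after the udp_socket rule, then trim to what the audit log shows is actually used. The capability line is also broad for a checker (dac_override beside dac_read_search, plus sys_ptrace), so a short comment naming which check needs each of them would help whoever reviews later versions of this module.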
diff --git a/cron.if b/cron.if
index 0e22bb86..23bd1417 100644
--- a/cron.if
+++ b/cron.if
@@ -896,6 +896,26 @@ interface(`cron_dontaudit_write_system_job_tmp_files',`
 
 ########################################
 ##
+## Execute crontab in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`cron_exec_crontab',`
+ gen_require(`
+ type crontab_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, crontab_exec_t)
+')
+
+########################################
+##
 ## All of the rules required to
 ## administrate a cron environment.
 ##
-- 
2.11.0
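Review bot: cron_exec_crontab runs crontab_exec_t in the caller's domain through can_exec, and crontab is normally installed setuid, so the caller — here chkrootkit_t, which this patch also gives the setuid capability — executes a privileged binary with its own permissions rather than transitioning to the existing crontab domain. If that is deliberate (for instance because the caller must read crontab's output directly), a one-line comment above the can_exec call saying so, e.g. `# runs in the caller's domain so crontab's output can be consumed directly`, would stop the next reader from replacing it with a transition. The summary could also state that no domain transition is performed, which is the usual distinction between the *_exec_* and *_domtrans_* interfaces in this file.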