From: guido@trentalancia.com (Guido Trentalancia) Date: Fri, 09 Jun 2017 17:43:36 +0200 Subject: [refpolicy] [PATCH] chkrootkit: add policy module In-Reply-To: <20170609133907.8638-1-cgzones@googlemail.com> References: <20170609133907.8638-1-cgzones@googlemail.com> Message-ID: <1497023016.4707.4.camel@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Fri, 09/06/2017 at 15.39 +0200, Christian G?ttsche via refpolicy wrote: > From: cgzones > > v2: > - remove bin_t fc > --- > chkrootkit.fc | 5 ++++ > chkrootkit.if | 46 +++++++++++++++++++++++++++++++++++++ > chkrootkit.te | 73 > +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > cron.if | 20 ++++++++++++++++ > 4 files changed, 144 insertions(+) > create mode 100644 chkrootkit.fc > create mode 100644 chkrootkit.if > create mode 100644 chkrootkit.te > > diff --git a/chkrootkit.fc b/chkrootkit.fc > new file mode 100644 > index 00000000..fa780c34 > --- /dev/null > +++ b/chkrootkit.fc > @@ -0,0 +1,5 @@ > +/usr/bin/chkrootkit -- gen_context(system_u:object_r:c > hkrootkit_exec_t,s0) > + > +/usr/sbin/chkrootkit -- gen_context(system_u:object_r: > chkrootkit_exec_t,s0) > + > +/var/log/chkrootkit(/.*)? gen_context(system_u:object_r:chkro > otkit_log_t,s0) > diff --git a/chkrootkit.if b/chkrootkit.if > new file mode 100644 > index 00000000..12589bd9 > --- /dev/null > +++ b/chkrootkit.if 
> @@ -0,0 +1,46 @@
> +## chkrootkit - rootkit checker.
> +
> +########################################
> +##
> +## Execute a domain transition to run chkrootkit.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +#
> +interface(`chkrootkit_domtrans',`
> + gen_require(`
> + type chkrootkit_t, chkrootkit_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, chkrootkit_exec_t, chkrootkit_t)
> +')
> +
> +########################################
> +##
> +## Execute chkrootkit in the chkrootkit domain,
> +## and allow the specified role
> +## the chkrootkit domain.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +##
> +##
> +## Role allowed access.
> +##
> +##
> +#
> +interface(`chkrootkit_run',`
> + gen_require(`
> + attribute_role chkrootkit_roles;
> + ')
> +
> + chkrootkit_domtrans($1)
> + roleattribute $2 chkrootkit_roles;
> +')
> diff --git a/chkrootkit.te b/chkrootkit.te
> new file mode 100644
> index 00000000..4bfbb787
> --- /dev/null
> +++ b/chkrootkit.te 
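Review bot: The module declares chkrootkit_log_t in chkrootkit.te and labels /var/log/chkrootkit(/.*)? with it in chkrootkit.fc, yet chkrootkit.if offers no interface through which another domain can read that log, so a log analyser or an administrative role has no supported way to inspect scan results short of a custom rule. Refpolicy modules that own a log type normally ship a read interface and an admin interface; a `chkrootkit_read_log(domain)` wrapping `logging_search_logs($1)` and `read_files_pattern($1, chkrootkit_log_t, chkrootkit_log_t)` would cover the first, and a `chkrootkit_admin(domain, role)` built on chkrootkit_run the second. The two interfaces that are present follow the usual domtrans/run pattern and look complete on their own.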
> @@ -0,0 +1,73 @@ > +policy_module(chkrootkit, 0.0.1) > + > +######################################## > +# > +# Declarations > +# > + > +attribute_role chkrootkit_roles; > + > +type chkrootkit_t; > +type chkrootkit_exec_t; > +application_domain(chkrootkit_t, chkrootkit_exec_t) > +role chkrootkit_roles types chkrootkit_t; > + > +type chkrootkit_log_t; > +logging_log_file(chkrootkit_log_t) > + > +######################################## > +# > +# Application local policy > +# > + > +allow chkrootkit_t self:capability { dac_override dac_read_search > setuid sys_ptrace }; > +allow chkrootkit_t self:fifo_file rw_fifo_file_perms; > +allow chkrootkit_t self:udp_socket { create ioctl }; > + > +kernel_read_all_sysctls(chkrootkit_t) > +kernel_getattr_proc(chkrootkit_t) > +kernel_read_network_state(chkrootkit_t) > +kernel_getattr_message_if(chkrootkit_t) > + > +corecmd_exec_bin(chkrootkit_t) Is the above needed to execute its own binary files located in /usr/lib/chkrootkit ? If yes, then it is probably safer if you assign a private executable type to those files and add a permission here to execute those files only instead of all generic binary files... Just an idea... 
> +corecmd_exec_shell(chkrootkit_t) > + > +dev_read_rand(chkrootkit_t) > +dev_read_urand(chkrootkit_t) > +dev_getattr_all_chr_files(chkrootkit_t) > + > +domain_read_all_domains_state(chkrootkit_t) > +domain_use_interactive_fds(chkrootkit_t) > +domain_getattr_all_sockets(chkrootkit_t) > +domain_getattr_all_pipes(chkrootkit_t) > + > +files_read_non_auth_files(chkrootkit_t) > +files_read_all_symlinks(chkrootkit_t) > +files_read_all_chr_files(chkrootkit_t) > +files_getattr_all_pipes(chkrootkit_t) > + > +init_signal(chkrootkit_t) > + > +logging_send_syslog_msg(chkrootkit_t) > + > +miscfiles_read_localization(chkrootkit_t) > + > +term_getattr_unallocated_ttys(chkrootkit_t) > + > +userdom_use_inherited_user_terminals(chkrootkit_t) > + > +usermanage_check_exec_passwd(chkrootkit_t) > + > +ifdef(`init_systemd',` > + # start as systemd timer > + init_system_domain(chkrootkit_t, chkrootkit_exec_t) > +') > + > +optional_policy(` > + cron_system_entry(chkrootkit_t, chkrootkit_exec_t) > + cron_exec_crontab(chkrootkit_t) > +') > + > +optional_policy(` > + ssh_exec(chkrootkit_t) > +') > diff --git a/cron.if b/cron.if > index 0e22bb86..23bd1417 100644 > --- a/cron.if > +++ b/cron.if > @@ -896,6 +896,26 @@ > interface(`cron_dontaudit_write_system_job_tmp_files',` > > ######################################## > ## > +## Execute crontab in the caller domain. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`cron_exec_crontab',` > + gen_require(` > + type crontab_exec_t; > + ') > + > + corecmd_search_bin($1) > + can_exec($1, crontab_exec_t) > +') > + > +######################################## > +## > ## All of the rules required to > ## administrate a cron environment. > ## Regards, Guido
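Review bot: chkrootkit_log_t is declared with logging_log_file() in the Declarations section, and chkrootkit.fc labels /var/log/chkrootkit(/.*)? with it, but nothing in the Application local policy section lets chkrootkit_t create or write files of that type, so a scan that writes its own log would be denied in enforcing mode. If the scanner writes the log itself rather than a cron wrapper running in another domain, the policy needs `manage_dirs_pattern(chkrootkit_t, chkrootkit_log_t, chkrootkit_log_t)`, `manage_files_pattern(chkrootkit_t, chkrootkit_log_t, chkrootkit_log_t)` and `logging_log_filetrans(chkrootkit_t, chkrootkit_log_t, dir)`; if the wrapper writes it, a comment next to the declaration saying so would save the next reader from hunting for the missing rules. The `setuid` and `sys_ptrace` members of the self:capability rule would also benefit from a one-line comment naming the check that requires each, since neither follows from the module's stated purpose and both widen what a compromised scanner could do.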