From: cgzones@googlemail.com (=?UTF-8?Q?Christian_G=C3=B6ttsche?=) Date: Fri, 9 Jun 2017 15:57:22 +0200 Subject: [refpolicy] [PATCH] chkrootkit: add policy module In-Reply-To: <1497023016.4707.4.camel@trentalancia.com> References: <20170609133907.8638-1-cgzones@googlemail.com> <1497023016.4707.4.camel@trentalancia.com> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com
2017-06-09 17:43 GMT+02:00 Guido Trentalancia via refpolicy :
> On Fri, 09/06/2017 at 15.39 +0200, Christian G?ttsche via
> refpolicy wrote:
>> From: cgzones
>>
>> v2:
>> - remove bin_t fc
>> ---
>> chkrootkit.fc | 5 ++++
>> chkrootkit.if | 46 +++++++++++++++++++++++++++++++++++++
>> chkrootkit.te | 73
>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>> cron.if | 20 ++++++++++++++++
>> 4 files changed, 144 insertions(+)
>> create mode 100644 chkrootkit.fc
>> create mode 100644 chkrootkit.if
>> create mode 100644 chkrootkit.te
>>
>> diff --git a/chkrootkit.fc b/chkrootkit.fc
>> new file mode 100644
>> index 00000000..fa780c34
>> --- /dev/null
>> +++ b/chkrootkit.fc
>> @@ -0,0 +1,5 @@
>> +/usr/bin/chkrootkit -- gen_context(system_u:object_r:c
>> hkrootkit_exec_t,s0)
>> +
>> +/usr/sbin/chkrootkit -- gen_context(system_u:object_r:
>> chkrootkit_exec_t,s0)
>> +
>> +/var/log/chkrootkit(/.*)? gen_context(system_u:object_r:chkro
>> otkit_log_t,s0)
>> diff --git a/chkrootkit.if b/chkrootkit.if
>> new file mode 100644
>> index 00000000..12589bd9
>> --- /dev/null
>> +++ b/chkrootkit.if
>> @@ -0,0 +1,46 @@
>> +## chkrootkit - rootkit checker.
>> +
>> +########################################
>> +##
>> +## Execute a domain transition to run chkrootkit.
>> +##
>> +##
>> +##
>> +## Domain allowed to transition.
>> +##
>> +##
>> +#
>> +interface(`chkrootkit_domtrans',`
>> + gen_require(`
>> + type chkrootkit_t, chkrootkit_exec_t;
>> + ')
>> +
>> + corecmd_search_bin($1)
>> + domtrans_pattern($1, chkrootkit_exec_t, chkrootkit_t)
>> +')
>> +
>> +########################################
>> +##
>> +## Execute chkrootkit in the chkrootkit domain,
>> +## and allow the specified role
>> +## the chkrootkit domain.
>> +##
>> +##
>> +##
>> +## Domain allowed to transition.
>> +##
>> +##
>> +##
>> +##
>> +## Role allowed access.
>> +##
>> +##
>> +#
>> +interface(`chkrootkit_run',`
>> + gen_require(`
>> + attribute_role chkrootkit_roles;
>> + ')
>> +
>> + chkrootkit_domtrans($1)
>> + roleattribute $2 chkrootkit_roles;
>> +')
>> diff --git a/chkrootkit.te b/chkrootkit.te
>> new file mode 100644
>> index 00000000..4bfbb787
>> --- /dev/null
>> +++ b/chkrootkit.te
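Review bot: The log type this module declares (`chkrootkit_log_t`, see chkrootkit.te in the same series) gets no accessor interface here, so an admin role or a report-handling job that needs to read /var/log/chkrootkit has nothing to call. A `chkrootkit_read_log` interface built from `logging_search_logs($1)` and `read_files_pattern($1, chkrootkit_log_t, chkrootkit_log_t)` would follow the pattern of the other log-owning modules, and refpolicy modules conventionally also ship a `*_admin` interface for the role that manages the service. Both additions are purely additive; the `chkrootkit_domtrans`/`chkrootkit_run` pair itself looks conventional.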
>> @@ -0,0 +1,73 @@
>> +policy_module(chkrootkit, 0.0.1)
>> +
>> +########################################
>> +#
>> +# Declarations
>> +#
>> +
>> +attribute_role chkrootkit_roles;
>> +
>> +type chkrootkit_t;
>> +type chkrootkit_exec_t;
>> +application_domain(chkrootkit_t, chkrootkit_exec_t)
>> +role chkrootkit_roles types chkrootkit_t;
>> +
>> +type chkrootkit_log_t;
>> +logging_log_file(chkrootkit_log_t)
>> +
>> +########################################
>> +#
>> +# Application local policy
>> +#
>> +
>> +allow chkrootkit_t self:capability { dac_override dac_read_search
>> setuid sys_ptrace };
>> +allow chkrootkit_t self:fifo_file rw_fifo_file_perms;
>> +allow chkrootkit_t self:udp_socket { create ioctl };
>> +
>> +kernel_read_all_sysctls(chkrootkit_t)
>> +kernel_getattr_proc(chkrootkit_t)
>> +kernel_read_network_state(chkrootkit_t)
>> +kernel_getattr_message_if(chkrootkit_t)
>> +
>> +corecmd_exec_bin(chkrootkit_t)
>
> Is the above needed to execute its own binary files located in
> /usr/lib/chkrootkit ?
>
> If yes, then it is probably safer if you assign a private executable
> type to those files and add a permission here to execute those files
> only instead of all generic binary files...
>
> Just an idea...
No, chkrootkit also executes (e)grep, find, netstat, strings and probably others too
>
>> +corecmd_exec_shell(chkrootkit_t)
>> +
>> +dev_read_rand(chkrootkit_t)
>> +dev_read_urand(chkrootkit_t)
>> +dev_getattr_all_chr_files(chkrootkit_t)
>> +
>> +domain_read_all_domains_state(chkrootkit_t)
>> +domain_use_interactive_fds(chkrootkit_t)
>> +domain_getattr_all_sockets(chkrootkit_t)
>> +domain_getattr_all_pipes(chkrootkit_t)
>> +
>> +files_read_non_auth_files(chkrootkit_t)
>> +files_read_all_symlinks(chkrootkit_t)
>> +files_read_all_chr_files(chkrootkit_t)
>> +files_getattr_all_pipes(chkrootkit_t)
>> +
>> +init_signal(chkrootkit_t)
>> +
>> +logging_send_syslog_msg(chkrootkit_t)
>> +
>> +miscfiles_read_localization(chkrootkit_t)
>> +
>> +term_getattr_unallocated_ttys(chkrootkit_t)
>> +
>> +userdom_use_inherited_user_terminals(chkrootkit_t)
>> +
>> +usermanage_check_exec_passwd(chkrootkit_t)
>> +
>> +ifdef(`init_systemd',`
>> + # start as systemd timer
>> + init_system_domain(chkrootkit_t, chkrootkit_exec_t)
>> +')
>> +
>> +optional_policy(`
>> + cron_system_entry(chkrootkit_t, chkrootkit_exec_t)
>> + cron_exec_crontab(chkrootkit_t)
>> +')
>> +
>> +optional_policy(`
>> + ssh_exec(chkrootkit_t)
>> +')
>> diff --git a/cron.if b/cron.if
>> index 0e22bb86..23bd1417 100644
>> --- a/cron.if
>> +++ b/cron.if
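Review bot: `chkrootkit_log_t` is declared with `logging_log_file()` but chkrootkit_t receives no rule to create or write files of that type, so the /var/log/chkrootkit tree labeled in chkrootkit.fc cannot be populated from this domain unless the log is written by a wrapper outside it (worth confirming). If the domain does write it, add `manage_dirs_pattern(chkrootkit_t, chkrootkit_log_t, chkrootkit_log_t)`, `manage_files_pattern(chkrootkit_t, chkrootkit_log_t, chkrootkit_log_t)` and `logging_log_filetrans(chkrootkit_t, chkrootkit_log_t, { dir file })` next to the capability rules. Two grants also look wider than a read-only scanner needs: `dac_override` already implies `dac_read_search`, so if the domain only reads and searches, `dac_read_search` alone is the least-privilege choice; and `init_signal` grants `signal` towards init, whereas the hidden-process probe most likely behind it (kill(pid, 0)) only generates `signull`, which `init_signull` would cover. The hunk is split by the review exchange above but starts and ends within the quoted patch.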
>> @@ -896,6 +896,26 @@
>> interface(`cron_dontaudit_write_system_job_tmp_files',`
>>
>> ########################################
>> ##
>> +## Execute crontab in the caller domain.
>> +##
>> +##
>> +##
>> +## Domain allowed access.
>> +##
>> +##
>> +##
>> +#
>> +interface(`cron_exec_crontab',`
>> + gen_require(`
>> + type crontab_exec_t;
>> + ')
>> +
>> + corecmd_search_bin($1)
>> + can_exec($1, crontab_exec_t)
>> +')
>> +
>> +########################################
>> +##
>> ## All of the rules required to
>> ## administrate a cron environment.
>> ##
>
> Regards,
>
> Guido
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
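Review bot: `cron_exec_crontab` runs crontab through `can_exec`, so no transition into the crontab domain takes place and the caller keeps running crontab under its own label, with whatever access crontab then opens (for example the spool it lists) having to be granted to the caller separately. The interface summary should state that explicitly so it is not mistaken for a transitioning interface, e.g. `## No domain transition is performed; the caller needs its own access to whatever crontab reads.` That matches the read-only use in chkrootkit.te, but any later caller will have to add the matching spool-access interface itself.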