From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 12 Jun 2017 18:34:05 -0400
Subject: [refpolicy] [PATCH] chkrootkit: add interfaces and sysadm permit
In-Reply-To: <20170609133716.8128-1-cgzones@googlemail.com>
References: <20170609133716.8128-1-cgzones@googlemail.com>
Message-ID: <0b5ce2b2-b8e8-86d3-9b64-1287314ba262@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/09/2017 09:37 AM, Christian Göttsche via refpolicy wrote:
> From: cgzones > > v2: > - add bin_t fc to corecommands > --- > policy/modules/kernel/corecommands.fc | 1 + > policy/modules/roles/sysadm.te | 4 ++++ > policy/modules/system/init.if | 18 ++++++++++++++++++ > 3 files changed, 23 insertions(+) > > diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc > index 1033a9738..d30445437 100644 > --- a/policy/modules/kernel/corecommands.fc > +++ b/policy/modules/kernel/corecommands.fc > @@ -416,6 +416,7 @@ ifdef(`distro_suse', ` > /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) > > /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) > +/usr/lib/chkrootkit/.* -- gen_context(system_u:object_r:bin_t,s0) > /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) > > /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te > index c4158c507..fa6b166d2 100644 > --- a/policy/modules/roles/sysadm.te > +++ b/policy/modules/roles/sysadm.te > @@ -236,6 +236,10 @@ optional_policy(` > ') > > optional_policy(` > + chkrootkit_run(sysadm_t, sysadm_r) > +') > + > +optional_policy(` > chronyd_admin(sysadm_t, sysadm_r) > ') > > diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if > index 942845362..11531cfb2 100644 > --- a/policy/modules/system/init.if > +++ b/policy/modules/system/init.if 
> @@ -679,6 +679,24 @@ interface(`init_getpgid',` > > ######################################## > ## > +## Send init a generic signal. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_signal',` > + gen_require(` > + type init_t; > + ') > + > + allow $1 init_t:process signal; > +')

Merged.

--
Chris PeBenito
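Review bot: In the corecommands.fc hunk, the new entry `/usr/lib/chkrootkit/.* -- gen_context(system_u:object_r:bin_t,s0)` labels every regular file directly under that directory as bin_t, and the `--` qualifier means any subdirectory (and files below it) would not match at all; if the package installs anything there that is not an executable helper, or nests helpers in subdirectories, the pattern should be narrowed or widened accordingly, and the commit message would benefit from stating what the directory actually contains so the choice of bin_t (rather than a chkrootkit-specific executable type) is reviewable.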
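Review bot: The sysadm.te hunk calls `chkrootkit_run(sysadm_t, sysadm_r)`, but the diffstat lists only corecommands.fc, sysadm.te and init.if, so no chkrootkit.if defining that interface is part of this patch; the commit message should state which already-merged module (or separately posted patch) provides `chkrootkit_run`, since the `optional_policy` wrapper will silently drop the block if the interface is absent and the sysadm role will not get the expected domain transition. The placement of the new block alphabetically before `chronyd_admin` follows the file's convention.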
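Review bot: In the init.if hunk, the documentation comment for `init_signal` shows only bare `+##` lines around `Send init a generic signal.` and `Domain allowed access.`, with no `<summary>`, `<param name="domain">` or `<desc>` markup visible; if that is the actual content rather than the mail rendering stripping tags, the interface will not document correctly under refpolicy's doc tooling, so please confirm the committed version carries the usual XML markup. The rule itself, `allow $1 init_t:process signal;`, grants only the generic `signal` permission (not `sigkill` or `sigstop`), which matches the summary; the commit message, however, says nothing about why chkrootkit needs to signal init, and a one-line rationale for adding this to the init module under a chkrootkit-titled patch would help future readers.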