From: pebenito@ieee.org (Chris PeBenito) Date: Mon, 12 Jun 2017 18:35:41 -0400 Subject: [refpolicy] [PATCH] chkrootkit: add policy module In-Reply-To: <20170609133907.8638-1-cgzones@googlemail.com> References: <20170609133907.8638-1-cgzones@googlemail.com> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 06/09/2017 09:39 AM, Christian G?ttsche via refpolicy wrote: > From: cgzones > > v2: > - remove bin_t fc > --- > chkrootkit.fc | 5 ++++ > chkrootkit.if | 46 +++++++++++++++++++++++++++++++++++++ > chkrootkit.te | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > cron.if | 20 ++++++++++++++++ > 4 files changed, 144 insertions(+) > create mode 100644 chkrootkit.fc > create mode 100644 chkrootkit.if > create mode 100644 chkrootkit.te > > diff --git a/chkrootkit.fc b/chkrootkit.fc > new file mode 100644 > index 00000000..fa780c34 > --- /dev/null > +++ b/chkrootkit.fc > @@ -0,0 +1,5 @@ > +/usr/bin/chkrootkit -- gen_context(system_u:object_r:chkrootkit_exec_t,s0) > + > +/usr/sbin/chkrootkit -- gen_context(system_u:object_r:chkrootkit_exec_t,s0) > + > +/var/log/chkrootkit(/.*)? gen_context(system_u:object_r:chkrootkit_log_t,s0) > diff --git a/chkrootkit.if b/chkrootkit.if > new file mode 100644 > index 00000000..12589bd9 > --- /dev/null > +++ b/chkrootkit.if > @@ -0,0 +1,46 @@ > +## chkrootkit - rootkit checker. > + > +######################################## > +## > +## Execute a domain transition to run chkrootkit. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`chkrootkit_domtrans',` > + gen_require(` > + type chkrootkit_t, chkrootkit_exec_t; > + ') > + > + corecmd_search_bin($1) > + domtrans_pattern($1, chkrootkit_exec_t, chkrootkit_t) > +') > + > +######################################## > +## > +## Execute chkrootkit in the chkrootkit domain, > +## and allow the specified role > +## the chkrootkit domain. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +## > +## > +## Role allowed access. > +## > +## > +# > +interface(`chkrootkit_run',` > + gen_require(` > + attribute_role chkrootkit_roles; > + ') > + > + chkrootkit_domtrans($1) > + roleattribute $2 chkrootkit_roles; > +') > diff --git a/chkrootkit.te b/chkrootkit.te > new file mode 100644 > index 00000000..4bfbb787 > --- /dev/null > +++ b/chkrootkit.te > @@ -0,0 +1,73 @@ > +policy_module(chkrootkit, 0.0.1) > + > +######################################## > +# > +# Declarations > +# > + > +attribute_role chkrootkit_roles; > + > +type chkrootkit_t; > +type chkrootkit_exec_t; > +application_domain(chkrootkit_t, chkrootkit_exec_t) > +role chkrootkit_roles types chkrootkit_t; > + > +type chkrootkit_log_t; > +logging_log_file(chkrootkit_log_t) > + > +######################################## > +# > +# Application local policy > +# > + > +allow chkrootkit_t self:capability { dac_override dac_read_search setuid sys_ptrace }; > +allow chkrootkit_t self:fifo_file rw_fifo_file_perms; > +allow chkrootkit_t self:udp_socket { create ioctl }; > + > +kernel_read_all_sysctls(chkrootkit_t) > +kernel_getattr_proc(chkrootkit_t) > +kernel_read_network_state(chkrootkit_t) > +kernel_getattr_message_if(chkrootkit_t) > + > +corecmd_exec_bin(chkrootkit_t) > +corecmd_exec_shell(chkrootkit_t) > + > +dev_read_rand(chkrootkit_t) > +dev_read_urand(chkrootkit_t) > +dev_getattr_all_chr_files(chkrootkit_t) > + > +domain_read_all_domains_state(chkrootkit_t) > +domain_use_interactive_fds(chkrootkit_t) > +domain_getattr_all_sockets(chkrootkit_t) > +domain_getattr_all_pipes(chkrootkit_t) > + > +files_read_non_auth_files(chkrootkit_t) > +files_read_all_symlinks(chkrootkit_t) > +files_read_all_chr_files(chkrootkit_t) > +files_getattr_all_pipes(chkrootkit_t) > + > +init_signal(chkrootkit_t) > + > +logging_send_syslog_msg(chkrootkit_t) > + > +miscfiles_read_localization(chkrootkit_t) > + > +term_getattr_unallocated_ttys(chkrootkit_t) > + > +userdom_use_inherited_user_terminals(chkrootkit_t) > + > +usermanage_check_exec_passwd(chkrootkit_t) > + > +ifdef(`init_systemd',` > + # start as systemd timer > + init_system_domain(chkrootkit_t, chkrootkit_exec_t) > +') > + > +optional_policy(` > + cron_system_entry(chkrootkit_t, chkrootkit_exec_t) > + cron_exec_crontab(chkrootkit_t) > +') > + > +optional_policy(` > + ssh_exec(chkrootkit_t) > +') > diff --git a/cron.if b/cron.if > index 0e22bb86..23bd1417 100644 > --- a/cron.if > +++ b/cron.if > @@ -896,6 +896,26 @@ interface(`cron_dontaudit_write_system_job_tmp_files',` > > ######################################## > ## > +## Execute crontab in the caller domain. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`cron_exec_crontab',` > + gen_require(` > + type crontab_exec_t; > + ') > + > + corecmd_search_bin($1) > + can_exec($1, crontab_exec_t) > +') Merged. -- Chris PeBenito