From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 11 Sep 2017 19:34:05 -0400
Subject: [refpolicy] [PATCH] rkhunter: add interfaces for var_run and lock dir access check
In-Reply-To: <20170910154803.8977-1-cgzones@googlemail.com>
References: <20170910154803.8977-1-cgzones@googlemail.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/10/2017 11:48 AM, Christian Göttsche via refpolicy wrote:
> ---
> policy/modules/kernel/files.if | 37 +++++++++++++++++++++++++++++++++++++
> 1 file changed, 37 insertions(+)
>
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index 1b10d466..597801ad 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -5816,6 +5816,25 @@ interface(`files_list_locks',`
> list_dirs_pattern($1, var_t, var_lock_t)
> ')
>
> +########################################
> +##
> +## Test write access on lock directories.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`files_check_write_lock_dirs',`
> + gen_require(`
> + type var_lock_t;
> + ')
> +
> + allow $1 var_lock_t:lnk_file read_lnk_file_perms;
> + allow $1 var_lock_t:dir write;
> +')
> +
> ########################################
> ##
> ## Add entries in the /var/lock directories.
> @@ -6222,6 +6241,24 @@ interface(`files_create_pid_dirs',`
> allow $1 var_run_t:dir create_dir_perms;
> ')
>
> +########################################
> +##
> +## Check write access on /var/run directories.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`files_check_write_pid_dirs',`
> + gen_require(`
> + type var_run_t;
> + ')
> +
> + allow $1 var_run_t:dir write;
> +')
> +

Merged.

-- 
Chris PeBenito
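Review bot: the summary of files_check_write_lock_dirs (first hunk) reads "Test write access on lock directories." while the sibling interface in the second hunk says "Check write access on /var/run directories."; use the same verb and name the path in both, e.g. "Check write access on /var/lock directories.", so the pair is easy to find together. On the rule body, `allow $1 var_lock_t:dir write;` without add_name or remove_name cannot create or unlink directory entries, so it only satisfies a write-permission probe such as an access(2) W_OK check on the directory; a short comment stating that intent would keep a later contributor from widening it to rw_dir_perms. The `lnk_file read_lnk_file_perms` line covers the case where /var/lock is reached through a symlink and is worth a mention in the summary as well.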
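Review bot: files_check_write_pid_dirs (second hunk) grants only `allow $1 var_run_t:dir write;`, whereas its lock counterpart in the first hunk also grants `lnk_file read_lnk_file_perms` on its type. If /var/run is a symlink to /run on the target systems, as /var/lock is to /run/lock, a caller resolving /var/run will hit a lnk_file denial before the dir write check is ever reached; either add the matching `allow $1 var_run_t:lnk_file read_lnk_file_perms;` here or state in the summary why it is not needed. As with the lock interface, a comment that bare `dir write` is intended as a permission probe rather than an entry-creation grant would document the deliberate narrowness.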