2017-06-08 14:15:32

by Christian Göttsche

Subject: [refpolicy] [PATCH] rkhunter: add policy module

From: cgzones <[email protected]>

---
apt.te | 5 +++
cron.if | 18 +++++++++
exim.if | 19 +++++++++
rkhunter.fc | 5 +++
rkhunter.if | 46 ++++++++++++++++++++++
rkhunter.te | 126 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
6 files changed, 219 insertions(+)
create mode 100644 rkhunter.fc
create mode 100644 rkhunter.if
create mode 100644 rkhunter.te

diff --git a/apt.te b/apt.te
index 63b93257..d6d18a56 100644
--- a/apt.te
+++ b/apt.te
@@ -148,6 +148,11 @@ optional_policy(`
')

optional_policy(`
+ # rkhunter trigger
+ rkhunter_domtrans(apt_t)
+')
+
+optional_policy(`
rpm_read_db(apt_t)
rpm_domtrans(apt_t)
')
diff --git a/cron.if b/cron.if
index a98065fb..0e22bb86 100644
--- a/cron.if
+++ b/cron.if
@@ -859,6 +859,24 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`

########################################
## <summary>
+## Read and write to inherited system cron job temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_inherited_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
+ ')
+
+ allow $1 system_cronjob_tmp_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to write temporary
## system cron job files.
## </summary>
diff --git a/exim.if b/exim.if
index c75f5fa0..495adb85 100644
--- a/exim.if
+++ b/exim.if
@@ -2,6 +2,25 @@

########################################
## <summary>
+## Execute exim in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_exec',`
+ gen_require(`
+ type exim_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, exim_exec_t)
+')
+
+########################################
+## <summary>
## Execute a domain transition to run exim.
## </summary>
## <param name="domain">
diff --git a/rkhunter.fc b/rkhunter.fc
new file mode 100644
index 00000000..d3c949c8
--- /dev/null
+++ b/rkhunter.fc
@@ -0,0 +1,5 @@
+/usr/bin/rkhunter -- gen_context(system_u:object_r:rkhunter_exec_t,s0)
+
+/var/lib/rkhunter(/.*)? gen_context(system_u:object_r:rkhunter_var_lib_t,s0)
+
+/var/log/rkhunter\.log.* -- gen_context(system_u:object_r:rkhunter_log_t,s0)
diff --git a/rkhunter.if b/rkhunter.if
new file mode 100644
index 00000000..9537e1f5
--- /dev/null
+++ b/rkhunter.if
@@ -0,0 +1,46 @@
+## <summary>rkhunter - rootkit checker.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run rkhunter.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rkhunter_domtrans',`
+ gen_require(`
+ type rkhunter_t, rkhunter_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rkhunter_exec_t, rkhunter_t)
+')
+
+########################################
+## <summary>
+## Execute rkhunter in the rkhunter domain,
+## and allow the specified role
+## the rkhunter domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`rkhunter_run',`
+ gen_require(`
+ attribute_role rkhunter_roles;
+ ')
+
+ rkhunter_domtrans($1)
+ roleattribute $2 rkhunter_roles;
+')
diff --git a/rkhunter.te b/rkhunter.te
new file mode 100644
index 00000000..a57c826b
--- /dev/null
+++ b/rkhunter.te
@@ -0,0 +1,126 @@
+policy_module(rkhunter, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether rkhunter can connect
+## to http ports. This is required by the
+## --update option.
+## </p>
+## </desc>
+gen_tunable(rkhunter_connect_http, false)
+
+attribute_role rkhunter_roles;
+
+type rkhunter_t;
+type rkhunter_exec_t;
+application_domain(rkhunter_t, rkhunter_exec_t)
+role rkhunter_roles types rkhunter_t;
+
+type rkhunter_var_lib_t;
+files_type(rkhunter_var_lib_t)
+
+type rkhunter_log_t;
+logging_log_file(rkhunter_log_t)
+
+type rkhunter_tmpfs_t;
+files_tmpfs_file(rkhunter_tmpfs_t)
+
+########################################
+#
+# Application local policy
+#
+
+allow rkhunter_t self:capability { dac_override dac_read_search net_admin setgid setuid sys_nice sys_ptrace };
+allow rkhunter_t self:process { getsched setsched signal };
+allow rkhunter_t self:netlink_route_socket r_netlink_socket_perms;
+allow rkhunter_t self:tcp_socket { bind connect create listen read write };
+allow rkhunter_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow rkhunter_t self:udp_socket { bind connect create ioctl read write };
+allow rkhunter_t self:fifo_file rw_fifo_file_perms;
+
+allow rkhunter_t rkhunter_log_t:file { append_file_perms create_file_perms setattr };
+logging_log_filetrans(rkhunter_t, rkhunter_log_t, file)
+
+allow rkhunter_t rkhunter_tmpfs_t:file manage_file_perms;
+fs_tmpfs_filetrans(rkhunter_t, rkhunter_tmpfs_t, file)
+
+allow rkhunter_t rkhunter_var_lib_t:dir manage_dir_perms;
+allow rkhunter_t rkhunter_var_lib_t:file manage_file_perms;
+
+kernel_request_load_module(rkhunter_t)
+kernel_read_all_sysctls(rkhunter_t)
+kernel_read_network_state(rkhunter_t)
+kernel_getattr_message_if(rkhunter_t)
+kernel_get_sysvipc_info(rkhunter_t)
+
+auth_dontaudit_read_shadow(rkhunter_t)
+
+corecmd_exec_bin(rkhunter_t)
+corecmd_exec_shell(rkhunter_t)
+
+corenet_tcp_bind_all_ports(rkhunter_t)
+corenet_udp_bind_all_ports(rkhunter_t)
+corenet_tcp_bind_generic_node(rkhunter_t)
+corenet_udp_bind_generic_node(rkhunter_t)
+
+dev_read_urand(rkhunter_t)
+dev_getattr_all_chr_files(rkhunter_t)
+dev_getattr_all_blk_files(rkhunter_t)
+
+domain_read_all_domains_state(rkhunter_t)
+domain_use_interactive_fds(rkhunter_t)
+domain_getattr_all_sockets(rkhunter_t)
+domain_getattr_all_pipes(rkhunter_t)
+
+hostname_exec(rkhunter_t)
+
+files_read_non_auth_files(rkhunter_t)
+files_read_all_symlinks(rkhunter_t)
+files_read_all_chr_files(rkhunter_t)
+files_getattr_all_pipes(rkhunter_t)
+files_getattr_all_sockets(rkhunter_t)
+
+fs_getattr_tracefs(rkhunter_t)
+fs_getattr_tracefs_dirs(rkhunter_t)
+
+modutils_exec(rkhunter_t)
+
+logging_send_syslog_msg(rkhunter_t)
+
+sysnet_exec_ifconfig(rkhunter_t)
+
+userdom_use_inherited_user_terminals(rkhunter_t)
+
+ifdef(`init_systemd',`
+ # start as systemd timer
+ init_system_domain(rkhunter_t, rkhunter_exec_t)
+')
+
+tunable_policy(`rkhunter_connect_http',`
+ corenet_tcp_connect_http_port(rkhunter_t)
+')
+
+optional_policy(`
+ cron_system_entry(rkhunter_t, rkhunter_exec_t)
+ cron_rw_inherited_system_job_tmp_files(rkhunter_t)
+')
+
+optional_policy(`
+ # exim check
+ exim_exec(rkhunter_t)
+')
+
+optional_policy(`
+ # gpg check
+ gpg_exec(rkhunter_t)
+')
+
+optional_policy(`
+ # ssh check
+ ssh_exec_sshd(rkhunter_t)
+')
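Review bot: The capability rule at the start of the local policy (dac_override, dac_read_search, net_admin, setgid, setuid, sys_nice, sys_ptrace) and the corenet_tcp_bind_all_ports/corenet_udp_bind_all_ports lines together with `listen` on the tcp_socket grant a wide, permanent set of privileges with no comment tying any of them to a specific rkhunter check, so a later maintainer cannot tell which rule could be tightened or dropped. I would add a short comment above each group, e.g. `# sys_ptrace, dac_*: reading other processes' /proc state and root-only files (hidden process/file checks) -- confirm against audit denials` and `# bind to all ports: hidden-port probe -- if only unreserved ports are probed, corenet_tcp_bind_all_unreserved_ports/corenet_udp_bind_all_unreserved_ports would be tighter`. The tunable block near the end only adds corenet_tcp_connect_http_port; the --update path presumably also needs name resolution, so `sysnet_dns_name_resolve(rkhunter_t)` inside the same tunable_policy block is worth confirming before the tunable's description is relied on as sufficient. The quoted copy of this hunk later in the thread carries the same points.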
--
2.11.0


2017-06-08 22:22:20

by Chris PeBenito

Subject: [refpolicy] [PATCH] rkhunter: add policy module

On 06/08/2017 10:15 AM, Christian Göttsche via refpolicy wrote:
> From: cgzones <[email protected]>
>
> ---
> apt.te | 5 +++
> cron.if | 18 +++++++++
> exim.if | 19 +++++++++
> rkhunter.fc | 5 +++
> rkhunter.if | 46 ++++++++++++++++++++++
> rkhunter.te | 126 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 6 files changed, 219 insertions(+)
> create mode 100644 rkhunter.fc
> create mode 100644 rkhunter.if
> create mode 100644 rkhunter.te
>
> diff --git a/apt.te b/apt.te
> index 63b93257..d6d18a56 100644
> --- a/apt.te
> +++ b/apt.te
> @@ -148,6 +148,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + # rkhunter trigger
> + rkhunter_domtrans(apt_t)
> +')
> +
> +optional_policy(`
> rpm_read_db(apt_t)
> rpm_domtrans(apt_t)
> ')
> diff --git a/cron.if b/cron.if
> index a98065fb..0e22bb86 100644
> --- a/cron.if
> +++ b/cron.if
> @@ -859,6 +859,24 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
>
> ########################################
> ## <summary>
> +## Read and write to inherited system cron job temporary files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`cron_rw_inherited_system_job_tmp_files',`
> + gen_require(`
> + type system_cronjob_tmp_t;
> + ')
> +
> + allow $1 system_cronjob_tmp_t:file rw_inherited_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Do not audit attempts to write temporary
> ## system cron job files.
> ## </summary>
> diff --git a/exim.if b/exim.if
> index c75f5fa0..495adb85 100644
> --- a/exim.if
> +++ b/exim.if
> @@ -2,6 +2,25 @@
>
> ########################################
> ## <summary>
> +## Execute exim in the caller domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`exim_exec',`
> + gen_require(`
> + type exim_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + can_exec($1, exim_exec_t)
> +')
> +
> +########################################
> +## <summary>
> ## Execute a domain transition to run exim.
> ## </summary>
> ## <param name="domain">
> diff --git a/rkhunter.fc b/rkhunter.fc
> new file mode 100644
> index 00000000..d3c949c8
> --- /dev/null
> +++ b/rkhunter.fc
> @@ -0,0 +1,5 @@
> +/usr/bin/rkhunter -- gen_context(system_u:object_r:rkhunter_exec_t,s0)
> +
> +/var/lib/rkhunter(/.*)? gen_context(system_u:object_r:rkhunter_var_lib_t,s0)
> +
> +/var/log/rkhunter\.log.* -- gen_context(system_u:object_r:rkhunter_log_t,s0)
> diff --git a/rkhunter.if b/rkhunter.if
> new file mode 100644
> index 00000000..9537e1f5
> --- /dev/null
> +++ b/rkhunter.if
> @@ -0,0 +1,46 @@
> +## <summary>rkhunter - rootkit checker.</summary>
> +
> +########################################
> +## <summary>
> +## Execute a domain transition to run rkhunter.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`rkhunter_domtrans',`
> + gen_require(`
> + type rkhunter_t, rkhunter_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, rkhunter_exec_t, rkhunter_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute rkhunter in the rkhunter domain,
> +## and allow the specified role
> +## the rkhunter domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`rkhunter_run',`
> + gen_require(`
> + attribute_role rkhunter_roles;
> + ')
> +
> + rkhunter_domtrans($1)
> + roleattribute $2 rkhunter_roles;
> +')
> diff --git a/rkhunter.te b/rkhunter.te
> new file mode 100644
> index 00000000..a57c826b
> --- /dev/null
> +++ b/rkhunter.te
> @@ -0,0 +1,126 @@
> +policy_module(rkhunter, 0.0.1)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +## <desc>
> +## <p>
> +## Determine whether rkhunter can connect
> +## to http ports. This is required by the
> +## --update option.
> +## </p>
> +## </desc>
> +gen_tunable(rkhunter_connect_http, false)
> +
> +attribute_role rkhunter_roles;
> +
> +type rkhunter_t;
> +type rkhunter_exec_t;
> +application_domain(rkhunter_t, rkhunter_exec_t)
> +role rkhunter_roles types rkhunter_t;
> +
> +type rkhunter_var_lib_t;
> +files_type(rkhunter_var_lib_t)
> +
> +type rkhunter_log_t;
> +logging_log_file(rkhunter_log_t)
> +
> +type rkhunter_tmpfs_t;
> +files_tmpfs_file(rkhunter_tmpfs_t)
> +
> +########################################
> +#
> +# Application local policy
> +#
> +
> +allow rkhunter_t self:capability { dac_override dac_read_search net_admin setgid setuid sys_nice sys_ptrace };
> +allow rkhunter_t self:process { getsched setsched signal };
> +allow rkhunter_t self:netlink_route_socket r_netlink_socket_perms;
> +allow rkhunter_t self:tcp_socket { bind connect create listen read write };
> +allow rkhunter_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
> +allow rkhunter_t self:udp_socket { bind connect create ioctl read write };
> +allow rkhunter_t self:fifo_file rw_fifo_file_perms;
> +
> +allow rkhunter_t rkhunter_log_t:file { append_file_perms create_file_perms setattr };
> +logging_log_filetrans(rkhunter_t, rkhunter_log_t, file)
> +
> +allow rkhunter_t rkhunter_tmpfs_t:file manage_file_perms;
> +fs_tmpfs_filetrans(rkhunter_t, rkhunter_tmpfs_t, file)
> +
> +allow rkhunter_t rkhunter_var_lib_t:dir manage_dir_perms;
> +allow rkhunter_t rkhunter_var_lib_t:file manage_file_perms;
> +
> +kernel_request_load_module(rkhunter_t)
> +kernel_read_all_sysctls(rkhunter_t)
> +kernel_read_network_state(rkhunter_t)
> +kernel_getattr_message_if(rkhunter_t)
> +kernel_get_sysvipc_info(rkhunter_t)
> +
> +auth_dontaudit_read_shadow(rkhunter_t)
> +
> +corecmd_exec_bin(rkhunter_t)
> +corecmd_exec_shell(rkhunter_t)
> +
> +corenet_tcp_bind_all_ports(rkhunter_t)
> +corenet_udp_bind_all_ports(rkhunter_t)
> +corenet_tcp_bind_generic_node(rkhunter_t)
> +corenet_udp_bind_generic_node(rkhunter_t)
> +
> +dev_read_urand(rkhunter_t)
> +dev_getattr_all_chr_files(rkhunter_t)
> +dev_getattr_all_blk_files(rkhunter_t)
> +
> +domain_read_all_domains_state(rkhunter_t)
> +domain_use_interactive_fds(rkhunter_t)
> +domain_getattr_all_sockets(rkhunter_t)
> +domain_getattr_all_pipes(rkhunter_t)
> +
> +hostname_exec(rkhunter_t)
> +
> +files_read_non_auth_files(rkhunter_t)
> +files_read_all_symlinks(rkhunter_t)
> +files_read_all_chr_files(rkhunter_t)
> +files_getattr_all_pipes(rkhunter_t)
> +files_getattr_all_sockets(rkhunter_t)
> +
> +fs_getattr_tracefs(rkhunter_t)
> +fs_getattr_tracefs_dirs(rkhunter_t)
> +
> +modutils_exec(rkhunter_t)
> +
> +logging_send_syslog_msg(rkhunter_t)
> +
> +sysnet_exec_ifconfig(rkhunter_t)
> +
> +userdom_use_inherited_user_terminals(rkhunter_t)
> +
> +ifdef(`init_systemd',`
> + # start as systemd timer
> + init_system_domain(rkhunter_t, rkhunter_exec_t)
> +')
> +
> +tunable_policy(`rkhunter_connect_http',`
> + corenet_tcp_connect_http_port(rkhunter_t)
> +')
> +
> +optional_policy(`
> + cron_system_entry(rkhunter_t, rkhunter_exec_t)
> + cron_rw_inherited_system_job_tmp_files(rkhunter_t)
> +')
> +
> +optional_policy(`
> + # exim check
> + exim_exec(rkhunter_t)
> +')
> +
> +optional_policy(`
> + # gpg check
> + gpg_exec(rkhunter_t)
> +')
> +
> +optional_policy(`
> + # ssh check
> + ssh_exec_sshd(rkhunter_t)
> +')

Merged.

--
Chris PeBenito