2017-06-08 17:15:27

by Christian Göttsche

Subject: [refpolicy] [PATCH] chkrootkit: add policy module

From: cgzones <[email protected]>

---
chkrootkit.fc | 7 ++++++
chkrootkit.if | 46 +++++++++++++++++++++++++++++++++++++
chkrootkit.te | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
cron.if | 20 ++++++++++++++++
4 files changed, 146 insertions(+)
create mode 100644 chkrootkit.fc
create mode 100644 chkrootkit.if
create mode 100644 chkrootkit.te

diff --git a/chkrootkit.fc b/chkrootkit.fc
new file mode 100644
index 00000000..861df6df
--- /dev/null
+++ b/chkrootkit.fc
@@ -0,0 +1,7 @@
+/usr/bin/chkrootkit -- gen_context(system_u:object_r:chkrootkit_exec_t,s0)
+
+/usr/lib/chkrootkit/.* -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/sbin/chkrootkit -- gen_context(system_u:object_r:chkrootkit_exec_t,s0)
+
+/var/log/chkrootkit(/.*)? gen_context(system_u:object_r:chkrootkit_log_t,s0)
diff --git a/chkrootkit.if b/chkrootkit.if
new file mode 100644
index 00000000..12589bd9
--- /dev/null
+++ b/chkrootkit.if
@@ -0,0 +1,46 @@
+## <summary>chkrootkit - rootkit checker.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run chkrootkit.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chkrootkit_domtrans',`
+ gen_require(`
+ type chkrootkit_t, chkrootkit_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chkrootkit_exec_t, chkrootkit_t)
+')
+
+########################################
+## <summary>
+## Execute chkrootkit in the chkrootkit domain,
+## and allow the specified role
+## the chkrootkit domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`chkrootkit_run',`
+ gen_require(`
+ attribute_role chkrootkit_roles;
+ ')
+
+ chkrootkit_domtrans($1)
+ roleattribute $2 chkrootkit_roles;
+')
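Review bot: chkrootkit_run is missing the `## <rolecap/>` tag that refpolicy places on interfaces which give a role the ability to run a program; the cron.if hunk further down this patch uses it for cron_exec_crontab, so the new module is inconsistent with itself. Add `## <rolecap/>` after the closing `## </param>` of the role parameter and before the `#` line, which, as far as I recall, is what the interface documentation generator keys on when listing role capabilities. The domtrans/roleattribute body itself follows the usual shape.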
diff --git a/chkrootkit.te b/chkrootkit.te
new file mode 100644
index 00000000..4bfbb787
--- /dev/null
+++ b/chkrootkit.te
@@ -0,0 +1,73 @@
+policy_module(chkrootkit, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role chkrootkit_roles;
+
+type chkrootkit_t;
+type chkrootkit_exec_t;
+application_domain(chkrootkit_t, chkrootkit_exec_t)
+role chkrootkit_roles types chkrootkit_t;
+
+type chkrootkit_log_t;
+logging_log_file(chkrootkit_log_t)
+
+########################################
+#
+# Application local policy
+#
+
+allow chkrootkit_t self:capability { dac_override dac_read_search setuid sys_ptrace };
+allow chkrootkit_t self:fifo_file rw_fifo_file_perms;
+allow chkrootkit_t self:udp_socket { create ioctl };
+
+kernel_read_all_sysctls(chkrootkit_t)
+kernel_getattr_proc(chkrootkit_t)
+kernel_read_network_state(chkrootkit_t)
+kernel_getattr_message_if(chkrootkit_t)
+
+corecmd_exec_bin(chkrootkit_t)
+corecmd_exec_shell(chkrootkit_t)
+
+dev_read_rand(chkrootkit_t)
+dev_read_urand(chkrootkit_t)
+dev_getattr_all_chr_files(chkrootkit_t)
+
+domain_read_all_domains_state(chkrootkit_t)
+domain_use_interactive_fds(chkrootkit_t)
+domain_getattr_all_sockets(chkrootkit_t)
+domain_getattr_all_pipes(chkrootkit_t)
+
+files_read_non_auth_files(chkrootkit_t)
+files_read_all_symlinks(chkrootkit_t)
+files_read_all_chr_files(chkrootkit_t)
+files_getattr_all_pipes(chkrootkit_t)
+
+init_signal(chkrootkit_t)
+
+logging_send_syslog_msg(chkrootkit_t)
+
+miscfiles_read_localization(chkrootkit_t)
+
+term_getattr_unallocated_ttys(chkrootkit_t)
+
+userdom_use_inherited_user_terminals(chkrootkit_t)
+
+usermanage_check_exec_passwd(chkrootkit_t)
+
+ifdef(`init_systemd',`
+ # start as systemd timer
+ init_system_domain(chkrootkit_t, chkrootkit_exec_t)
+')
+
+optional_policy(`
+ cron_system_entry(chkrootkit_t, chkrootkit_exec_t)
+ cron_exec_crontab(chkrootkit_t)
+')
+
+optional_policy(`
+ ssh_exec(chkrootkit_t)
+')
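Review bot: chkrootkit_log_t is declared with logging_log_file and the .fc hunk labels /var/log/chkrootkit with it, but nothing in the "Application local policy" section lets chkrootkit_t create, write or even read files of that type, so the log directory is a dead label and any attempt by the domain to write there will be denied. Add the log-type rules next to the other file access, e.g. `manage_dirs_pattern(chkrootkit_t, chkrootkit_log_t, chkrootkit_log_t)`, `manage_files_pattern(chkrootkit_t, chkrootkit_log_t, chkrootkit_log_t)` and `logging_log_filetrans(chkrootkit_t, chkrootkit_log_t, { dir file })`. Whether chkrootkit writes the log itself or a wrapper redirects output into it is not visible here, so confirm against the package before settling on manage versus append permissions. A one-line comment above the self:capability rule naming which check needs `sys_ptrace` and `setuid` would also help later audits, since those are the broadest grants in the module.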
diff --git a/cron.if b/cron.if
index a98065fb..06d4f9ea 100644
--- a/cron.if
+++ b/cron.if
@@ -878,6 +878,26 @@ interface(`cron_dontaudit_write_system_job_tmp_files',`

########################################
## <summary>
+## Execute crontab in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cron_exec_crontab',`
+ gen_require(`
+ type crontab_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, crontab_exec_t)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate a cron environment.
## </summary>
--
2.11.0


2017-06-08 22:38:57

by Chris PeBenito

Subject: [refpolicy] [PATCH] chkrootkit: add policy module

On 06/08/2017 01:15 PM, Christian Göttsche via refpolicy wrote:
> From: cgzones <[email protected]>
>
> ---
> chkrootkit.fc | 7 ++++++
> chkrootkit.if | 46 +++++++++++++++++++++++++++++++++++++
> chkrootkit.te | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> cron.if | 20 ++++++++++++++++
> 4 files changed, 146 insertions(+)
> create mode 100644 chkrootkit.fc
> create mode 100644 chkrootkit.if
> create mode 100644 chkrootkit.te
>
> diff --git a/chkrootkit.fc b/chkrootkit.fc
> new file mode 100644
> index 00000000..861df6df
> --- /dev/null
> +++ b/chkrootkit.fc
> @@ -0,0 +1,7 @@
> +/usr/bin/chkrootkit -- gen_context(system_u:object_r:chkrootkit_exec_t,s0)
> +
> +/usr/lib/chkrootkit/.* -- gen_context(system_u:object_r:bin_t,s0)

Wrong module for this fc entry.


> +/usr/sbin/chkrootkit -- gen_context(system_u:object_r:chkrootkit_exec_t,s0)
> +
> +/var/log/chkrootkit(/.*)? gen_context(system_u:object_r:chkrootkit_log_t,s0)
> diff --git a/chkrootkit.if b/chkrootkit.if
> new file mode 100644
> index 00000000..12589bd9
> --- /dev/null
> +++ b/chkrootkit.if
> @@ -0,0 +1,46 @@
> +## <summary>chkrootkit - rootkit checker.</summary>
> +
> +########################################
> +## <summary>
> +## Execute a domain transition to run chkrootkit.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`chkrootkit_domtrans',`
> + gen_require(`
> + type chkrootkit_t, chkrootkit_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, chkrootkit_exec_t, chkrootkit_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute chkrootkit in the chkrootkit domain,
> +## and allow the specified role
> +## the chkrootkit domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`chkrootkit_run',`
> + gen_require(`
> + attribute_role chkrootkit_roles;
> + ')
> +
> + chkrootkit_domtrans($1)
> + roleattribute $2 chkrootkit_roles;
> +')
> diff --git a/chkrootkit.te b/chkrootkit.te
> new file mode 100644
> index 00000000..4bfbb787
> --- /dev/null
> +++ b/chkrootkit.te
> @@ -0,0 +1,73 @@
> +policy_module(chkrootkit, 0.0.1)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +attribute_role chkrootkit_roles;
> +
> +type chkrootkit_t;
> +type chkrootkit_exec_t;
> +application_domain(chkrootkit_t, chkrootkit_exec_t)
> +role chkrootkit_roles types chkrootkit_t;
> +
> +type chkrootkit_log_t;
> +logging_log_file(chkrootkit_log_t)
> +
> +########################################
> +#
> +# Application local policy
> +#
> +
> +allow chkrootkit_t self:capability { dac_override dac_read_search setuid sys_ptrace };
> +allow chkrootkit_t self:fifo_file rw_fifo_file_perms;
> +allow chkrootkit_t self:udp_socket { create ioctl };
> +
> +kernel_read_all_sysctls(chkrootkit_t)
> +kernel_getattr_proc(chkrootkit_t)
> +kernel_read_network_state(chkrootkit_t)
> +kernel_getattr_message_if(chkrootkit_t)
> +
> +corecmd_exec_bin(chkrootkit_t)
> +corecmd_exec_shell(chkrootkit_t)
> +
> +dev_read_rand(chkrootkit_t)
> +dev_read_urand(chkrootkit_t)
> +dev_getattr_all_chr_files(chkrootkit_t)
> +
> +domain_read_all_domains_state(chkrootkit_t)
> +domain_use_interactive_fds(chkrootkit_t)
> +domain_getattr_all_sockets(chkrootkit_t)
> +domain_getattr_all_pipes(chkrootkit_t)
> +
> +files_read_non_auth_files(chkrootkit_t)
> +files_read_all_symlinks(chkrootkit_t)
> +files_read_all_chr_files(chkrootkit_t)
> +files_getattr_all_pipes(chkrootkit_t)
> +
> +init_signal(chkrootkit_t)
> +
> +logging_send_syslog_msg(chkrootkit_t)
> +
> +miscfiles_read_localization(chkrootkit_t)
> +
> +term_getattr_unallocated_ttys(chkrootkit_t)
> +
> +userdom_use_inherited_user_terminals(chkrootkit_t)
> +
> +usermanage_check_exec_passwd(chkrootkit_t)
> +
> +ifdef(`init_systemd',`
> + # start as systemd timer
> + init_system_domain(chkrootkit_t, chkrootkit_exec_t)
> +')
> +
> +optional_policy(`
> + cron_system_entry(chkrootkit_t, chkrootkit_exec_t)
> + cron_exec_crontab(chkrootkit_t)
> +')
> +
> +optional_policy(`
> + ssh_exec(chkrootkit_t)
> +')
> diff --git a/cron.if b/cron.if
> index a98065fb..06d4f9ea 100644
> --- a/cron.if
> +++ b/cron.if
> @@ -878,6 +878,26 @@ interface(`cron_dontaudit_write_system_job_tmp_files',`
>
> ########################################
> ## <summary>
> +## Execute crontab in the caller domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`cron_exec_crontab',`
> + gen_require(`
> + type crontab_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + can_exec($1, crontab_exec_t)
> +')
> +
> +########################################
> +## <summary>
> ## All of the rules required to
> ## administrate a cron environment.
> ## </summary>
>


--
Chris PeBenito