2017-06-09 13:37:16

by Christian Göttsche

Subject: [refpolicy] [PATCH] chkrootkit: add interfaces and sysadm permit

From: cgzones <[email protected]>

v2:
- add bin_t fc to corecommands
---
policy/modules/kernel/corecommands.fc | 1 +
policy/modules/roles/sysadm.te | 4 ++++
policy/modules/system/init.if | 18 ++++++++++++++++++
3 files changed, 23 insertions(+)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 1033a9738..d30445437 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -416,6 +416,7 @@ ifdef(`distro_suse', `
/var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)

/var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/chkrootkit/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)

/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
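Review bot: the new `/usr/lib/chkrootkit/.* --` entry uses `.*` while the neighbouring `/usr/lib/yp/.+ --` line uses `.+`; with the `--` regular-file qualifier the two behave the same in practice, but `/usr/lib/chkrootkit/.+ -- gen_context(system_u:object_r:bin_t,s0)` keeps the two helper-directory entries consistent. Also note the line is slotted between two `/var/...` entries, so it follows the yp entry's placement rather than the surrounding path order; fine if that is this block's convention, but worth a glance before merging.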
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index c4158c507..fa6b166d2 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -236,6 +236,10 @@ optional_policy(`
')

optional_policy(`
+ chkrootkit_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
chronyd_admin(sysadm_t, sysadm_r)
')
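Review bot: `chkrootkit_run(sysadm_t, sysadm_r)` calls an interface that nothing in this patch defines (the diffstat touches only corecommands.fc, sysadm.te and init.if). The `optional_policy` wrapper means the build tolerates a missing chkrootkit module, but then the sysadm_t grant silently does nothing; the description should name the module or series that provides `chkrootkit_run`. Placement ahead of the `chronyd_admin` block keeps the alphabetical order of the optional_policy blocks.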

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 942845362..11531cfb2 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -679,6 +679,24 @@ interface(`init_getpgid',`

########################################
## <summary>
+## Send init a generic signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_signal',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:process signal;
+')
+
+########################################
+## <summary>
## Send init a null signal.
## </summary>
## <param name="domain">
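Review bot: the `signal` permission granted by `init_signal` is the catch-all for signals that SELinux does not split out into their own permission (the null signal has one, as the adjacent `init_signull` interface shows), so a caller may send SIGTERM or SIGHUP to PID 1; that is a broad grant on a privileged target and the summary "Send init a generic signal." could say so, along with which caller needs it, since no domain in this patch invokes `init_signal`. The `gen_require`/`allow` shape matches `init_signull` and placing it before that interface keeps the file's ordering.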
--
2.11.0


2017-06-12 22:34:05

by Chris PeBenito

Subject: [refpolicy] [PATCH] chkrootkit: add interfaces and sysadm permit

On 06/09/2017 09:37 AM, Christian Göttsche via refpolicy wrote:
> From: cgzones <[email protected]>
>
> v2:
> - add bin_t fc to corecommands
> ---
> policy/modules/kernel/corecommands.fc | 1 +
> policy/modules/roles/sysadm.te | 4 ++++
> policy/modules/system/init.if | 18 ++++++++++++++++++
> 3 files changed, 23 insertions(+)
>
> diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
> index 1033a9738..d30445437 100644
> --- a/policy/modules/kernel/corecommands.fc
> +++ b/policy/modules/kernel/corecommands.fc
> @@ -416,6 +416,7 @@ ifdef(`distro_suse', `
> /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
>
> /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/chkrootkit/.* -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
>
> /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index c4158c507..fa6b166d2 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -236,6 +236,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + chkrootkit_run(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> chronyd_admin(sysadm_t, sysadm_r)
> ')
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 942845362..11531cfb2 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -679,6 +679,24 @@ interface(`init_getpgid',`
>
> ########################################
> ## <summary>
> +## Send init a generic signal.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_signal',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:process signal;
> +')

Merged.

--
Chris PeBenito