2017-06-09 13:39:07

by Christian Göttsche

Subject: [refpolicy] [PATCH] chkrootkit: add policy module

From: cgzones <[email protected]>

v2:
- remove bin_t fc
---
chkrootkit.fc | 5 ++++
chkrootkit.if | 46 +++++++++++++++++++++++++++++++++++++
chkrootkit.te | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
cron.if | 20 ++++++++++++++++
4 files changed, 144 insertions(+)
create mode 100644 chkrootkit.fc
create mode 100644 chkrootkit.if
create mode 100644 chkrootkit.te

diff --git a/chkrootkit.fc b/chkrootkit.fc
new file mode 100644
index 00000000..fa780c34
--- /dev/null
+++ b/chkrootkit.fc
@@ -0,0 +1,5 @@
+/usr/bin/chkrootkit -- gen_context(system_u:object_r:chkrootkit_exec_t,s0)
+
+/usr/sbin/chkrootkit -- gen_context(system_u:object_r:chkrootkit_exec_t,s0)
+
+/var/log/chkrootkit(/.*)? gen_context(system_u:object_r:chkrootkit_log_t,s0)
diff --git a/chkrootkit.if b/chkrootkit.if
new file mode 100644
index 00000000..12589bd9
--- /dev/null
+++ b/chkrootkit.if
@@ -0,0 +1,46 @@
+## <summary>chkrootkit - rootkit checker.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run chkrootkit.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chkrootkit_domtrans',`
+ gen_require(`
+ type chkrootkit_t, chkrootkit_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chkrootkit_exec_t, chkrootkit_t)
+')
+
+########################################
+## <summary>
+## Execute chkrootkit in the chkrootkit domain,
+## and allow the specified role
+## the chkrootkit domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`chkrootkit_run',`
+ gen_require(`
+ attribute_role chkrootkit_roles;
+ ')
+
+ chkrootkit_domtrans($1)
+ roleattribute $2 chkrootkit_roles;
+')
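Review bot: chkrootkit_run takes a role parameter but its doc header carries no `<rolecap/>` tag, while the new cron_exec_crontab added to cron.if in this same patch has one despite taking no role; refpolicy's `_run` interfaces conventionally tag `<rolecap/>` so that role-capability documentation picks them up. Add `## <rolecap/>` after the closing `## </param>` of the role parameter, just before the `#` line that precedes `interface(`chkrootkit_run',`. It is also worth checking whether the `<rolecap/>` on cron_exec_crontab is intended, since that interface only grants can_exec in the caller's domain.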
diff --git a/chkrootkit.te b/chkrootkit.te
new file mode 100644
index 00000000..4bfbb787
--- /dev/null
+++ b/chkrootkit.te
@@ -0,0 +1,73 @@
+policy_module(chkrootkit, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role chkrootkit_roles;
+
+type chkrootkit_t;
+type chkrootkit_exec_t;
+application_domain(chkrootkit_t, chkrootkit_exec_t)
+role chkrootkit_roles types chkrootkit_t;
+
+type chkrootkit_log_t;
+logging_log_file(chkrootkit_log_t)
+
+########################################
+#
+# Application local policy
+#
+
+allow chkrootkit_t self:capability { dac_override dac_read_search setuid sys_ptrace };
+allow chkrootkit_t self:fifo_file rw_fifo_file_perms;
+allow chkrootkit_t self:udp_socket { create ioctl };
+
+kernel_read_all_sysctls(chkrootkit_t)
+kernel_getattr_proc(chkrootkit_t)
+kernel_read_network_state(chkrootkit_t)
+kernel_getattr_message_if(chkrootkit_t)
+
+corecmd_exec_bin(chkrootkit_t)
+corecmd_exec_shell(chkrootkit_t)
+
+dev_read_rand(chkrootkit_t)
+dev_read_urand(chkrootkit_t)
+dev_getattr_all_chr_files(chkrootkit_t)
+
+domain_read_all_domains_state(chkrootkit_t)
+domain_use_interactive_fds(chkrootkit_t)
+domain_getattr_all_sockets(chkrootkit_t)
+domain_getattr_all_pipes(chkrootkit_t)
+
+files_read_non_auth_files(chkrootkit_t)
+files_read_all_symlinks(chkrootkit_t)
+files_read_all_chr_files(chkrootkit_t)
+files_getattr_all_pipes(chkrootkit_t)
+
+init_signal(chkrootkit_t)
+
+logging_send_syslog_msg(chkrootkit_t)
+
+miscfiles_read_localization(chkrootkit_t)
+
+term_getattr_unallocated_ttys(chkrootkit_t)
+
+userdom_use_inherited_user_terminals(chkrootkit_t)
+
+usermanage_check_exec_passwd(chkrootkit_t)
+
+ifdef(`init_systemd',`
+ # start as systemd timer
+ init_system_domain(chkrootkit_t, chkrootkit_exec_t)
+')
+
+optional_policy(`
+ cron_system_entry(chkrootkit_t, chkrootkit_exec_t)
+ cron_exec_crontab(chkrootkit_t)
+')
+
+optional_policy(`
+ ssh_exec(chkrootkit_t)
+')
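Review bot: chkrootkit_log_t is declared here and applied to /var/log/chkrootkit by the .fc, but no rule in this file grants chkrootkit_t any access to it, so a chkrootkit_t process writing its own log there will be denied and nothing labels a freshly created log with that type. If the log is written by the calling cron job rather than by chkrootkit itself this may be deliberate, but then the type is unused by this domain and deserves a comment saying so. Otherwise add `manage_dirs_pattern(chkrootkit_t, chkrootkit_log_t, chkrootkit_log_t)`, `manage_files_pattern(chkrootkit_t, chkrootkit_log_t, chkrootkit_log_t)` and `logging_log_filetrans(chkrootkit_t, chkrootkit_log_t, { dir file })` alongside logging_send_syslog_msg. Separately, the self:capability rule grants both dac_override and dac_read_search; for a scanner that only reads, dac_read_search is normally sufficient, so a short comment naming the operation that needs dac_override (or dropping it) would help a least-privilege review.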
diff --git a/cron.if b/cron.if
index 0e22bb86..23bd1417 100644
--- a/cron.if
+++ b/cron.if
@@ -896,6 +896,26 @@ interface(`cron_dontaudit_write_system_job_tmp_files',`

########################################
## <summary>
+## Execute crontab in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cron_exec_crontab',`
+ gen_require(`
+ type crontab_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, crontab_exec_t)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate a cron environment.
## </summary>
--
2.11.0


2017-06-09 15:43:36

by Guido Trentalancia

Subject: [refpolicy] [PATCH] chkrootkit: add policy module

On Fri, 09/06/2017 at 15.39 +0200, Christian Göttsche via
refpolicy wrote:
> From: cgzones <[email protected]>
>
> v2:
> - remove bin_t fc
> ---
> chkrootkit.fc | 5 ++++
> chkrootkit.if | 46 +++++++++++++++++++++++++++++++++++++
> chkrootkit.te | 73
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> cron.if | 20 ++++++++++++++++
> 4 files changed, 144 insertions(+)
> create mode 100644 chkrootkit.fc
> create mode 100644 chkrootkit.if
> create mode 100644 chkrootkit.te
>
> diff --git a/chkrootkit.fc b/chkrootkit.fc
> new file mode 100644
> index 00000000..fa780c34
> --- /dev/null
> +++ b/chkrootkit.fc
> @@ -0,0 +1,5 @@
> +/usr/bin/chkrootkit -- gen_context(system_u:object_r:c
> hkrootkit_exec_t,s0)
> +
> +/usr/sbin/chkrootkit -- gen_context(system_u:object_r:
> chkrootkit_exec_t,s0)
> +
> +/var/log/chkrootkit(/.*)? gen_context(system_u:object_r:chkro
> otkit_log_t,s0)
> diff --git a/chkrootkit.if b/chkrootkit.if
> new file mode 100644
> index 00000000..12589bd9
> --- /dev/null
> +++ b/chkrootkit.if
> @@ -0,0 +1,46 @@
> +## <summary>chkrootkit - rootkit checker.</summary>
> +
> +########################################
> +## <summary>
> +## Execute a domain transition to run chkrootkit.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`chkrootkit_domtrans',`
> + gen_require(`
> + type chkrootkit_t, chkrootkit_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, chkrootkit_exec_t, chkrootkit_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute chkrootkit in the chkrootkit domain,
> +## and allow the specified role
> +## the chkrootkit domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`chkrootkit_run',`
> + gen_require(`
> + attribute_role chkrootkit_roles;
> + ')
> +
> + chkrootkit_domtrans($1)
> + roleattribute $2 chkrootkit_roles;
> +')
> diff --git a/chkrootkit.te b/chkrootkit.te
> new file mode 100644
> index 00000000..4bfbb787
> --- /dev/null
> +++ b/chkrootkit.te
> @@ -0,0 +1,73 @@
> +policy_module(chkrootkit, 0.0.1)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +attribute_role chkrootkit_roles;
> +
> +type chkrootkit_t;
> +type chkrootkit_exec_t;
> +application_domain(chkrootkit_t, chkrootkit_exec_t)
> +role chkrootkit_roles types chkrootkit_t;
> +
> +type chkrootkit_log_t;
> +logging_log_file(chkrootkit_log_t)
> +
> +########################################
> +#
> +# Application local policy
> +#
> +
> +allow chkrootkit_t self:capability { dac_override dac_read_search
> setuid sys_ptrace };
> +allow chkrootkit_t self:fifo_file rw_fifo_file_perms;
> +allow chkrootkit_t self:udp_socket { create ioctl };
> +
> +kernel_read_all_sysctls(chkrootkit_t)
> +kernel_getattr_proc(chkrootkit_t)
> +kernel_read_network_state(chkrootkit_t)
> +kernel_getattr_message_if(chkrootkit_t)
> +
> +corecmd_exec_bin(chkrootkit_t)

Is the above needed to execute its own binary files located in
/usr/lib/chkrootkit ?

If yes, then it is probably safer if you assign a private executable
type to those files and add a permission here to execute those files
only instead of all generic binary files...

Just an idea...

> +corecmd_exec_shell(chkrootkit_t)
> +
> +dev_read_rand(chkrootkit_t)
> +dev_read_urand(chkrootkit_t)
> +dev_getattr_all_chr_files(chkrootkit_t)
> +
> +domain_read_all_domains_state(chkrootkit_t)
> +domain_use_interactive_fds(chkrootkit_t)
> +domain_getattr_all_sockets(chkrootkit_t)
> +domain_getattr_all_pipes(chkrootkit_t)
> +
> +files_read_non_auth_files(chkrootkit_t)
> +files_read_all_symlinks(chkrootkit_t)
> +files_read_all_chr_files(chkrootkit_t)
> +files_getattr_all_pipes(chkrootkit_t)
> +
> +init_signal(chkrootkit_t)
> +
> +logging_send_syslog_msg(chkrootkit_t)
> +
> +miscfiles_read_localization(chkrootkit_t)
> +
> +term_getattr_unallocated_ttys(chkrootkit_t)
> +
> +userdom_use_inherited_user_terminals(chkrootkit_t)
> +
> +usermanage_check_exec_passwd(chkrootkit_t)
> +
> +ifdef(`init_systemd',`
> + # start as systemd timer
> + init_system_domain(chkrootkit_t, chkrootkit_exec_t)
> +')
> +
> +optional_policy(`
> + cron_system_entry(chkrootkit_t, chkrootkit_exec_t)
> + cron_exec_crontab(chkrootkit_t)
> +')
> +
> +optional_policy(`
> + ssh_exec(chkrootkit_t)
> +')
> diff --git a/cron.if b/cron.if
> index 0e22bb86..23bd1417 100644
> --- a/cron.if
> +++ b/cron.if
> @@ -896,6 +896,26 @@
> interface(`cron_dontaudit_write_system_job_tmp_files',`
>
> ########################################
> ## <summary>
> +## Execute crontab in the caller domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`cron_exec_crontab',`
> + gen_require(`
> + type crontab_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + can_exec($1, crontab_exec_t)
> +')
> +
> +########################################
> +## <summary>
> ## All of the rules required to
> ## administrate a cron environment.
> ## </summary>

Regards,

Guido

2017-06-09 13:57:22

by Christian Göttsche

Subject: [refpolicy] [PATCH] chkrootkit: add policy module

2017-06-09 17:43 GMT+02:00 Guido Trentalancia via refpolicy
<[email protected]>:
> On Fri, 09/06/2017 at 15.39 +0200, Christian Göttsche via
> refpolicy wrote:
>> From: cgzones <[email protected]>
>>
>> v2:
>> - remove bin_t fc
>> ---
>> chkrootkit.fc | 5 ++++
>> chkrootkit.if | 46 +++++++++++++++++++++++++++++++++++++
>> chkrootkit.te | 73
>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>> cron.if | 20 ++++++++++++++++
>> 4 files changed, 144 insertions(+)
>> create mode 100644 chkrootkit.fc
>> create mode 100644 chkrootkit.if
>> create mode 100644 chkrootkit.te
>>
>> diff --git a/chkrootkit.fc b/chkrootkit.fc
>> new file mode 100644
>> index 00000000..fa780c34
>> --- /dev/null
>> +++ b/chkrootkit.fc
>> @@ -0,0 +1,5 @@
>> +/usr/bin/chkrootkit -- gen_context(system_u:object_r:c
>> hkrootkit_exec_t,s0)
>> +
>> +/usr/sbin/chkrootkit -- gen_context(system_u:object_r:
>> chkrootkit_exec_t,s0)
>> +
>> +/var/log/chkrootkit(/.*)? gen_context(system_u:object_r:chkro
>> otkit_log_t,s0)
>> diff --git a/chkrootkit.if b/chkrootkit.if
>> new file mode 100644
>> index 00000000..12589bd9
>> --- /dev/null
>> +++ b/chkrootkit.if
>> @@ -0,0 +1,46 @@
>> +## <summary>chkrootkit - rootkit checker.</summary>
>> +
>> +########################################
>> +## <summary>
>> +## Execute a domain transition to run chkrootkit.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed to transition.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`chkrootkit_domtrans',`
>> + gen_require(`
>> + type chkrootkit_t, chkrootkit_exec_t;
>> + ')
>> +
>> + corecmd_search_bin($1)
>> + domtrans_pattern($1, chkrootkit_exec_t, chkrootkit_t)
>> +')
>> +
>> +########################################
>> +## <summary>
>> +## Execute chkrootkit in the chkrootkit domain,
>> +## and allow the specified role
>> +## the chkrootkit domain.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed to transition.
>> +## </summary>
>> +## </param>
>> +## <param name="role">
>> +## <summary>
>> +## Role allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`chkrootkit_run',`
>> + gen_require(`
>> + attribute_role chkrootkit_roles;
>> + ')
>> +
>> + chkrootkit_domtrans($1)
>> + roleattribute $2 chkrootkit_roles;
>> +')
>> diff --git a/chkrootkit.te b/chkrootkit.te
>> new file mode 100644
>> index 00000000..4bfbb787
>> --- /dev/null
>> +++ b/chkrootkit.te
>> @@ -0,0 +1,73 @@
>> +policy_module(chkrootkit, 0.0.1)
>> +
>> +########################################
>> +#
>> +# Declarations
>> +#
>> +
>> +attribute_role chkrootkit_roles;
>> +
>> +type chkrootkit_t;
>> +type chkrootkit_exec_t;
>> +application_domain(chkrootkit_t, chkrootkit_exec_t)
>> +role chkrootkit_roles types chkrootkit_t;
>> +
>> +type chkrootkit_log_t;
>> +logging_log_file(chkrootkit_log_t)
>> +
>> +########################################
>> +#
>> +# Application local policy
>> +#
>> +
>> +allow chkrootkit_t self:capability { dac_override dac_read_search
>> setuid sys_ptrace };
>> +allow chkrootkit_t self:fifo_file rw_fifo_file_perms;
>> +allow chkrootkit_t self:udp_socket { create ioctl };
>> +
>> +kernel_read_all_sysctls(chkrootkit_t)
>> +kernel_getattr_proc(chkrootkit_t)
>> +kernel_read_network_state(chkrootkit_t)
>> +kernel_getattr_message_if(chkrootkit_t)
>> +
>> +corecmd_exec_bin(chkrootkit_t)
>
> Is the above needed to execute its own binary files located in
> /usr/lib/chkrootkit ?
>
> If yes, then it is probably safer if you assign a private executable
> type to those files and add a permission here to execute those files
> only instead of all generic binary files...
>
> Just an idea...

No, chkrootkit also executes (e)grep, find, netstat, strings and
probably others too

>
>> +corecmd_exec_shell(chkrootkit_t)
>> +
>> +dev_read_rand(chkrootkit_t)
>> +dev_read_urand(chkrootkit_t)
>> +dev_getattr_all_chr_files(chkrootkit_t)
>> +
>> +domain_read_all_domains_state(chkrootkit_t)
>> +domain_use_interactive_fds(chkrootkit_t)
>> +domain_getattr_all_sockets(chkrootkit_t)
>> +domain_getattr_all_pipes(chkrootkit_t)
>> +
>> +files_read_non_auth_files(chkrootkit_t)
>> +files_read_all_symlinks(chkrootkit_t)
>> +files_read_all_chr_files(chkrootkit_t)
>> +files_getattr_all_pipes(chkrootkit_t)
>> +
>> +init_signal(chkrootkit_t)
>> +
>> +logging_send_syslog_msg(chkrootkit_t)
>> +
>> +miscfiles_read_localization(chkrootkit_t)
>> +
>> +term_getattr_unallocated_ttys(chkrootkit_t)
>> +
>> +userdom_use_inherited_user_terminals(chkrootkit_t)
>> +
>> +usermanage_check_exec_passwd(chkrootkit_t)
>> +
>> +ifdef(`init_systemd',`
>> + # start as systemd timer
>> + init_system_domain(chkrootkit_t, chkrootkit_exec_t)
>> +')
>> +
>> +optional_policy(`
>> + cron_system_entry(chkrootkit_t, chkrootkit_exec_t)
>> + cron_exec_crontab(chkrootkit_t)
>> +')
>> +
>> +optional_policy(`
>> + ssh_exec(chkrootkit_t)
>> +')
>> diff --git a/cron.if b/cron.if
>> index 0e22bb86..23bd1417 100644
>> --- a/cron.if
>> +++ b/cron.if
>> @@ -896,6 +896,26 @@
>> interface(`cron_dontaudit_write_system_job_tmp_files',`
>>
>> ########################################
>> ## <summary>
>> +## Execute crontab in the caller domain.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +## <rolecap/>
>> +#
>> +interface(`cron_exec_crontab',`
>> + gen_require(`
>> + type crontab_exec_t;
>> + ')
>> +
>> + corecmd_search_bin($1)
>> + can_exec($1, crontab_exec_t)
>> +')
>> +
>> +########################################
>> +## <summary>
>> ## All of the rules required to
>> ## administrate a cron environment.
>> ## </summary>
>
> Regards,
>
> Guido
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

2017-06-12 22:35:41

by Chris PeBenito

Subject: [refpolicy] [PATCH] chkrootkit: add policy module

On 06/09/2017 09:39 AM, Christian Göttsche via refpolicy wrote:
> From: cgzones <[email protected]>
>
> v2:
> - remove bin_t fc
> ---
> chkrootkit.fc | 5 ++++
> chkrootkit.if | 46 +++++++++++++++++++++++++++++++++++++
> chkrootkit.te | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> cron.if | 20 ++++++++++++++++
> 4 files changed, 144 insertions(+)
> create mode 100644 chkrootkit.fc
> create mode 100644 chkrootkit.if
> create mode 100644 chkrootkit.te
>
> diff --git a/chkrootkit.fc b/chkrootkit.fc
> new file mode 100644
> index 00000000..fa780c34
> --- /dev/null
> +++ b/chkrootkit.fc
> @@ -0,0 +1,5 @@
> +/usr/bin/chkrootkit -- gen_context(system_u:object_r:chkrootkit_exec_t,s0)
> +
> +/usr/sbin/chkrootkit -- gen_context(system_u:object_r:chkrootkit_exec_t,s0)
> +
> +/var/log/chkrootkit(/.*)? gen_context(system_u:object_r:chkrootkit_log_t,s0)
> diff --git a/chkrootkit.if b/chkrootkit.if
> new file mode 100644
> index 00000000..12589bd9
> --- /dev/null
> +++ b/chkrootkit.if
> @@ -0,0 +1,46 @@
> +## <summary>chkrootkit - rootkit checker.</summary>
> +
> +########################################
> +## <summary>
> +## Execute a domain transition to run chkrootkit.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`chkrootkit_domtrans',`
> + gen_require(`
> + type chkrootkit_t, chkrootkit_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, chkrootkit_exec_t, chkrootkit_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute chkrootkit in the chkrootkit domain,
> +## and allow the specified role
> +## the chkrootkit domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`chkrootkit_run',`
> + gen_require(`
> + attribute_role chkrootkit_roles;
> + ')
> +
> + chkrootkit_domtrans($1)
> + roleattribute $2 chkrootkit_roles;
> +')
> diff --git a/chkrootkit.te b/chkrootkit.te
> new file mode 100644
> index 00000000..4bfbb787
> --- /dev/null
> +++ b/chkrootkit.te
> @@ -0,0 +1,73 @@
> +policy_module(chkrootkit, 0.0.1)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +attribute_role chkrootkit_roles;
> +
> +type chkrootkit_t;
> +type chkrootkit_exec_t;
> +application_domain(chkrootkit_t, chkrootkit_exec_t)
> +role chkrootkit_roles types chkrootkit_t;
> +
> +type chkrootkit_log_t;
> +logging_log_file(chkrootkit_log_t)
> +
> +########################################
> +#
> +# Application local policy
> +#
> +
> +allow chkrootkit_t self:capability { dac_override dac_read_search setuid sys_ptrace };
> +allow chkrootkit_t self:fifo_file rw_fifo_file_perms;
> +allow chkrootkit_t self:udp_socket { create ioctl };
> +
> +kernel_read_all_sysctls(chkrootkit_t)
> +kernel_getattr_proc(chkrootkit_t)
> +kernel_read_network_state(chkrootkit_t)
> +kernel_getattr_message_if(chkrootkit_t)
> +
> +corecmd_exec_bin(chkrootkit_t)
> +corecmd_exec_shell(chkrootkit_t)
> +
> +dev_read_rand(chkrootkit_t)
> +dev_read_urand(chkrootkit_t)
> +dev_getattr_all_chr_files(chkrootkit_t)
> +
> +domain_read_all_domains_state(chkrootkit_t)
> +domain_use_interactive_fds(chkrootkit_t)
> +domain_getattr_all_sockets(chkrootkit_t)
> +domain_getattr_all_pipes(chkrootkit_t)
> +
> +files_read_non_auth_files(chkrootkit_t)
> +files_read_all_symlinks(chkrootkit_t)
> +files_read_all_chr_files(chkrootkit_t)
> +files_getattr_all_pipes(chkrootkit_t)
> +
> +init_signal(chkrootkit_t)
> +
> +logging_send_syslog_msg(chkrootkit_t)
> +
> +miscfiles_read_localization(chkrootkit_t)
> +
> +term_getattr_unallocated_ttys(chkrootkit_t)
> +
> +userdom_use_inherited_user_terminals(chkrootkit_t)
> +
> +usermanage_check_exec_passwd(chkrootkit_t)
> +
> +ifdef(`init_systemd',`
> + # start as systemd timer
> + init_system_domain(chkrootkit_t, chkrootkit_exec_t)
> +')
> +
> +optional_policy(`
> + cron_system_entry(chkrootkit_t, chkrootkit_exec_t)
> + cron_exec_crontab(chkrootkit_t)
> +')
> +
> +optional_policy(`
> + ssh_exec(chkrootkit_t)
> +')
> diff --git a/cron.if b/cron.if
> index 0e22bb86..23bd1417 100644
> --- a/cron.if
> +++ b/cron.if
> @@ -896,6 +896,26 @@ interface(`cron_dontaudit_write_system_job_tmp_files',`
>
> ########################################
> ## <summary>
> +## Execute crontab in the caller domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`cron_exec_crontab',`
> + gen_require(`
> + type crontab_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + can_exec($1, crontab_exec_t)
> +')

Merged.

--
Chris PeBenito