commit: ff01f4a1c8a703bd6fee22d8071a348ad4dda49e
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jun 8 14:15:32 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun 13 08:03:23 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ff01f4a1
rkhunter: add policy module
policy/modules/contrib/apt.te | 5 ++
policy/modules/contrib/cron.if | 18 ++++++
policy/modules/contrib/exim.if | 19 ++++++
policy/modules/contrib/rkhunter.fc | 5 ++
policy/modules/contrib/rkhunter.if | 46 ++++++++++++++
policy/modules/contrib/rkhunter.te | 126 +++++++++++++++++++++++++++++++++++++
6 files changed, 219 insertions(+)
diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
index 63b93257..d6d18a56 100644
--- a/policy/modules/contrib/apt.te
+++ b/policy/modules/contrib/apt.te
@@ -148,6 +148,11 @@ optional_policy(`
')
optional_policy(`
+ # rkhunter trigger
+ rkhunter_domtrans(apt_t)
+')
+
+optional_policy(`
rpm_read_db(apt_t)
rpm_domtrans(apt_t)
')
diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
index 5739d4f0..d5aff32a 100644
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -856,6 +856,24 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
########################################
## <summary>
+## Read and write to inherited system cron job temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_inherited_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
+ ')
+
+ allow $1 system_cronjob_tmp_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to write temporary
## system cron job files.
## </summary>
diff --git a/policy/modules/contrib/exim.if b/policy/modules/contrib/exim.if
index c75f5fa0..495adb85 100644
--- a/policy/modules/contrib/exim.if
+++ b/policy/modules/contrib/exim.if
@@ -2,6 +2,25 @@
########################################
## <summary>
+## Execute exim in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_exec',`
+ gen_require(`
+ type exim_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, exim_exec_t)
+')
+
+########################################
+## <summary>
## Execute a domain transition to run exim.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/rkhunter.fc
b/policy/modules/contrib/rkhunter.fc
new file mode 100644
index 00000000..d3c949c8
--- /dev/null
+++ b/policy/modules/contrib/rkhunter.fc
@@ -0,0 +1,5 @@
+/usr/bin/rkhunter --
gen_context(system_u:object_r:rkhunter_exec_t,s0)
+
+/var/lib/rkhunter(/.*)?
gen_context(system_u:object_r:rkhunter_var_lib_t,s0)
+
+/var/log/rkhunter\.log.* --
gen_context(system_u:object_r:rkhunter_log_t,s0)
diff --git a/policy/modules/contrib/rkhunter.if
b/policy/modules/contrib/rkhunter.if
new file mode 100644
index 00000000..9537e1f5
--- /dev/null
+++ b/policy/modules/contrib/rkhunter.if
@@ -0,0 +1,46 @@
+## <summary>rkhunter - rootkit checker.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run rkhunter.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rkhunter_domtrans',`
+ gen_require(`
+ type rkhunter_t, rkhunter_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rkhunter_exec_t, rkhunter_t)
+')
+
+########################################
+## <summary>
+## Execute rkhunter in the rkhunter domain,
+## and allow the specified role
+## the rkhunter domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`rkhunter_run',`
+ gen_require(`
+ attribute_role rkhunter_roles;
+ ')
+
+ rkhunter_domtrans($1)
+ roleattribute $2 rkhunter_roles;
+')
diff --git a/policy/modules/contrib/rkhunter.te
b/policy/modules/contrib/rkhunter.te
new file mode 100644
index 00000000..a57c826b
--- /dev/null
+++ b/policy/modules/contrib/rkhunter.te
@@ -0,0 +1,126 @@
+policy_module(rkhunter, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether rkhunter can connect
+## to http ports. This is required by the
+## --update option.
+## </p>
+## </desc>
+gen_tunable(rkhunter_connect_http, false)
+
+attribute_role rkhunter_roles;
+
+type rkhunter_t;
+type rkhunter_exec_t;
+application_domain(rkhunter_t, rkhunter_exec_t)
+role rkhunter_roles types rkhunter_t;
+
+type rkhunter_var_lib_t;
+files_type(rkhunter_var_lib_t)
+
+type rkhunter_log_t;
+logging_log_file(rkhunter_log_t)
+
+type rkhunter_tmpfs_t;
+files_tmpfs_file(rkhunter_tmpfs_t)
+
+########################################
+#
+# Application local policy
+#
+
+allow rkhunter_t self:capability { dac_override dac_read_search net_admin
setgid setuid sys_nice sys_ptrace };
+allow rkhunter_t self:process { getsched setsched signal };
+allow rkhunter_t self:netlink_route_socket r_netlink_socket_perms;
+allow rkhunter_t self:tcp_socket { bind connect create listen read write };
+allow rkhunter_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow rkhunter_t self:udp_socket { bind connect create ioctl read write };
+allow rkhunter_t self:fifo_file rw_fifo_file_perms;
+
+allow rkhunter_t rkhunter_log_t:file { append_file_perms create_file_perms
setattr };
+logging_log_filetrans(rkhunter_t, rkhunter_log_t, file)
+
+allow rkhunter_t rkhunter_tmpfs_t:file manage_file_perms;
+fs_tmpfs_filetrans(rkhunter_t, rkhunter_tmpfs_t, file)
+
+allow rkhunter_t rkhunter_var_lib_t:dir manage_dir_perms;
+allow rkhunter_t rkhunter_var_lib_t:file manage_file_perms;
+
+kernel_request_load_module(rkhunter_t)
+kernel_read_all_sysctls(rkhunter_t)
+kernel_read_network_state(rkhunter_t)
+kernel_getattr_message_if(rkhunter_t)
+kernel_get_sysvipc_info(rkhunter_t)
+
+auth_dontaudit_read_shadow(rkhunter_t)
+
+corecmd_exec_bin(rkhunter_t)
+corecmd_exec_shell(rkhunter_t)
+
+corenet_tcp_bind_all_ports(rkhunter_t)
+corenet_udp_bind_all_ports(rkhunter_t)
+corenet_tcp_bind_generic_node(rkhunter_t)
+corenet_udp_bind_generic_node(rkhunter_t)
+
+dev_read_urand(rkhunter_t)
+dev_getattr_all_chr_files(rkhunter_t)
+dev_getattr_all_blk_files(rkhunter_t)
+
+domain_read_all_domains_state(rkhunter_t)
+domain_use_interactive_fds(rkhunter_t)
+domain_getattr_all_sockets(rkhunter_t)
+domain_getattr_all_pipes(rkhunter_t)
+
+hostname_exec(rkhunter_t)
+
+files_read_non_auth_files(rkhunter_t)
+files_read_all_symlinks(rkhunter_t)
+files_read_all_chr_files(rkhunter_t)
+files_getattr_all_pipes(rkhunter_t)
+files_getattr_all_sockets(rkhunter_t)
+
+fs_getattr_tracefs(rkhunter_t)
+fs_getattr_tracefs_dirs(rkhunter_t)
+
+modutils_exec(rkhunter_t)
+
+logging_send_syslog_msg(rkhunter_t)
+
+sysnet_exec_ifconfig(rkhunter_t)
+
+userdom_use_inherited_user_terminals(rkhunter_t)
+
+ifdef(`init_systemd',`
+ # start as systemd timer
+ init_system_domain(rkhunter_t, rkhunter_exec_t)
+')
+
+tunable_policy(`rkhunter_connect_http',`
+ corenet_tcp_connect_http_port(rkhunter_t)
+')
+
+optional_policy(`
+ cron_system_entry(rkhunter_t, rkhunter_exec_t)
+ cron_rw_inherited_system_job_tmp_files(rkhunter_t)
+')
+
+optional_policy(`
+ # exim check
+ exim_exec(rkhunter_t)
+')
+
+optional_policy(`
+ # gpg check
+ gpg_exec(rkhunter_t)
+')
+
+optional_policy(`
+ # ssh check
+ ssh_exec_sshd(rkhunter_t)
+')
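Review bot: The socket rules at `allow rkhunter_t self:tcp_socket { bind connect create listen read write };` together with `corenet_tcp_bind_all_ports(rkhunter_t)`, `corenet_udp_bind_all_ports(rkhunter_t)` and the generic-node binds let a scanner that otherwise only reads state open listening sockets on any port, and the hunk does not say which rkhunter check needs that. If the bind is required only by an optional check, gating it behind a tunable the way `rkhunter_connect_http` gates outbound HTTP would keep the default policy tighter; at minimum a comment such as `# TODO(review): document which rkhunter check needs bind/listen on all ports` above the corenet_*_bind_* calls would help the next maintainer. The capability line granting `sys_ptrace`, `net_admin` and `dac_override` would also benefit from a why-comment, since combined with `domain_read_all_domains_state` and `files_read_non_auth_files` the domain can read nearly every process and file on the host. Note as well that the rkhunter.fc hunk labels rotated `rkhunter\.log.*` files while the log rules here grant only append/create/setattr; if rkhunter rotates its log by rename rather than by copy, `rename` would be missing — worth confirming against the tool's behaviour before the module is merged.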