From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1497341003.083c41d2616bd88fa7014fe87e863570b7ccb439.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/chkrootkit.fc policy/modules/contrib/chkrootkit.if policy/modules/contrib/chkrootkit.te policy/modules/contrib/cron.if X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 083c41d2616bd88fa7014fe87e863570b7ccb439 X-VCS-Branch: master Date: Tue, 13 Jun 2017 08:25:40 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: ad5b379a-b0e6-4319-b97c-f12046908dfb X-Archives-Hash: 1e6962e32dc8e914b900f7c761dd5d6c commit: 083c41d2616bd88fa7014fe87e863570b7ccb439 Author: cgzones googlemail com> AuthorDate: Fri Jun 9 13:39:07 2017 +0000 Commit: Jason Zaman gentoo org> CommitDate: Tue Jun 13 08:03:23 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=083c41d2 chkrootkit: add policy module v2: - remove bin_t fc policy/modules/contrib/chkrootkit.fc | 5 +++ policy/modules/contrib/chkrootkit.if | 46 +++++++++++++++++++++++ policy/modules/contrib/chkrootkit.te | 73 ++++++++++++++++++++++++++++++++++++ policy/modules/contrib/cron.if | 20 ++++++++++ 4 files changed, 144 insertions(+) diff --git a/policy/modules/contrib/chkrootkit.fc b/policy/modules/contrib/chkrootkit.fc new file mode 100644 index 00000000..fa780c34 --- /dev/null +++ b/policy/modules/contrib/chkrootkit.fc 
@@ -0,0 +1,5 @@ +/usr/bin/chkrootkit -- gen_context(system_u:object_r:chkrootkit_exec_t,s0) + +/usr/sbin/chkrootkit -- gen_context(system_u:object_r:chkrootkit_exec_t,s0) + +/var/log/chkrootkit(/.*)? gen_context(system_u:object_r:chkrootkit_log_t,s0) diff --git a/policy/modules/contrib/chkrootkit.if b/policy/modules/contrib/chkrootkit.if new file mode 100644 index 00000000..12589bd9 --- /dev/null +++ b/policy/modules/contrib/chkrootkit.if @@ -0,0 +1,46 @@ +## chkrootkit - rootkit checker. + +######################################## +## +## Execute a domain transition to run chkrootkit. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`chkrootkit_domtrans',` + gen_require(` + type chkrootkit_t, chkrootkit_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, chkrootkit_exec_t, chkrootkit_t) +') + +######################################## +## +## Execute chkrootkit in the chkrootkit domain, +## and allow the specified role +## the chkrootkit domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +# +interface(`chkrootkit_run',` + gen_require(` + attribute_role chkrootkit_roles; + ') + + chkrootkit_domtrans($1) + roleattribute $2 chkrootkit_roles; +') diff --git a/policy/modules/contrib/chkrootkit.te b/policy/modules/contrib/chkrootkit.te new file mode 100644 index 00000000..4bfbb787 --- /dev/null +++ b/policy/modules/contrib/chkrootkit.te 
@@ -0,0 +1,73 @@ +policy_module(chkrootkit, 0.0.1) + +######################################## +# +# Declarations +# + +attribute_role chkrootkit_roles; + +type chkrootkit_t; +type chkrootkit_exec_t; +application_domain(chkrootkit_t, chkrootkit_exec_t) +role chkrootkit_roles types chkrootkit_t; + +type chkrootkit_log_t; +logging_log_file(chkrootkit_log_t) + +######################################## +# +# Application local policy +# + +allow chkrootkit_t self:capability { dac_override dac_read_search setuid sys_ptrace }; +allow chkrootkit_t self:fifo_file rw_fifo_file_perms; +allow chkrootkit_t self:udp_socket { create ioctl }; + +kernel_read_all_sysctls(chkrootkit_t) +kernel_getattr_proc(chkrootkit_t) +kernel_read_network_state(chkrootkit_t) +kernel_getattr_message_if(chkrootkit_t) + +corecmd_exec_bin(chkrootkit_t) +corecmd_exec_shell(chkrootkit_t) + +dev_read_rand(chkrootkit_t) +dev_read_urand(chkrootkit_t) +dev_getattr_all_chr_files(chkrootkit_t) + +domain_read_all_domains_state(chkrootkit_t) +domain_use_interactive_fds(chkrootkit_t) +domain_getattr_all_sockets(chkrootkit_t) +domain_getattr_all_pipes(chkrootkit_t) + +files_read_non_auth_files(chkrootkit_t) +files_read_all_symlinks(chkrootkit_t) +files_read_all_chr_files(chkrootkit_t) +files_getattr_all_pipes(chkrootkit_t) + +init_signal(chkrootkit_t) + +logging_send_syslog_msg(chkrootkit_t) + +miscfiles_read_localization(chkrootkit_t) + +term_getattr_unallocated_ttys(chkrootkit_t) + +userdom_use_inherited_user_terminals(chkrootkit_t) + +usermanage_check_exec_passwd(chkrootkit_t) + +ifdef(`init_systemd',` + # start as systemd timer + init_system_domain(chkrootkit_t, chkrootkit_exec_t) +') + +optional_policy(` + cron_system_entry(chkrootkit_t, chkrootkit_exec_t) + cron_exec_crontab(chkrootkit_t) +') + +optional_policy(` + ssh_exec(chkrootkit_t) +') diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if index d5aff32a..7bb5d6e6 100644 --- a/policy/modules/contrib/cron.if 
+++ b/policy/modules/contrib/cron.if @@ -893,6 +893,26 @@ interface(`cron_dontaudit_write_system_job_tmp_files',` ######################################## ## +## Execute crontab in the caller domain. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`cron_exec_crontab',` + gen_require(` + type crontab_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, crontab_exec_t) +') + +######################################## +## ## All of the rules required to ## administrate a cron environment. ##
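Review bot: in the chkrootkit.if hunk the module exposes only chkrootkit_domtrans and chkrootkit_run, while the .te and .fc hunks introduce chkrootkit_log_t for /var/log/chkrootkit(/.*)?; nothing in the .if lets another domain (a log reader or an admin domain) read or manage that type. Consider adding a read-log or admin interface in the usual refpolicy shape, e.g. gen_require(`type chkrootkit_log_t;') followed by logging_search_logs($1) and read_files_pattern($1, chkrootkit_log_t, chkrootkit_log_t), so the log location is reachable without a local policy patch.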
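Review bot: in the chkrootkit.te hunk chkrootkit_log_t is declared with logging_log_file(), but no rule grants chkrootkit_t any access to it, so a run that writes under /var/log/chkrootkit will be denied, and creating that directory under var_log_t gets no type transition either. Add the write rules and a filetrans next to the other local rules, e.g. manage_dirs_pattern(chkrootkit_t, chkrootkit_log_t, chkrootkit_log_t), manage_files_pattern(chkrootkit_t, chkrootkit_log_t, chkrootkit_log_t) and logging_log_filetrans(chkrootkit_t, chkrootkit_log_t, dir). Separately, the capability line grants dac_override alongside dac_read_search; for a scanner that only reads, dac_read_search is normally sufficient, so dac_override should be backed by an observed denial or dropped.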
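Review bot: in the cron.if hunk the new cron_exec_crontab interface uses can_exec(), so the caller executes the crontab binary without leaving its own domain; the summary "Execute crontab in the caller domain." should say explicitly that no domain transition takes place, so readers do not confuse it with a transition-style interface. The only user, the optional_policy block in chkrootkit.te, carries no comment explaining why chkrootkit needs to run crontab, whereas the init_systemd block just above it does ("# start as systemd timer"); a one-line comment there stating the purpose would make the rule reviewable later.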