From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id D40ED139694 for ; Tue, 13 Jun 2017 08:25:54 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id E739621C1D6; Tue, 13 Jun 2017 08:25:45 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id A743721C1BE for ; Tue, 13 Jun 2017 08:25:45 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 9BCA03418CC for ; Tue, 13 Jun 2017 08:25:44 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id D6833748E for ; Tue, 13 Jun 2017 08:25:39 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1497341003.ff01f4a1c8a703bd6fee22d8071a348ad4dda49e.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/apt.te policy/modules/contrib/cron.if policy/modules/contrib/exim.if policy/modules/contrib/rkhunter.fc policy/modules/contrib/rkhunter.if policy/modules/contrib/rkhunter.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: ff01f4a1c8a703bd6fee22d8071a348ad4dda49e X-VCS-Branch: master Date: Tue, 13 Jun 2017 08:25:39 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 957d8599-5a25-438b-bd0c-bcd19719d993 X-Archives-Hash: 740d58f26521e444d66b3a48797d21bf commit: ff01f4a1c8a703bd6fee22d8071a348ad4dda49e Author: cgzones googlemail com> AuthorDate: Thu Jun 8 14:15:32 2017 +0000 Commit: Jason Zaman gentoo org> CommitDate: Tue Jun 13 08:03:23 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ff01f4a1 rkhunter: add policy module policy/modules/contrib/apt.te | 5 ++ policy/modules/contrib/cron.if | 18 ++++++ policy/modules/contrib/exim.if | 19 ++++++ policy/modules/contrib/rkhunter.fc | 5 ++ policy/modules/contrib/rkhunter.if | 46 ++++++++++++++ policy/modules/contrib/rkhunter.te | 126 +++++++++++++++++++++++++++++++++++++ 6 files changed, 219 insertions(+) diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te index 63b93257..d6d18a56 100644 --- a/policy/modules/contrib/apt.te +++ b/policy/modules/contrib/apt.te 
@@ -148,6 +148,11 @@ optional_policy(` ') optional_policy(` + # rkhunter trigger + rkhunter_domtrans(apt_t) +') + +optional_policy(` rpm_read_db(apt_t) rpm_domtrans(apt_t) ') diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if index 5739d4f0..d5aff32a 100644 --- a/policy/modules/contrib/cron.if +++ b/policy/modules/contrib/cron.if @@ -856,6 +856,24 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` ######################################## ## +## Read and write to inherited system cron job temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_rw_inherited_system_job_tmp_files',` + gen_require(` + type system_cronjob_tmp_t; + ') + + allow $1 system_cronjob_tmp_t:file rw_inherited_file_perms; +') + +######################################## +## ## Do not audit attempts to write temporary ## system cron job files. ## diff --git a/policy/modules/contrib/exim.if b/policy/modules/contrib/exim.if index c75f5fa0..495adb85 100644 --- a/policy/modules/contrib/exim.if +++ b/policy/modules/contrib/exim.if @@ -2,6 +2,25 @@ ######################################## ## +## Execute exim in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`exim_exec',` + gen_require(` + type exim_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, exim_exec_t) +') + +######################################## +## ## Execute a domain transition to run exim. ## ## diff --git a/policy/modules/contrib/rkhunter.fc b/policy/modules/contrib/rkhunter.fc new file mode 100644 index 00000000..d3c949c8 --- /dev/null +++ b/policy/modules/contrib/rkhunter.fc @@ -0,0 +1,5 @@ +/usr/bin/rkhunter -- gen_context(system_u:object_r:rkhunter_exec_t,s0) + +/var/lib/rkhunter(/.*)? gen_context(system_u:object_r:rkhunter_var_lib_t,s0) + +/var/log/rkhunter\.log.* -- gen_context(system_u:object_r:rkhunter_log_t,s0) 
diff --git a/policy/modules/contrib/rkhunter.if b/policy/modules/contrib/rkhunter.if new file mode 100644 index 00000000..9537e1f5 --- /dev/null +++ b/policy/modules/contrib/rkhunter.if @@ -0,0 +1,46 @@ +## rkhunter - rootkit checker. + +######################################## +## +## Execute a domain transition to run rkhunter. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`rkhunter_domtrans',` + gen_require(` + type rkhunter_t, rkhunter_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, rkhunter_exec_t, rkhunter_t) +') + +######################################## +## +## Execute rkhunter in the rkhunter domain, +## and allow the specified role +## the rkhunter domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +# +interface(`rkhunter_run',` + gen_require(` + attribute_role rkhunter_roles; + ') + + rkhunter_domtrans($1) + roleattribute $2 rkhunter_roles; +') diff --git a/policy/modules/contrib/rkhunter.te b/policy/modules/contrib/rkhunter.te new file mode 100644 index 00000000..a57c826b --- /dev/null +++ b/policy/modules/contrib/rkhunter.te @@ -0,0 +1,126 @@ +policy_module(rkhunter, 0.0.1) + +######################################## +# +# Declarations +# + +## +##

+## Determine whether rkhunter can connect +## to http ports. This is required by the +## --update option. +##

+##
+gen_tunable(rkhunter_connect_http, false) + +attribute_role rkhunter_roles; + +type rkhunter_t; +type rkhunter_exec_t; +application_domain(rkhunter_t, rkhunter_exec_t) +role rkhunter_roles types rkhunter_t; + +type rkhunter_var_lib_t; +files_type(rkhunter_var_lib_t) + +type rkhunter_log_t; +logging_log_file(rkhunter_log_t) + +type rkhunter_tmpfs_t; +files_tmpfs_file(rkhunter_tmpfs_t) + +######################################## +# +# Application local policy +# + +allow rkhunter_t self:capability { dac_override dac_read_search net_admin setgid setuid sys_nice sys_ptrace }; +allow rkhunter_t self:process { getsched setsched signal }; +allow rkhunter_t self:netlink_route_socket r_netlink_socket_perms; +allow rkhunter_t self:tcp_socket { bind connect create listen read write }; +allow rkhunter_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +allow rkhunter_t self:udp_socket { bind connect create ioctl read write }; +allow rkhunter_t self:fifo_file rw_fifo_file_perms; + +allow rkhunter_t rkhunter_log_t:file { append_file_perms create_file_perms setattr }; +logging_log_filetrans(rkhunter_t, rkhunter_log_t, file) + +allow rkhunter_t rkhunter_tmpfs_t:file manage_file_perms; +fs_tmpfs_filetrans(rkhunter_t, rkhunter_tmpfs_t, file) + +allow rkhunter_t rkhunter_var_lib_t:dir manage_dir_perms; +allow rkhunter_t rkhunter_var_lib_t:file manage_file_perms; + +kernel_request_load_module(rkhunter_t) +kernel_read_all_sysctls(rkhunter_t) +kernel_read_network_state(rkhunter_t) +kernel_getattr_message_if(rkhunter_t) +kernel_get_sysvipc_info(rkhunter_t) + +auth_dontaudit_read_shadow(rkhunter_t) + +corecmd_exec_bin(rkhunter_t) +corecmd_exec_shell(rkhunter_t) + +corenet_tcp_bind_all_ports(rkhunter_t) +corenet_udp_bind_all_ports(rkhunter_t) +corenet_tcp_bind_generic_node(rkhunter_t) +corenet_udp_bind_generic_node(rkhunter_t) + +dev_read_urand(rkhunter_t) +dev_getattr_all_chr_files(rkhunter_t) +dev_getattr_all_blk_files(rkhunter_t) + +domain_read_all_domains_state(rkhunter_t) 
+domain_use_interactive_fds(rkhunter_t) +domain_getattr_all_sockets(rkhunter_t) +domain_getattr_all_pipes(rkhunter_t) + +hostname_exec(rkhunter_t) + +files_read_non_auth_files(rkhunter_t) +files_read_all_symlinks(rkhunter_t) +files_read_all_chr_files(rkhunter_t) +files_getattr_all_pipes(rkhunter_t) +files_getattr_all_sockets(rkhunter_t) + +fs_getattr_tracefs(rkhunter_t) +fs_getattr_tracefs_dirs(rkhunter_t) + +modutils_exec(rkhunter_t) + +logging_send_syslog_msg(rkhunter_t) + +sysnet_exec_ifconfig(rkhunter_t) + +userdom_use_inherited_user_terminals(rkhunter_t) + +ifdef(`init_systemd',` + # start as systemd timer + init_system_domain(rkhunter_t, rkhunter_exec_t) +') + +tunable_policy(`rkhunter_connect_http',` + corenet_tcp_connect_http_port(rkhunter_t) +') + +optional_policy(` + cron_system_entry(rkhunter_t, rkhunter_exec_t) + cron_rw_inherited_system_job_tmp_files(rkhunter_t) +') + +optional_policy(` + # exim check + exim_exec(rkhunter_t) +') + +optional_policy(` + # gpg check + gpg_exec(rkhunter_t) +') + +optional_policy(` + # ssh check + ssh_exec_sshd(rkhunter_t) +')
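Review bot: the capability line in rkhunter.te, `allow rkhunter_t self:capability { dac_override dac_read_search net_admin setgid setuid sys_nice sys_ptrace };`, is a wide set for a scanner and carries no explanation; a short comment per capability (which check needs sys_ptrace, which needs net_admin) would make later audits of this module much easier. `kernel_request_load_module(rkhunter_t)` deserves the same scrutiny: a rootkit checker that inspects loaded modules (it already gets `modutils_exec`) should not normally be the thing that triggers module autoloading, so if this is only hit as noise a dontaudit is the safer choice. Separately, the `tunable_policy(`rkhunter_connect_http',` block adds only `corenet_tcp_connect_http_port(rkhunter_t)`; if `--update` resolves mirror hostnames, name resolution (for example `sysnet_dns_name_resolve(rkhunter_t)`) would need to be granted in the same block, otherwise enabling the tunable alone will not make `--update` work.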