# SELinux policy module for rkhunter (Rootkit Hunter).  It confines the
# scanner in its own domain, rkhunter_t, entered by executing a file
# labeled rkhunter_exec_t.
policy_module(rkhunter, 1.0.1)
########################################
#
# Declarations
#
# Outbound network access is OFF by default.  When this boolean is enabled,
# the tunable_policy block in the local policy section grants name_connect
# to http_port_t only.  Nothing in this module validates what --update
# downloads, so leave it disabled on hosts whose rkhunter database is
# refreshed by other means (e.g. package updates).
# NOTE(review): no name-resolution interface (e.g. sysnet_dns_name_resolve)
# is granted alongside it -- confirm --update works with the boolean on.
## <desc>
## <p>
## Determine whether rkhunter can connect
## to http ports. This is required by the
## --update option.
## </p>
## </desc>
gen_tunable(rkhunter_connect_http, false)
# Roles permitted to enter rkhunter_t are collected in this attribute;
# presumably the role-granting interfaces live in rkhunter.if (not shown).
attribute_role rkhunter_roles;
# The scanner domain and its entry-point executable type.
# application_domain() sets rkhunter_t up as an application domain (as
# opposed to an init-started daemon domain) with rkhunter_exec_t as entry.
type rkhunter_t;
type rkhunter_exec_t;
application_domain(rkhunter_t, rkhunter_exec_t)
role rkhunter_roles types rkhunter_t;
# Log files written by the scanner; the name transition in the log
# directory is set up in the local policy section.
type rkhunter_log_t;
logging_log_file(rkhunter_log_t)
# Scratch files the scanner creates on tmpfs.
type rkhunter_tmpfs_t;
files_tmpfs_file(rkhunter_tmpfs_t)
# Persistent state -- presumably the properties database under
# /var/lib/rkhunter; the path labeling lives in rkhunter.fc (not shown).
type rkhunter_var_lib_t;
files_type(rkhunter_var_lib_t)
########################################
#
# Application local policy
#
# rkhunter_t is a broad, mostly read-only inspection domain: it may read
# the /proc state of every process, most files, all sysctls and the network
# state, and bind any port.  Everything that transitions into it (system
# cron, systemd timers, roles in rkhunter_roles) inherits that reach, so
# treat the rkhunter executable and its configuration as privileged.
#
# sys_ptrace together with domain_read_all_domains_state (below) lets the
# scanner inspect any process; dac_read_search bypasses DAC on directory
# traversal; kill presumably backs the signull probe of all domains below.
# Deliberately absent: sys_module (cannot insert modules itself) and
# net_bind_service (see the bind rules below).
# NOTE(review): net_admin, setuid and setgid are not explained by any other
# rule in this file -- confirm they are still needed.
allow rkhunter_t self:capability { dac_read_search kill net_admin setgid setuid sys_nice sys_ptrace };
# sys_nice above pairs with setsched here (renicing its own checks).
allow rkhunter_t self:process { getsched setsched signal };
# Read-only netlink (route, tcp_diag) for interface and socket listing.
allow rkhunter_t self:netlink_route_socket r_netlink_socket_perms;
# listen is included: the domain may open a port for connections, not only
# connect out.  Reaching a remote port additionally needs name_connect on
# that port type, which only the rkhunter_connect_http tunable grants here.
allow rkhunter_t self:tcp_socket { bind connect create listen read write };
allow rkhunter_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow rkhunter_t self:udp_socket { bind connect create ioctl read write };
allow rkhunter_t self:fifo_file rw_fifo_file_perms;
# Log file: append and create (plus setattr) only -- no read, overwrite,
# rename or unlink, so the domain cannot rewrite its own history.  New
# files in the log directory are labeled rkhunter_log_t automatically.
allow rkhunter_t rkhunter_log_t:file { append_file_perms create_file_perms setattr };
logging_log_filetrans(rkhunter_t, rkhunter_log_t, file)
# Scratch files on tmpfs, labeled rkhunter_tmpfs_t on creation.
allow rkhunter_t rkhunter_tmpfs_t:file manage_file_perms;
fs_tmpfs_filetrans(rkhunter_t, rkhunter_tmpfs_t, file)
# Full control of its own state directory and files.  No filetrans rule
# here, so the directory presumably has to be pre-labeled via the .fc.
allow rkhunter_t rkhunter_var_lib_t:dir manage_dir_perms;
allow rkhunter_t rkhunter_var_lib_t:file manage_file_perms;
# Kernel: may trigger module autoload requests (module_request) but, with no
# sys_module capability, cannot load modules directly; reads every sysctl,
# the network state, the kernel message interface's attributes and SysV IPC
# info.
kernel_request_load_module(rkhunter_t)
kernel_read_all_sysctls(rkhunter_t)
kernel_read_network_state(rkhunter_t)
kernel_getattr_message_if(rkhunter_t)
kernel_get_sysvipc_info(rkhunter_t)
# /etc/shadow is NOT readable from this domain: the attempt is merely not
# audited, and files_read_non_auth_files below excludes auth files.  Any
# check that needs shadow fails quietly rather than being granted.
auth_dontaudit_read_shadow(rkhunter_t)
# Executes system binaries and shells WITHOUT a domain transition: every
# helper the scanner spawns runs in rkhunter_t with this module's full
# permission set (the *_exec interfaces further down are likewise
# no-transition).
corecmd_exec_bin(rkhunter_t)
corecmd_exec_shell(rkhunter_t)
# May bind any TCP/UDP port on any node -- presumably the backdoor-port
# probe (a bind that fails indicates an existing listener).  Binding a port
# below 1024 would also require the net_bind_service capability, which the
# self:capability rule above does not grant -- confirm that is intended.
corenet_tcp_bind_all_ports(rkhunter_t)
corenet_udp_bind_all_ports(rkhunter_t)
corenet_tcp_bind_generic_node(rkhunter_t)
corenet_udp_bind_generic_node(rkhunter_t)
# Device nodes: stat the device filesystem and all char/block devices; read
# urandom.
dev_getattr_fs(rkhunter_t)
dev_read_urand(rkhunter_t)
dev_getattr_all_chr_files(rkhunter_t)
dev_getattr_all_blk_files(rkhunter_t)
# Process inspection across every domain on the system: /proc/PID state,
# socket and pipe attributes, pgid/session/scheduler queries, and signull
# (an existence probe; no signal is delivered).
domain_read_all_domains_state(rkhunter_t)
domain_use_interactive_fds(rkhunter_t)
domain_getattr_all_sockets(rkhunter_t)
domain_getattr_all_pipes(rkhunter_t)
domain_getpgid_all_domains(rkhunter_t)
domain_getsched_all_domains(rkhunter_t)
domain_getsession_all_domains(rkhunter_t)
domain_signull_all_domains(rkhunter_t)
# Filesystem sweep: read everything except auth files, follow all symlinks,
# read char files that carry ordinary file types, stat pipes and sockets,
# and perform access(2)-style write checks on lock and pid directories.
files_read_non_auth_files(rkhunter_t)
files_read_all_symlinks(rkhunter_t)
files_read_all_chr_files(rkhunter_t)
files_getattr_all_pipes(rkhunter_t)
files_getattr_all_sockets(rkhunter_t)
files_check_write_lock_dirs(rkhunter_t)
files_check_write_pid_dirs(rkhunter_t)
# stat() of tracefs and of xattr-capable filesystems.
fs_getattr_tracefs(rkhunter_t)
fs_getattr_tracefs_dirs(rkhunter_t)
fs_getattr_xattr_fs(rkhunter_t)
# External helpers executed in-domain (no transition): hostname, module
# utilities and ifconfig; results may be sent to syslog.
hostname_exec(rkhunter_t)
logging_send_syslog_msg(rkhunter_t)
modutils_exec(rkhunter_t)
sysnet_exec_ifconfig(rkhunter_t)
# Interactive runs may use the invoking user's inherited terminal.
userdom_use_inherited_user_terminals(rkhunter_t)
# On systemd hosts, init transitions into rkhunter_t when it executes
# rkhunter_exec_t (timer-driven scans).
ifdef(`init_systemd',`
# start as systemd timer
init_system_domain(rkhunter_t, rkhunter_exec_t)
')
# Off by default (see gen_tunable above).  Grants only name_connect to
# http_port_t; since helpers run in-domain, whatever downloader --update
# invokes is what actually exercises this.
tunable_policy(`rkhunter_connect_http',`
corenet_tcp_connect_http_port(rkhunter_t)
')
# System cron jobs transition into rkhunter_t on exec of rkhunter_exec_t
# and may use the temp files inherited from the cron job.
optional_policy(`
cron_system_entry(rkhunter_t, rkhunter_exec_t)
cron_rw_inherited_system_job_tmp_files(rkhunter_t)
')
# The checks below run the named binaries inside rkhunter_t (exec without
# transition); they inherit this module's permissions.
optional_policy(`
# exim check
exim_exec(rkhunter_t)
')
optional_policy(`
# gpg check
gpg_exec(rkhunter_t)
')
optional_policy(`
# ssh check
ssh_exec_sshd(rkhunter_t)
')