Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/admin/chkrootkit.te
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/admin/chkrootkit.te')
-rw-r--r--policy/modules/admin/chkrootkit.te76
1 files changed, 76 insertions, 0 deletions
diff --git a/policy/modules/admin/chkrootkit.te b/policy/modules/admin/chkrootkit.te
new file mode 100644
index 00000000..6d9fc5c3
--- /dev/null
+++ b/policy/modules/admin/chkrootkit.te
@@ -0,0 +1,76 @@
+policy_module(chkrootkit, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role chkrootkit_roles;
+
+type chkrootkit_t;
+type chkrootkit_exec_t;
+application_domain(chkrootkit_t, chkrootkit_exec_t)
+role chkrootkit_roles types chkrootkit_t;
+
+type chkrootkit_log_t;
+logging_log_file(chkrootkit_log_t)
+
+########################################
+#
+# Application local policy
+#
+
+allow chkrootkit_t self:capability { dac_read_search setuid sys_ptrace };
+allow chkrootkit_t self:fifo_file rw_fifo_file_perms;
+allow chkrootkit_t self:udp_socket { create ioctl };
+
+kernel_read_all_sysctls(chkrootkit_t)
+kernel_getattr_proc(chkrootkit_t)
+kernel_read_network_state(chkrootkit_t)
+kernel_getattr_message_if(chkrootkit_t)
+
+corecmd_exec_bin(chkrootkit_t)
+corecmd_exec_shell(chkrootkit_t)
+
+dev_getattr_fs(chkrootkit_t)
+dev_read_rand(chkrootkit_t)
+dev_read_urand(chkrootkit_t)
+dev_getattr_all_chr_files(chkrootkit_t)
+
+domain_read_all_domains_state(chkrootkit_t)
+domain_use_interactive_fds(chkrootkit_t)
+domain_getattr_all_sockets(chkrootkit_t)
+domain_getattr_all_pipes(chkrootkit_t)
+
+files_read_non_auth_files(chkrootkit_t)
+files_read_all_symlinks(chkrootkit_t)
+files_read_all_chr_files(chkrootkit_t)
+files_getattr_all_pipes(chkrootkit_t)
+
+fs_getattr_xattr_fs(chkrootkit_t)
+
+init_signal(chkrootkit_t)
+
+logging_send_syslog_msg(chkrootkit_t)
+
+miscfiles_read_localization(chkrootkit_t)
+
+term_getattr_unallocated_ttys(chkrootkit_t)
+
+userdom_use_inherited_user_terminals(chkrootkit_t)
+
+usermanage_check_exec_passwd(chkrootkit_t)
+
+ifdef(`init_systemd',`
+ # start as systemd timer
+ init_system_domain(chkrootkit_t, chkrootkit_exec_t)
+')
+
+optional_policy(`
+ cron_system_entry(chkrootkit_t, chkrootkit_exec_t)
+ cron_exec_crontab(chkrootkit_t)
+')
+
+optional_policy(`
+ ssh_exec(chkrootkit_t)
+')