commit:     cdd50f44b7b658e9478e9c968a299919a679396c
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Fri Jun  9 13:37:16 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun 13 08:02:15 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cdd50f44

chkrootkit: add interfaces and sysadm permit

v2:
 - add bin_t fc to corecommands

 policy/modules/kernel/corecommands.fc |  1 +
 policy/modules/roles/sysadm.te        |  4 ++++
 policy/modules/system/init.if         | 18 ++++++++++++++++++
 3 files changed, 23 insertions(+)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 320044e9..f1cb22b3 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -426,6 +426,7 @@ ifdef(`distro_suse', `
 /var/ftp/bin(/.*)?                     gen_context(system_u:object_r:bin_t,s0)
 
 /var/lib/asterisk/agi-bin(/.*)?                
gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/chkrootkit/.*         --      gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/yp/.+                 --      gen_context(system_u:object_r:bin_t,s0)
 
 /var/qmail/bin                 -d      gen_context(system_u:object_r:bin_t,s0)
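Review bot: The new `/usr/lib/chkrootkit/.*  --  bin_t` entry labels every regular file under that directory as bin_t, not only the executable helpers, so any data file chkrootkit ships alongside them would become executable-by-policy as well; this matches the `/usr/lib/yp/.+` line directly below it, so it is a conscious convention rather than a defect, but it is worth a one-line comment above the entry such as `# chkrootkit helper binaries (chkproc, chkdirs, ...)` so the next reader knows what lives there. If the Gentoo ebuild installs these helpers under the multilib libdir rather than a fixed `/usr/lib`, the pattern would need to become `/usr/lib(64)?/chkrootkit/.*`; I cannot confirm the install path from the hunk, so please verify against the package.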

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 17e1e26f..e28a28bd 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -236,6 +236,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+       chkrootkit_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
        chronyd_admin(sysadm_t, sysadm_r)
 ')
 
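Review bot: `chkrootkit_run(sysadm_t, sysadm_r)` references an interface that this commit does not define anywhere in its three files, so the build depends on a `chkrootkit.if` providing it that must already be merged (presumably `policy/modules/admin/chkrootkit.if`). The `optional_policy` wrapper only guards against the chkrootkit module being disabled, not against the interface being absent, so this commit should land after, or together with, the one that adds the interface. A short mention of that dependency in the commit message (or the module it expects) would make the ordering explicit for anyone bisecting.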

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 05fa767f..b9878d02 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -679,6 +679,24 @@ interface(`init_getpgid',`
 
 ########################################
 ## <summary>
+##     Send init a generic signal.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`init_signal',`
+       gen_require(`
+               type init_t;
+       ')
+
+       allow $1 init_t:process signal;
+')
+
+########################################
+## <summary>
 ##     Send init a null signal.
 ## </summary>
 ## <param name="domain">
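Review bot: `allow $1 init_t:process signal;` in the new `init_signal` interface grants the generic-signal permission on PID 1, which covers real signals such as SIGHUP and SIGTERM rather than the harmless `kill -0` probe; the existing `init_signull` interface immediately below already covers the null-signal case, so any caller that only needs to test for the presence of a PID (hidden-process detection is what chkrootkit's helpers are known for) should use that instead. Since the consumer of this interface is not in the diff I cannot tell which it needs, but the summary should make the distinction clear, e.g. `## Send init a generic signal (SIGHUP, SIGTERM, ...). Callers that only need to probe for a PID should use init_signull() instead.` The interface body itself is consistent with the neighbouring ones in style.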
