On Fri, Nov 25, 2016 at 10:16:24AM +0000, Robert Sharp wrote:
> Hi,
>
> I can run rkhunter as root with role sysadm_r and there are no issues,
> but when I run it from a cron job I get lots of AVCs because the source
> context is system_cronjob_t. I am using vixie-cron and running rkhunter
> from a crontab in /etc/cron.d/.
>
> I can see 2 options for fixing this:
>
> 1) set the label on the crontab to be the same as when I run rkhunter
> with no AVCs (sysadm_r). Not sure if this happens with a system crontab.
> I would need to set the boolean cron_userdomain_transition to true, and
> it would end up with a crontab file having a different label to that
> specified by the policy.

cron_userdomain_transition is for users' crontabs, I thought, not for
/etc/cron.daily and stuff?
i.e. crontab -u root -e
If the boolean is on, everything there just gets run in sysadm_t, so it
would definitely be the least work to get it working.

> 2) create an intermediate script that I run from the crontab, that
> itself runs rkhunter and effects a transition to the sysadm_t context
> before doing so. I would need to write a short policy to do this and
> allow system_cronjob_t to make the transition. This looks like the
> better route to go.

Don't bother with this, you'd need to write policy for it and it's
probably easier to just write a policy directly for rkhunter instead of
just your script.

>
> Does anyone have any views about the best way to proceed or whether to
> do this at all?

Ideally, rkhunter should just have a policy.
It would need something like: cron_system_entry(rkhunter_t, rkhunter_exec_t)
If you wanted to write one, basing it off the aide policy would probably
help.
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib/aide.te
It's quite a simple policy, it pretty much just needs to read everything
on disk.

-- Jason
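As an added illustration of the approach Jason sketches (a dedicated rkhunter domain that cron can enter via cron_system_entry, modelled on the aide module), the following rkhunter.te is example code written for this page, not a policy from the thread, from refpolicy or from the rkhunter project. It assumes the refpolicy interfaces it calls (init_system_domain, files_read_all_files, cron_system_entry, logging_log_filetrans and so on) exist in the installed policy headers, and that rkhunter keeps its database under /var/lib/rkhunter and its log under /var/log; type names, the module version and the set of capabilities are assumptions to be checked against the AVCs on the actual system.

```selinux
# rkhunter.te - example SELinux module in the refpolicy style (not from the thread).
# Modelled on the aide.te pattern: one system domain, an entry point type,
# a data type, a log type, read access to the whole filesystem, and a
# cron_system_entry() so system_cronjob_t transitions into rkhunter_t
# instead of running rkhunter in its own context.

policy_module(rkhunter, 0.1)

########################################
#
# Declarations
#

# Domain the scanner runs in, and the label of the rkhunter executable.
type rkhunter_t;
type rkhunter_exec_t;
init_system_domain(rkhunter_t, rkhunter_exec_t)
role system_r types rkhunter_t;

# Assumed: the file-properties database lives under /var/lib/rkhunter.
type rkhunter_var_lib_t;
files_type(rkhunter_var_lib_t)

# Assumed: rkhunter writes its own log file under /var/log.
type rkhunter_log_t;
logging_log_file(rkhunter_log_t)

########################################
#
# Policy
#

# Read files regardless of DAC mode bits; these are assumptions to trim
# if the audit log never shows them being needed.
allow rkhunter_t self:capability { dac_override dac_read_search };
allow rkhunter_t self:process { signal getsched };
allow rkhunter_t self:fifo_file rw_fifo_file_perms;

# Own database directory and files, created under /var/lib with the right label.
manage_dirs_pattern(rkhunter_t, rkhunter_var_lib_t, rkhunter_var_lib_t)
manage_files_pattern(rkhunter_t, rkhunter_var_lib_t, rkhunter_var_lib_t)
files_var_lib_filetrans(rkhunter_t, rkhunter_var_lib_t, dir)

# Own log file, created under /var/log with the right label.
manage_files_pattern(rkhunter_t, rkhunter_log_t, rkhunter_log_t)
logging_log_filetrans(rkhunter_t, rkhunter_log_t, file)

# The core of the policy: like aide, it has to read everything on disk
# to compare it against its database. No write access is granted.
files_read_all_files(rkhunter_t)
files_read_all_symlinks(rkhunter_t)
files_getattr_all_pipes(rkhunter_t)
files_getattr_all_sockets(rkhunter_t)

# rkhunter is a shell script and shells out to stat, strings, file, etc.
corecmd_exec_bin(rkhunter_t)
corecmd_exec_shell(rkhunter_t)

logging_send_syslog_msg(rkhunter_t)

# Allow interactive runs from an admin terminal as well as from cron.
userdom_use_user_terminals(rkhunter_t)

# Here is the transition Jason mentions: a system crontab executing a file
# labelled rkhunter_exec_t puts the job into rkhunter_t, not system_cronjob_t.
optional_policy(`
	cron_system_entry(rkhunter_t, rkhunter_exec_t)
')
```

A matching rkhunter.fc would label the executable and data, for example `/usr/bin/rkhunter -- gen_context(system_u:object_r:rkhunter_exec_t,s0)` plus entries for the /var/lib/rkhunter directory and the log file (the /usr/bin path is an assumption; check where the package installs it). On a refpolicy-based system the module builds with the Makefile under /usr/share/selinux/<policytype>/include, loads with `semodule -i rkhunter.pp`, and the labels are applied with restorecon. The skeleton is deliberately minimal: run rkhunter from the system crontab in permissive mode for that domain first, and add only the accesses that the remaining AVCs show it actually needs, rather than widening it to sysadm_t-level privilege.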