| 1 |
On Fri, Nov 25, 2016 at 10:16:24AM +0000, Robert Sharp wrote: |
| 2 |
> Hi, |
| 3 |
> |
| 4 |
> I can run rkhunter as root with role sysadm_r and there are no issues, |
| 5 |
> but when I run it from a cron job I get lots of AVCs because the source |
| 6 |
> context is system_cronjob_t. I am using vixie-cron and running rkhunter |
| 7 |
> from a crontab in /etc/cron.d/. |
| 8 |
> |
| 9 |
> I can see 2 options for fixing this: |
| 10 |
> |
| 11 |
> 1) set the label on the crontab to be the same as when I run rkhunter |
| 12 |
> with no AVCs (sysadm_r). Not sure if this happens with a system crontab. |
| 13 |
> I would need to set the boolean cron_userdomain_transition to true, and |
| 14 |
> it would end up with a crontab file having a different label to that |
| 15 |
> specified by the policy. |
| 16 |
cron_userdomain_transition is for user's crontabs i thought, not for |
| 17 |
/etc/cron.daily and stuff? |
| 18 |
ie crontab -u root -e |
| 19 |
If the boolean is on, everything there just gets run in sysadm_t so it |
| 20 |
would definitely be the least work to get it working. |
| 21 |
|
| 22 |
> 2) create an intermediate script that I run from the crontab, that |
| 23 |
> itself runs rkhunter and effects a transition to the sysadm_t context |
| 24 |
> before doing so. I would need to write a short policy to do this and |
| 25 |
> allow system_cronjob_t to make the transition. This looks like the |
| 26 |
> better route to go. |
| 27 |
dont bother with this, you'd need to write policy for it and its |
| 28 |
probably easier to just write a policy directly for rkhunter instead of |
| 29 |
just your script. |
| 30 |
> |
| 31 |
> Does anyone have any views about the best way to proceed or whether to |
| 32 |
> do this at all? |
| 33 |
|
| 34 |
Ideally, rkhunter should just have a policy. |
| 35 |
It would need something like: cron_system_entry(rkhunter_t, rkhunter_exec_t) |
| 36 |
If you wanted to write one, basing it off the aide policy would probably |
| 37 |
help. |
| 38 |
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib/aide.te |
| 39 |
Its quite a simple policy, it pretty much just needs to read everything |
| 40 |
on disk. |
| 41 |
|
| 42 |
-- Jason |
Archives