On Fri, Nov 25, 2016 at 02:01:51PM +0000, Robert Sharp wrote:
> On 25/11/16 11:51, Jason Zaman wrote:
>
> Ideally, rkhunter should just have a policy.
> It would need something like: cron_system_entry(rkhunter_t, rkhunter_exec_t)
> If you wanted to write one, basing it off the aide policy would probably
> help.
> https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib/aide.te
> It's quite a simple policy, it pretty much just needs to read everything
> on disk.
>
> Well, I want to learn more about SELinux so writing and testing a
> "proper" policy sounds like an idea. I will give it a go.
|
Yes, the cron policy in SELinux has two "modes": either you have user cron
jobs run as the users' domain, or as the cronjob_t one. System cronjobs will
always run with system_cronjob_t.

Both cronjob_t and system_cronjob_t are meant as a sort-of stepping stone
towards the proper policy domain, as otherwise these domains would need to
be made very permissive which is contrary to the approach we want to take
with SELinux.

Wkr,
Sven Vermeulen
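
A sketch of the dedicated domain discussed in this thread, added here as an illustration and not taken from the thread, the aide policy or any shipped rkhunter policy. The module name, version and the binary path in the file-context comment are assumptions, and a working policy would need further rules found through testing.

```selinux
# rkhunter.te: constructed sketch, not a tested or upstream policy.
policy_module(rkhunter, 1.0.0)

# Domain for the running scanner and the entry-point type for its binary.
type rkhunter_t;
type rkhunter_exec_t;
application_domain(rkhunter_t, rkhunter_exec_t)

# When the system cron domain executes a file labelled rkhunter_exec_t,
# transition into rkhunter_t, so that system_cronjob_t is only a stepping
# stone and does not itself need the scanner's broad read access.
cron_system_entry(rkhunter_t, rkhunter_exec_t)

# Like aide, the scanner needs to read everything on disk.
files_read_all_files(rkhunter_t)
files_read_all_symlinks(rkhunter_t)

# rkhunter.fc (separate file); the binary path below is an assumption:
# /usr/sbin/rkhunter  --  gen_context(system_u:object_r:rkhunter_exec_t,s0)
```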