| 1 |
On Fri, Nov 25, 2016 at 02:01:51PM +0000, Robert Sharp wrote: |
| 2 |
> On 25/11/16 11:51, Jason Zaman wrote: |
| 3 |
> |
| 4 |
> Ideally, rkhunter should just have a policy. |
| 5 |
> It would need something like: cron_system_entry(rkhunter_t, rkhunter_exec_t) |
| 6 |
> If you wanted to write one, basing it off the aide policy would probably |
| 7 |
> help. |
| 8 |
> [1]https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/con |
| 9 |
> trib/aide.te |
| 10 |
> Its quite a simple policy, it pretty much just needs to read everything |
| 11 |
> on disk. |
| 12 |
> |
| 13 |
> Well, I want to learn more about SELinux so writing and testing a |
| 14 |
> "proper" policy sounds like an idea. I will give it a go. |
| 15 |
|
| 16 |
Yes, the cron policy in SELinux has two "modes": either you have user cron |
| 17 |
jobs run as the users' domain, or as the cronjob_t one. System cronjobs will |
| 18 |
always run with system_cronjob_t. |
| 19 |
|
| 20 |
Both cronjob_t and system_cronjob_t are meant as a sort-of stepping stone |
| 21 |
towards the proper policy domain, as otherwise these domains would need to |
| 22 |
be made very permissive which is contrary to the approach we want to take |
| 23 |
with SELinux. |
| 24 |
|
| 25 |
Wkr, |
| 26 |
Sven Vermeulen |
Archives