On Fri, Nov 25, 2016 at 10:16:24AM +0000, Robert Sharp wrote:
> Hi,
>
> I can run rkhunter as root with role sysadm_r and there are no issues,
> but when I run it from a cron job I get lots of AVCs because the source
> context is system_cronjob_t. I am using vixie-cron and running rkhunter
> from a crontab in /etc/cron.d/.
>
> I can see 2 options for fixing this:
>
> 1) set the label on the crontab to be the same as when I run rkhunter
> with no AVCs (sysadm_r). Not sure if this happens with a system crontab.
> I would need to set the boolean cron_userdomain_transition to true, and
> it would end up with a crontab file having a different label to that
> specified by the policy.

cron_userdomain_transition is for users' crontabs I thought, not for
/etc/cron.daily and stuff? ie crontab -u root -e

If the boolean is on, everything there just gets run in sysadm_t so it
would definitely be the least work to get it working.

> 2) create an intermediate script that I run from the crontab, that
> itself runs rkhunter and effects a transition to the sysadm_t context
> before doing so. I would need to write a short policy to do this and
> allow system_cronjob_t to make the transition. This looks like the
> better route to go.

Don't bother with this, you'd need to write policy for it and it's
probably easier to just write a policy directly for rkhunter instead of
just your script.

>
> Does anyone have any views about the best way to proceed or whether to
> do this at all?

Ideally, rkhunter should just have a policy. It would need something like:

cron_system_entry(rkhunter_t, rkhunter_exec_t)

If you wanted to write one, basing it off the aide policy would probably
help.

https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib/aide.te

It's quite a simple policy, it pretty much just needs to read everything
on disk.

--
Jason
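As an added illustration of the approach Jason describes, here is a minimal rkhunter module skeleton modelled on the structure of refpolicy's aide.te. This is not code from the thread and not an existing refpolicy module: the type names rkhunter_t and rkhunter_exec_t come from Jason's message, while the rkhunter_var_lib_t and rkhunter_log_t types, the file paths in the .fc section, and the exact set of interface calls are assumptions that have to be checked against the refpolicy version in use. The MLS interfaces aide.te carries are left out. Because rkhunter is a shell script that calls many system utilities, the domain needs the shell and bin execution interfaces on top of the "read everything on disk" rules.

```selinux
# rkhunter.te  (added example; assumed layout modelled on refpolicy aide.te)
policy_module(rkhunter, 0.1)

########################################
#
# Declarations
#

# Domain the scanner runs in, and the entrypoint type for the script.
type rkhunter_t;
type rkhunter_exec_t;
init_system_domain(rkhunter_t, rkhunter_exec_t)
role system_r types rkhunter_t;

# File-property database, assumed to live under /var/lib/rkhunter.
type rkhunter_var_lib_t;
files_type(rkhunter_var_lib_t)

# Scan log, assumed to be /var/log/rkhunter.log.
type rkhunter_log_t;
logging_log_file(rkhunter_log_t)

########################################
#
# Local policy
#

# The scanner walks the whole filesystem, so it reads past DAC permissions.
allow rkhunter_t self:capability dac_override;
allow rkhunter_t self:fifo_file rw_fifo_file_perms;

# Database and log handling.
manage_dirs_pattern(rkhunter_t, rkhunter_var_lib_t, rkhunter_var_lib_t)
manage_files_pattern(rkhunter_t, rkhunter_var_lib_t, rkhunter_var_lib_t)

manage_files_pattern(rkhunter_t, rkhunter_log_t, rkhunter_log_t)
logging_log_filetrans(rkhunter_t, rkhunter_log_t, file)

# The core requirement from the thread: read everything on disk.
files_list_all(rkhunter_t)
files_read_all_files(rkhunter_t)
files_read_all_symlinks(rkhunter_t)

# rkhunter is a shell script that shells out to stat, grep, find, etc.
corecmd_exec_shell(rkhunter_t)
corecmd_exec_bin(rkhunter_t)

# /proc access for the hidden-process and loaded-module checks.
kernel_read_system_state(rkhunter_t)

logging_send_syslog_msg(rkhunter_t)
miscfiles_read_localization(rkhunter_t)

# Still allow an admin to run it interactively from a terminal.
userdom_use_user_terminals(rkhunter_t)

# What the thread is about: let the system cron daemon enter the domain
# directly instead of running the script in system_cronjob_t.
optional_policy(`
	cron_system_entry(rkhunter_t, rkhunter_exec_t)
')

# rkhunter.fc  (added example; paths are assumptions, check `which rkhunter`)
/usr/bin/rkhunter		--	gen_context(system_u:object_r:rkhunter_exec_t,s0)
/var/lib/rkhunter(/.*)?			gen_context(system_u:object_r:rkhunter_var_lib_t,s0)
/var/log/rkhunter\.log.*	--	gen_context(system_u:object_r:rkhunter_log_t,s0)
```

The two sections above go in separate files (rkhunter.te and rkhunter.fc; refpolicy convention also expects an rkhunter.if, which can hold just a summary comment). Build them with the refpolicy development Makefile for your distribution, load the result with semodule -i rkhunter.pp, and run restorecon on the listed paths so the script actually carries rkhunter_exec_t. A practical way to find the rules this skeleton is still missing is to make only the new domain permissive (semanage permissive -a rkhunter_t), let the cron job run once, and feed the resulting AVC denials to audit2allow; each rule it proposes should then be replaced by the matching refpolicy interface rather than pasted in raw, and the domain taken out of permissive mode once the job runs clean.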