SELinux and rkhunter
Hi,

I can run rkhunter as root with role sysadm_r and there are no issues,
but when I run it from a cron job I get lots of AVCs because the source
context is system_cronjob_t. I am using vixie-cron and running rkhunter
from a crontab in /etc/cron.d/.

I can see 2 options for fixing this:

1) set the label on the crontab to be the same as when I run rkhunter
with no AVCs (sysadm_r). Not sure if this happens with a system crontab.
I would need to set the boolean cron_userdomain_transition to true, and
it would end up with a crontab file having a different label to that
specified by the policy.

2) create an intermediate script that I run from the crontab, that
itself runs rkhunter and effects a transition to the sysadm_t context
before doing so. I would need to write a short policy to do this and
allow system_cronjob_t to make the transition. This looks like the
better route to go.

Does anyone have any views about the best way to proceed or whether to
do this at all?

Thanks

Robert Sharp
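Before choosing between relabelling the crontab and writing policy, it helps to see what the denials from the cron run actually ask for. The helper below is an added example, not code from the thread: it collapses AVC records into one candidate allow rule per source type, target type and object class, the way audit2allow does, using only awk. The AVC lines are constructed samples (the target types and commands in them are illustrative, not taken from Robert's system).

```sh
#!/bin/sh
# Constructed sample denials, laid out like kernel AVC audit records.
# They are not from the original post.
SAMPLE_AVCS='type=AVC msg=audit(1480068000.123:456): avc:  denied  { read } for  pid=1234 comm="rkhunter" name="shadow" dev="sda1" ino=1111 scontext=system_u:system_r:system_cronjob_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1480068000.124:457): avc:  denied  { open } for  pid=1234 comm="rkhunter" name="shadow" dev="sda1" ino=1111 scontext=system_u:system_r:system_cronjob_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1480068000.200:458): avc:  denied  { getattr } for  pid=1235 comm="find" path="/root/.ssh" dev="sda1" ino=2222 scontext=system_u:system_r:system_cronjob_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=dir permissive=0'

# summarize_avcs: read AVC lines on stdin and print one candidate allow rule
# per (source type, target type, class) carrying the union of the denied
# permissions, in first-seen order, with the rules sorted for stable output.
summarize_avcs() {
    awk '
    /avc: +denied/ {
        # the denied permissions sit between the first "{" and "}"
        perms = $0
        sub(/^[^{]*[{] */, "", perms)
        sub(/ *[}].*$/, "", perms)
        cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) split($i, s, ":")   # s[3] is the source type
            if ($i ~ /^tcontext=/) split($i, t, ":")   # t[3] is the target type
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        key = s[3] " " t[3] ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (index(" " acc[key] " ", " " p[j] " ") == 0)
                acc[key] = acc[key] " " p[j]
    }
    END { for (k in acc) printf "allow %s {%s };\n", k, acc[k] }
    ' | sort
}

# Usage (feed real records with: ausearch -m avc -ts today | summarize_avcs):
# printf '%s\n' "$SAMPLE_AVCS" | summarize_avcs
```

Every rule the helper produces has system_cronjob_t as its source. That is the point of the exercise: granting those permissions to the cron domain would be exactly the widening Sven warns against later in the thread, whereas the same denials attributed to a dedicated rkhunter domain are what that domain's policy should allow.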
Re: SELinux and rkhunter
On Fri, Nov 25, 2016 at 10:16:24AM +0000, Robert Sharp wrote:
> Hi,
>
> I can run rkhunter as root with role sysadm_r and there are no issues,
> but when I run it from a cron job I get lots of AVCs because the source
> context is system_cronjob_t. I am using vixie-cron and running rkhunter
> from a crontab in /etc/cron.d/.
>
> I can see 2 options for fixing this:
>
> 1) set the label on the crontab to be the same as when I run rkhunter
> with no AVCs (sysadm_r). Not sure if this happens with a system crontab.
> I would need to set the boolean cron_userdomain_transition to true, and
> it would end up with a crontab file having a different label to that
> specified by the policy.
cron_userdomain_transition is for users' crontabs, I thought, not for
/etc/cron.daily and stuff?
i.e. crontab -u root -e
If the boolean is on, everything there just gets run in sysadm_t so it
would definitely be the least work to get it working.

> 2) create an intermediate script that I run from the crontab, that
> itself runs rkhunter and effects a transition to the sysadm_t context
> before doing so. I would need to write a short policy to do this and
> allow system_cronjob_t to make the transition. This looks like the
> better route to go.
Don't bother with this, you'd need to write policy for it and it's
probably easier to just write a policy directly for rkhunter instead of
just your script.
>
> Does anyone have any views about the best way to proceed or whether to
> do this at all?

Ideally, rkhunter should just have a policy.
It would need something like: cron_system_entry(rkhunter_t, rkhunter_exec_t)
If you wanted to write one, basing it off the aide policy would probably
help.
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib/aide.te
It's quite a simple policy; it pretty much just needs to read everything
on disk.

-- Jason
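What a module along the lines Jason describes looks like, as an added example rather than code from the thread or a module any project ships: a refpolicy-style rkhunter.te and rkhunter.fc modelled on aide.te, with cron_system_entry(rkhunter_t, rkhunter_exec_t) as the rule that moves system cron jobs into the new domain. The install paths (/usr/bin/rkhunter, /var/lib/rkhunter, /var/log/rkhunter.log), the type names rkhunter_var_lib_t and rkhunter_log_t, the devel Makefile location and the set of interfaces are all assumptions; the AVCs from a real cron run of rkhunter decide what the domain still lacks.

```sh
#!/bin/sh
# Added example: a minimal refpolicy-style module for rkhunter, modelled on
# aide.te as suggested in the thread. Install paths, type names and the
# interface set are assumptions; the denials from a real run decide the rest.
set -e

# write_rkhunter_policy DIR: emit rkhunter.te and rkhunter.fc into DIR
write_rkhunter_policy() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/rkhunter.te" <<'EOF'
policy_module(rkhunter, 0.1.0)

########################################
#
# Declarations
#

type rkhunter_t;
type rkhunter_exec_t;
init_system_domain(rkhunter_t, rkhunter_exec_t)
role system_r types rkhunter_t;

# own types for the property database and the log (names assumed)
type rkhunter_var_lib_t;
files_type(rkhunter_var_lib_t)

type rkhunter_log_t;
logging_log_file(rkhunter_log_t)

########################################
#
# Local policy
#

allow rkhunter_t self:capability { dac_override dac_read_search };
allow rkhunter_t self:fifo_file rw_fifo_file_perms;

# rkhunter is a shell script driving ordinary tools
corecmd_exec_bin(rkhunter_t)
corecmd_exec_shell(rkhunter_t)

# write only to its own database and log
manage_files_pattern(rkhunter_t, rkhunter_var_lib_t, rkhunter_var_lib_t)
manage_files_pattern(rkhunter_t, rkhunter_log_t, rkhunter_log_t)
logging_log_filetrans(rkhunter_t, rkhunter_log_t, file)

# a scanner reads the whole filesystem but should not change it
files_list_all(rkhunter_t)
files_read_all_files(rkhunter_t)

logging_send_syslog_msg(rkhunter_t)
miscfiles_read_localization(rkhunter_t)

# the line that solves the cron problem: system_cronjob_t may run
# rkhunter_exec_t and transitions into rkhunter_t when it does
optional_policy(`
	cron_system_entry(rkhunter_t, rkhunter_exec_t)
')
EOF
    cat > "$dir/rkhunter.fc" <<'EOF'
# assumed install locations; adjust to what the package actually ships
/usr/bin/rkhunter           --  gen_context(system_u:object_r:rkhunter_exec_t,s0)
/var/lib/rkhunter(/.*)?         gen_context(system_u:object_r:rkhunter_var_lib_t,s0)
/var/log/rkhunter\.log.*    --  gen_context(system_u:object_r:rkhunter_log_t,s0)
EOF
}

# build_and_load DIR: compile with the refpolicy development Makefile (path
# assumed, Fedora/refpolicy layout) and load the module; skipped if absent
build_and_load() {
    dir=$1
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "refpolicy devel Makefile not found; skipping build" >&2
        return 0
    fi
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile rkhunter.pp )
    semodule -i "$dir/rkhunter.pp"
    restorecon -Rv /usr/bin/rkhunter /var/lib/rkhunter /var/log/rkhunter.log
}

# verify_transition: confirm from the loaded policy that a system cron job
# executing rkhunter_exec_t lands in rkhunter_t (needs setools' sesearch)
verify_transition() {
    command -v sesearch >/dev/null 2>&1 || { echo "sesearch not installed" >&2; return 0; }
    sesearch -T -s system_cronjob_t -t rkhunter_exec_t -c process
}

# Usage: sh rkhunter-policy.sh /tmp/rkhunter-policy
if [ -n "${1:-}" ]; then
    write_rkhunter_policy "$1"
    build_and_load "$1"
    verify_transition
fi
```

The domain deliberately gets read and list access to everything but write access only to its own database and log types, which is the shape of aide.te as well. Loading the module in permissive mode first and iterating on the resulting AVCs is the usual way to find the interfaces this skeleton is missing.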
Re: SELinux and rkhunter
On 25/11/16 11:51, Jason Zaman wrote:
> Ideally, rkhunter should just have a policy.
> It would need something like: cron_system_entry(rkhunter_t, rkhunter_exec_t)
> If you wanted to write one, basing it off the aide policy would probably
> help.
> https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib/aide.te
> It's quite a simple policy; it pretty much just needs to read everything
> on disk.

Well, I want to learn more about SELinux so writing and testing a
"proper" policy sounds like an idea. I will give it a go.

Robert
Re: SELinux and rkhunter
On Fri, Nov 25, 2016 at 02:01:51PM +0000, Robert Sharp wrote:
> On 25/11/16 11:51, Jason Zaman wrote:
>
>> Ideally, rkhunter should just have a policy.
>> It would need something like: cron_system_entry(rkhunter_t, rkhunter_exec_t)
>> If you wanted to write one, basing it off the aide policy would probably
>> help.
>> https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib/aide.te
>> It's quite a simple policy; it pretty much just needs to read everything
>> on disk.
>
> Well, I want to learn more about SELinux so writing and testing a
> "proper" policy sounds like an idea. I will give it a go.

Yes, the cron policy in SELinux has two "modes": either you have user cron
jobs run as the user's domain, or as the cronjob_t one. System cronjobs will
always run with system_cronjob_t.

Both cronjob_t and system_cronjob_t are meant as a sort-of stepping stone
towards the proper policy domain, as otherwise these domains would need to
be made very permissive which is contrary to the approach we want to take
with SELinux.

Wkr,
Sven Vermeulen