From: cgzones@googlemail.com (=?UTF-8?q?Christian=20G=C3=B6ttsche?=)
Date: Sun, 10 Sep 2017 17:38:08 +0200
Subject: [refpolicy] [PATCH] chkrootkit: update
Message-ID: <20170910153808.8488-1-cgzones@googlemail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

- drop unneeded dac_override permission
- add getattr permissions on filesystems
---
 chkrootkit.te | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/chkrootkit.te b/chkrootkit.te
index f62eb49..007b062 100644
--- a/chkrootkit.te
+++ b/chkrootkit.te
@@ -20,7 +20,7 @@ logging_log_file(chkrootkit_log_t)
 # Application local policy
 #
 
-allow chkrootkit_t self:capability { dac_override dac_read_search setuid sys_ptrace };
+allow chkrootkit_t self:capability { dac_read_search setuid sys_ptrace };
 allow chkrootkit_t self:fifo_file rw_fifo_file_perms;
 allow chkrootkit_t self:udp_socket { create ioctl };
 
@@ -32,6 +32,7 @@ kernel_getattr_message_if(chkrootkit_t)
 corecmd_exec_bin(chkrootkit_t)
 corecmd_exec_shell(chkrootkit_t)
 
+dev_getattr_fs(chkrootkit_t)
 dev_read_rand(chkrootkit_t)
 dev_read_urand(chkrootkit_t)
 dev_getattr_all_chr_files(chkrootkit_t)
@@ -46,6 +47,8 @@ files_read_all_symlinks(chkrootkit_t)
 files_read_all_chr_files(chkrootkit_t)
 files_getattr_all_pipes(chkrootkit_t)
 
+fs_getattr_xattr_fs(chkrootkit_t)
+
 init_signal(chkrootkit_t)
 
 logging_send_syslog_msg(chkrootkit_t)
-- 
2.14.1
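Review bot: With `dac_override` removed from the `self:capability` rule in the first hunk, nothing in the visible policy allows or silences that capability any more. On kernels that test CAP_DAC_OVERRIDE before CAP_DAC_READ_SEARCH, a read that succeeds through `dac_read_search` may still log a `dac_override` denial first, so a full scan is likely to produce AVC noise. I would confirm this with an enforcing-mode run and, only if the denials prove harmless, add `dontaudit chkrootkit_t self:capability dac_override;` with a one-line comment explaining why. The remaining `setuid` and `sys_ptrace` grants are the powerful ones in this set and would also benefit from a comment naming the chkrootkit check that needs each.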
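Review bot: The two added getattr rules, `dev_getattr_fs(chkrootkit_t)` in the second hunk and `fs_getattr_xattr_fs(chkrootkit_t)` in the third, have no comment or quoted denial showing which scanner step needs them. They appear to cover only the device filesystem and xattr-backed filesystems, so a scan that also stats other mounted filesystem types (tmpfs, for example) would presumably still be denied. Keeping the grants narrow is the right default; I would record the triggering AVC in the commit message and add a comment such as `# filesystem getattr needed by <chkrootkit check>` above each call. Any later widening should likewise be justified by an observed denial.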