From: pebenito@ieee.org (Chris PeBenito) Date: Mon, 11 Sep 2017 19:27:03 -0400 Subject: [refpolicy] [PATCH] chkrootkit: update In-Reply-To: <20170910153808.8488-1-cgzones@googlemail.com> References: <20170910153808.8488-1-cgzones@googlemail.com> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/10/2017 11:38 AM, Christian Göttsche via refpolicy wrote: > - drop unneeded dac_override permission > - add getattr permissions on filesystems > --- > chkrootkit.te | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/chkrootkit.te b/chkrootkit.te > index f62eb49..007b062 100644 > --- a/chkrootkit.te > +++ b/chkrootkit.te > @@ -20,7 +20,7 @@ logging_log_file(chkrootkit_log_t) > # Application local policy > # > > -allow chkrootkit_t self:capability { dac_override dac_read_search setuid sys_ptrace }; > +allow chkrootkit_t self:capability { dac_read_search setuid sys_ptrace }; > allow chkrootkit_t self:fifo_file rw_fifo_file_perms; > allow chkrootkit_t self:udp_socket { create ioctl }; > > @@ -32,6 +32,7 @@ kernel_getattr_message_if(chkrootkit_t) > corecmd_exec_bin(chkrootkit_t) > corecmd_exec_shell(chkrootkit_t) > > +dev_getattr_fs(chkrootkit_t) > dev_read_rand(chkrootkit_t) > dev_read_urand(chkrootkit_t) > dev_getattr_all_chr_files(chkrootkit_t) > @@ -46,6 +47,8 @@ files_read_all_symlinks(chkrootkit_t) > files_read_all_chr_files(chkrootkit_t) > files_getattr_all_pipes(chkrootkit_t) > > +fs_getattr_xattr_fs(chkrootkit_t) > + > init_signal(chkrootkit_t) > > logging_send_syslog_msg(chkrootkit_t) Merged. -- Chris PeBenito
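Review bot: in the first hunk (the -20,7 region), dropping dac_override while keeping dac_read_search is the right fit for a read-only scanner, since dac_read_search already bypasses DAC for reads and directory searches and dac_override would additionally bypass it for writes; the commit message only says "unneeded", so it should record how that was confirmed (for example a full chkrootkit run with no dac_override AVC denials), because a capability that turns out to be needed fails as EACCES in the middle of a scan rather than at policy load.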
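Review bot: the second hunk (the -32,6 region) adds dev_getattr_fs(chkrootkit_t) next to dev_getattr_all_chr_files(chkrootkit_t) without the commit message saying which check needs it; the interface name grants getattr on the device filesystem itself rather than on the device nodes the existing rule already covers, so one sentence naming the check or quoting the denial would make the rule auditable the next time this module is trimmed.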
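Review bot: the last hunk (the -46,6 region) adds fs_getattr_xattr_fs(chkrootkit_t), which together with dev_getattr_fs in the previous hunk grants getattr on exactly two filesystem types; if the denials came from chkrootkit calling statfs on every mount point it walks, further denials for proc, sysfs or tmpfs are likely to follow, so the commit message should list the observed denials so a reviewer can judge these targeted interfaces against the broader fs_getattr_all_fs. The blank line separating the new fs_ call from init_signal(chkrootkit_t) follows the module's grouping by interface prefix.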