commit: 86cb44cbdb6a3622e09333b6038b0f48d5859e36 Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com> AuthorDate: Sun Sep 10 15:38:08 2017 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Thu Sep 14 19:34:43 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=86cb44cb
chkrootkit: update - drop unneeded dac_override permission - add getattr permissions on filesystems policy/modules/contrib/chkrootkit.te | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/chkrootkit.te b/policy/modules/contrib/chkrootkit.te
index f62eb493..007b0623 100644
--- a/policy/modules/contrib/chkrootkit.te
+++ b/policy/modules/contrib/chkrootkit.te
@@ -20,7 +20,7 @@ logging_log_file(chkrootkit_log_t)
 # Application local policy
 #
 
-allow chkrootkit_t self:capability { dac_override dac_read_search setuid sys_ptrace };
+allow chkrootkit_t self:capability { dac_read_search setuid sys_ptrace };
 allow chkrootkit_t self:fifo_file rw_fifo_file_perms;
 allow chkrootkit_t self:udp_socket { create ioctl };
 
@@ -32,6 +32,7 @@ kernel_getattr_message_if(chkrootkit_t)
 corecmd_exec_bin(chkrootkit_t)
 corecmd_exec_shell(chkrootkit_t)
 
+dev_getattr_fs(chkrootkit_t)
 dev_read_rand(chkrootkit_t)
 dev_read_urand(chkrootkit_t)
 dev_getattr_all_chr_files(chkrootkit_t)
@@ -46,6 +47,8 @@ files_read_all_symlinks(chkrootkit_t)
 files_read_all_chr_files(chkrootkit_t)
 files_getattr_all_pipes(chkrootkit_t)
 
+fs_getattr_xattr_fs(chkrootkit_t)
+
 init_signal(chkrootkit_t)
 
 logging_send_syslog_msg(chkrootkit_t)
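Review bot: On the new `allow chkrootkit_t self:capability { dac_read_search setuid sys_ptrace };` line, dropping `dac_override` may still leave AVC denials in the audit log on kernels that test CAP_DAC_OVERRIDE before CAP_DAC_READ_SEARCH in the file permission check, even though the read then succeeds through `dac_read_search`. If such denials appear in testing, a `dontaudit chkrootkit_t self:capability dac_override;` next to the allow rule would keep the reduced privilege without the log noise. The rule also carries no comment; something like `# dac_read_search only: the scan reads files owned by other users but never writes them` would record why the write-capable `dac_override` is deliberately absent.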
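Review bot: `dev_getattr_fs(chkrootkit_t)` in the second hunk and `fs_getattr_xattr_fs(chkrootkit_t)` in the third appear, judging by the interface names, to cover only the device filesystem and xattr-capable filesystems, so a getattr on any other mounted type (tmpfs, proc, sysfs and so on) would still be denied. If the access comes from enumerating mounts, which this patch does not show, it is worth checking the audit log to decide whether the remaining types should be silenced with `fs_dontaudit_getattr_all_fs(chkrootkit_t)` rather than left to log denials; granting `fs_getattr_all_fs` would be broader than the commit message suggests is intended. A short comment naming the chkrootkit check that needs the filesystem getattr, for example `# df/stat on mounted filesystems during the scan` if that is the cause, would help later reviewers keep the rule set minimal.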