-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Josef Kubin wrote:
Hello,
it needs a new SELinux policy for rkhunter: I'm currently working on it ...
Relational thing is https://bugzilla.redhat.com/show_bug.cgi?id=438576
Josef
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Joseph and I played around with a policy for rkhunter and quickly found it to be too cumbersome to confine. Pretty much needs unconfined_domain to do its thing. rkhunter package is moving its log files to /var/log and other files to /var/run. We can then make policy for sendmail to dontaudit writes. This is a perfect example of allowing sendmail Read/Write but no Open.

Pedro, you can allow this access by executing

# grep mail /var/log/audit/audit.log | audit2allow -M myrkhunter
# semodule -i myrkhunter.pp
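
Added example, not part of the original message: a Python sketch of reviewing what a "grep mail ... | audit2allow" pipeline would pick up before the module is loaded, separating read/write-without-open denials (the inherited-descriptor case described above) from anything else the keyword happens to match. The log lines are constructed and the SELinux type names (system_mail_t, procmail_t, var_log_t, var_run_t, user_home_t) are assumptions.

```python
import re
from collections import defaultdict

# Constructed audit.log lines for illustration; the SELinux type names are assumptions.
SAMPLE_LOG = """\
type=AVC msg=audit(1206000001.101:41): avc:  denied  { read write } for  pid=2101 comm="sendmail" path="/var/log/rkhunter.log" dev=dm-0 ino=1234 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1206000002.102:42): avc:  denied  { read } for  pid=2101 comm="sendmail" path="/var/run/rkhunter.lock" dev=dm-0 ino=1240 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1206000003.103:43): avc:  denied  { open read } for  pid=2200 comm="procmail" name="notes.txt" dev=dm-0 ino=99 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1206000004.104:44): avc:  denied  { write } for  pid=2300 comm="httpd" name="index.html" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ ([^}]+)\}.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)")

def pending_rules(log, keyword="mail"):
    """Merge denials on lines containing keyword by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if keyword not in line or not m:
            continue  # same filter as the grep: plain substring match on the line
        perms, scon, tcon, tclass = m.groups()
        # The SELinux type is the third field of user:role:type:level
        key = (scon.split(":")[2], tcon.split(":")[2], tclass)
        rules[key].update(perms.split())
    return dict(rules)

def split_rules(rules):
    """Separate read/write-only denials (never open) from everything else."""
    leaked, review = {}, {}
    for key, perms in rules.items():
        (leaked if perms <= {"read", "write"} else review)[key] = perms
    return leaked, review

if __name__ == "__main__":
    leaked, review = split_rules(pending_rules(SAMPLE_LOG))
    for (src, tgt, cls), perms in sorted(leaked.items()):
        print(f"dontaudit {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    for (src, tgt, cls), perms in sorted(review.items()):
        print(f"REVIEW: allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
```

On the constructed log, the procmail denial is pulled in only because "procmail" contains "mail"; it is the kind of rule to check in the generated myrkhunter.te before running semodule.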