From: "Sugar, David"
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH] Allow AIDE to mmap files
Date: Mon, 25 Feb 2019 23:37:47 +0000
Message-ID: <20190225233708.15319-6-dsugar@tresys.com>
In-Reply-To: <20190225233708.15319-1-dsugar@tresys.com>
References: <20190225233708.15319-1-dsugar@tresys.com>
x-mailer: git-send-email 2.20.1
AIDE has a compile time option WITH_MMAP which allows AIDE to map files during scanning. RHEL7 has set this option in the aide rpm they distribute.

Changes made to add a tunable to enable permissions allowing aide to map files that it needs. I have set the default to false as this seems preferred (in my mind).

Signed-off-by: Dave Sugar
---
policy/modules/admin/aide.te | 13 +++++++++++++
1 file changed, 13 insertions(+)

diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
index f58ba850..fe52a280 100644
--- a/policy/modules/admin/aide.te
+++ b/policy/modules/admin/aide.te
@@ -5,6 +5,15 @@ policy_module(aide, 1.8.0) # Declarations # =20 +## +##

+## Control if AIDE can mmap files. +## AIDE can be compiled with the option 'with-mmap' in which case it will +## attempt to mmap files while running. +##

+##
+gen_tunable(aide_mmap_files, false) + attribute_role aide_roles; =20 type aide_t; @@ -43,6 +52,10 @@ logging_send_syslog_msg(aide_t) =20 userdom_use_user_terminals(aide_t) =20 +tunable_policy(`aide_mmap_files',` + files_map_non_auth_files(aide_t) +') + optional_policy(` seutil_use_newrole_fds(aide_t) ') --=20 2.20.1
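Review bot: In the first hunk (the tunable declaration), the description block shows several `+##` lines with nothing after them; refpolicy tunable descriptions are wrapped in `<desc>` and `<p>` ... `</p>` `</desc>` tags, and without them the documentation generator will not attach the text to `aide_mmap_files`. If the tags were stripped by the archive rendering this is fine, otherwise please add them. Two smaller points: refpolicy descriptions conventionally read "Determine whether AIDE can mmap files." rather than "Control if ...", and the description says `'with-mmap'` while the commit message says `WITH_MMAP`; pick one spelling so an administrator can match the tunable to the build option.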
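Review bot: In the second hunk, `files_map_non_auth_files(aide_t)` by its name excludes the authentication-related file types, so with `aide_mmap_files` enabled a mmap-built AIDE will still be denied `map` on those files and fall back or fail on them; since AIDE is an integrity checker and rulesets routinely cover that part of the filesystem, the commit message should either state this limitation or explain why the narrower interface was chosen over one covering all file types AIDE may already read. The `tunable_policy` block itself follows refpolicy style (backquote/quote pair, trailing blank line before `optional_policy`), and defaulting the tunable to false matches the rationale in the commit message.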