From: dsugar@tresys.com (David Sugar)
Date: Tue, 29 Aug 2017 16:09:58 +0000
Subject: [refpolicy] [PATCH 1/1] aide: tunable to disable AIDE from altering database
Message-ID: <1B50C12ACFF4CB42B90D2581155DF50205B4A1D6@Exchange10.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Add tunable to AIDE policy to give the ability to disable writing to the AIDE database. Thus once the database is created it can no longer be altered.
---
aide.te | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/aide.te b/aide.te
index 9d3c19c..2dda79d 100644
--- a/aide.te
+++ b/aide.te
@@ -18,6 +18,13 @@ logging_log_file(aide_log_t)
 type aide_db_t;
 files_type(aide_db_t)
+##
+##

+## Allow aide to write to the itegrity DB.
+##

+##
+gen_tunable(aide_enable_write_db, true)
+
 ########################################
 #
 # Local policy
@@ -25,7 +32,9 @@ files_type(aide_db_t)
 allow aide_t self:capability { dac_override fowner };
-manage_files_pattern(aide_t, aide_db_t, aide_db_t)
+tunable_policy(`aide_enable_write_db',`
+ manage_files_pattern(aide_t, aide_db_t, aide_db_t)
+')
 create_files_pattern(aide_t, aide_log_t, aide_log_t)
 append_files_pattern(aide_t, aide_log_t, aide_log_t)
--
2.13.5
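Review bot: The tunable description added in the first hunk, `Allow aide to write to the itegrity DB.`, misspells "integrity" and does not tell an administrator what they give up by turning the boolean off, which is the one thing they need to know before using it. Since the description is the only user-facing documentation of the boolean, it should name the intended workflow: initialise the database, then disable writing. Suggested text: `## Determine whether aide can create and modify its integrity database. Disable this once the database has been initialised so that the aide domain can only read it.` The surrounding `<desc>`/`<p>` XML tags appear to have been stripped in this rendering of the patch, so only the wording is reviewed here.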
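Review bot: With `aide_enable_write_db` off, the second hunk leaves aide_t with no access to aide_db_t at all, because `manage_files_pattern` was the only rule granting it and nothing outside the `tunable_policy` block keeps read/getattr/open (unless aide.te grants that elsewhere, which this diff does not show). That defeats the stated purpose: a check run must still read the database when it is forbidden to modify it. Keep read access unconditional and gate only the modifying permissions, e.g. add `read_files_pattern(aide_t, aide_db_t, aide_db_t)` and `list_dirs_pattern(aide_t, aide_db_t, aide_db_t)` before the `tunable_policy` block and leave `manage_files_pattern` inside it. The commit message's "can no longer be altered" also overstates the guarantee: a boolean can be flipped back by anyone permitted to run setsebool, and it constrains only processes in aide_t, not other domains with write access to aide_db_t; that caveat belongs in the commit message or the tunable description.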