From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 29 Aug 2017 19:12:55 -0400
Subject: [refpolicy] [PATCH 1/1] aide: tunable to disable AIDE from
 altering database
In-Reply-To: <1B50C12ACFF4CB42B90D2581155DF50205B4A1D6@Exchange10.columbia.tresys.com>
References: <1B50C12ACFF4CB42B90D2581155DF50205B4A1D6@Exchange10.columbia.tresys.com>
Message-ID: <f15d535b-b378-10e9-6763-b48b02e90814@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/29/2017 12:09 PM, David Sugar via refpolicy wrote:
> Add tunable to AIDE policy to give the ability to disable writing to the AIDE database.  Thus once the database is created it can no longer be altered.
> 
> ---
>   aide.te | 11 ++++++++++-
>   1 file changed, 10 insertions(+), 1 deletion(-)
> 
> diff --git a/aide.te b/aide.te
> index 9d3c19c..2dda79d 100644
> --- a/aide.te
> +++ b/aide.te
> @@ -18,6 +18,13 @@ logging_log_file(aide_log_t)
>   type aide_db_t;
>   files_type(aide_db_t)
>   
> +## <desc>
> +## <p>
> +## Allow aide to write to the itegrity DB.
> +## </p>
> +## </desc>
> +gen_tunable(aide_enable_write_db, true)
> +
>   ########################################
>   #
>   # Local policy
> @@ -25,7 +32,9 @@ files_type(aide_db_t)
>   
>   allow aide_t self:capability { dac_override fowner };
>   
> -manage_files_pattern(aide_t, aide_db_t, aide_db_t)
> +tunable_policy(`aide_enable_write_db',`
> +	manage_files_pattern(aide_t, aide_db_t, aide_db_t)
> +')
>   
>   create_files_pattern(aide_t, aide_log_t, aide_log_t)
>   append_files_pattern(aide_t, aide_log_t, aide_log_t)

"Can no longer be altered" is an ideal that can't be accomplished on 
systems since there are issues such as restore and recovery situations. 
In the absence of a labeled Boolean, what makes more sense would be to 
remove the write access for aide_t and create a domain for aideinit that 
can write the db.

-- 
Chris PeBenito