From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 29 Aug 2017 19:12:55 -0400
Subject: [refpolicy] [PATCH 1/1] aide: tunable to disable AIDE from altering database
In-Reply-To: <1B50C12ACFF4CB42B90D2581155DF50205B4A1D6@Exchange10.columbia.tresys.com>
References: <1B50C12ACFF4CB42B90D2581155DF50205B4A1D6@Exchange10.columbia.tresys.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/29/2017 12:09 PM, David Sugar via refpolicy wrote:
> Add tunable to AIDE policy to give the ability to disable writing to the AIDE database. Thus once the database is created it can no longer be altered.
>
> ---
> aide.te | 11 ++++++++++-
> 1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/aide.te b/aide.te
> index 9d3c19c..2dda79d 100644
> --- a/aide.te
> +++ b/aide.te
> @@ -18,6 +18,13 @@ logging_log_file(aide_log_t)
> type aide_db_t;
> files_type(aide_db_t)
>
> +##
> +##
> +## Allow aide to write to the itegrity DB.
> +##
> +##
> +gen_tunable(aide_enable_write_db, true)
> +
> ########################################
> #
> # Local policy
> @@ -25,7 +32,9 @@ files_type(aide_db_t)
>
> allow aide_t self:capability { dac_override fowner };
>
> -manage_files_pattern(aide_t, aide_db_t, aide_db_t)
> +tunable_policy(`aide_enable_write_db',`
> + manage_files_pattern(aide_t, aide_db_t, aide_db_t)
> +')
>
> create_files_pattern(aide_t, aide_log_t, aide_log_t)
> append_files_pattern(aide_t, aide_log_t, aide_log_t)

"Can no longer be altered" is an ideal that can't be accomplished on systems since there are issues such as restore and recovery situations. In the absence of a labeled Boolean, what makes more sense would be to remove the write access for aide_t and create a domain for aideinit that can write the db.

-- 
Chris PeBenito
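Review bot: the tunable description in the first hunk misspells "integrity" in `## Allow aide to write to the itegrity DB.`; this text is emitted into the generated policy documentation, so it should read "integrity". The description would also be more useful if it said what aide can still do with the database when the boolean is off, since a reader of the docs otherwise has to consult the second hunk to find out.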
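Review bot: in the second hunk, wrapping `manage_files_pattern(aide_t, aide_db_t, aide_db_t)` in `tunable_policy(`aide_enable_write_db',`` removes every aide_db_t rule from the unconditional policy, so with the boolean off aide_t has no access to the database at all, read included, and cannot run a check against the database it is meant to protect. Keep a `read_files_pattern(aide_t, aide_db_t, aide_db_t)` outside the tunable and place only the create/write side under it, or, as the reply suggests, drop the boolean and move write access into a separate aideinit domain.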