2017-08-29 16:09:58

by Sugar, David

Subject: [refpolicy] [PATCH 1/1] aide: tunable to disable AIDE from altering database

Add tunable to AIDE policy to give the ability to disable writing to the AIDE database. Thus once the database is created it can no longer be altered.

---
aide.te | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/aide.te b/aide.te
index 9d3c19c..2dda79d 100644
--- a/aide.te
+++ b/aide.te
@@ -18,6 +18,13 @@ logging_log_file(aide_log_t)
type aide_db_t;
files_type(aide_db_t)

+## <desc>
+## <p>
+## Allow aide to write to the itegrity DB.
+## </p>
+## </desc>
+gen_tunable(aide_enable_write_db, true)
+
########################################
#
# Local policy
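Review bot: typo in the tunable description at `## Allow aide to write to the itegrity DB.` should read "integrity DB". Defaulting the tunable to `true` keeps the module's current behaviour, which is the right choice for an existing policy; it would help the administrator deciding whether to flip it if the description also said what turning it off removes, i.e. aide_t's ability to create, modify or delete files of type aide_db_t.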
@@ -25,7 +32,9 @@ files_type(aide_db_t)

allow aide_t self:capability { dac_override fowner };

-manage_files_pattern(aide_t, aide_db_t, aide_db_t)
+tunable_policy(`aide_enable_write_db',`
+ manage_files_pattern(aide_t, aide_db_t, aide_db_t)
+')

create_files_pattern(aide_t, aide_log_t, aide_log_t)
append_files_pattern(aide_t, aide_log_t, aide_log_t)
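Review bot: with `aide_enable_write_db` off, nothing in this hunk leaves aide_t any read access to aide_db_t, because the only rule touching the database type is the `manage_files_pattern` that is now inside the tunable block. Unless aide_t is granted read elsewhere in the module (for example by a files_read_all_files rule, which is not visible here), a check run could not open the database it is meant to compare against. Suggest keeping `read_files_pattern(aide_t, aide_db_t, aide_db_t)` unconditional and gating only the manage pattern with the tunable. Note also that a Boolean remains switchable at runtime by any domain allowed to set it, so the commit message's "can no longer be altered" overstates what this hunk enforces.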
--
2.13.5


2017-08-29 23:12:55

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/1] aide: tunable to disable AIDE from altering database

On 08/29/2017 12:09 PM, David Sugar via refpolicy wrote:
> Add tunable to AIDE policy to give the ability to disable writing to the AIDE database. Thus once the database is created it can no longer be altered.
>
> ---
> aide.te | 11 ++++++++++-
> 1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/aide.te b/aide.te
> index 9d3c19c..2dda79d 100644
> --- a/aide.te
> +++ b/aide.te
> @@ -18,6 +18,13 @@ logging_log_file(aide_log_t)
> type aide_db_t;
> files_type(aide_db_t)
>
> +## <desc>
> +## <p>
> +## Allow aide to write to the itegrity DB.
> +## </p>
> +## </desc>
> +gen_tunable(aide_enable_write_db, true)
> +
> ########################################
> #
> # Local policy
> @@ -25,7 +32,9 @@ files_type(aide_db_t)
>
> allow aide_t self:capability { dac_override fowner };
>
> -manage_files_pattern(aide_t, aide_db_t, aide_db_t)
> +tunable_policy(`aide_enable_write_db',`
> + manage_files_pattern(aide_t, aide_db_t, aide_db_t)
> +')
>
> create_files_pattern(aide_t, aide_log_t, aide_log_t)
> append_files_pattern(aide_t, aide_log_t, aide_log_t)

"Can no longer be altered" is an ideal that can't be accomplished on
systems since there are issues such as restore and recovery situations.
In the absence of a labeled Boolean, what makes more sense would be to
remove the write access for aide_t and create a domain for aideinit that
can write the db.

--
Chris PeBenito
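The alternative Chris describes, sketched as an added refpolicy-style fragment that is not from this thread or the refpolicy tree: aide_t keeps read-only access to aide_db_t, and a separate domain is the only writer, so no runtime Boolean can hand write access back to the checker. The `aideinit_t` / `aideinit_exec_t` names, the `aide_init_domtrans` interface, and running the aide binary inside aideinit_t with `can_exec` are assumptions for illustration.

```m4
########################################
#
# Declarations (aide.te)
#

type aide_t;
type aide_exec_t;
application_domain(aide_t, aide_exec_t)
role system_r types aide_t;

# Assumed: a separate domain for the database-initialisation helper
type aideinit_t;
type aideinit_exec_t;
application_domain(aideinit_t, aideinit_exec_t)
role system_r types aideinit_t;

type aide_db_t;
files_type(aide_db_t)

########################################
#
# aide_t local policy (check runs): read the database, never write it
#

read_files_pattern(aide_t, aide_db_t, aide_db_t)
# Deliberately no manage_files_pattern for aide_t: create, write and
# unlink on aide_db_t files are denied, and no tunable can re-enable them.

########################################
#
# aideinit_t local policy (database builds): the only writer
#

manage_files_pattern(aideinit_t, aide_db_t, aide_db_t)

# The helper runs the aide binary to build the database. Execute it
# without a domain transition so the write happens in aideinit_t
# rather than in the read-only aide_t.
can_exec(aideinit_t, aide_exec_t)

########################################
#
# Assumed interface (aide.if): let an admin domain enter aideinit_t
#
interface(`aide_init_domtrans',`
	gen_require(`
		type aideinit_t, aideinit_exec_t;
	')
	domtrans_pattern($1, aideinit_exec_t, aideinit_t)
')
```

A role allow and role transition for the calling admin role would still be needed for the transition to be usable from a login session; they are omitted here to keep the fragment short.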