Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
Date: Tue, 26 Mar 2019 10:17:37
Message-Id: 1553508325.45581b7ac1b5fafd180b6bc43c1ea329c416b1ec.perfinion@gentoo
1 commit: 45581b7ac1b5fafd180b6bc43c1ea329c416b1ec
2 Author: Sugar, David <dsugar <AT> tresys <DOT> com>
3 AuthorDate: Mon Feb 25 23:37:47 2019 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Mon Mar 25 10:05:25 2019 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=45581b7a
7
8 Allow AIDE to mmap files
9
10 AIDE has a compile time option WITH_MMAP which allows AIDE to
11 map files during scanning. RHEL7 has set this option in the
12 aide rpm they distribute.
13
14 Changes made to add a tunable to enable permissions allowing
15 aide to map files that it needs. I have set the default to
16 false as this seems preferred (in my mind).
17
18 Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
19 Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
20
21 policy/modules/admin/aide.te | 13 +++++++++++++
22 1 file changed, 13 insertions(+)
23
24 diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
25 index f58ba850..fe52a280 100644
26 --- a/policy/modules/admin/aide.te
27 +++ b/policy/modules/admin/aide.te
28 @@ -5,6 +5,15 @@ policy_module(aide, 1.8.0)
29 # Declarations
30 #
31
32 +## <desc>
33 +## <p>
34 +## Control if AIDE can mmap files.
35 +## AIDE can be compiled with the option 'with-mmap' in which case it will
36 +## attempt to mmap files while running.
37 +## </p>
38 +## </desc>
39 +gen_tunable(aide_mmap_files, false)
40 +
41 attribute_role aide_roles;
42
43 type aide_t;
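Review bot: the ## <desc> text for aide_mmap_files names the build option 'with-mmap', while the commit message calls it WITH_MMAP; use one spelling so an administrator can match it against their AIDE build. The description also does not say which files the tunable covers or that it is off by default. Since the tunable_policy block later in this patch grants files_map_non_auth_files(aide_t), consider adding a sentence to the description along the lines of "When enabled, AIDE may map non-auth files; disabled by default."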
44 @@ -43,6 +52,10 @@ logging_send_syslog_msg(aide_t)
45
46 userdom_use_user_terminals(aide_t)
47
48 +tunable_policy(`aide_mmap_files',`
49 + files_map_non_auth_files(aide_t)
50 +')
51 +
52 optional_policy(`
53 seutil_use_newrole_fds(aide_t)
54 ')
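Review bot: in the tunable_policy block, files_map_non_auth_files(aide_t) only covers non-auth files, so if aide_t is allowed to read auth files elsewhere in aide.te (not visible in this hunk), an AIDE built with mmap could still be denied map on those files even with aide_mmap_files turned on. Please confirm that leaving auth files out is intended and note it in a comment above the block, or add a matching map permission for auth files if AIDE is expected to scan them. The commit message says the tunable allows mapping "files that it needs", so it is also worth stating why the whole non-auth file set is the right scope.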