On Mon, 2019-02-25 at 23:37 +0000, Sugar, David wrote:
> AIDE has a compile time option WITH_MMAP which allows AIDE to
> map files during scanning. RHEL7 has set this option in the
> aide rpm they distribute.
>
> Changes made to add a tunable to enable permissions allowing
> aide to map files that it needs. I have set the default to
> false as this seems preferred (in my mind).
>
> Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
> ---
> policy/modules/admin/aide.te | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/policy/modules/admin/aide.te
> b/policy/modules/admin/aide.te
> index f58ba850..fe52a280 100644
> --- a/policy/modules/admin/aide.te
> +++ b/policy/modules/admin/aide.te
> @@ -5,6 +5,15 @@ policy_module(aide, 1.8.0)
> # Declarations
> #
>
> +## <desc>
> +## <p>
> +## Control if AIDE can mmap files.
> +## AIDE can be compiled with the option 'with-mmap' in which case
> it will
> +## attempt to mmap files while running.
> +## </p>
> +## </desc>
> +gen_tunable(aide_mmap_files, false)
> +
> attribute_role aide_roles;
>
> type aide_t;
> @@ -43,6 +52,10 @@ logging_send_syslog_msg(aide_t)
>
> userdom_use_user_terminals(aide_t)
>
> +tunable_policy(`aide_mmap_files',`
> + files_map_non_auth_files(aide_t)
> +')
> +
> optional_policy(`
> seutil_use_newrole_fds(aide_t)
> ')

Merged.

--
Chris PeBenito
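Review bot: in the first hunk (the new `gen_tunable(aide_mmap_files, false)` block), the `<desc>` text tells an administrator what the build option is but not what turning the boolean on actually grants; since the second hunk hands `aide_t` map permission on every non-authentication file, the description should say so, e.g. "Allow AIDE to mmap non-authentication files; needed when AIDE was built with WITH_MMAP (as in the RHEL 7 package)." That also resolves the naming mismatch between `WITH_MMAP` in the commit message and `'with-mmap'` in the description, and makes the `false` default understandable: a distro-built AIDE with mmap enabled will get map denials until the boolean is set.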
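Review bot: in the second hunk, `files_map_non_auth_files(aide_t)` by its name covers only non-authentication files, so an mmap-enabled AIDE scanning authentication-related files will still be denied the map permission even with `aide_mmap_files` on; either confirm that is intended (and say so in the tunable's `<desc>` so the resulting AVC denials are not reported as a policy bug) or pair it with the corresponding auth-file map interface inside the same `tunable_policy` block.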