Allow AIDE to mmap files

AIDE has a compile time option WITH_MMAP which allows AIDE to
map files during scanning.  RHEL7 has set this option in the
aide rpm they distribute.

Changes made to add a tunable to enable permissions allowing
aide to map files that it needs.  I have set the default to
false as this seems preferred (in my mind).

Signed-off-by: Dave Sugar <dsugar@tresys.com>
Sugar, David 2019-02-25 23:37:47 +00:00 committed by Chris PeBenito
parent e5b8318420
commit 59413b10b8
1 changed files with 13 additions and 0 deletions

@ -5,6 +5,15 @@ policy_module(aide, 1.8.0)
# Declarations
#
## <desc>
## <p>
## Control if AIDE can mmap files.
## AIDE can be compiled with the option 'with-mmap' in which case it will
## attempt to mmap files while running.
## </p>
## </desc>
gen_tunable(aide_mmap_files, false)
attribute_role aide_roles;
type aide_t;
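Review bot: The tunable description in the desc block says only that AIDE can "mmap files" and does not state which files the boolean covers or that it ships disabled. Because the enabled branch grants files_map_non_auth_files(aide_t), suggest wording along the lines of "Allow AIDE to mmap all non-auth files", plus a sentence that an AIDE build with mmap support needs the boolean turned on. The build option is also spelled 'with-mmap' here but WITH_MMAP in the commit message; pick one spelling so an admin can match it against their package.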
@ -43,6 +52,10 @@ logging_send_syslog_msg(aide_t)
userdom_use_user_terminals(aide_t)
tunable_policy(`aide_mmap_files',`
files_map_non_auth_files(aide_t)
')
optional_policy(`
seutil_use_newrole_fds(aide_t)
')
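Review bot: files_map_non_auth_files(aide_t) inside the tunable_policy block covers non-auth files only, so the boolean does not extend map permission to auth files. If aide_t is allowed to read auth files elsewhere in this module (not visible in this hunk), an mmap-enabled AIDE would still be denied map on those even with aide_mmap_files set to true. Please confirm that this is the intended scope, and say so in the tunable description if it is.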