selinux-refpolicy/policy/modules/admin/aide.te

policy_module(aide, 1.9.0)

########################################
#
# Declarations
#

## <desc>
##	<p>
##	Control if AIDE can mmap files.
##	AIDE can be compiled with the option 'with-mmap' in which case it will
## 	attempt to mmap files while running.
##	</p>
## </desc>
gen_tunable(aide_mmap_files, false)

attribute_role aide_roles;

type aide_t;
type aide_exec_t;
application_domain(aide_t, aide_exec_t)
role aide_roles types aide_t;

type aide_log_t;
logging_log_file(aide_log_t)

type aide_db_t;
files_type(aide_db_t)

########################################
#
# Local policy
#

allow aide_t self:capability { dac_override fowner };

manage_files_pattern(aide_t, aide_db_t, aide_db_t)

create_files_pattern(aide_t, aide_log_t, aide_log_t)
append_files_pattern(aide_t, aide_log_t, aide_log_t)
setattr_files_pattern(aide_t, aide_log_t, aide_log_t)
logging_log_filetrans(aide_t, aide_log_t, file)

files_read_all_files(aide_t)
files_read_all_symlinks(aide_t)

kernel_read_crypto_sysctls(aide_t)

logging_send_audit_msgs(aide_t)
logging_send_syslog_msg(aide_t)

userdom_use_user_terminals(aide_t)

tunable_policy(`aide_mmap_files',`
	files_map_non_auth_files(aide_t)
')

optional_policy(`
	seutil_use_newrole_fds(aide_t)
')
Bump module versions for release. Signed-off-by: Chris PeBenito <pebenito@ieee.org> 2019-06-09 18:05:19 +00:00			`policy_module(aide, 1.9.0)`
Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00
			`########################################`
			`#`
			`# Declarations`
			`#`

Allow AIDE to mmap files AIDE has a compile time option WITH_MMAP which allows AIDE to map files during scanning. RHEL7 has set this option in the aide rpm they distribute. Changes made to add a tunable to enable permissions allowing aide to map files that it needs. I have set the default to false as this seems perfered (in my mind). Signed-off-by: Dave Sugar <dsugar@tresys.com> 2019-02-25 23:37:47 +00:00			`## <desc>`
			`## <p>`
			`## Control if AIDE can mmap files.`
			`## AIDE can be compiled with the option 'with-mmap' in which case it will`
			`## attempt to mmap files while running.`
			`## </p>`
			`## </desc>`
			`gen_tunable(aide_mmap_files, false)`

Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00			`attribute_role aide_roles;`

			`type aide_t;`
			`type aide_exec_t;`
			`application_domain(aide_t, aide_exec_t)`
			`role aide_roles types aide_t;`

			`type aide_log_t;`
			`logging_log_file(aide_log_t)`

			`type aide_db_t;`
			`files_type(aide_db_t)`

			`########################################`
			`#`
			`# Local policy`
			`#`

			`allow aide_t self:capability { dac_override fowner };`

			`manage_files_pattern(aide_t, aide_db_t, aide_db_t)`

			`create_files_pattern(aide_t, aide_log_t, aide_log_t)`
			`append_files_pattern(aide_t, aide_log_t, aide_log_t)`
			`setattr_files_pattern(aide_t, aide_log_t, aide_log_t)`
			`logging_log_filetrans(aide_t, aide_log_t, file)`

			`files_read_all_files(aide_t)`
			`files_read_all_symlinks(aide_t)`

Allow AIDE to read kernel sysctl_crypto_t type=AVC msg=audit(1550799594.212:164): avc: denied { search } for pid=7182 comm="aide" name="crypto" dev="proc" ino=10257 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1550799594.212:164): avc: denied { read } for pid=7182 comm="aide" name="fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1550799594.212:164): avc: denied { open } for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1550799594.213:165): avc: denied { getattr } for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com> 2019-02-25 23:37:47 +00:00			`kernel_read_crypto_sysctls(aide_t)`
Allow AIDE to sendto kernel datagram socket type=AVC msg=audit(1550799594.394:205): avc: denied { sendto } for pid=7182 comm="aide" path="/dev/log" scontext=system_u:system_r:aide_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com> 2019-02-25 23:37:46 +00:00
Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00			`logging_send_audit_msgs(aide_t)`
			`logging_send_syslog_msg(aide_t)`

			`userdom_use_user_terminals(aide_t)`

Allow AIDE to mmap files AIDE has a compile time option WITH_MMAP which allows AIDE to map files during scanning. RHEL7 has set this option in the aide rpm they distribute. Changes made to add a tunable to enable permissions allowing aide to map files that it needs. I have set the default to false as this seems perfered (in my mind). Signed-off-by: Dave Sugar <dsugar@tresys.com> 2019-02-25 23:37:47 +00:00			tunable_policy(`aide_mmap_files',`
			`files_map_non_auth_files(aide_t)`
			`')`

Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00			optional_policy(`
			`seutil_use_newrole_fds(aide_t)`
			`')`