policy_module(aide, 1.9.0) ######################################## # # Declarations # ## ##

## Control if AIDE can mmap files. ## AIDE can be compiled with the option 'with-mmap' in which case it will ## attempt to mmap files while running. ##

##
gen_tunable(aide_mmap_files, false) attribute_role aide_roles; type aide_t; type aide_exec_t; application_domain(aide_t, aide_exec_t) role aide_roles types aide_t; type aide_log_t; logging_log_file(aide_log_t) type aide_db_t; files_type(aide_db_t) ######################################## # # Local policy # allow aide_t self:capability { dac_override fowner }; manage_files_pattern(aide_t, aide_db_t, aide_db_t) create_files_pattern(aide_t, aide_log_t, aide_log_t) append_files_pattern(aide_t, aide_log_t, aide_log_t) setattr_files_pattern(aide_t, aide_log_t, aide_log_t) logging_log_filetrans(aide_t, aide_log_t, file) files_read_all_files(aide_t) files_read_all_symlinks(aide_t) kernel_read_crypto_sysctls(aide_t) logging_send_audit_msgs(aide_t) logging_send_syslog_msg(aide_t) userdom_use_user_terminals(aide_t) tunable_policy(`aide_mmap_files',` files_map_non_auth_files(aide_t) ') optional_policy(` seutil_use_newrole_fds(aide_t) ')