selinux-refpolicy/policy/modules/admin/aide.te
Chris PeBenito 8c3893e427 Bump module versions for release.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-06-09 14:05:19 -04:00

61 lines
1.2 KiB
Plaintext

policy_module(aide, 1.9.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Control if AIDE can mmap files.
## AIDE can be compiled with the option 'with-mmap' in which case it will
## attempt to mmap files while running.
## </p>
## </desc>
gen_tunable(aide_mmap_files, false)
attribute_role aide_roles;
type aide_t;
type aide_exec_t;
application_domain(aide_t, aide_exec_t)
role aide_roles types aide_t;
type aide_log_t;
logging_log_file(aide_log_t)
type aide_db_t;
files_type(aide_db_t)
########################################
#
# Local policy
#
allow aide_t self:capability { dac_override fowner };
manage_files_pattern(aide_t, aide_db_t, aide_db_t)
create_files_pattern(aide_t, aide_log_t, aide_log_t)
append_files_pattern(aide_t, aide_log_t, aide_log_t)
setattr_files_pattern(aide_t, aide_log_t, aide_log_t)
logging_log_filetrans(aide_t, aide_log_t, file)
files_read_all_files(aide_t)
files_read_all_symlinks(aide_t)
kernel_read_crypto_sysctls(aide_t)
logging_send_audit_msgs(aide_t)
logging_send_syslog_msg(aide_t)
userdom_use_user_terminals(aide_t)
tunable_policy(`aide_mmap_files',`
files_map_non_auth_files(aide_t)
')
optional_policy(`
seutil_use_newrole_fds(aide_t)
')