Try this.

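# aide.fc -- file contexts for the AIDE integrity checker.
# All three entries are labeled at mls_systemhigh, so the binary, the
# baseline database and the log sit at the system-high MLS range.
# (Each entry is one physical line; the mail client had wrapped them.)
/usr/sbin/aide          --      gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)

# The trailing "?" makes the pattern match /var/lib/aide itself as well
# as everything below it.  Without it the directory keeps the generic
# /var/lib label, and within this module aide_t only has rw_dir_perms on
# aide_db_t, so it could not create or update the database there.
/var/lib/aide(/.*)?             gen_context(system_u:object_r:aide_db_t,mls_systemhigh)

/var/log/aide.log       --      gen_context(system_u:object_r:aide_log_t,mls_systemhigh)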
## <summary>Aide filesystem integrity checker</summary>

########################################
## <summary>
##      Execute aide in the aide domain.
## </summary>
## <desc>
##      <p>
##      Lets the calling domain execute the aide binary (aide_exec_t)
##      and automatically transition into aide_t.  The new aide_t
##      process may inherit the caller's file descriptors, read and
##      write the caller's pipes, and send the caller SIGCHLD on exit;
##      the caller may in turn use descriptors owned by aide_t.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      The type of the process performing this action.
##      </summary>
## </param>
#
interface(`aide_domtrans',`
        gen_require(`
                type aide_t, aide_exec_t;
        ')

        # the caller has to be able to look the binary up under /usr/sbin
        corecmd_search_sbin($1)
        domain_auto_trans($1,aide_exec_t,aide_t)

        # descriptor / pipe / exit-signal plumbing between the two domains,
        # listed explicitly alongside the transition macro
        allow $1 aide_t:fd use;
        allow aide_t $1:fd use;
        allow aide_t $1:fifo_file rw_file_perms;
        allow aide_t $1:process sigchld;
')


########################################
## <summary>
##      Execute aide programs in the AIDE domain.
## </summary>
## <desc>
##      <p>
##      Wraps aide_domtrans(): the caller's domain transitions into
##      aide_t, the given role is permitted to hold aide_t, and aide_t
##      may read and write the given terminal type(s) so that the
##      check's output reaches the administrator's session.
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <param name="role">
##      <summary>
##      The role to allow the AIDE domain.
##      </summary>
## </param>
## <param name="terminal">
##      <summary>
##      The type of the terminal the AIDE domain is allowed to use.
##      A single type or a brace-enclosed set of types may be given.
##      </summary>
## </param>
#
interface(`aide_run',`
        gen_require(`
                type aide_t;
        ')

        aide_domtrans($1)
        # the role must contain aide_t for a process in that role to enter it
        role $2 types aide_t;
        # the caller's tty/pty device(s), so aide's output is visible
        allow aide_t $3:chr_file rw_file_perms;
')
policy_module(aide,1.0)

########################################
#
# Declarations
#

# The confined aide process domain and its entry-point binary.
type aide_t;
type aide_exec_t;
domain_type(aide_t)
domain_entry_file(aide_t,aide_exec_t)

# The baseline database kept under /var/lib/aide.
type aide_db_t;
files_type(aide_db_t)

# Report output written under /var/log.
type aide_log_t;
logging_log_file(aide_log_t)

########################################
#
# aide local policy
#

# Capabilities.  dac_override and fowner let the scan get past DAC on
# files it does not own; audit_write together with the netlink audit
# socket (nlmsg_relay) presumably lets aide emit audit records.
allow aide_t self:capability { audit_write dac_override fowner };
allow aide_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };

# The scan has to be able to read every file type known to the policy in
# order to hash it -- this is the broad grant that justifies confining
# the domain at all.
files_read_all_files(aide_t)
libs_use_shared_libs(aide_t)

# Database: within this module aide_t is the only domain given any access
# to aide_db_t, so nothing else here can rewrite the baseline.
allow aide_t aide_db_t:dir rw_dir_perms;
allow aide_t aide_db_t:file create_file_perms;

# Log: files aide_t creates in the log directory are labeled aide_log_t.
logging_log_filetrans(aide_t,aide_log_t,file)
allow aide_t aide_log_t:file create_file_perms;

# Inherit descriptors from newrole when launched through it.
seutil_use_newrole_fds(aide_t)

policy_module(local,1.0)

# Site-local policy: allow the security administrator to run AIDE.

gen_require(`
        role secadm_r;
        type secadm_t;
        type secadm_tty_device_t, secadm_devpts_t;
')

# aide_run(domain, role, terminal): secadm_t transitions into aide_t,
# secadm_r may hold the aide_t type, and aide_t may read/write both the
# secadm console tty and pty device types for its output.
aide_run(secadm_t, secadm_r, { secadm_devpts_t secadm_tty_device_t })
