.\" Man page generated from reStructuredText.
.
.TH AIDE_SELINUX 8 "2013-04-11" "" "SELinux"
.SH NAME
aide_selinux \- SELinux policy module for AIDE
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.SH DESCRIPTION
.sp
The \fBaide\fP SELinux module supports the AIDE application (Advanced Intrusion Detection Environment) and its resources.
.SH DOMAINS
.SS aide_t
.sp
The \fBaide_t\fP domain is used for the application runtime context. When the \fBaide\fP command is invoked, it should run within this domain.
.sp
The use of this domain is restricted to the roles responsible for the security administration of the system, namely \fBsysadm_r\fP and \fBsecadm_r\fP. Allowing other roles to use AIDE is strongly discouraged.
.sp
Due to its sensitive nature, when the MLS policy is enabled, AIDE runs at the \fBmls_systemhigh\fP sensitivity.
.SH LOCATIONS
.SS USER\-ORIENTED
.sp
The following list identifies the file resources used by the AIDE domain. Their types are by default assigned to the default locations for AIDE, so if you use a different location you will need to label it accordingly. You can do so through \fBsemanage\fP, like so:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
semanage fcontext \-a \-t aide_db_t "/mnt/db/aide(/.*)?"
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
The above example marks the \fI/mnt/db/aide\fP location as the location where the AIDE databases are stored (identified through the \fBaide_db_t\fP type).
.INDENT 0.0
.TP
.B aide_db_t
is used for the AIDE database location
.TP
.B aide_log_t
is used for the AIDE logs
.UNINDENT
.SH OTHER RESOURCES
.SS EXECUTABLE FILES
.INDENT 0.0
.TP
.B aide_exec_t
is used as the entry point for the AIDE application that runs in the \fBaide_t\fP domain
.UNINDENT
.SH POLICY
.sp
The following interfaces can be used to enhance the default policy with AIDE\-related privileges. More details on these interfaces can be found in the interface HTML documentation; not all available interfaces are listed here.
.SS Run interfaces
.sp
The following run interfaces allow users and roles access to the specified domains. They are only to be used for new user domains and roles.
.INDENT 0.0
.TP
.B aide_run
Allow the specified user domain and role access and transition rights to the \fBaide_t\fP domain.
.TP
.B aide_admin
Allow the specified user domain and role access and transition rights to the \fBaide_t\fP domain, and allow administration of the AIDE related resources.
.UNINDENT
.SS Domtrans interfaces
.sp
The following domain transition interfaces allow domains to execute and transition into the mentioned AIDE domain. They are only to be used for domains assumed to be running within the general \fBsystem_r\fP role, or within a role already allowed access to the AIDE domain (such as \fBsysadm_r\fP).
.INDENT 0.0
.TP
.B aide_domtrans
Allow the specified domain access and transition rights to the \fBaide_t\fP domain.
.UNINDENT
.SH SEE ALSO
.INDENT 0.0
.IP \(bu 2
Gentoo and SELinux at \fI\%https://wiki.gentoo.org/wiki/SELinux\fP
.IP \(bu 2
Gentoo Hardened SELinux Project at \fI\%https://wiki.gentoo.org/wiki/Project:Hardened\fP
.UNINDENT
.SH AUTHOR
Sven Vermeulen
.\" Generated by docutils manpage writer.
.
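.SH EXAMPLE
.sp
The following local policy module is an added example, not part of this man page or of the reference policy's own \fBaide\fP module. It shows how the run interfaces and the domtrans interface described under POLICY are called from a module of your own: \fBaide_run\fP for a dedicated administrative user domain and role, \fBaide_admin\fP when that role must also manage the \fBaide_db_t\fP and \fBaide_log_t\fP resources, and \fBaide_domtrans\fP for a daemon that already runs within \fBsystem_r\fP. The module name \fBlocal_aide\fP, the user domain \fBbackupadm_t\fP with its role \fBbackupadm_r\fP, and the daemon domain \fBbackupd_t\fP are assumptions made for illustration and are taken to be declared in other modules; the interface names and AIDE types are the ones this page documents.

```te
policy_module(local_aide, 1.0)

# Added example, not part of the aide module or this man page.
# The domains and role below are hypothetical and assumed to be
# declared by other modules on the system.
gen_require(`
	type backupadm_t;
	role backupadm_r;
	type backupd_t;
')

########################################
#
# Interactive use: a dedicated administrative domain/role.
#
# aide_run() lets backupadm_t execute aide_exec_t with a domain
# transition into aide_t, and allows role backupadm_r to hold the
# aide_t domain. Use it only for a new user domain and role; the
# existing sysadm_r and secadm_r roles are already covered.
#
aide_run(backupadm_t, backupadm_r)

# If the same role must also manage the database (aide_db_t) and
# log (aide_log_t) locations, call aide_admin() instead of aide_run():
#
# aide_admin(backupadm_t, backupadm_r)

########################################
#
# Unattended use: a daemon running within system_r that launches
# aide on a schedule.
#
# aide_domtrans() grants only the execute-and-transition into aide_t.
# No role rule is needed because system_r is already allowed aide_t;
# do not use it for domains of roles that are not allowed AIDE.
#
aide_domtrans(backupd_t)
```

.sp
Build and load the module with the usual reference policy toolchain for your distribution, then check the result with \fBsesearch\fP (for example, search for type transitions from \fBbackupadm_t\fP on \fBaide_exec_t\fP) before granting the role to any user.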