From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, man/man8/
Date: Thu, 11 Apr 2013 14:36:36 +0000 (UTC)
Message-ID: <1365690966.2b9c35808edc6b66464db7ce0ba714b3ce81b15f.SwifT@gentoo>
commit: 2b9c35808edc6b66464db7ce0ba714b3ce81b15f
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Apr 11 14:36:06 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Apr 11 14:36:06 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2b9c3580
Add in AIDE SELinux manpage
---
man/man8/aide_selinux.8 | 128 +++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/aide.rst | 107 ++++++++++++++++++++++++++++++++
2 files changed, 235 insertions(+), 0 deletions(-)
diff --git a/man/man8/aide_selinux.8 b/man/man8/aide_selinux.8
new file mode 100644
index 0000000..382376f
--- /dev/null
+++ b/man/man8/aide_selinux.8
@@ -0,0 +1,128 @@
+.\" Man page generated from reStructuredText.
+.
+.TH AIDE_SELINUX 8 "2013-04-11" "" "SELinux"
+.SH NAME
+aide_selinux \- SELinux policy module for AIDE
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SH DESCRIPTION
+.sp
+The \fBaide\fP SELinux module supports the AIDE application (Advanced Intrusion
+Detection Environment) and resources.
+.SH DOMAINS
+.SS aide_t
+.sp
+The \fBaide_t\fP domain is used for the application runtime context. When the
+\fBaide\fP command is invoked, it should run within this domain.
+.sp
+The use of this domain is restricted to the roles responsible for the security
+administration of the system, so \fBsysadm_r\fP and \fBsecadm_r\fP. It is strongly
+discouraged to allow the use of AIDE for other roles.
+.sp
+Due to its sensitive nature, when the MLS policy is enabled, AIDE runs in the
+\fBmls_systemhigh\fP sensitivity.
+.SH LOCATIONS
+.SS USER\-ORIENTED
+.sp
+The following list of locations identify file resources that are used by the
+AIDE domain. They are by default allocated towards the default locations for
+AIDE, so if you use a different location, you will need to properly address
+this. You can do so through \fBsemanage\fP, like so:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+semanage fcontext \-a \-t aide_db_t "/mnt/db/aide(/.*)?"
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The above example marks the \fI/mnt/db/aide\fP location as the location where
+the AIDE databases are stored (identified through the \fBaide_db_t\fP type).
+.INDENT 0.0
+.TP
+.B aide_db_t
+is used for the AIDE database location
+.TP
+.B aide_log_t
+is used for the AIDE logs
+.UNINDENT
+.SH OTHER RESOURCES
+.SS EXECUTABLE FILES
+.INDENT 0.0
+.TP
+.B aide_exec_t
+is used as entry point for the AIDE application that runs in the \fBaide_t\fP
+domain
+.UNINDENT
+.SH POLICY
+.sp
+The following interfaces can be used to enhance the default policy with
+AIDE\-related privileges. More details on these interfaces can be found in the
+interface HTML documentation, we will not list all available interfaces here.
+.SS Run interfaces
+.sp
+The following run interfaces allow users and roles access to the specified
+domains. Only to be used for new user domains and roles.
+.INDENT 0.0
+.TP
+.B aide_run
+Allow the specified user domain and role access and transition rights to the
+\fBaide_t\fP domain.
+.TP
+.B aide_admin
+Allow the specified user domain and role access and transition rights to the
+\fBaide_t\fP domain, and allow administration of the AIDE related resources.
+.UNINDENT
+.SS Domtrans interfaces
+.sp
+The following domain transition interfaces allow domains to execute and
+transition into the mentioned AIDE domain. Only to be used for domains
+assumed to be running within the general \fBsystem_r\fP role, or within a role
+already allowed access to the AIDE domain (such as \fBsysadm_r\fP).
+.INDENT 0.0
+.TP
+.B aide_domtrans
+Allow the specified domain access and transition rights to the \fBaide_t\fP
+domain.
+.UNINDENT
+.SH SEE ALSO
+.INDENT 0.0
+.IP \(bu 2
+Gentoo and SELinux at
+\fI\%https://wiki.gentoo.org/wiki/SELinux\fP
+.IP \(bu 2
+Gentoo Hardened SELinux Project at
+\fI\%http://www.gentoo.org/proj/en/hardened/selinux\fP
+.UNINDENT
+.SH AUTHOR
+Sven Vermeulen <swift@gentoo.org>
+.\" Generated by docutils manpage writer.
+.
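Review bot: the semanage example under LOCATIONS ('semanage fcontext -a -t aide_db_t "/mnt/db/aide(/.*)?"') adds a file-context rule but never tells the reader to apply it; files already present under /mnt/db/aide keep their old label and are not recognised as aide_db_t until a relabel such as 'restorecon -R -v /mnt/db/aide' is run, so the relabel step should follow the example. Because this file announces itself as generated output (".\" Man page generated from reStructuredText." and ".\" Generated by docutils manpage writer."), that fix belongs in policy/modules/contrib/aide.rst with the .8 regenerated from it rather than hand-edited, and the commit would benefit from stating how the .8 is regenerated so the two copies do not drift. The same paragraph says the types are "by default allocated towards the default locations for AIDE" without naming those locations; listing the default paths for aide_db_t and aide_log_t would let an administrator check a non-default layout against them.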
diff --git a/policy/modules/contrib/aide.rst b/policy/modules/contrib/aide.rst
new file mode 100644
index 0000000..80325fe
--- /dev/null
+++ b/policy/modules/contrib/aide.rst
@@ -0,0 +1,107 @@
+=================
+ aide_selinux
+=================
+
+------------------------------
+SELinux policy module for AIDE
+------------------------------
+
+:Author: Sven Vermeulen <swift@gentoo.org>
+:Date: 2013-04-11
+:Manual section: 8
+:Manual group: SELinux
+
+DESCRIPTION
+===========
+
+The **aide** SELinux module supports the AIDE application (Advanced Intrusion
+Detection Environment) and resources.
+
+DOMAINS
+=======
+
+aide_t
+------
+
+The **aide_t** domain is used for the application runtime context. When the
+``aide`` command is invoked, it should run within this domain.
+
+The use of this domain is restricted to the roles responsible for the security
+administration of the system, so **sysadm_r** and **secadm_r**. It is strongly
+discouraged to allow the use of AIDE for other roles.
+
+Due to its sensitive nature, when the MLS policy is enabled, AIDE runs in the
+**mls_systemhigh** sensitivity.
+
+LOCATIONS
+=========
+
+USER-ORIENTED
+-------------
+
+The following list of locations identify file resources that are used by the
+AIDE domain. They are by default allocated towards the default locations for
+AIDE, so if you use a different location, you will need to properly address
+this. You can do so through ``semanage``, like so::
+
+ semanage fcontext -a -t aide_db_t "/mnt/db/aide(/.*)?"
+
+The above example marks the */mnt/db/aide* location as the location where
+the AIDE databases are stored (identified through the **aide_db_t** type).
+
+aide_db_t
+ is used for the AIDE database location
+
+aide_log_t
+ is used for the AIDE logs
+
+OTHER RESOURCES
+===============
+
+EXECUTABLE FILES
+----------------
+
+aide_exec_t
+ is used as entry point for the AIDE application that runs in the **aide_t**
+ domain
+
+POLICY
+======
+
+The following interfaces can be used to enhance the default policy with
+AIDE-related privileges. More details on these interfaces can be found in the
+interface HTML documentation, we will not list all available interfaces here.
+
+Run interfaces
+--------------
+
+The following run interfaces allow users and roles access to the specified
+domains. Only to be used for new user domains and roles.
+
+aide_run
+ Allow the specified user domain and role access and transition rights to the
+ **aide_t** domain.
+
+aide_admin
+ Allow the specified user domain and role access and transition rights to the
+ **aide_t** domain, and allow administration of the AIDE related resources.
+
+Domtrans interfaces
+-------------------
+
+The following domain transition interfaces allow domains to execute and
+transition into the mentioned AIDE domain. Only to be used for domains
+assumed to be running within the general **system_r** role, or within a role
+already allowed access to the AIDE domain (such as **sysadm_r**).
+
+aide_domtrans
+ Allow the specified domain access and transition rights to the **aide_t**
+ domain.
+
+SEE ALSO
+========
+
+* Gentoo and SELinux at
+ https://wiki.gentoo.org/wiki/SELinux
+* Gentoo Hardened SELinux Project at
+ http://www.gentoo.org/proj/en/hardened/selinux
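Review bot: a few wording problems in the source text, which should be fixed here (and the man page regenerated) rather than in man/man8/aide_selinux.8: under USER-ORIENTED, "The following list of locations identify file resources" should read "identifies"; under aide_t, "so **sysadm_r** and **secadm_r**" reads as a consequence where "namely" is meant; and under POLICY, "interface HTML documentation, we will not list all available interfaces here" is a comma splice that is clearer as two sentences. One documentation gap as well: aide_log_t gets only a one-line definition while aide_db_t gets a worked semanage example; a matching "semanage fcontext -a -t aide_log_t ..." line, or a sentence saying the same procedure applies to the log location, would make the LOCATIONS section complete.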