Diffstat (limited to 'testing/gradm/base.policyd')
-rw-r--r--testing/gradm/base.policyd133
1 files changed, 0 insertions, 133 deletions
diff --git a/testing/gradm/base.policyd b/testing/gradm/base.policyd
deleted file mode 100644
index cf66e7301e..0000000000
--- a/testing/gradm/base.policyd
+++ /dev/null
@@ -1,133 +0,0 @@
-role admin sA
-subject / rvka
- / rwcdmlxi
-
-role default G
-role_transitions admin
-subject / dpo
- / r
- /opt rx
- /home rwxcd
- /mnt rw
- /dev
- /dev/grsec h
- /dev/urandom r
- /dev/random r
- /dev/zero rw
- /dev/input rw
- /dev/psaux rw
- /dev/null rw
- /dev/tty? rw
- /dev/hvc? rw
- /dev/console rw
- /dev/tty rw
- /dev/pts rw
- /dev/ptmx rw
- /dev/dsp rw
- /dev/mixer rw
- /dev/initctl rw
- /dev/fd0 r
- /dev/cdrom r
- /dev/mem h
- /dev/kmem h
- /dev/port h
- /bin rx
- /sbin rx
- /lib rx
- /usr rx
- /etc rx
- /proc rwx
- /proc/slabinfo h
- /proc/kcore h
- /proc/kallsyms h
- /proc/modules h
- /proc/sys r
- /root r
- /tmp rwcd
- /var rwxcd
- /var/tmp rwcd
- /var/log r
- /boot h
- /lib/modules h
- /etc/grsec h
- /var/lib/grsec h
-
- -CAP_KILL
- -CAP_SYS_TTY_CONFIG
- -CAP_LINUX_IMMUTABLE
- -CAP_NET_RAW
- -CAP_MKNOD
- -CAP_SYS_ADMIN
- -CAP_SYS_RAWIO
- -CAP_SYS_MODULE
- -CAP_SYS_PTRACE
- -CAP_NET_ADMIN
- -CAP_NET_BIND_SERVICE
- -CAP_NET_RAW
- -CAP_SYS_CHROOT
- -CAP_SYS_BOOT
- -CAP_SETFCAP
-
-# the d flag protects /proc fd and mem entries for sshd
-# all daemons should have 'p' in their subject mode to prevent
-# an attacker from killing the service (and restarting it with trojaned
-# config file or taking the port it reserved to run a trojaned service)
-subject /usr/sbin/sshd dpo
- / h
- /bin/sh x
- /bin/bash x
- /dev h
- /dev/log rw
- /dev/random r
- /dev/urandom r
- /dev/null rw
- /dev/ptmx rw
- /dev/pts rw
- /dev/tty rw
- /dev/tty? rw
- /etc r
- /etc/passwd r
- /etc/shadow r
- /etc/grsec h
- /home rwcd
- /lib rx
- /root
- /proc r
- /proc/*/oom_adj w
- /proc/kcore h
- /proc/sys h
- /usr/lib rx
- /usr/share/zoneinfo r
- /var/log
- /var/mail
- /var/log/lastlog rw
- /var/log/wtmp w
- /var/run/sshd
- /var/run/utmp rw
- /var/empty rw
-
- -CAP_ALL
- +CAP_CHOWN
- +CAP_SETGID
- +CAP_SETUID
- +CAP_SYS_CHROOT
- +CAP_SYS_RESOURCE
- +CAP_SYS_TTY_CONFIG
-
-subject /usr/bin/ssh
- /etc/ssh/ssh_config r
-
-subject /bin/busybox
- +CAP_SYS_ADMIN
- +CAP_SYS_BOOT
- /root/.ash_history rw
- /dev/log rwc
- /var/log rwc
- /var/log/messages rwc
- /var/log/wtmp w
- /var/log/faillog rwcd
-
-subject /usr/bin/sudo
- +CAP_SYS_ADMIN
- /dev/log rw
-