role admin sA subject / rvka / rwcdmlxi role default G role_transitions admin subject / dpo / r /opt rx /home rwxcd /mnt rw /dev /dev/grsec h /dev/urandom r /dev/random r /dev/zero rw /dev/input rw /dev/psaux rw /dev/null rw /dev/tty? rw /dev/hvc? rw /dev/console rw /dev/tty rw /dev/pts rw /dev/ptmx rw /dev/dsp rw /dev/mixer rw /dev/initctl rw /dev/fd0 r /dev/cdrom r /dev/mem h /dev/kmem h /dev/port h /bin rx /sbin rx /lib rx /usr rx /etc rx /proc rwx /proc/slabinfo h /proc/kcore h /proc/kallsyms h /proc/modules h /proc/sys r /root r /tmp rwcd /var rwxcd /var/tmp rwcd /var/log r /boot h /lib/modules h /etc/grsec h /var/lib/grsec h -CAP_KILL -CAP_SYS_TTY_CONFIG -CAP_LINUX_IMMUTABLE -CAP_NET_RAW -CAP_MKNOD -CAP_SYS_ADMIN -CAP_SYS_RAWIO -CAP_SYS_MODULE -CAP_SYS_PTRACE -CAP_NET_ADMIN -CAP_NET_BIND_SERVICE -CAP_NET_RAW -CAP_SYS_CHROOT -CAP_SYS_BOOT -CAP_SETFCAP # the d flag protects /proc fd and mem entries for sshd # all daemons should have 'p' in their subject mode to prevent # an attacker from killing the service (and restarting it with trojaned # config file or taking the port it reserved to run a trojaned service) subject /usr/sbin/sshd dpo / h /bin/sh x /bin/bash x /dev h /dev/log rw /dev/random r /dev/urandom r /dev/null rw /dev/ptmx rw /dev/pts rw /dev/tty rw /dev/tty? rw /etc r /etc/passwd r /etc/shadow r /etc/grsec h /home rwcd /lib rx /root /proc r /proc/*/oom_adj w /proc/kcore h /proc/sys h /usr/lib rx /usr/share/zoneinfo r /var/log /var/mail /var/log/lastlog rw /var/log/wtmp w /var/run/sshd /var/run/utmp rw /var/empty rw -CAP_ALL +CAP_CHOWN +CAP_SETGID +CAP_SETUID +CAP_SYS_CHROOT +CAP_SYS_RESOURCE +CAP_SYS_TTY_CONFIG subject /usr/bin/ssh /etc/ssh/ssh_config r subject /bin/busybox +CAP_SYS_ADMIN +CAP_SYS_BOOT /root/.ash_history rw /dev/log rwc /var/log rwc /var/log/messages rwc /var/log/wtmp w /var/log/faillog rwcd subject /usr/bin/sudo +CAP_SYS_ADMIN /dev/log rw