authorWilliam Pitcock <nenolod@dereferenced.org>2011-02-08 00:07:08 -0600
committerWilliam Pitcock <nenolod@dereferenced.org>2011-02-08 00:07:08 -0600
commit4e75b2fc40c44c49152adb497660f6189261a929 (patch)
tree28cce9c750130277da370ca2cb1087c6c0b6010b /main/gradm/base.policyd
parentb87391cc121aafd3de4c59466696a3b63dde8964 (diff)
testing/gradm: move to main
Diffstat (limited to 'main/gradm/base.policyd')
-rw-r--r--main/gradm/base.policyd133
1 files changed, 133 insertions, 0 deletions
diff --git a/main/gradm/base.policyd b/main/gradm/base.policyd
new file mode 100644
index 000000000..cf66e7301
--- /dev/null
+++ b/main/gradm/base.policyd
@@ -0,0 +1,133 @@
+role admin sA
+subject / rvka
+ / rwcdmlxi
+
+role default G
+role_transitions admin
+subject / dpo
+ / r
+ /opt rx
+ /home rwxcd
+ /mnt rw
+ /dev
+ /dev/grsec h
+ /dev/urandom r
+ /dev/random r
+ /dev/zero rw
+ /dev/input rw
+ /dev/psaux rw
+ /dev/null rw
+ /dev/tty? rw
+ /dev/hvc? rw
+ /dev/console rw
+ /dev/tty rw
+ /dev/pts rw
+ /dev/ptmx rw
+ /dev/dsp rw
+ /dev/mixer rw
+ /dev/initctl rw
+ /dev/fd0 r
+ /dev/cdrom r
+ /dev/mem h
+ /dev/kmem h
+ /dev/port h
+ /bin rx
+ /sbin rx
+ /lib rx
+ /usr rx
+ /etc rx
+ /proc rwx
+ /proc/slabinfo h
+ /proc/kcore h
+ /proc/kallsyms h
+ /proc/modules h
+ /proc/sys r
+ /root r
+ /tmp rwcd
+ /var rwxcd
+ /var/tmp rwcd
+ /var/log r
+ /boot h
+ /lib/modules h
+ /etc/grsec h
+ /var/lib/grsec h
+
+ -CAP_KILL
+ -CAP_SYS_TTY_CONFIG
+ -CAP_LINUX_IMMUTABLE
+ -CAP_NET_RAW
+ -CAP_MKNOD
+ -CAP_SYS_ADMIN
+ -CAP_SYS_RAWIO
+ -CAP_SYS_MODULE
+ -CAP_SYS_PTRACE
+ -CAP_NET_ADMIN
+ -CAP_NET_BIND_SERVICE
+ -CAP_NET_RAW
+ -CAP_SYS_CHROOT
+ -CAP_SYS_BOOT
+ -CAP_SETFCAP
+
+# the d flag protects /proc fd and mem entries for sshd
+# all daemons should have 'p' in their subject mode to prevent
+# an attacker from killing the service (and restarting it with trojaned
+# config file or taking the port it reserved to run a trojaned service)
+subject /usr/sbin/sshd dpo
+ / h
+ /bin/sh x
+ /bin/bash x
+ /dev h
+ /dev/log rw
+ /dev/random r
+ /dev/urandom r
+ /dev/null rw
+ /dev/ptmx rw
+ /dev/pts rw
+ /dev/tty rw
+ /dev/tty? rw
+ /etc r
+ /etc/passwd r
+ /etc/shadow r
+ /etc/grsec h
+ /home rwcd
+ /lib rx
+ /root
+ /proc r
+ /proc/*/oom_adj w
+ /proc/kcore h
+ /proc/sys h
+ /usr/lib rx
+ /usr/share/zoneinfo r
+ /var/log
+ /var/mail
+ /var/log/lastlog rw
+ /var/log/wtmp w
+ /var/run/sshd
+ /var/run/utmp rw
+ /var/empty rw
+
+ -CAP_ALL
+ +CAP_CHOWN
+ +CAP_SETGID
+ +CAP_SETUID
+ +CAP_SYS_CHROOT
+ +CAP_SYS_RESOURCE
+ +CAP_SYS_TTY_CONFIG
+
+subject /usr/bin/ssh
+ /etc/ssh/ssh_config r
+
+subject /bin/busybox
+ +CAP_SYS_ADMIN
+ +CAP_SYS_BOOT
+ /root/.ash_history rw
+ /dev/log rwc
+ /var/log rwc
+ /var/log/messages rwc
+ /var/log/wtmp w
+ /var/log/faillog rwcd
+
+subject /usr/bin/sudo
+ +CAP_SYS_ADMIN
+ /dev/log rw
+
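Review bot: The `subject /bin/busybox` block near the end of the file adds `+CAP_SYS_ADMIN` and `+CAP_SYS_BOOT` back for every process running that binary, and since it carries no `o` mode it presumably inherits everything else from the default subject. Where /bin/busybox is the multi-call binary behind the shell and most utilities (the `/root/.ash_history` object suggests it is), this undoes the `-CAP_SYS_ADMIN` and `-CAP_SYS_BOOT` drops of the default subject for nearly every root process. The sshd subject also allows `/bin/sh x`, so if that path resolves to busybox, a login session would run under this more privileged subject; that is worth confirming before the policy ships in main. If the grant is needed only for particular operations, state that in a comment above the subject, for example `# needed by the busybox applets that mount or reboot; all other applets receive these caps too`, and consider narrowing it. The `+CAP_SYS_ADMIN` under `subject /usr/bin/sudo` is likewise unexplained, and `-CAP_NET_RAW` is listed twice in the default subject.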