gradm generated policy with shipped learn_config

  1. # policy generated from full system learning
  2.  
  3. define grsec_denied {
  4. /boot h
  5. /dev/grsec h
  6. /dev/kmem h
  7. /dev/mem h
  8. /dev/port h
  9. /etc/grsec h
  10. /proc/kcore h
  11. /proc/slabinfo h
  12. /proc/modules h
  13. /proc/kallsyms h
  14. /lib/modules hs
  15. /lib64/modules hs
  16. /etc/ssh h
  17. }
  18.  
  19. role admin sA
  20. subject / rvka
  21. / rwcdmlxi
  22.  
  23. role shutdown sARG
  24. subject / rvka
  25. /
  26. /dev
  27. /dev/urandom r
  28. /dev/random r
  29. /etc r
  30. /bin rx
  31. /sbin rx
  32. /lib rx
  33. /lib64 rx
  34. /usr rx
  35. /proc r
  36. $grsec_denied
  37. -CAP_ALL
  38. connect disabled
  39. bind disabled
  40.  
  41. role default
  42. subject /
  43. / h
  44. -CAP_ALL
  45. connect disabled
  46. bind disabled
  47.  
  48. role sshd u
  49. # Role: sshd
  50. subject / {
  51. / h
  52. -CAP_ALL
  53. bind disabled
  54. connect disabled
  55. }
  56.  
  57. role root uG
  58. role_transitions admin shutdown
  59. role_allow_ip 10.7.0.103/32
  60. role_allow_ip 0.0.0.0/32
  61. # Role: root
  62. subject / {
  63. / h
  64. /bin h
  65. /bin/bash x
  66. /dev h
  67. /dev/initctl
  68. /dev/tty rw
  69. /etc h
  70. /etc/bash.bashrc r
  71. /etc/ld.so.cache r
  72. /lib rx
  73. /lib/modules h
  74. /proc h
  75. /proc/meminfo r
  76. /root
  77. /root/.bashrc r
  78. /sbin h
  79. /sbin/gradm x
  80. /usr h
  81. /usr/lib/gconv/gconv-modules.cache r
  82. /usr/lib/locale/locale-archive r
  83. -CAP_ALL
  84. bind disabled
  85. connect disabled
  86. }
  87.  
  88. # Role: root
  89. subject /usr/sbin/sshd o {
  90. user_transition_allow sshd root
  91. group_transition_allow nogroup root
  92.  
  93. /
  94. /bin h
  95. /bin/bash x
  96. /boot h
  97. /dev h
  98. /dev/log rw
  99. /dev/null rw
  100. /dev/urandom r
  101. /etc r
  102. /etc/grsec h
  103. /etc/gshadow h
  104. /etc/gshadow- h
  105. /etc/ppp h
  106. /etc/samba/smbpasswd h
  107. /etc/shadow- h
  108. /lib rx
  109. /lib/modules h
  110. /lib64/modules h
  111. /proc w
  112. /proc/bus h
  113. /proc/filesystems r
  114. /proc/kallsyms h
  115. /proc/kcore h
  116. /proc/modules h
  117. /proc/slabinfo h
  118. /proc/sys/kernel/ngroups_max r
  119. /sys h
  120. /usr h
  121. /usr/lib rx
  122. /usr/sbin h
  123. /usr/sbin/sshd x
  124. /usr/share h
  125. /usr/share/ssh/blacklist.DSA-1024 r
  126. /usr/share/ssh/blacklist.RSA-2048 r
  127. /usr/share/ssh/blacklist.RSA-4096 r
  128. /var h
  129. /var/run
  130. /var/run/motd r
  131. /var/run/utmp r
  132. -CAP_ALL
  133. +CAP_SETGID
  134. +CAP_SETUID
  135. +CAP_SYS_CHROOT
  136. +CAP_SYS_RESOURCE
  137. bind 0.0.0.0/32:4301 stream tcp
  138. connect disabled
  139. sock_allow_family ipv6 netlink
  140. }