mirrors/aports
1
0
Fork 0
mirror of https://gitlab.alpinelinux.org/alpine/aports.git synced 2026-01-04 08:12:06 +01:00
Code Issues Packages Projects Releases Wiki Activity
aports/main/gradm/base.policyd
William Pitcock 4e75b2fc40 testing/gradm: move to main
2011-02-08 00:07:08 -06:00

134 lines
2.0 KiB
Plaintext
Raw Blame History

role admin sA
subject / rvka
/ rwcdmlxi
role default G
role_transitions admin
subject / dpo
/ r
/opt rx
/home rwxcd
/mnt rw
/dev
/dev/grsec h
/dev/urandom r
/dev/random r
/dev/zero rw
/dev/input rw
/dev/psaux rw
/dev/null rw
/dev/tty? rw
/dev/hvc? rw
/dev/console rw
/dev/tty rw
/dev/pts rw
/dev/ptmx rw
/dev/dsp rw
/dev/mixer rw
/dev/initctl rw
/dev/fd0 r
/dev/cdrom r
/dev/mem h
/dev/kmem h
/dev/port h
/bin rx
/sbin rx
/lib rx
/usr rx
/etc rx
/proc rwx
/proc/slabinfo h
/proc/kcore h
/proc/kallsyms h
/proc/modules h
/proc/sys r
/root r
/tmp rwcd
/var rwxcd
/var/tmp rwcd
/var/log r
/boot h
/lib/modules h
/etc/grsec h
/var/lib/grsec h
-CAP_KILL
-CAP_SYS_TTY_CONFIG
-CAP_LINUX_IMMUTABLE
-CAP_NET_RAW
-CAP_MKNOD
-CAP_SYS_ADMIN
-CAP_SYS_RAWIO
-CAP_SYS_MODULE
-CAP_SYS_PTRACE
-CAP_NET_ADMIN
-CAP_NET_BIND_SERVICE
-CAP_NET_RAW
-CAP_SYS_CHROOT
-CAP_SYS_BOOT
-CAP_SETFCAP
# the d flag protects /proc fd and mem entries for sshd
# all daemons should have 'p' in their subject mode to prevent
# an attacker from killing the service (and restarting it with trojaned
# config file or taking the port it reserved to run a trojaned service)
subject /usr/sbin/sshd dpo
/ h
/bin/sh x
/bin/bash x
/dev h
/dev/log rw
/dev/random r
/dev/urandom r
/dev/null rw
/dev/ptmx rw
/dev/pts rw
/dev/tty rw
/dev/tty? rw
/etc r
/etc/passwd r
/etc/shadow r
/etc/grsec h
/home rwcd
/lib rx
/root
/proc r
/proc/*/oom_adj w
/proc/kcore h
/proc/sys h
/usr/lib rx
/usr/share/zoneinfo r
/var/log
/var/mail
/var/log/lastlog rw
/var/log/wtmp w
/var/run/sshd
/var/run/utmp rw
/var/empty rw
-CAP_ALL
+CAP_CHOWN
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_CHROOT
+CAP_SYS_RESOURCE
+CAP_SYS_TTY_CONFIG
subject /usr/bin/ssh
/etc/ssh/ssh_config r
subject /bin/busybox
+CAP_SYS_ADMIN
+CAP_SYS_BOOT
/root/.ash_history rw
/dev/log rwc
/var/log rwc
/var/log/messages rwc
/var/log/wtmp w
/var/log/faillog rwcd
subject /usr/bin/sudo
+CAP_SYS_ADMIN
/dev/log rw
Reference in New Issue View Git Blame Copy Permalink