A no-poetterware desktop RBAC policy
Posted: Mon Feb 23, 2015 3:20 pm
A no-poetterware desktop RBAC policy
==================================================
( previous title "A no-poetteringware desktop RBAC policy" with the -ing-, now removed )
---
I got: "Your message contains 76257 characters. The maximum number of allowed characters is 60000." So...
PART 1
Follows PART2
==================================================
( previous title "A no-poetteringware desktop RBAC policy" with the -ing-, now removed )
---
I got: "Your message contains 76257 characters. The maximum number of allowed characters is 60000." So...
PART 1
- Code: Select all
# policy generated from full system learning
define grsec_denied {
/boot h
/dev/grsec h
/dev/kmem h
/dev/mem h
/dev/port h
/etc/grsec h
/proc/kcore h
/proc/slabinfo h
/proc/modules h
/proc/kallsyms h
# /lib/modules hs
/lib64/modules hs
/etc/ssh h
}
role admin sA
subject / rvka
/ rwcdmlxi
role shutdown sARG
role_transitions shutdown
subject / rvka
/ rwcdmlxi
/dev
/dev/log rwmi
/dev/initctl rwcdmflxi
/dev/urandom r
/dev/random r
/etc r
/bin rx
/sbin rx
/lib rx
/lib64 rx
/usr rx
/run rwxcd
/proc r
/var/log rwd
$grsec_denied
-CAP_ALL
+CAP_SETUID
+CAP_SETGID
+CAP_SYS_TTY_CONFIG
+CAP_DAC_OVERRIDE
bind 0.0.0.0/32:0 ip dgram stream tcp udp
connect 127.0.0.1/32 ip dgram stream tcp udp
sock_allow_family all
# Role: shutdown
subject /sbin/init rvkao {
/ rwcdmlxi
/dev/initctl rwcdmflxi
/dev/log rwmi
/var/log rw
-CAP_ALL
+CAP_SETUID
+CAP_SETGID
+CAP_DAC_OVERRIDE
+CAP_SYS_TTY_CONFIG
bind 0.0.0.0/32:0 ip dgram stream tcp udp
connect 127.0.0.1/32 ip dgram stream tcp udp
sock_allow_family all
}
# Role: shutdown
subject /sbin/halt rvkao
/ rwcdmlxi
/dev/initctl rwf
/run/initctl rwf
# Role: shutdown
subject /sbin/shutdown rvkao {
/ rwcdmlxi
/dev/initctl rwf
/run/initctl rwf
# /dev/initctl rwcdmflxi
/dev/log rwmi
/var/log rw
-CAP_ALL
+CAP_SETUID
+CAP_SETGID
+CAP_DAC_OVERRIDE
+CAP_SYS_TTY_CONFIG
bind 0.0.0.0/32:0 ip dgram stream tcp udp
connect 127.0.0.1/32 ip dgram stream tcp udp
sock_allow_family all
}
role default
subject /
/ h
-CAP_ALL
connect disabled
bind disabled
role sshd u
# Role: sshd
subject / {
/ h
-CAP_ALL
bind disabled
connect disabled
}
role portage u
role_allow_ip 0.0.0.0/32
# Role: portage
subject / {
/ h
/bin/bash x
/usr/bin/wget x
-CAP_ALL
bind disabled
connect disabled
}
# Role: portage
subject /bin/bash o {
/ h
/bin h
/bin/bash x
/bin/rm x
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/null w
/dev/port h
/dev/tty rw
/etc h
/etc/ld.so.cache r
/lib64 rx
/lib64/modules h
/proc h
/proc/meminfo r
/root
/usr h
/usr/lib64/gconv/gconv-modules.cache r
/usr/lib64/locale/locale-archive r
/usr/portage wc
-CAP_ALL
bind disabled
connect disabled
}
# Role: portage
subject /bin/rm o {
/ h
/bin h
/bin/rm x
/etc h
/etc/ld.so.cache r
/lib64 h
/lib64/ld-2.20.so x
/lib64/libc-2.20.so rx
/usr h
/usr/lib64/locale/locale-archive r
/usr/portage wd
-CAP_ALL
bind disabled
connect disabled
}
# Role: portage
subject /usr/bin/wget o {
/ h
/dev h
/dev/urandom r
/etc h
/etc/ld.so.cache r
/etc/localtime r
/etc/wgetrc r
/lib64 rx
/lib64/modules h
/usr h
/usr/bin h
/usr/bin/wget x
/usr/lib64 rx
/usr/portage wc
/var h
/var/log/portage_logs
/var/log/portage_logs/wget-fetch.log a
-CAP_ALL
bind disabled
connect 192.168.3.2/32:80 stream tcp
}
role root uG
role_transitions admin shutdown
role_allow_ip 192.168.3.0/24
role_allow_ip 0.0.0.0/32
# Role: root
subject / {
/
/Cmn r
/bin rx
/sbin rx
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/null rw
/dev/port h
/dev/tty rw
/dev/urandom r
/etc rx
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/export h
/export/data
/export/home
/home h
/home/ukrainian
# /lib
# /lib/modules h
/lib64 rx
/lib64/firmware h
/lib64/firmware/radeon
# /lib64/libm.so.6
/lib64/modules h
/mnt r
/proc r
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/root r
/sys
/sys/fs/cgroup
/tmp rwcd
/usr
/usr/bin x
/usr/include r
/usr/lib64 rx
/usr/libexec rx
/usr/sbin rx
/usr/share r
/usr/src rx
/usr/x86_64-pc-linux-gnu
/usr/x86_64-pc-linux-gnu/binutils-bin x
/usr/x86_64-pc-linux-gnu/gcc-bin
/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.4
/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.4/x86_64-pc-linux-gnu-g++ x
/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.4/x86_64-pc-linux-gnu-gcc x
/var
/var/lib r
/var/log h
/var/log/messages r
/var/spool
/var/spool/postfix r
-CAP_ALL
bind disabled
connect disabled
}
# Role: root
subject /bin/bash o {
/
/Cmn wc
/bin x
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/null w
/dev/port h
/dev/tty rw
/etc r
/etc/bash h
/etc/bash/bash_logout r
/etc/bash/bashrc r
/etc/bash/bashrc.d
/etc/cron.hourly
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/init.d
/etc/java-config-2 h
/etc/java-config-2/current-system-vm
/etc/mactab w
/etc/postfix wc
/etc/profile.d
/etc/profile.d/java-config-2.sh r
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/etc/terminfo
/etc/terminfo/l/linux r
/etc/terminfo/r/rxvt-unicode r
/home
/home/ukrainian
# /lib/modules h
/lib64 rx
/lib64/modules h
/mnt
/proc r
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/proc/sys
/proc/sys/kernel
/proc/sys/kernel/grsecurity
/proc/sys/kernel/grsecurity/audit_chdir w
/proc/sys/kernel/grsecurity/exec_logging w
/proc/sys/net/netfilter
/proc/sys/net/netfilter/nf_conntrack_timestamp w
/root
/root/.bash_history rw
/root/.bashrc r
/root/.bashrc.ask r
/root/messages_150215_2246_gbn.diff wc
/sbin x
/sys h
/tmp rwcd
/usr
/usr/bin x
/usr/lib64 h
/usr/lib64/gconv/gconv-modules.cache r
/usr/lib64/locale/locale-archive r
/usr/lib64/python-exec/python-exec2 x
/usr/local
/usr/sbin x
/usr/share h
/usr/share/locale r
/usr/src rxwc
/usr/x86_64-pc-linux-gnu
/usr/x86_64-pc-linux-gnu/binutils-bin h
/usr/x86_64-pc-linux-gnu/binutils-bin/2.24 x
/usr/x86_64-pc-linux-gnu/gcc-bin
/var
/var/lib
/var/lib/portage
-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
+CAP_KILL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
# Role: root
subject /bin/cp o {
/ h
/Cmn r
/bin h
/bin/cp x
/etc h
/etc/ld.so.cache r
/lib64 rx
/lib64/modules wc
/root
/root/messages_150215_2246_gbn wc
/root/messages_150215_22_gbn wc
/root/messages_150216_02_gbn wc
/usr h
/usr/lib64 h
/usr/lib64/gconv/gconv-modules.cache r
/usr/lib64/locale/locale-archive r
/usr/local h
/usr/local/bin
/usr/local/bin/uncenz-kill w
/usr/share h
/usr/share/locale r
/usr/src r
/var h
/var/log
/var/log/messages r
/var/log/rkhunter.log r
/var/log/rkhunter.log.2015-02-15_19:55:46 wc
/var/log/rkhunter.log.old w
-CAP_ALL
+CAP_CHOWN
+CAP_FOWNER
+CAP_FSETID
bind disabled
connect disabled
}
# Role: root
subject /bin/grep o {
/ h
/Cmn r
/bin h
/bin/grep x
/dev h
/dev/null r
/etc r
/lib64 h
/lib64/ld-2.20.so x
/lib64/libc-2.20.so rx
/lib64/libpcre.so.1.2.4 rx
/usr h
/usr/lib64 h
/usr/lib64/gconv/gconv-modules.cache r
/usr/lib64/locale/locale-archive r
/usr/share h
/usr/share/locale r
/usr/src r
/var h
/var/lib r
-CAP_ALL
+CAP_DAC_READ_SEARCH
bind disabled
connect disabled
}
# Role: root
subject /bin/kmod o {
/ h
/bin h
/bin/kmod x
/etc h
/etc/ld.so.cache r
/lib64 rxwcd
/proc h
/proc/cmdline r
/proc/meminfo r
/tmp rwcd
/usr h
# /usr/src/linux r
-CAP_ALL
bind disabled
connect disabled
}
# Role: root
subject /bin/ln o {
/ h
/bin h
/bin/ln x
/etc h
/etc/ld.so.cache r
/lib64 h
/lib64/ld-2.20.so x
/lib64/libc-2.20.so rx
# /lib64/modules/3.18.5-hardened-r1-150215-23/build wc
# /lib64/modules/3.18.5-hardened-r1-150215-23/source wc
/usr h
/usr/lib64/locale/locale-archive r
/usr/share/locale r
# /usr/src/linux-3.18.5-hardened-r1/arch/x86_64/boot/bzImage wcd
/var h
/var/spool/cron wc
-CAP_ALL
bind disabled
connect disabled
}
# Role: root
subject /bin/login o {
user_transition_allow ukrainian root
group_transition_allow ukrainian root
/ h
/bin h
/bin/bash x
/bin/login x
/dev
/dev/grsec h
/dev/kmem h
/dev/log rw
/dev/mem h
/dev/port h
/dev/tty rw
/dev/tty2 w
/dev/tty3 w
/dev/tty4 w
/dev/tty6 w
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/shadow- h
/etc/ssh h
/lib64 rx
/lib64/modules h
/proc
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/proc/sys/kernel/ngroups_max r
/root
/run h
/run/utmp rw
/var h
/var/log/faillog rw
/var/log/lastlog rw
/var/log/wtmp w
-CAP_ALL
+CAP_CHOWN
+CAP_FOWNER
+CAP_FSETID
+CAP_SETGID
+CAP_SETUID
bind disabled
connect disabled
sock_allow_family netlink
}
# Role: root
subject /bin/ls o {
/ h
/Cmn
/bin h
/bin/ls x
/boot
/etc r
/etc/grsec
/etc/gshadow h
/etc/gshadow- h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/home h
/home/ukrainian
/lib64 rx
/lib64/modules h
/mnt
/root
/usr h
/usr/lib64/gconv/gconv-modules.cache r
/usr/lib64/locale/locale-archive r
/usr/local/bin
/usr/share/locale r
/var h
/var/lib
/var/log
-CAP_ALL
+CAP_DAC_READ_SEARCH
bind disabled
connect disabled
}
# Role: root
subject /bin/mktemp o {
/ h
/bin h
/bin/mktemp x
/dev h
/dev/urandom r
/etc h
/etc/ld.so.cache r
/lib64 h
/lib64/ld-2.20.so x
/lib64/libc-2.20.so rx
/tmp wc
/usr h
/usr/lib64/locale/locale-archive r
/var h
/var/lib/rkhunter/tmp
/var/lib/rkhunter/tmp/mirrors.dat.6hadQeOMUw rwc
/var/lib/rkhunter/tmp/mirrors.dat.cy1b9KDXNC rwc
/var/lib/rkhunter/tmp/rkhunter.upd.dA7ntnkWDc rwc
-CAP_ALL
bind disabled
connect disabled
}
# Role: root
subject /bin/mount o {
user_transition_allow root
group_transition_allow root
/ h
/bin h
/bin/mount x
/boot w
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mapper
/dev/mem h
/dev/port h
/dev/sr0 r
/etc rwcd
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/passwd h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/lib64 rx
/lib64/modules h
/mnt
/proc h
/proc/filesystems r
/run
/sbin h
/sbin/mount.nfs x
/sys h
/sys/devices/pci0000:00/0000:00:11.0/ata3/host2/target2:0:0/2:0:0:0/block/sr0
/usr h
/usr/lib64/locale/locale-archive r
/usr/share/locale r
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
# Role: root
subject /bin/mv o {
/
/Cmn rwcd
/bin h
/bin/mv x
/boot h
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/port h
/etc h
/etc/ld.so.cache r
# /lib/modules h
/lib64 rx
/lib64/modules h
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/proc/sys h
/sys h
/usr h
/usr/lib64 h
/usr/lib64/gconv/gconv-modules.cache r
/usr/lib64/locale/locale-archive r
/usr/local h
/usr/local/bin
/usr/local/bin/uncenz-1st wcd
/usr/share h
/usr/share/locale r
/usr/src rwcd
/var/log h
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
+CAP_FOWNER
+CAP_FSETID
bind disabled
connect disabled
}
# Role: root
subject /bin/ping o {
/ h
/bin h
/bin/ping x
/etc h
/etc/ld.so.cache r
/lib64 rx
/lib64/modules h
-CAP_ALL
+CAP_NET_RAW
bind 0.0.0.0/32:0 dgram ip
connect 192.168.3.2/32:1025 dgram udp
connect 0.0.0.0/32:0 raw_sock icmp
}
# Role: root
subject /bin/ps o {
/ h
/bin h
/bin/ps x
/dev h
/dev/pts
/dev/tty1
/dev/tty2
/dev/tty3
/dev/tty4
/dev/tty5
/dev/tty6
/dev/tty7
/etc h
/etc/ld.so.cache r
/etc/localtime r
/etc/nsswitch.conf r
/etc/passwd r
/lib64 rx
/lib64/modules h
/proc r
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/sys h
/sys/devices/system/cpu/online r
/usr h
/usr/lib64/gconv/gconv-modules.cache r
/usr/lib64/locale/locale-archive r
/usr/share/locale r
-CAP_ALL
+CAP_DAC_READ_SEARCH
bind disabled
connect disabled
}
# Role: root
subject /bin/rm o {
/
/bin h
/bin/rm x
/boot h
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/port h
/etc h
/etc/ld.so.cache r
# /lib/modules h
/lib64 h
/lib64/ld-2.20.so x
/lib64/libc-2.20.so rx
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/proc/sys h
/sys h
/tmp wd
/usr h
/usr/lib64 h
/usr/lib64/locale/locale-archive r
/usr/src wd
/var h
/var/lib wd
/var/spool h
/var/spool/cron wd
-CAP_ALL
bind disabled
connect disabled
}
# Role: root
subject /bin/touch o {
/ h
/bin h
/bin/touch x
/etc h
/etc/ld.so.cache r
/lib64 h
/lib64/ld-2.20.so x
/lib64/libc-2.20.so rx
/usr h
/usr/lib64/locale/locale-archive r
/var h
/var/lib/rkhunter/tmp wc
/var/spool/cron wc
/Cmn/mr wc
-CAP_ALL
bind disabled
connect disabled
}
# Role: root
subject /bin/umount o {
user_transition_allow root
group_transition_allow root
/ h
/bin h
/bin/umount x
/etc rwcd
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/passwd h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/lib64 rx
/lib64/modules h
/run
/sbin h
/sbin/mount.nfs x
/usr h
/usr/lib64/locale/locale-archive r
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
# Role: root
subject /etc/cron.daily o {
group_transition_allow nobody portage root
/
/.config
/bin rxi
/dev
/dev/.mdev-like-a-boss r
/dev/bsg
/dev/disk
/dev/dri
/dev/kmem h
/dev/log rw
/dev/mdev.seq r
/dev/misc
/dev/null rw
/dev/pktcdvd
/dev/port h
/dev/tty rw
/dev/urandom r
/etc r
/home
# /lib
# /lib/modules h
/lib64 rxi
/opt
/opt/icedtea-bin-7.2.5.3 r
/opt/mdev
/proc r
/proc/bus h
/proc/kcore h
/root rwcd
/run wcd
/sbin rxi
/sys r
/tmp rwcd
/usr
/usr/bin rxi
/usr/lib32
/usr/lib32/misc
/usr/lib32/misc/glibc
/usr/lib64 rxi
/usr/libexec rxi
/usr/local r
/usr/sbin rxi
/usr/share r
/usr/x86_64-pc-linux-gnu rxi
/var
/var/cache rwcd
/var/empty
/var/lib rwcd
/var/lib/alsa
/var/lib/gentoo
/var/lib/layman
/var/lib/layman/mail-client
/var/lib/nfs
/var/lib/rkhunter w
/var/lib/rkhunter/db rw
/var/lib/rkhunter/db/i18n r
/var/lib/rkhunter/tmp rwcd
/var/lib/syslog-ng
/var/lib/texmf
/var/lib/tripwire r
/var/lib/tripwire/report rwcd
/var/log rwcd
/var/nullmailer
/var/spool
/var/spool/cron r
/var/spool/postfix rwcd
/var/www r
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_READ_SEARCH
+CAP_FOWNER
+CAP_FSETID
+CAP_SETGID
+CAP_SETUID
+CAP_IPC_LOCK
+CAP_SYS_PTRACE
bind 0.0.0.0/32:0 dgram ip
connect disabled
sock_allow_family ipv6 netlink
}
# Role: root
subject /etc/cron.hourly o {
group_transition_allow root nobody portage
/
/Cmn wc
/bin rxi
/boot r
/dev
/dev/.mdev-like-a-boss r
/dev/bsg
/dev/disk
/dev/dri
/dev/kmem h
/dev/log rw
/dev/mdev.seq r
/dev/misc
/dev/null rw
/dev/pktcdvd
/dev/tty rw
/dev/urandom r
/etc rxi
/home
/home/ukrainian r
# /lib
# /lib/modules h
/lib32 r
/lib64 rxi
/media
/mnt r
/opt
/opt/icedtea-bin-7.2.5.3 r
/opt/mdev r
/proc r
/proc/bus h
/proc/kcore h
/root rwcd
/run r
/run/apache_ssl_mutex
/run/clamav
/run/dovecot
/run/lock
/run/lock/mlocate.daily.lock wcd
/run/lvm
/run/openrc
/run/saslauthd
/run/sudo
/sbin rxi
/sys r
/sys/class h
/sys/class/power_supply
/sys/devices h
/sys/devices/system/cpu/online r
/sys/fs
/sys/fs/cgroup w
/sys/fs/cgroup/openrc
/sys/fs/cgroup/openrc/apache2 w
/sys/fs/cgroup/openrc/tasks w
/sys/kernel
/tmp rwcd
/usr
/usr/bin rxi
/usr/include r
/usr/lib32 r
/usr/lib64 rxi
/usr/libexec rxi
/usr/local r
/usr/portage r
/usr/sbin rxi
/usr/sbin/sendmail x
/usr/share r
/usr/src r
/usr/x86_64-pc-linux-gnu rxi
/var
/var/cache rwcd
/var/db r
/var/delta-webrsync
/var/empty
/var/empty/dev
/var/freenet
/var/freenet/run.sh r
/var/freenet/seednodes.fref r
/var/lib rwcd
/var/lib/alsa r
/var/lib/alsa/oss
/var/lib/alsa/oss/card0_pcm0c r
/var/lib/alsa/oss/card0_pcm0p r
/var/lib/alsa/oss/card0_pcm1p r
/var/lib/clamav r
/var/lib/dav
/var/lib/dhcpcd
/var/lib/dhcpcd/dhcpcd-enp7s0.lease r
/var/lib/dhcpcd/dhcpcd-eth0.lease r
/var/lib/dhcpcd/dhcpcd-eth1.lease r
/var/lib/dovecot
/var/lib/dovecot/instances r
/var/lib/dovecot/mounts r
/var/lib/dovecot/ssl-parameters.dat r
/var/lib/gentoo
/var/lib/gentoo/news r
/var/lib/gitolite
/var/lib/ip6tables
/var/lib/iptables
/var/lib/iptables/rules-save r
/var/lib/layman r
/var/lib/misc
/var/lib/misc/random-seed r
/var/lib/nfs r
/var/lib/nftables
/var/lib/openldap-data r
/var/lib/portage r
/var/lib/postfix
/var/lib/postfix/master.lock r
/var/lib/postfix/prng_exch r
/var/lib/rkhunter w
/var/lib/rkhunter/db rw
/var/lib/rkhunter/tmp rwcd
/var/lib/syslog-ng
/var/lib/syslog-ng/syslog-ng.persist r
/var/lib/texmf r
/var/lib/xkb
/var/lib/xkb/README.compiled r
/var/log rwcd
/var/nullmailer r
/var/spool rwcd
/var/spool/cups
/var/spool/cups/tmp
/var/spool/mail
/var/tmp r
/var/www r
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
+CAP_FOWNER
+CAP_FSETID
+CAP_SETGID
+CAP_SETUID
+CAP_IPC_LOCK
+CAP_SYS_PTRACE
bind 0.0.0.0/32:0 ip dgram stream tcp udp
connect 127.0.0.1/32 ip dgram stream tcp udp
sock_allow_family ipv6 netlink
}
# Role: root
subject /etc/init.d o {
/
/bin rxi
/dev
/dev/.mdev-like-a-boss r
/dev/grsec h
/dev/bsg
/dev/disk
/dev/dri
/dev/kmem h
/dev/log rw
/dev/mem h
/dev/null rw
/dev/port h
/dev/mdev.seq r
/dev/misc
/dev/pktcdvd
/dev/tty rw
/dev/urandom r
/etc rxwicd
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/shadow h
/etc/shadow- h
/home
# /lib
# /lib/modules h
/lib64 rxi
/lib64/modules h
/opt
/opt/icedtea-bin-7.2.5.3 r
/opt/mdev
/proc r
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/proc/sys h
/root r
/root/.config
/root/.config/Trolltech.conf r
/root/.dillo
/root/.dillo/cookiesrc r
/root/.gnupg
/root/.gnupg/gpg.conf r
/root/.gnupg/pubring.gpg r
/root/.gnupg/secring.gpg r
/root/.links
/root/.links/bookmarks.html r
/root/.links/links.his r
/root/.mplayer
/root/.mplayer/config r
/root/.ssh
/root/.ssh/known_hosts r
/root/.subversion
/root/.subversion/README.txt r
/root/.subversion/config r
/root/.subversion/servers r
/root/.vim
/root/.vim/.netrwhist r
/root/Maildir rw
/root/dcron-4.5
/root/dcron-4.5/extra
/root/dcron-4.5/extra/crontab.vim r
/run r
/run/openrc rwcd
/sbin h
/sbin/openrc xi
/sys
/sys/fs
/sys/fs/cgroup w
/sys/fs/cgroup/openrc
/sys/fs/cgroup/openrc/apache2 w
/sys/fs/cgroup/openrc/tasks w
/usr h
/usr/bin h
/usr/bin/gawk xi
/usr/lib64 rxi
/usr/sbin/apache2 xi
/usr/sbin/suexec
/usr/share h
/usr/share/locale r
/var h
/var/log/apache2
/var/log/apache2/startuperror.log a
/var/www/localhost/htdocs
/var/lib rwcd
/var/lib/alsa
/var/lib/gentoo
/var/lib/layman
/var/lib/layman/mail-client
/var/lib/mlocate
/var/lib/mlocate/mlocate.db rwcd
/var/lib/mlocate/mlocate.db.0HdirB rwcd
/var/lib/nfs
/var/lib/nfs/rpc_pipefs
/var/lib/postfix
/var/lib/postfix/master.lock rw
/var/lib/rkhunter w
/var/lib/rkhunter/db rw
/var/lib/rkhunter/db/i18n r
/var/lib/rkhunter/tmp rwcd
/var/lib/syslog-ng
/var/lib/texmf
/var/lib/tripwire
/var/lib/tripwire/gbn.twd r
/var/lib/tripwire/report rwcd
/var/log rwcd
/var/nullmailer
/var/spool
/var/spool/cron rwcd
/var/spool/postfix rwcd
/var/www r
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
+CAP_FOWNER
+CAP_FSETID
+CAP_SETGID
+CAP_SETUID
+CAP_NET_BIND_SERVICE
+CAP_IPC_LOCK
+CAP_SYS_PTRACE
bind 0.0.0.0/32:0 dgram ip
bind 127.0.0.1/32:25 stream tcp
connect disabled
sock_allow_family ipv6 netlink
}
# Role: root
subject /sbin/agetty o {
/ h
/bin h
/bin/login x
/dev h
/dev/null rw
/dev/tty2 rw
/dev/tty3 rw
/dev/tty4 rw
/dev/tty6 rw
/etc h
/etc/group r
/etc/issue r
/etc/ld.so.cache r
/etc/localtime r
/etc/nsswitch.conf r
/lib64 rx
/lib64/modules h
/run h
/run/utmp rw
/sbin h
/sbin/agetty x
/usr h
/usr/lib64/locale/locale-archive r
/usr/share/locale r
/var h
/var/log/wtmp w
-CAP_ALL
+CAP_CHOWN
+CAP_FSETID
+CAP_SYS_ADMIN
+CAP_SYS_TTY_CONFIG
bind disabled
connect disabled
}
# Role: root
subject /sbin/init o {
/ h
/dev h
/dev/console rw
/dev/initctl
/run h
/run/utmp rw
/sbin h
/sbin/agetty x
/var h
/var/log/wtmp w
-CAP_ALL
bind disabled
connect disabled
}
# Role: root
subject /sbin/installkernel o {
/ h
/bin x
/boot
/boot/System.map-3.18.5-hardened-r1-150215-23 wc
/boot/config-3.18.5-hardened-r1-150215-23 wc
/boot/vmlinuz-3.18.5-hardened-r1-150215-23 wc
/dev h
/dev/tty rw
/etc h
/etc/ld.so.cache r
/lib64 rx
/lib64/modules h
/proc h
/proc/meminfo r
/sbin h
/sbin/installkernel r
/usr h
/usr/lib64/gconv/gconv-modules.cache r
/usr/lib64/locale/locale-archive r
# /usr/src/linux-3.18.5-hardened-r1
-CAP_ALL
bind disabled
connect disabled
}
# Role: root
subject /sbin/macchanger o {
/ h
/dev h
/dev/random r
/etc h
/etc/ld.so.cache r
/lib64 rx
/lib64/modules h
/sbin h
/sbin/macchanger x
-CAP_ALL
+CAP_NET_ADMIN
+CAP_SYS_MODULE
bind 0.0.0.0/32:0 dgram ip
connect disabled
}
# Role: root
subject /sbin/mount.nfs o {
/ h
/etc rwcd
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/passwd h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/lib64 rx
/lib64/modules h
/mnt
/proc r
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/mounts r
/proc/slabinfo h
/proc/sys h
/run
/sbin h
/sbin/mount.nfs x
-CAP_ALL
+CAP_NET_BIND_SERVICE
+CAP_SYS_ADMIN
bind 0.0.0.0/32 dgram udp
connect 127.0.0.1/32 dgram udp
connect 192.168.3.2/32 stream dgram tcp udp
}
# Role: root
subject /sbin/rpc.statd o {
/ h
/run/rpc.statd.pid w
/run/rpcbind.sock rw
-CAP_ALL
bind disabled
connect 127.0.0.1/32:1024-65535 dgram udp
}
# Role: root
subject /sbin/rpcbind o {
/ h
/etc/hosts.allow r
/etc/netconfig r
/run/rpcbind.lock wd
/run/rpcbind.sock wd
-CAP_ALL
bind 0.0.0.0/32:111 stream tcp
connect 127.0.0.1/32:1024-65535 dgram udp
connect 192.168.3.2/32:1024-65535 dgram udp
}
# Role: root
subject /usr/bin/clamscan o {
/ h
/Cmn r
/bin r
/boot
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/port h
/etc r
/export r
/home
/home/ukrainian r
# /lib
# /lib/modules h
/lib32 r
/lib64 rx
/lost+found
/mnt r
/opt
/opt/icedtea-bin-7.2.5.3 r
/opt/mdev r
/proc r
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/proc/sys h
/root r
/run
/sbin r
/sys
/tmp rwcd
/usr h
/usr/bin rx
/usr/include r
# /usr/lib
/usr/lib32 r
/usr/lib64 rx
/usr/local r
/usr/portage r
/usr/sbin r
/usr/src r
# /usr/tmp
/usr/x86_64-pc-linux-gnu r
/var
/var/cache r
/var/db r
/var/delta-webrsync
/var/empty
/var/empty/dev
/var/freenet
/var/freenet/run.sh r
/var/freenet/seednodes.fref r
/var/lib r
/var/log r
/var/nullmailer r
/var/spool r
/var/spool/cups
/var/spool/cups/tmp
/var/spool/mail
/var/tmp r
/var/www r
-CAP_ALL
+CAP_DAC_READ_SEARCH
bind disabled
connect disabled
}
# Role: root
subject /usr/bin/crontab o {
group_transition_allow root nobody
/ h
/bin h
/bin/bash x
/etc h
/etc/crontab r
/etc/group r
/etc/ld.so.cache r
/etc/nsswitch.conf r
/etc/passwd r
/lib64 rx
/lib64/modules h
/proc h
/proc/sys/kernel/ngroups_max r
/root
/tmp rwcd
/usr h
/usr/bin/crontab x
/var h
/var/spool/cron rwcd
-CAP_ALL
+CAP_SETGID
bind disabled
connect disabled
}
# Role: root
subject /usr/bin/diff o {
/ h
/Cmn h
/Cmn/dLo rw
/etc h
/etc/ld.so.cache r
/lib64 h
/lib64/ld-2.20.so x
/lib64/libc-2.20.so rx
/root h
/root/messages_150215_2246_gbn r
/root/messages_150215_22_gbn r
/usr h
/usr/bin/diff x
/usr/lib64/locale/locale-archive r
/usr/local/bin
/usr/local/bin/uncenz-1st r
/usr/local/bin/uncenz-kill r
/usr/share/locale r
-CAP_ALL
+CAP_DAC_READ_SEARCH
bind disabled
connect disabled
}
# Role: root
subject /usr/bin/eject o {
user_transition_allow root
group_transition_allow root
/ h
/Cmn
/bin h
/bin/umount x
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mapper
/dev/mem h
/dev/port h
/dev/sr0 rw
/etc h
/etc/ld.so.cache r
/etc/mtab r
/export
/home
/home/ukrainian
/lib64 rx
/lib64/modules h
/mnt
/proc
/proc/bus h
/proc/fs
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/proc/sys
/proc/sys/fs
/run
/sys
/sys/devices/pci0000:00/0000:00:11.0/ata3/host2/target2:0:0/2:0:0:0/block/sr0
/sys/devices/pci0000:00/0000:00:11.0/ata3/host2/target2:0:0/2:0:0:0/block/sr0/removable r
/sys/fs
/sys/fs/cgroup
/sys/kernel
/usr h
/usr/bin/eject x
/usr/lib64/locale/locale-archive r
/usr/share/locale r
/var
/var/lib
/var/lib/nfs
/var/log h
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind disabled
connect disabled
}
# Role: root
subject /usr/bin/less o {
/ h
/dev h
/dev/tty r
/etc h
/etc/ld.so.cache r
/etc/terminfo
/etc/terminfo/r/rxvt-unicode r
/lib64 rx
/lib64/modules h
/root
/root/.lesshsQ rwcd
/root/.lesshst rwcd
/usr h
/usr/bin/less x
/usr/lib64/locale/locale-archive r
-CAP_ALL
bind disabled
connect disabled
}
# Role: root
subject /usr/bin/logger o {
/ h
/dev h
/dev/log rw
/etc h
/etc/ld.so.cache r
/etc/localtime r
/lib64 h
/lib64/ld-2.20.so x
/lib64/libc-2.20.so rx
/usr h
/usr/bin/logger x
/usr/lib64/locale/locale-archive r
-CAP_ALL
bind disabled
connect disabled
}
# Role: root
subject /usr/bin/mutt o {
/ h
/bin h
/bin/bash x
/dev h
/dev/tty r
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/home h
/lib64 rx
/lib64/modules h
/proc h
/proc/meminfo r
/root rwcd
/root/Maildir rwxcd
/tmp rwcdl
/usr h
/usr/bin h
/usr/bin/mutt x
/usr/lib64 rx
/usr/sbin h
/usr/sbin/sendmail x
/usr/share h
/usr/share/locale r
-CAP_ALL
+CAP_DAC_READ_SEARCH
bind disabled
connect disabled
}
# Role: root
subject /usr/bin/sudo o {
group_transition_allow nobody root
/ h
/bin h
/bin/bash x
/dev h
/dev/log rw
/etc h
/etc/passwd r
/etc/sudoers r
/etc/sudoers.d
/proc
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/proc/sys h
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_RESOURCE
bind disabled
connect disabled
}
# Role: root
subject /usr/bin/tee o {
/ h
/Cmn h
/Cmn/BAK_/emerge.d
/Cmn/BAK_/emerge.d/emerge-tuDN_world_1424218338 wc
/Cmn/BAK_/emerge.d/emerge-tuDN_world_1424218400 wc
/Cmn/BAK_/emerge.d/emerge-tuDNf_world_1424218406 wc
/etc h
/etc/ld.so.cache r
/lib64 h
/lib64/ld-2.20.so x
/lib64/libc-2.20.so rx
/usr h
/usr/bin/tee x
/usr/lib64/locale/locale-archive r
/usr/share/locale r
-CAP_ALL
+CAP_DAC_OVERRIDE
bind disabled
connect disabled
}
# Role: root
subject /usr/bin/top o {
/ h
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/null w
/dev/port h
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/etc/terminfo
/etc/terminfo/l/linux r
/etc/terminfo/r/rxvt-unicode r
/lib64 rx
/lib64/modules h
/proc r
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/run h
/run/utmp r
/sys h
/sys/devices/system/cpu/online r
/usr h
/usr/bin/top x
/usr/lib64
/usr/lib64/locale/locale-archive r
/usr/share/locale r
-CAP_ALL
+CAP_DAC_READ_SEARCH
bind disabled
connect disabled
}
# Role: root
subject /usr/bin/updatedb o {
/ h
/etc h
/etc/group r
/etc/ld.so.cache r
/etc/nsswitch.conf r
/lib64 rx
/lib64/modules h
/proc r
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/proc/sys h
/usr h
/usr/portage
/usr/sbin
/usr/share
/usr/src
/usr/x86_64-pc-linux-gnu
/usr/x86_64-pc-linux-gnu/gcc-bin
/var
/var/empty
/var/lib rwcd
/var/nullmailer
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_READ_SEARCH
+CAP_FOWNER
+CAP_FSETID
bind disabled
connect disabled
}
# Role: root
subject /usr/bin/vim o {
/
/Cmn/ rwcd
/boot h
/dev h
/dev/urandom r
/etc rwcd
/etc/conf.d h
/etc/conf.d/.nfs.swp wd
/etc/conf.d/nfs
/etc/cron.hourly
/etc/cron.hourly/rkhunter rw
/etc/grsec h
/etc/grsec/policy
/etc/gshadow h
/etc/gshadow- h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/etc/syslog-ng h
/etc/syslog-ng/.syslog-ng.conf.swp wd
/etc/syslog-ng/syslog-ng.conf
/etc/terminfo
/etc/terminfo/l/linux r
/etc/terminfo/r/rxvt-unicode r
/etc/vim
/etc/vim/vimrc r
/etc/vim/vimrc.local r
/home h
/home/ukrainian rwcd
# /lib/modules h
/lib64 rx
/lib64/modules h
/proc h
/proc/meminfo r
/root rwcd
/sys h
/tmp rwcd
/usr
/usr/bin x
/usr/lib64 rx
/usr/share r
/usr/src h
/var
/var/.log.swp rwcd
/var/.log.swpx rwcd
/var/lib/portage
/var/lib/portage/.world.swp rwcd
/var/lib/portage/.world.swpx rwcd
/var/lib/portage/4913 wcd
/var/lib/portage/world rwcd
/var/lib/portage/world~ rwcd
/var/log rwcd
-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
+CAP_FSETID
bind disabled
connect disabled
}
# Role: root
subject /usr/bin/wget o {
/ h
/dev h
/dev/urandom r
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/passwd h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/lib64 rx
/lib64/modules h
/usr h
/usr/bin h
/usr/bin/wget x
/usr/lib64 rx
/usr/share h
/usr/share/locale r
/var h
/var/lib/rkhunter/tmp
/var/lib/rkhunter/tmp/rkhunter.upd.dA7ntnkWDc wc
-CAP_ALL
bind 0.0.0.0/32:0 dgram ip
connect 127.0.0.1/32:53 dgram udp
}
# Role: root
subject /usr/lib64/python-exec/python2.7/emerge o {
user_transition_allow portage
group_transition_allow portage
/ w
/bin h
/bin/bash x
/bin/bzip2
/boot h
/dev h
/dev/urandom r
/etc rw
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
# /lib/modules h
/lib64 rx
/lib64/modules h
/proc r
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/proc/sys h
/sys h
/tmp
/usr
/usr/bin x
/usr/lib64 rx
/usr/portage rwcd
/usr/share r
/usr/src h
/var
/var/cache
/var/cache/edb r
/var/cache/edb/dep w
/var/cache/edb/dep/usr/portage
/var/cache/edb/dep/var/lib/layman r
/var/db rwcd
/var/lib rwcd
/var/log
/var/log/emerge.log rw
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_SETGID
+CAP_SETUID
bind disabled
connect disabled
}
# Role: root
subject /usr/libexec/dovecot/auth o {
user_transition_allow dovecot
group_transition_allow dovecot
/ h
/dev h
/dev/log rw
/dev/urandom r
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/pam.d
/etc/pam.d/dovecot r
/etc/pam.d/other r
/etc/shadow- h
/etc/ssh h
/lib64 rx
/lib64/modules h
/run h
/run/dovecot
/run/dovecot/anvil-auth-penalty rw
/run/dovecot/auth-token-secret.dat rwc
/run/dovecot/auth-token-secret.dat.tmp rwcd
/run/dovecot/config rw
/run/utmp r
/usr h
/usr/lib64 rx
/usr/libexec h
/usr/libexec/dovecot/auth x
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind disabled
connect disabled
sock_allow_family netlink
}
# Role: root
subject /usr/libexec/dovecot/config o {
/ h
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/lib64 rx
/lib64/modules h
/usr h
/usr/lib64/dovecot/libdovecot.so.0.0.0 rx
/usr/libexec/dovecot/config x
-CAP_ALL
+CAP_SETGID
bind disabled
connect disabled
}
# Role: root
subject /usr/libexec/dovecot/log o {
/ h
/dev/log rw
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/lib64 rx
/lib64/modules h
/usr h
/usr/lib64/dovecot/libdovecot.so.0.0.0 rx
/usr/libexec/dovecot/config x
-CAP_ALL
+CAP_SETGID
bind disabled
connect disabled
}
# Role: root
subject /usr/libexec/dovecot/imap o {
user_transition_allow ukrainian dovenull
group_transition_allow ukrainian dovenull
/ h
/dev h
/dev/log rw
/dev/urandom r
/etc h
/etc/group r
/etc/ld.so.cache r
/etc/nsswitch.conf r
/lib64 rx
/lib64/modules h
/proc h
/proc/sys/kernel/ngroups_max r
/run h
/run/dovecot/auth-master rw
/run/dovecot/config rw
/usr h
# /usr/lib64/dovecot/libdovecot-storage.so.0
/usr/lib64/dovecot/libdovecot-storage.so.0.0.0 rx
/usr/lib64/dovecot/libdovecot.so.0.0.0 rx
/usr/libexec/dovecot/imap x
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind 127.0.0.1/32:143 stream tcp
connect disabled
}
# Role: root
subject /usr/libexec/dovecot/imap-login o {
user_transition_allow dovenull
group_transition_allow dovenull
/ h
/dev h
/dev/log rw
/dev/urandom r
/etc h
/etc/ld.so.cache r
/etc/localtime r
/lib64 rx
/lib64/modules h
/run h
/run/dovecot/anvil rw
/run/dovecot/config rw
/run/dovecot/login
/usr h
/usr/lib64 rx
/usr/libexec h
/usr/libexec/dovecot/imap-login x
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_CHROOT
bind disabled
connect disabled
}
# Role: root
subject /usr/libexec/dovecot/ssl-params o {
/ h
/etc h
/etc/ld.so.cache r
/lib64 rx
/lib64/modules h
/run h
/run/dovecot/config rw
/usr h
/usr/lib64/dovecot/libdovecot.so.0.0.0 rx
/usr/lib64/libcrypto.so.1.0.0 rx
/usr/libexec/dovecot/ssl-params x
/var h
/var/lib/dovecot/ssl-parameters.dat r
-CAP_ALL
+CAP_SETGID
bind 127.0.0.1/32:143 stream tcp
connect disabled
}
# Role: root
subject /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.4/cc1 o {
/ h
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/null rw
/dev/port h
/dev/urandom r
/etc h
/etc/ld.so.cache r
/lib64 rx
/lib64/modules h
/proc h
/proc/meminfo r
/tmp w
/usr
/usr/include r
/usr/lib64 rx
/usr/libexec h
/usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.4/cc1 x
/usr/share h
/usr/share/locale r
/usr/src rxwc
-CAP_ALL
bind disabled
connect disabled
}
# Role: root
subject /usr/libexec/postfix/bounce o {
user_transition_allow postfix
group_transition_allow postfix
/ h
/dev h
/dev/log rw
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/postfix h
/etc/postfix/main.cf r
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/lib64 rx
/lib64/modules h
/proc h
/proc/sys/kernel/ngroups_max r
/usr h
/usr/lib64 rx
/usr/libexec h
/usr/libexec/postfix/bounce x
/var h
/var/spool/postfix rwcd
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind 0.0.0.0/32:0 ip dgram stream tcp udp
connect 127.0.0.1/32 ip dgram stream tcp udp
connect 195.29.150.0/24 ip dgram stream tcp udp
connect 178.218.164.164/32 ip dgram stream tcp udp
sock_allow_family netlink
}
# Role: root
subject /usr/libexec/postfix/cleanup o {
user_transition_allow postfix
group_transition_allow postfix
/ h
/dev h
/dev/log rw
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/postfix h
/etc/postfix/main.cf r
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/lib64 rx
/lib64/modules h
/proc h
/proc/sys/kernel/ngroups_max r
/usr h
/usr/lib64 rx
/usr/libexec h
/usr/libexec/postfix/cleanup x
/var h
/var/spool/postfix rw
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind 0.0.0.0/32:0 ip dgram stream tcp udp
connect 127.0.0.1/32 ip dgram stream tcp udp
connect 195.29.150.0/24 ip dgram stream tcp udp
connect 178.218.164.164/32 ip dgram stream tcp udp
sock_allow_family netlink
}
# Role: root
subject /usr/libexec/postfix/error o {
user_transition_allow postfix
group_transition_allow postfix
/ h
/dev h
/dev/log rw
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/postfix h
/etc/postfix/main.cf r
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/lib64 rx
/lib64/modules h
/proc h
/proc/sys/kernel/ngroups_max r
/usr h
/usr/lib64 rx
/usr/libexec h
/usr/libexec/postfix/error x
/var h
/var/spool/postfix rwcd
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind 0.0.0.0/32:0 ip dgram stream tcp udp
connect 127.0.0.1/32 ip dgram stream tcp udp
connect 195.29.150.0/24 ip dgram stream tcp udp
connect 178.218.164.164/32 ip dgram stream tcp udp
sock_allow_family netlink
}
# Role: root
subject /usr/libexec/postfix/local o {
/ h
/dev h
/dev/log rw
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/mail h
/etc/mail/aliases
/etc/mail/aliases.db r
/etc/postfix h
/etc/postfix/main.cf r
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/home h
/home/ukrainian/Maildir/tmp
/home/ukrainian/Maildir/tmp/1424093106.P4290.gbn wcdl
/home/ukrainian/Maildir/tmp/1424149487.P9876.gbn wcdl
/lib64 rx
/lib64/modules h
/root wcdl
/sys h
/sys/devices/system/cpu/online r
/usr h
/usr/lib64 rx
/usr/libexec h
/usr/libexec/postfix/local x
/var h
/var/spool/postfix rwcd
/var/tmp
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind 0.0.0.0/32:0 ip dgram stream tcp udp
connect 127.0.0.1/32 ip dgram stream tcp udp
connect 195.29.150.0/24 ip dgram stream tcp udp
connect 178.218.164.164/32 ip dgram stream tcp udp
sock_allow_family netlink
}
# Role: root
subject /usr/libexec/postfix/master o {
/ h
/dev h
/dev/log rw
/dev/null rw
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/postfix h
/etc/postfix/main.cf r
/etc/postfix/master.cf r
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/lib64 rx
/lib64/modules h
/usr h
/usr/lib64 rx
/usr/libexec x
/var h
/var/spool/postfix rwcd
-CAP_ALL
+CAP_DAC_READ_SEARCH
+CAP_KILL
bind 0.0.0.0/32:0 ip dgram stream tcp udp
connect 127.0.0.1/32 ip dgram stream tcp udp
connect 195.29.150.0/24 ip dgram stream tcp udp
connect 178.218.164.164/32 ip dgram stream tcp udp
sock_allow_family netlink
}
# Role: root
subject /usr/libexec/postfix/pickup o {
user_transition_allow postfix
group_transition_allow postfix
/ h
/bin/bash x
/dev h
/dev/log rw
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/postfix h
/etc/postfix/main.cf r
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/lib64 rx
/lib64/modules h
/proc h
/proc/sys/kernel/ngroups_max r
/usr h
/usr/lib64 rx
/usr/libexec h
/usr/libexec/postfix/pickup x
/var h
/var/spool/postfix rwcd
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind 0.0.0.0/32:0 ip dgram stream tcp udp
connect 127.0.0.1/32 ip dgram stream tcp udp
connect 195.29.150.0/24 ip dgram stream tcp udp
connect 178.218.164.164/32 ip dgram stream tcp udp
sock_allow_family netlink
}
# Role: root
subject /usr/libexec/postfix/qmgr o {
/ h
/bin/bash x
/dev h
/dev/log rw
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/postfix h
/etc/postfix/main.cf r
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/lib64 rx
/lib64/modules h
/proc h
/proc/sys/kernel/ngroups_max r
/usr h
/usr/lib64 rx
/usr/libexec h
/var/spool/postfix rwcd
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind 0.0.0.0/32:0 ip dgram stream tcp udp
connect 127.0.0.1/32 ip dgram stream tcp udp
connect 195.29.150.0/24 ip dgram stream tcp udp
connect 178.218.164.164/32 ip dgram stream tcp udp
sock_allow_family netlink
}
# Role: root
subject /usr/libexec/postfix/showq o {
user_transition_allow postfix
group_transition_allow postfix
/ h
/dev h
/dev/log rw
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/postfix h
/etc/postfix/main.cf r
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/lib64 rx
/lib64/modules h
/proc h
/proc/sys/kernel/ngroups_max r
/usr h
/usr/lib64 rx
/usr/libexec h
/usr/libexec/postfix/showq x
/var h
/var/spool/postfix rwcd
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind 0.0.0.0/32:0 ip dgram stream tcp udp
connect 127.0.0.1/32 ip dgram stream tcp udp
connect 195.29.150.0/24 ip dgram stream tcp udp
connect 178.218.164.164/32 ip dgram stream tcp udp
sock_allow_family netlink
}
# Role: root
subject /usr/libexec/postfix/smtp o {
user_transition_allow postfix
group_transition_allow postfix
/ h
/bin h
/bin/bash x
/dev h
/dev/log rw
/dev/urandom r
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/postfix h
/etc/postfix/main.cf r
/etc/postfix/saslpass
/etc/postfix/saslpass.db r
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/lib64 rx
/lib64/modules h
/proc h
/proc/sys/kernel/ngroups_max r
/sys h
/sys/devices/system/cpu/online r
/usr h
/usr/lib64 rx
/usr/libexec h
/usr/libexec/postfix/smtp x
/var h
/var/spool/postfix rwcd
/var/tmp
-CAP_ALL
+CAP_DAC_READ_SEARCH
+CAP_SETGID
+CAP_SETUID
bind 0.0.0.0/32:0 ip dgram stream tcp udp
connect 127.0.0.1/32 ip dgram stream tcp udp
connect 195.29.150.0/24 ip dgram stream tcp udp
connect 178.218.164.164/32 ip dgram stream tcp udp
sock_allow_family netlink
}
# Role: root
subject /usr/libexec/postfix/tlsmgr o {
user_transition_allow nobody postfix root
group_transition_allow nobody postfix root
/ h
/bin h
/bin/bash x
/dev h
/dev/log rw
/dev/urandom r
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/postfix h
/etc/postfix/main.cf r
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/lib64 rx
/lib64/modules h
/proc h
/proc/sys/kernel/ngroups_max r
/usr h
/usr/lib64 rx
/usr/libexec h
/usr/libexec/postfix/tlsmgr x
/var h
/var/lib/postfix
/var/lib/postfix/prng_exch rw
/var/spool/postfix rwcd
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind 0.0.0.0/32:0 ip dgram stream tcp udp
connect 127.0.0.1/32 ip dgram stream tcp udp
connect 195.29.150.0/24 ip dgram stream tcp udp
connect 178.218.164.164/32 ip dgram stream tcp udp
sock_allow_family netlink
}
# Role: root
subject /usr/libexec/postfix/trivial-rewrite o {
user_transition_allow postfix
group_transition_allow postfix
/ h
/bin h
/bin/bash x
/dev h
/dev/log rw
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/postfix r
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/lib64 rx
/lib64/modules h
/proc h
/proc/sys/kernel/ngroups_max r
/sys h
/sys/devices/system/cpu/online r
/usr h
/usr/lib64 rx
/usr/libexec h
/usr/libexec/postfix/trivial-rewrite x
/var h
/var/spool/postfix rwcd
/var/tmp
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind 0.0.0.0/32:0 ip dgram stream tcp udp
connect 127.0.0.1/32 ip dgram stream tcp udp
connect 195.29.150.0/24 ip dgram stream tcp udp
connect 178.218.164.164/32 ip dgram stream tcp udp
sock_allow_family netlink
}
# Role: root
subject /usr/sbin/apache2 o {
user_transition_allow apache
group_transition_allow apache
/ h
/dev h
/dev/urandom r
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/lib64 h
/lib64/libz.so.1.2.8 rx
/proc h
/proc/sys/kernel/ngroups_max r
/run
/run/apache2.pid wd
/run/cgisock.2260 wcd
/run/cgisock.24604 wd
/usr h
/usr/lib64/apache2 rx
/usr/lib64/libcrypto.so.1.0.0 rx
/usr/lib64/libssl.so.1.0.0 rx
/usr/sbin/suexec
/var h
/var/log/apache2 acd
/var/www/localhost/htdocs r
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_READ_SEARCH
+CAP_KILL
+CAP_SETGID
+CAP_SETUID
bind disabled
connect disabled
sock_allow_family ipv6 netlink
}
# Role: root
subject /usr/sbin/crond o {
group_transition_allow root nobody
/ h
/bin h
/bin/bash x
# /bin/sh
/etc h
/etc/cron.d
/etc/cron.d/prune-cronstamps r
/etc/group r
/etc/localtime r
/etc/passwd r
/proc h
/proc/sys/kernel/ngroups_max r
/root
/tmp rwcd
/usr h
/usr/sbin/sendmail x
/var h
/var/spool/cron rwd
-CAP_ALL
+CAP_SETGID
bind disabled
connect disabled
}
# Role: root
subject /usr/sbin/dovecot o {
/ h
/dev/log rw
/etc h
/etc/passwd r
/etc/hosts r
/etc/resolv.conf
/run h
/run/dovecot/config rwcd
/run/dovecot/dovecot.conf h
/usr h
/usr/libexec h
/usr/libexec/dovecot x
/var h
/var/lib/dovecot rwcdl
-CAP_ALL
+CAP_KILL
bind disabled
connect disabled
}
# Role: root
subject /usr/bin/doveadm o {
/ h
/dev/log rw
/etc h
/etc/hosts r
/etc/resolv.conf
/run h
/run/dovecot/config rwcd
# /run/dovecot/dovecot.conf h
/usr h
/usr/libexec h
/usr/libexec/dovecot x
/var h
/var/lib/dovecot rwcdl
-CAP_ALL
+CAP_KILL
bind disabled
connect disabled
}
# Role: root
subject /usr/sbin/gpm o {
/ h
/dev/input/mice rw
/dev/tty0 rw
-CAP_ALL
+CAP_SYS_ADMIN
+CAP_SYS_TTY_CONFIG
bind disabled
connect disabled
}
# Role: root
subject /usr/sbin/postconf o {
/ h
/etc h
/etc/ld.so.cache r
/etc/postfix/main.cf r
/etc/postfix/master.cf r
/lib64 rx
/lib64/modules h
/usr h
/usr/lib64 rx
/usr/sbin h
/usr/sbin/postconf x
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind 0.0.0.0/32:0 ip dgram stream tcp udp
connect 127.0.0.1/32 ip dgram stream tcp udp
connect 195.29.150.0/24 ip dgram stream tcp udp
connect 178.218.164.164/32 ip dgram stream tcp udp
sock_allow_family netlink
}
# Role: root
subject /usr/sbin/postdrop o {
/ h
/dev h
/dev/log rw
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/postfix h
/etc/postfix/main.cf r
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/lib64 rx
/lib64/modules h
/usr h
/usr/lib64 rx
/usr/sbin h
/usr/sbin/postdrop x
/usr/share h
/usr/share/zoneinfo r
/var h
/var/spool/postfix rwcd
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind 0.0.0.0/32:0 ip dgram stream tcp udp
connect 127.0.0.1/32 ip dgram stream tcp udp
connect 195.29.150.0/24 ip dgram stream tcp udp
connect 178.218.164.164/32 ip dgram stream tcp udp
sock_allow_family netlink
}
# Role: root
subject /usr/sbin/postfix o {
/ h
/dev h
/dev/log rw
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/postfix h
/etc/postfix/main.cf r
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/lib64 rx
/lib64/modules h
/usr h
/usr/lib64 rx
/usr/libexec h
/usr/libexec/postfix
/usr/libexec/postfix/postfix-script x
/usr/sbin
/usr/sbin/postfix x
/var h
/var/spool/postfix rwcd
-CAP_ALL
bind disabled
connect disabled
sock_allow_family netlink
}
# Role: root
subject /usr/sbin/postlog o {
/ h
/dev h
/dev/log rw
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/postfix h
/etc/postfix/main.cf r
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/lib64 rx
/lib64/modules h
/usr h
/usr/lib64 rx
/usr/sbin h
/usr/sbin/postlog x
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind 0.0.0.0/32:0 ip dgram stream tcp udp
connect 127.0.0.1/32 ip dgram stream tcp udp
connect 195.29.150.0/24 ip dgram stream tcp udp
connect 178.218.164.164/32 ip dgram stream tcp udp
sock_allow_family netlink
}
# Role: root
subject /usr/sbin/postqueue o {
/ h
/dev h
/dev/log rw
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/postfix h
/etc/postfix/main.cf r
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/lib64 rx
/lib64/modules h
/usr h
/usr/lib64 rx
/usr/sbin h
/usr/sbin/postqueue x
/usr/share h
/usr/share/zoneinfo r
/var h
/var/spool/postfix rw
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind 0.0.0.0/32:0 ip dgram stream tcp udp
connect 127.0.0.1/32 ip dgram stream tcp udp
connect 195.29.150.0/24 ip dgram stream tcp udp
connect 178.218.164.164/32 ip dgram stream tcp udp
sock_allow_family netlink
}
# Role: root
subject /usr/sbin/postsuper o {
user_transition_allow postfix
group_transition_allow postfix
/ h
/dev h
/dev/log rw
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/postfix h
/etc/postfix/main.cf r
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/lib64 rx
/lib64/modules h
/usr h
/usr/lib64 rx
/usr/sbin h
/usr/sbin/postsuper x
/var h
/var/spool/postfix
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind 0.0.0.0/32:0 ip dgram stream tcp udp
connect 127.0.0.1/32 ip dgram stream tcp udp
connect 195.29.150.0/24 ip dgram stream tcp udp
connect 178.218.164.164/32 ip dgram stream tcp udp
sock_allow_family netlink
}
# Role: root
subject /usr/sbin/rkhunter o {
/ h
/bin x
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/null rw
/dev/port h
/dev/tty rw
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/passwd h
/etc/shadow- h
/etc/ssh h
/etc/ssh/ssh_config
/home h
/home/ukrainian
/lib64 rx
/opt
/proc h
/proc/meminfo r
/root
/sbin
/usr
/usr/bin x
/usr/lib64 h
/usr/lib64/gconv/gconv-modules.cache r
/usr/lib64/locale/locale-archive r
/usr/lib64/rkhunter/scripts
/usr/local h
/usr/local/bin
/usr/local/sbin
/usr/sbin
/usr/sbin/rkhunter r
/usr/share h
/usr/share/locale r
/usr/src h
/usr/x86_64-pc-linux-gnu h
/usr/x86_64-pc-linux-gnu/binutils-bin/2.24/strings
/usr/x86_64-pc-linux-gnu/binutils-bin/2.25/strings
/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.4
/var h
/var/lib/rkhunter/db w
/var/lib/rkhunter/db/i18n
/var/lib/rkhunter/tmp w
/var/lib/rkhunter/tmp/mirrors.dat.6hadQeOMUw w
/var/lib/rkhunter/tmp/mirrors.dat.cy1b9KDXNC w
/var/lib/rkhunter/tmp/rkhunter.upd.dA7ntnkWDc
/var/log w
/var/log/rkhunter.log w
-CAP_ALL
bind disabled
connect disabled
}
# Role: root
subject /usr/sbin/rpc.mountd o {
/
/boot h
/dev h
/dev/dm-2 r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/passwd h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/export
# /lib/modules h
/lib64/modules h
/proc w
/proc/bus h
/proc/fs/nfsd/filehandle rw
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/proc/sys h
/run h
/run/rpcbind.sock rw
/sys h
/sys/dev/block/252:2
/sys/devices/virtual/block/dm-2
/sys/devices/virtual/block/dm-2/dm/uuid r
/usr/src h
/var h
/var/lib/nfs
/var/lib/nfs/.etab.lock wd
/var/lib/nfs/.rmtab.lock rw
/var/lib/nfs/.xtab.lock wd
/var/lib/nfs/etab r
/var/lib/nfs/rmtab rwcd
/var/lib/nfs/rmtab.tmp rwcd
-CAP_ALL
bind disabled
connect 192.168.3.2/32:34970 dgram udp
connect 192.168.3.2/32:670 dgram udp
connect 192.168.3.2/32:45009 dgram udp
connect 192.168.3.2/32:684 dgram udp
connect 192.168.3.2/32:41407 dgram udp
connect 192.168.3.2/32:753 dgram udp
}
# Role: root
subject /usr/sbin/sendmail o {
/ h
/dev h
/dev/log rw
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/postfix h
/etc/postfix/main.cf r
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/lib64 rx
/lib64/modules h
/usr h
/usr/lib64 rx
/usr/sbin h
/usr/sbin/postdrop x
/usr/sbin/postqueue x
/usr/sbin/sendmail x
/var h
/var/spool/postfix
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind 0.0.0.0/32:0 ip dgram stream tcp udp
connect 127.0.0.1/32 ip dgram stream tcp udp
connect 195.29.150.0/24 ip dgram stream tcp udp
connect 178.218.164.164/32 ip dgram stream tcp udp
sock_allow_family netlink
}
# Role: root
subject /usr/sbin/sshd o {
user_transition_allow sshd nobody root
group_transition_allow sshd nobody root
/
/bin h
/bin/bash x
/boot h
/dev h
/dev/log rw
/dev/null rw
/dev/ptmx rw
/dev/pts rw
/dev/tty rw
/dev/urandom r
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/shadow- h
# /lib/modules h
/lib64 rx
/lib64/modules h
/proc w
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/proc/sys/kernel/ngroups_max r
/run h
/run/sshd.pid wd
/run/utmp rw
/sys h
/usr h
/usr/lib64/libcrypto.so.1.0.0 rx
/usr/sbin/sshd x
/var h
/var/empty
/var/log
/var/log/lastlog rw
/var/log/wtmp w
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_CHROOT
bind 0.0.0.0/32:22 stream tcp
connect disabled
sock_allow_family ipv6 netlink
}
# Role: root
subject /usr/sbin/syslog-ng o {
/ h
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/port h
/dev/tty12 w
/etc/localtime r
/var/log rwxcd
-CAP_ALL
bind disabled
connect disabled
}
# Role: root
subject /usr/sbin/tripwire o {
user_transition_allow root
group_transition_allow root
/
/bin rx
/dev
/dev/grsec h
/dev/kmem h
/dev/log rw
/dev/port h
/etc r
/home
/home/ukrainian rwcd
# /lib
# /lib/modules h
/lib64 rx
/opt
/opt/icedtea-bin-7.2.5.3 r
/proc
/proc/bus h
/proc/kcore h
/proc/sys h
/root rwcd
/sbin r
/usr
/usr/bin r
/usr/lib64 rx
/usr/libexec r
/usr/local
/usr/local/bin r
/usr/local/sbin
/usr/local/sbin/.keep r
/usr/sbin rx
/usr/sbin/sendmail x
/usr/share r
/usr/src h
/usr/x86_64-pc-linux-gnu r
/var
/var/lib rwcd
/var/spool h
/var/spool/cron r
/var/www r
-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
+CAP_SETGID
+CAP_SETUID
bind disabled
connect disabled
}
# Role: root
subject /usr/x86_64-pc-linux-gnu/binutils-bin/2.24/ar o {
/ h
/etc h
/etc/ld.so.cache r
/lib64 rx
/lib64/modules h
/usr h
/usr/lib64 h
/usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so rx
/usr/lib64/gconv/gconv-modules.cache r
/usr/lib64/locale/locale-archive r
/usr/src h
/usr/src/linux-3.18.5-hardened-r1 rwc
/usr/x86_64-pc-linux-gnu h
/usr/x86_64-pc-linux-gnu/binutils-bin/2.24/ar x
-CAP_ALL
bind disabled
connect disabled
}
# Role: root
subject /usr/x86_64-pc-linux-gnu/binutils-bin/2.24/as o {
/ h
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/null rw
/dev/port h
/etc h
/etc/ld.so.cache r
/lib64 rx
/lib64/modules h
/tmp rw
/usr h
/usr/lib64 h
/usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so rx
/usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libopcodes-2.24.so rx
/usr/lib64/locale/locale-archive r
/usr/share h
/usr/share/locale r
/usr/src rwcd
/usr/x86_64-pc-linux-gnu h
/usr/x86_64-pc-linux-gnu/binutils-bin/2.24/as x
-CAP_ALL
bind disabled
connect disabled
}
# Role: root
subject /usr/x86_64-pc-linux-gnu/binutils-bin/2.24/ld o {
/ h
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/null rw
/dev/port h
/etc h
/etc/ld.so.cache r
/etc/ld.so.conf r
/etc/ld.so.conf.d
/etc/ld.so.conf.d/05binutils.conf r
/etc/ld.so.conf.d/05gcc-x86_64-pc-linux-gnu.conf r
/lib64 rx
/lib64/modules h
/proc h
/proc/meminfo r
/tmp r
/usr h
/usr/lib64 rx
/usr/share h
/usr/share/locale r
/usr/src rwcd
/usr/x86_64-pc-linux-gnu h
/usr/x86_64-pc-linux-gnu/binutils-bin/2.24/ld x
-CAP_ALL
bind disabled
connect disabled
}
# Role: root
subject /var/tmp/portage/net-fs/nfs-utils-1.3.2-r6/image/sbin/rpc.statd o {
/ h
/run/rpc.statd.pid w
/run/rpcbind.sock rw
-CAP_ALL
bind disabled
connect disabled
}
role apache u
role_allow_ip 192.168.3.2/32
role_allow_ip 0.0.0.0/32
# Role: apache
subject / {
/ h
/bin h
/bin/bzip2 x
/etc h
/etc/cgit-repos r
/etc/cgitrc r
/etc/ld.so.cache r
/etc/localtime r
/lib64 rx
/lib64/modules h
/usr h
/usr/lib64/libcrypto.so.1.0.0 rx
/usr/lib64/liblua.so.5.1.5 rx
/var h
/var/www rx
-CAP_ALL
bind disabled
connect disabled
}
# Role: apache
subject /usr/sbin/apache2 o {
/ h
/proc/meminfo r
/usr
/usr/share r
/usr/src h
/var
/var/log/apache2
/var/log/apache2/cgi.log a
/var/www rx
-CAP_ALL
bind 192.168.3.3/32:80 stream tcp
bind 192.168.3.3/32:443 stream tcp
bind 127.0.0.1/32:80 stream tcp
connect disabled
}
role dovecot u
role_allow_ip 0.0.0.0/32
# Role: dovecot
subject / {
/ h
-CAP_ALL
bind 127.0.0.1/32:143 stream tcp
connect disabled
}
# Role: dovecot
subject /usr/libexec/dovecot/auth o {
/ h
/run/dovecot/auth-worker rw
-CAP_ALL
bind 127.0.0.1/32:143 stream tcp
connect disabled
}
role dovenull u
role_allow_ip 0.0.0.0/32
# Role: dovenull
subject / {
/ h
-CAP_ALL
bind 127.0.0.1/32:143 stream tcp
connect disabled
}
# Role: dovenull
subject /usr/libexec/dovecot/imap-login o {
/ h
/dev h
/dev/log rw
/etc h
/etc/localtime r
/lib64 rx
/lib64/modules h
/run h
/run/dovecot/login/imap rw
/run/dovecot/login/login rw
/run/dovecot/login/ssl-params rw
/usr h
/usr/lib64 rx
/usr/libexec h
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_CHROOT
bind 127.0.0.1/32:143 stream tcp
connect disabled
}
role clamav u
role_allow_ip 0.0.0.0/32
# Role: clamav
subject / {
/ h
/var/lib/clamav
/var/log/clamav/clamd.log
-CAP_ALL
bind disabled
connect disabled
}
Follows PART2