# Special role ("s": not bound to a uid, entered via gradm) with the "A" flag:
# RBAC enforcement is bypassed for it. Only roles that list it in
# role_transitions can reach it (root does, below).
role admin sA
# r/v/k/a on the default subject: see, view, signal and IPC with processes of
# every role; the single object grants every mode on the whole filesystem.
subject / rvka
/ rwcdmlxi
# Fallback for any uid/gid that matches none of the roles in this file:
# deny everything.
role default
subject / {
# Whole filesystem hidden, no capabilities, no IP sockets.
/ h
-CAP_ALL
connect disabled
bind disabled
}
# uid-0 role. "u" = user role; "G" = may authenticate to gradm and so enter the
# admin role named in role_transitions (full RBAC bypass, see above).
role root uG
role_transitions admin
# Root sessions are accepted from the admin workstation and from sessions with
# no remote address (0.0.0.0/32 -- presumably console/cron); nothing else.
role_allow_ip 192.168.1.20/32
role_allow_ip 0.0.0.0/32
# Default subject for anything root runs that has no dedicated subject below.
subject / {
# Hidden by default; only the listed paths are visible to root's shell.
/ h
/bin x
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/null w
/dev/port h
/dev/tty rw
# /etc readable except the policy, credential and key material.
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp h
/etc/samba/smbpasswd h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/home h
# Empty mode: visible (stat) but neither readable nor writable.
/home/web/testapp/tmp/restart.txt
/lib rx
/lib/modules h
# /proc readable minus kernel internals.
/proc r
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
# NOTE(review): /root has no mode and .bash_history is read-only, so root's
# shell history is never written under this subject -- confirm that is intended,
# it removes an audit trail.
/root
/root/.bash_history r
/root/.bashrc r
/root/.profile r
/sbin x
/selinux
# NOTE(review): "x" on the world-writable /tmp lets this role execute whatever
# other roles drop there (the nobody-role ruby below has rwcd on /tmp). If the
# execution that put "x" here was a one-off, drop it.
/tmp rwdx
/usr h
/usr/bin x
/usr/lib h
/usr/lib/gconv/gconv-modules.cache r
/usr/lib/locale/locale-archive r
# Root may run the rvm rubies directly.
/usr/local/rvm rx
/usr/sbin
/usr/share h
/usr/share/locale r
/var h
/var/run
/var/spool/cron/crontabs
# No capabilities and no IP sockets for the generic root subject; daemons that
# need more get their own "o" subjects below.
-CAP_ALL
bind disabled
connect disabled
}
# mesg(1) run by root. "o": nothing inherited from root's "/" subject.
subject /usr/bin/mesg o {
/ h
/dev h
# The only writable object is the pts tree (the tty whose mode mesg changes).
/dev/pts w
/etc h
/etc/group r
/etc/ld.so.cache r
/etc/nsswitch.conf r
/lib rx
/lib/modules h
/usr h
/usr/bin/mesg x
/var h
/var/run
# Capability lines are applied in order: drop all, then re-add the one that
# was granted (presumably for the chmod on the pts device -- confirm).
-CAP_ALL
+CAP_FSETID
bind disabled
connect disabled
}
# vim run by root. /usr/bin is hidden and only vim itself is executable, so
# ":!cmd" shell escapes cannot reach other binaries. /etc is read-only to vim,
# so files under /etc cannot be saved from it; /root is the only writable tree.
subject /usr/bin/vim.basic o {
/ h
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp h
/etc/samba/smbpasswd h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
# /etc/vim has no mode; only vimrc itself is readable.
/etc/vim
/etc/vim/vimrc r
/lib rx
/lib/modules h
/proc h
/proc/filesystems r
/root rwcd
/selinux
/usr h
/usr/bin h
# Empty mode: curl and ssh are visible but not executable (presumably vim or a
# plugin probed for them -- confirm before granting anything more).
/usr/bin/curl
/usr/bin/ssh
/usr/bin/vim.basic x
/usr/lib h
/usr/lib/gconv/gconv-modules.cache r
/usr/lib/libgpm.so.2.0.0 rx
/usr/lib/locale/locale-archive r
/usr/share r
/var h
/var/lib/vim/addons
/var/run
-CAP_ALL
bind disabled
connect disabled
}
# Apache parent process (runs as root until it drops to www-data; the www-data
# role below then applies). "o": nothing inherited from root's "/" subject.
# NOTE(review): only /etc/group and ngroups_max are visible, there is no rule
# for the config, module or log paths, and bind is disabled, so no listening
# socket can be created under this subject. That reads like a policy learned
# from an already-running server (descriptors already open are presumably not
# re-checked); restarting apache with RBAC enabled would then be denied --
# confirm against the grsec log and re-learn this subject if so.
subject /usr/lib/apache2/mpm-prefork/apache2 o {
# uid/gid the parent may drop to.
user_transition_allow www-data
group_transition_allow www-data
/ h
/etc/group r
/proc/sys/kernel/ngroups_max r
# Capability lines are applied in order: drop all, then re-add what the
# setuid/setgid to www-data needs.
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind disabled
connect disabled
sock_allow_family ipv6
}
# The rvm ruby (REE 1.8.7) started by root. It may drop to nobody/nogroup,
# after which the nobody role's ruby subject below governs it. The restart.txt
# trigger elsewhere in this file suggests Phusion Passenger -- confirm.
subject /usr/local/rvm/rubies/ree-1.8.7-2011.02/bin/ruby o {
user_transition_allow nobody
group_transition_allow nogroup
/ h
/dev h
/dev/urandom r
/etc h
/etc/group r
/etc/ld.so.cache r
/etc/nsswitch.conf r
# The application tree is read-only while still running as root.
/home/web/testapp r
/lib rx
/lib/modules h
/proc h
/proc/sys/kernel/ngroups_max r
# /tmp is fully writable but not executable.
/tmp rwcd
/var h
/var/run
# Capability lines are applied in order: drop all, keep only what the
# setuid/setgid to nobody needs.
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind disabled
connect disabled
}
# VirtualBox guest service (so this policy was learned on a VM, not the
# production host). Only utmp is visible; CAP_SYS_TIME presumably for guest
# clock sync. One UDP bind, any address, port 0.
subject /usr/sbin/VBoxService o {
/ h
/var/run/utmp r
-CAP_ALL
+CAP_SYS_TIME
bind 0.0.0.0/32:0 dgram ip
connect disabled
}
# rsyslogd. Nothing on the filesystem is visible, so already-open log files
# keep working but any reopen (restart, log rotation, recreating /dev/log)
# would presumably be denied -- confirm and re-learn.
# NOTE(review): CAP_SYS_ADMIN is a near-root capability. It is presumably here
# for reading the kernel ring buffer (imklog) on a kernel that predates
# CAP_SYSLOG; check whether it is still required and prefer CAP_SYSLOG where
# the kernel offers it.
subject /usr/sbin/rsyslogd o {
/ h
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
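# sshd under the root role. "o": nothing is inherited from root's "/" subject,
# so this list is the whole of what the daemon may touch.
subject /usr/sbin/sshd o {
# uids/gids a session may switch to: the privsep child (sshd) and the two
# accounts that can log in (web, root).
user_transition_allow sshd web root
group_transition_allow nogroup web root
/
/bin h
/bin/bash x
/boot h
/dev h
/dev/log rw
/dev/null rw
/dev/ptmx rw
/dev/pts rw
/dev/tty rw
/dev/urandom r
# /etc is readable (host keys, PAM config). Unlike the other subjects in this
# file, /etc/shadow is not hidden here -- presumably so password authentication
# can read it -- while the shadow- backup and the other credential files are.
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp h
/etc/samba/smbpasswd h
/etc/shadow- h
/home h
/home/web
/lib rx
/lib/modules h
# "/proc w" is what was recorded (presumably writes to /proc/self/*, e.g.
# pam_loginuid). Without a narrower entry it also covers /proc/sys, i.e. the
# whole sysctl tree, which a uid-0 sshd could rewrite largely without any
# capability. Hide the sysctl tree, keeping the one entry sshd is known to
# read; this matches how the web and nobody roles handle /proc/sys.
# Follow-up: once the real write target is known, replace "/proc w" with it
# (the wildcard also reaches e.g. /proc/sysrq-trigger).
/proc w
/proc/bus h
/proc/filesystems r
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/proc/sys h
/proc/sys/kernel/ngroups_max r
/sys h
/usr h
/usr/lib rx
/usr/sbin/sshd x
/usr/share/ssh/blacklist.DSA-1024 r
/usr/share/ssh/blacklist.RSA-2048 r
/var h
/var/log
# Login accounting and the MOTD.
/var/log/lastlog rw
/var/log/wtmp w
/var/run
/var/run/motd r
/var/run/utmp rw
# Capability lines are applied in order: drop everything, then re-add what
# privilege separation and session setup need.
-CAP_ALL
+CAP_CHOWN
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_CHROOT
+CAP_SYS_RESOURCE
+CAP_SYS_TTY_CONFIG
# Listener on :22. The port-0 bind was recorded as well (presumably ephemeral
# binds for port forwarding -- confirm it is still wanted). Outbound traffic
# is limited to DNS towards the resolver.
bind 0.0.0.0/32:22 stream dgram ip tcp
bind 0.0.0.0/32:0 stream dgram ip tcp
connect 192.168.1.1/32:53 dgram udp
sock_allow_family ipv6 netlink
}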
# Login account "web" (applied by uid). Not hidden-by-default: "/" has an
# empty mode, so unlisted paths can be stat'ed but not read.
role web u
role_allow_ip 192.168.1.20/32
subject / {
/
/bin x
/boot h
/dev
# NOTE(review): rw on /dev/console and /dev/tty0 for an unprivileged account is
# unusual; presumably picked up from a console login -- confirm, else drop.
/dev/console rw
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/null w
/dev/port h
/dev/pts rw
/dev/tty rw
/dev/tty0 rw
# /etc readable except the policy, credential and key material.
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp h
/etc/samba/smbpasswd h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
# Writable only inside its own home; app/ itself has no mode, so of the
# application source only controllers/ can be changed. restart.txt is
# write-only (presumably the Passenger restart trigger).
/home
/home/web rwcd
/home/web/testapp rwcd
/home/web/testapp/app
/home/web/testapp/app/controllers rwcd
/home/web/testapp/tmp
/home/web/testapp/tmp/restart.txt w
/lib rx
/lib/modules h
/proc
/proc/bus h
/proc/filesystems r
/proc/kallsyms h
/proc/kcore h
/proc/meminfo r
/proc/modules h
/proc/slabinfo h
/proc/sys h
/sys h
/usr h
/usr/bin x
/usr/lib h
/usr/lib/gconv/gconv-modules.cache r
/usr/lib/libgpm.so.2.0.0 rx
/usr/lib/locale/locale-archive r
# The rvm tree is readable but not executable from this role.
/usr/local r
/usr/sbin
/usr/share r
/var h
/var/lib/vim/addons
/var/run
-CAP_ALL
bind disabled
connect disabled
}
# Privilege-separated sshd child (uid sshd): deny-all, nothing on disk visible.
role sshd u
subject / {
/ h
-CAP_ALL
bind disabled
connect disabled
}
# uid nobody: deny-all default subject; the only thing it runs with any
# permissions is the rvm ruby subject below.
role nobody u
role_allow_ip 192.168.1.20/32
subject / {
/ h
-CAP_ALL
bind disabled
connect disabled
}
# The application's ruby once it has dropped to nobody (spawned from the root
# role's ruby subject above). Not hidden-by-default: "/" has an empty mode.
subject /usr/local/rvm/rubies/ree-1.8.7-2011.02/bin/ruby o {
/
/boot h
/dev h
/dev/urandom r
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp h
/etc/samba/smbpasswd h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/home
# NOTE(review): rwcd on all of /home/web gives the app write/create/delete over
# its own source and the web user's dotfiles, so a compromised app can rewrite
# its own code. Narrow this to the directories it actually writes (tmp/, log/
# -- check the grsec learning log) and leave the rest read-only.
/home/web rwcd
/lib/modules h
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/proc/sys h
/sys h
# /tmp writable but not executable (presumably app sockets/uploads -- confirm).
/tmp rwcd
/usr
/usr/lib rx
# Anything under /usr/local may be executed (rvm rubies, gems, native extensions).
/usr/local rx
/usr/src h
/var h
/var/run
# No capabilities; may listen only on loopback high ports; no outbound
# connections at all.
-CAP_ALL
bind 127.0.0.1/32:1024-65535 stream tcp
bind 127.0.0.1/32:0 stream tcp
connect disabled
sock_allow_family netlink
}
# Apache worker uid. Only the app's public/ tree and /tmp are reachable; /tmp
# is rw without create (presumably the unix sockets of the app server --
# confirm). No IP sockets. Log files and modules are not listed; they are
# presumably usable only through descriptors inherited from the root parent.
role www-data u
role_allow_ip 192.168.1.20/32
subject / {
/ h
/etc/localtime r
/home
/home/web
/home/web/testapp
/home/web/testapp/public r
/tmp rw
-CAP_ALL
bind disabled
connect disabled
}