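# Role: admin — a special role (s) carrying the admin flag (A).
# It is not bound to a uid; role root reaches it through its role_transitions line,
# and it grants the whole tree with every object mode, so it should stay gated behind
# gradm authentication and be used only for policy maintenance.
role admin sA
subject / rvka
/ rwcdmlxi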
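# Role: default — the fallback applied to any uid/gid that has no role of its own.
# Deny-all baseline: the entire filesystem is hidden, every capability is dropped and
# no socket may be bound or connected.
role default
subject / {
/ h
-CAP_ALL
connect disabled
bind disabled
}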
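# Role: root — user role (u); G lets this role authenticate to special roles with gradm.
# It may transition to the admin role above. Logins are restricted to 192.168.1.20 and
# to 0.0.0.0/32 (presumably local/console sessions with no source address — confirm).
role root uG
role_transitions admin
role_allow_ip 192.168.1.20/32
role_allow_ip 0.0.0.0/32
# Default subject for everything root runs that has no subject of its own.
# Secrets (/etc/shadow*, /etc/gshadow*, /etc/ssh, /etc/grsec) and kernel memory/symbol
# interfaces are hidden; /tmp is the one writable directory and it also allows x —
# review whether execute from /tmp is really needed for this role.
subject / {
/ h
/bin x
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/null w
/dev/port h
/dev/tty rw
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp h
/etc/samba/smbpasswd h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/home h
# Listed without a mode under a hidden /home: presumably visible but not accessible here;
# the web role below is the one that actually writes this restart marker.
/home/web/testapp/tmp/restart.txt
/lib rx
/lib/modules h
/proc r
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/root
/root/.bash_history r
/root/.bashrc r
/root/.profile r
/sbin x
/selinux
/tmp rwdx
/usr h
/usr/bin x
/usr/lib h
/usr/lib/gconv/gconv-modules.cache r
/usr/lib/locale/locale-archive r
/usr/local/rvm rx
/usr/sbin
/usr/share h
/usr/share/locale r
/var h
/var/run
/var/spool/cron/crontabs
-CAP_ALL
bind disabled
connect disabled
}
# Subject: mesg (o = override the default subject). Only what it needs to toggle the
# pts device mode: its own binary, loader files, write on /dev/pts and CAP_FSETID.
subject /usr/bin/mesg o {
/ h
/dev h
/dev/pts w
/etc h
/etc/group r
/etc/ld.so.cache r
/etc/nsswitch.conf r
/lib rx
/lib/modules h
/usr h
/usr/bin/mesg x
/var h
/var/run
-CAP_ALL
+CAP_FSETID
bind disabled
connect disabled
}
# Subject: vim. May edit under /root only; the secret files hidden in the default subject
# stay hidden here. /usr/bin is hidden and curl/ssh are listed without an execute mode,
# so the editor cannot shell out to them.
subject /usr/bin/vim.basic o {
/ h
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp h
/etc/samba/smbpasswd h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/etc/vim
/etc/vim/vimrc r
/lib rx
/lib/modules h
/proc h
/proc/filesystems r
/root rwcd
/selinux
/usr h
/usr/bin h
/usr/bin/curl
/usr/bin/ssh
/usr/bin/vim.basic x
/usr/lib h
/usr/lib/gconv/gconv-modules.cache r
/usr/lib/libgpm.so.2.0.0 rx
/usr/lib/locale/locale-archive r
/usr/share r
/var h
/var/lib/vim/addons
/var/run
-CAP_ALL
bind disabled
connect disabled
}
# Subject: apache2 master process while still root. It keeps only SETUID/SETGID so it
# can drop to www-data (role www-data takes over after the transition). bind is disabled
# in this subject — confirm on the host how the listening socket is acquired, since
# nothing here grants a bind for the HTTP port.
subject /usr/lib/apache2/mpm-prefork/apache2 o {
user_transition_allow www-data
group_transition_allow www-data
/ h
/etc/group r
/proc/sys/kernel/ngroups_max r
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind disabled
connect disabled
sock_allow_family ipv6
}
# Subject: ruby (RVM REE) started as root. Reads the app tree, may use /tmp, and keeps
# only SETUID/SETGID to drop to nobody/nogroup; role nobody governs it afterwards.
subject /usr/local/rvm/rubies/ree-1.8.7-2011.02/bin/ruby o {
user_transition_allow nobody
group_transition_allow nogroup
/ h
/dev h
/dev/urandom r
/etc h
/etc/group r
/etc/ld.so.cache r
/etc/nsswitch.conf r
/home/web/testapp r
/lib rx
/lib/modules h
/proc h
/proc/sys/kernel/ngroups_max r
/tmp rwcd
/var h
/var/run
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind disabled
connect disabled
}
# Subject: VBoxService (guest additions). CAP_SYS_TIME for clock sync; one datagram
# bind on an unspecified address/port, no connects.
subject /usr/sbin/VBoxService o {
/ h
/var/run/utmp r
-CAP_ALL
+CAP_SYS_TIME
bind 0.0.0.0/32:0 dgram ip
connect disabled
}
# Subject: rsyslogd. Only "/ h" is listed, so this subject can open no log file at all,
# and CAP_SYS_ADMIN is one of the broadest capabilities — this looks like an unfinished
# learning result; confirm on the host and narrow it to the files and capability the
# daemon actually needs.
subject /usr/sbin/rsyslogd o {
/ h
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
# Subject: sshd. /etc/shadow is intentionally readable via "/etc r" (authentication needs
# it) while the shadow- backup and the other secret stores stay hidden. Spawned sessions
# may become sshd, web or root. Listens on port 22, resolves names against 192.168.1.1,
# and holds the capabilities needed for privilege separation, chroot, tty setup and
# lastlog/wtmp/utmp updates.
subject /usr/sbin/sshd o {
user_transition_allow sshd web root
group_transition_allow nogroup web root
/
/bin h
/bin/bash x
/boot h
/dev h
/dev/log rw
/dev/null rw
/dev/ptmx rw
/dev/pts rw
/dev/tty rw
/dev/urandom r
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp h
/etc/samba/smbpasswd h
/etc/shadow- h
/home h
/home/web
/lib rx
/lib/modules h
# Write-only on /proc (no r), presumably for per-process entries such as loginuid — confirm.
/proc w
/proc/bus h
/proc/filesystems r
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/proc/sys/kernel/ngroups_max r
/sys h
/usr h
/usr/lib rx
/usr/sbin/sshd x
/usr/share/ssh/blacklist.DSA-1024 r
/usr/share/ssh/blacklist.RSA-2048 r
/var h
/var/log
/var/log/lastlog rw
/var/log/wtmp w
/var/run
/var/run/motd r
/var/run/utmp rw
-CAP_ALL
+CAP_CHOWN
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_CHROOT
+CAP_SYS_RESOURCE
+CAP_SYS_TTY_CONFIG
bind 0.0.0.0/32:22 stream dgram ip tcp
bind 0.0.0.0/32:0 stream dgram ip tcp
connect 192.168.1.1/32:53 dgram udp
sock_allow_family ipv6 netlink
}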
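# Role: web — user role for the deploying account; logins only from 192.168.1.20.
# Owns the application tree under /home/web (rwcd) and the restart marker, may execute
# from /bin and /usr/bin, and sees the same hidden secret/kernel objects as role root.
# /usr/local is read-only here, so the RVM rubies are not executable by this role.
role web u
role_allow_ip 192.168.1.20/32
subject / {
/
/bin x
/boot h
/dev
/dev/console rw
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/null w
/dev/port h
/dev/pts rw
/dev/tty rw
/dev/tty0 rw
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp h
/etc/samba/smbpasswd h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/home
/home/web rwcd
/home/web/testapp rwcd
/home/web/testapp/app
/home/web/testapp/app/controllers rwcd
/home/web/testapp/tmp
/home/web/testapp/tmp/restart.txt w
/lib rx
/lib/modules h
/proc
/proc/bus h
/proc/filesystems r
/proc/kallsyms h
/proc/kcore h
/proc/meminfo r
/proc/modules h
/proc/slabinfo h
/proc/sys h
/sys h
/usr h
/usr/bin x
/usr/lib h
/usr/lib/gconv/gconv-modules.cache r
/usr/lib/libgpm.so.2.0.0 rx
/usr/lib/locale/locale-archive r
/usr/local r
/usr/sbin
/usr/share r
/var h
/var/lib/vim/addons
/var/run
-CAP_ALL
bind disabled
connect disabled
}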
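# Role: sshd — the privilege-separation user sshd drops to. Deny-all: nothing visible,
# no capabilities, no sockets.
role sshd u
subject / {
/ h
-CAP_ALL
bind disabled
connect disabled
}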
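# Role: nobody — user role the ruby app server runs as after the transition from root.
# Anything other than the ruby binary gets the deny-all default subject below.
role nobody u
role_allow_ip 192.168.1.20/32
subject / {
/ h
-CAP_ALL
bind disabled
connect disabled
}
# Subject: ruby app server. "/home/web rwcd" grants write and delete over the whole
# application tree, including its code, which is more than a running app needs; consider
# narrowing writes to the tmp/log directories. Listens only on loopback high ports and
# cannot connect out. Note "/" carries no mode and /lib is not listed: the loader files
# were mapped under role root before the uid change, so confirm nothing here needs to
# open /lib after the transition.
subject /usr/local/rvm/rubies/ree-1.8.7-2011.02/bin/ruby o {
/
/boot h
/dev h
/dev/urandom r
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp h
/etc/samba/smbpasswd h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/home
/home/web rwcd
/lib/modules h
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/proc/sys h
/sys h
/tmp rwcd
/usr
/usr/lib rx
/usr/local rx
/usr/src h
/var h
/var/run
-CAP_ALL
bind 127.0.0.1/32:1024-65535 stream tcp
bind 127.0.0.1/32:0 stream tcp
connect disabled
sock_allow_family netlink
}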
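# Role: www-data — the apache worker user after the transition from root.
# Read-only on the app's public directory, read/write on /tmp, otherwise hidden;
# no capabilities and no bind/connect.
role www-data u
role_allow_ip 192.168.1.20/32
subject / {
/ h
/etc/localtime r
/home
/home/web
/home/web/testapp
/home/web/testapp/public r
/tmp rw
-CAP_ALL
bind disabled
connect disabled
}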