role admin sA
subject / rvka
	/ rwcdmlxi

role default G
role_transitions admin
subject / dpo
	/		r
	/opt		rx
	/home		rwxcd
	/mnt		rw
	/dev
	/dev/grsec	h
	/dev/urandom	r
	/dev/random	r
	/dev/zero	rw
	/dev/input	rw
	/dev/psaux	rw
	/dev/null	rw
	/dev/tty?	rw
	/dev/hvc?	rw
	/dev/console	rw
	/dev/tty	rw
	/dev/pts	rw
	/dev/ptmx	rw
	/dev/dsp	rw
	/dev/mixer	rw
	/dev/initctl	rw
	/dev/fd0	r
	/dev/cdrom	r
	/dev/mem	h
	/dev/kmem	h
	/dev/port	h
	/bin		rx
	/sbin		rx
	/lib		rx
	/usr		rx
	/etc		rx
	/proc		rwx
	/proc/slabinfo	h
	/proc/kcore	h
	/proc/kallsyms  h
	/proc/modules   h
	/proc/sys	r
	/root		r
	/tmp		rwcd
	/var		rwxcd
	/var/tmp	rwcd
	/var/log	r
	/boot		h
	/lib/modules	h
	/etc/grsec	h
	/var/lib/grsec	h
	
	-CAP_KILL
	-CAP_SYS_TTY_CONFIG
	-CAP_LINUX_IMMUTABLE
	-CAP_NET_RAW
	-CAP_MKNOD
	-CAP_SYS_ADMIN
	-CAP_SYS_RAWIO
	-CAP_SYS_MODULE
	-CAP_SYS_PTRACE
	-CAP_NET_ADMIN
	-CAP_NET_BIND_SERVICE
	-CAP_NET_RAW
	-CAP_SYS_CHROOT
	-CAP_SYS_BOOT
	-CAP_SETFCAP

# the d flag protects /proc fd and mem entries for sshd
# all daemons should have 'p' in their subject mode to prevent
# an attacker from killing the service (and restarting it with trojaned
# config file or taking the port it reserved to run a trojaned service)
subject /usr/sbin/sshd dpo
	/		h
	/bin/sh		x
	/bin/bash	x
	/dev		h
	/dev/log	rw
	/dev/random	r
	/dev/urandom	r
	/dev/null	rw
	/dev/ptmx	rw
	/dev/pts	rw
	/dev/tty	rw
	/dev/tty?	rw
	/etc		r
	/etc/passwd	r
	/etc/shadow	r
	/etc/grsec	h
	/home		rwcd
	/lib		rx
	/root
	/proc		r
	/proc/*/oom_adj	w
	/proc/kcore	h
	/proc/sys	h
	/usr/lib	rx
	/usr/share/zoneinfo r
	/var/log
	/var/mail
	/var/log/lastlog	rw
	/var/log/wtmp		w
	/var/run/sshd
	/var/run/utmp		rw
	/var/empty		rw

	-CAP_ALL
	+CAP_CHOWN
	+CAP_SETGID
	+CAP_SETUID
	+CAP_SYS_CHROOT
	+CAP_SYS_RESOURCE
	+CAP_SYS_TTY_CONFIG

subject /usr/bin/ssh
	/etc/ssh/ssh_config r

subject /bin/busybox
	+CAP_SYS_ADMIN
	+CAP_SYS_BOOT
	/root/.ash_history rw
	/dev/log rwc
	/var/log rwc
	/var/log/messages rwc
	/var/log/wtmp w
	/var/log/faillog rwcd

subject /usr/bin/sudo
	+CAP_SYS_ADMIN
	/dev/log rw

