[arch-commits] Commit in gradm/repos (12 files)

Daniel Micay thestinger at archlinux.org
Sat Jan 7 03:51:41 UTC 2017


    Date: Saturday, January 7, 2017 @ 03:51:41
  Author: thestinger
Revision: 205876

archrelease: copy trunk to community-i686, community-x86_64

Added:
  gradm/repos/community-i686/PKGBUILD
    (from rev 205875, gradm/trunk/PKGBUILD)
  gradm/repos/community-i686/learn_config
    (from rev 205875, gradm/trunk/learn_config)
  gradm/repos/community-i686/policy
    (from rev 205875, gradm/trunk/policy)
  gradm/repos/community-x86_64/PKGBUILD
    (from rev 205875, gradm/trunk/PKGBUILD)
  gradm/repos/community-x86_64/learn_config
    (from rev 205875, gradm/trunk/learn_config)
  gradm/repos/community-x86_64/policy
    (from rev 205875, gradm/trunk/policy)
Deleted:
  gradm/repos/community-i686/PKGBUILD
  gradm/repos/community-i686/learn_config
  gradm/repos/community-i686/policy
  gradm/repos/community-x86_64/PKGBUILD
  gradm/repos/community-x86_64/learn_config
  gradm/repos/community-x86_64/policy

-------------------------------+
 /PKGBUILD                     |   92 +++
 /learn_config                 |  336 +++++++++++++
 /policy                       |  982 ++++++++++++++++++++++++++++++++++++++++
 community-i686/PKGBUILD       |   46 -
 community-i686/learn_config   |  168 ------
 community-i686/policy         |  491 --------------------
 community-x86_64/PKGBUILD     |   46 -
 community-x86_64/learn_config |  168 ------
 community-x86_64/policy       |  491 --------------------
 9 files changed, 1410 insertions(+), 1410 deletions(-)

Deleted: community-i686/PKGBUILD
===================================================================
--- community-i686/PKGBUILD	2017-01-07 03:51:02 UTC (rev 205875)
+++ community-i686/PKGBUILD	2017-01-07 03:51:41 UTC (rev 205876)
@@ -1,46 +0,0 @@
-# $Id$
-# Maintainer: Daniel Micay <danielmicay at gmail.com>
-# Contributor: Jonathan Liu <net147 at gmail.com>
-# Contributor: henning mueller <henning at orgizm.net>
-# Contributor: s1gma <s1gma at mindslicer.com>
-# Contributor: Ahmad24 <myitrayan at gmail.com>
-# Contributor: maxrp <maxp at pdx.edu>
-
-pkgname=gradm
-_version=3.1
-_timestamp=201608131257
-pkgver=$_version.$_timestamp
-pkgrel=1
-pkgdesc="Administration utility for grsecurity's Role Based Access Control (RBAC)"
-arch=(i686 x86_64)
-url=https://grsecurity.net/
-license=(GPL2)
-depends=(pam)
-source=(https://grsecurity.net/stable/$pkgname-$_version-$_timestamp.tar.gz
-        https://grsecurity.net/stable/$pkgname-$_version-$_timestamp.tar.gz.sig
-        learn_config
-        policy)
-sha256sums=('2b771346458f55805713e4cdfc4fefba1da88826dd9ecff38dacd0087331a578'
-            'SKIP'
-            '61c3042879ec2303b713f57f751fb66a95e2cc4737fbbd6d95879829c7b7d3c0'
-            '73cf31add3da55b539777d736764a40c6b30041cc259e1d0372c867b87070440')
-validpgpkeys=(
-              'DE9452CE46F42094907F108B44D1C0F82525FE49' # Bradley Spengler
-)
-
-prepare() {
-  cd $pkgname
-  sed -i -e 's/^CFLAGS :=/CFLAGS +=/' -e 's:sbin:usr/bin:' Makefile
-}
-
-build() {
-  cd $pkgname
-  make
-}
-
-package() {
-  cd $pkgname
-  make DESTDIR="$pkgdir" install
-  cp "$srcdir"/{learn_config,policy} "$pkgdir/etc/grsec"
-  rm -r "$pkgdir/dev"
-}

Copied: gradm/repos/community-i686/PKGBUILD (from rev 205875, gradm/trunk/PKGBUILD)
===================================================================
--- community-i686/PKGBUILD	                        (rev 0)
+++ community-i686/PKGBUILD	2017-01-07 03:51:41 UTC (rev 205876)
@@ -0,0 +1,46 @@
+# $Id$
+# Maintainer: Daniel Micay <danielmicay at gmail.com>
+# Contributor: Jonathan Liu <net147 at gmail.com>
+# Contributor: henning mueller <henning at orgizm.net>
+# Contributor: s1gma <s1gma at mindslicer.com>
+# Contributor: Ahmad24 <myitrayan at gmail.com>
+# Contributor: maxrp <maxp at pdx.edu>
+
+pkgname=gradm
+_version=3.1
+_timestamp=201701031918
+pkgver=$_version.$_timestamp
+pkgrel=1
+pkgdesc="Administration utility for grsecurity's Role Based Access Control (RBAC)"
+arch=(i686 x86_64)
+url=https://grsecurity.net/
+license=(GPL2)
+depends=(pam)
+source=(https://grsecurity.net/stable/$pkgname-$_version-$_timestamp.tar.gz
+        https://grsecurity.net/stable/$pkgname-$_version-$_timestamp.tar.gz.sig
+        learn_config
+        policy)
+sha256sums=('794eca5fa9f51520ab4a83b8884cb90e7715061f3102bc896d78674b2c2ad94d'
+            'SKIP'
+            '61c3042879ec2303b713f57f751fb66a95e2cc4737fbbd6d95879829c7b7d3c0'
+            '73cf31add3da55b539777d736764a40c6b30041cc259e1d0372c867b87070440')
+validpgpkeys=(
+              'DE9452CE46F42094907F108B44D1C0F82525FE49' # Bradley Spengler
+)
+
+prepare() {
+  cd $pkgname
+  sed -i -e 's/^CFLAGS :=/CFLAGS +=/' -e 's:sbin:usr/bin:' Makefile
+}
+
+build() {
+  cd $pkgname
+  make
+}
+
+package() {
+  cd $pkgname
+  make DESTDIR="$pkgdir" install
+  cp "$srcdir"/{learn_config,policy} "$pkgdir/etc/grsec"
+  rm -r "$pkgdir/dev"
+}
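Review bot: The `cp "$srcdir"/{learn_config,policy} "$pkgdir/etc/grsec"` in package() sets no mode on the policy files it drops in; it relies on the preceding `make install` having already created them with the restricted mode gradm expects (presumably 0600 in a 0700 /etc/grsec — not visible here). Should the upstream install target ever stop shipping one of these files, the copy would land with whatever mode the file has in $srcdir, and gradm is known to refuse a policy directory that is readable by others. Making the mode explicit removes that dependency on the Makefile: `install -m 0600 "$srcdir"/{learn_config,policy} "$pkgdir/etc/grsec"`. Separately, the unanchored `sed -e 's:sbin:usr/bin:' Makefile` in prepare() rewrites every occurrence of `sbin` in the Makefile, not only the install prefix; if that is intended it deserves a comment, otherwise anchoring the pattern to the variable it targets would be safer.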

Deleted: community-i686/learn_config
===================================================================
--- community-i686/learn_config	2017-01-07 03:51:02 UTC (rev 205875)
+++ community-i686/learn_config	2017-01-07 03:51:41 UTC (rev 205876)
@@ -1,168 +0,0 @@
-#This configuration file aids the learning process by tweaking
-#the learning algorithm for specific paths.
-#
-#It accepts lines in the form of <command> <pathname>
-#Where <command> can be inherit-learn, no-learn, inherit-no-learn,
-#high-reduce-path, dont-reduce-path, protected-path, high-protected-path,
-#read-protected-path, and always-reduce-path
-#
-#inherit-learn, no-learn, and inherit-no-learn operate only with
-#full learning
-#
-#high-reduce-path, dont-reduce-path, always-reduce-path, protected-path, 
-#and high-protected-path operate on both full and and regular learning 
-#(subject and role learning)
-#
-#inherit-learn changes the learning process for the specified path
-#by throwing all learned accesses for every binary executed by the
-#processes contained in the pathname into the subject specified
-#by the pathname.  This is useful for cron in the case of full
-#system learning, so that scripts that eventually end up executing
-#mv or rm with privilege don't cause the root policy to grant
-#that privilege to mv or rm in all cases.
-#
-#no-learn allows processes within the path to perform any operation
-#that normal system usage would allow without restriction.  If
-#a process is generating a huge number of learning logs, it may be
-#best to use this command on that process and configure its policy
-#manually.
-#
-#inherit-no-learn combines the above two cases, such that processes
-#within the specified path will be able to perform any normal system
-#operation without restriction as will any binaries executed by
-#these processes.
-#
-#high-reduce-path modifies the heuristics of the learning process
-#to weight in favor of reducing accesses for this path
-#
-#dont-reduce-path modifies the heuristics of the learning process
-#so that it will never reduce accesses for this path
-#
-#always-reduce-path modifies the heuristics of the learning process
-#so that the path specified will always have all files and directories
-#within it reduced to the path specified.
-#
-#protected-path specifies a path on your system that is considered an
-#important resource.  Any process that modifies one of these paths
-#is given its own subject in the learning process, facilitating
-#a secure policy.
-#
-#read-protected-path specifies a path on your system that contains 
-#sensitive information.  Any process that reads one of these paths is
-#given its own subject in the learning process, facilitating a secure
-#policy.
-#
-#high-protected-path specifies a path that should be hidden from
-#all processes but those that access it directly.  It is recommended
-#to use highly sensitive files for this command.
-#
-#regular expressions are not supported for pathnames in this config file
-#
-#
-# uncomment this next line if you don't wish to generate a policy that 
-# restricts roles to specific IP ranges:
-# dont-learn-allowed-ips
-#
-# to write out your generated policy such that roles are split into separate
-# files by the name of the role (within user/group directories), uncomment
-# the next line:
-# split-roles
-
-always-reduce-path /dev/pts
-always-reduce-path /var/spool/qmailscan/tmp
-always-reduce-path /var/spool/exim4
-always-reduce-path /run/screen
-always-reduce-path /usr/share/locale
-always-reduce-path /usr/share/zoneinfo
-always-reduce-path /usr/share/terminfo
-always-reduce-path /var/abs
-always-reduce-path /tmp
-always-reduce-path /var/tmp
-
-high-reduce-path /run/udev
-high-reduce-path /dev/mapper
-high-reduce-path /dev/snd
-high-reduce-path /proc
-high-reduce-path /usr/lib/security
-high-reduce-path /usr/lib/modules
-high-reduce-path /usr/lib
-high-reduce-path /usr/lib32
-high-reduce-path /usr/libx32
-high-reduce-path /usr/lib/tls
-high-reduce-path /usr/lib32/tls
-high-reduce-path /usr/libx32/tls
-high-reduce-path /usr/lib/libreoffice
-high-reduce-path /var/lib
-high-reduce-path /usr/bin
-high-reduce-path /usr/sbin
-high-reduce-path /usr/local/share
-high-reduce-path /usr/local/bin
-high-reduce-path /usr/local/sbin
-high-reduce-path /usr/local/etc
-high-reduce-path /usr/local/lib
-high-reduce-path /usr/share
-high-reduce-path /usr/X11R6/lib
-high-reduce-path /var/lib/openldap-data
-high-reduce-path /var/lib/krb5kdc
-
-dont-reduce-path /
-dont-reduce-path /home
-dont-reduce-path /dev
-dont-reduce-path /usr
-dont-reduce-path /var
-dont-reduce-path /opt
-
-protected-path /etc
-protected-path /boot
-protected-path /run
-protected-path /usr
-protected-path /opt
-protected-path /var
-protected-path /dev/log
-protected-path /root
-protected-path /sys
-
-read-protected-path /etc/ssh
-read-protected-path /proc/kallsyms
-read-protected-path /proc/kcore
-read-protected-path /proc/slabinfo
-read-protected-path /proc/modules
-read-protected-path /usr/lib/modules
-read-protected-path /boot
-read-protected-path /etc/shadow
-read-protected-path /etc/shadow-
-read-protected-path /etc/gshadow
-read-protected-path /etc/gshadow-
-read-protected-path /sys
-
-high-protected-path /etc/ssh
-high-protected-path /proc/kcore
-high-protected-path /proc/sys
-high-protected-path /proc/bus
-high-protected-path /proc/slabinfo
-high-protected-path /proc/modules
-high-protected-path /proc/kallsyms
-high-protected-path /etc/passwd
-high-protected-path /etc/shadow
-high-protected-path /var/backups
-high-protected-path /etc/shadow-
-high-protected-path /etc/gshadow
-high-protected-path /etc/gshadow-
-high-protected-path /var/log
-high-protected-path /dev/mem
-high-protected-path /dev/kmem
-high-protected-path /dev/port
-high-protected-path /dev/log
-high-protected-path /sys
-high-protected-path /etc/ppp
-high-protected-path /etc/samba/smbpasswd
-#to protect kernel images
-high-protected-path /boot
-high-protected-path /usr/lib/modules
-high-protected-path /usr/src
-
-inherit-learn /etc/cron.d
-inherit-learn /etc/cron.hourly
-inherit-learn /etc/cron.daily
-inherit-learn /etc/cron.weekly
-inherit-learn /etc/cron.monthly

Copied: gradm/repos/community-i686/learn_config (from rev 205875, gradm/trunk/learn_config)
===================================================================
--- community-i686/learn_config	                        (rev 0)
+++ community-i686/learn_config	2017-01-07 03:51:41 UTC (rev 205876)
@@ -0,0 +1,168 @@
+#This configuration file aids the learning process by tweaking
+#the learning algorithm for specific paths.
+#
+#It accepts lines in the form of <command> <pathname>
+#Where <command> can be inherit-learn, no-learn, inherit-no-learn,
+#high-reduce-path, dont-reduce-path, protected-path, high-protected-path,
+#read-protected-path, and always-reduce-path
+#
+#inherit-learn, no-learn, and inherit-no-learn operate only with
+#full learning
+#
+#high-reduce-path, dont-reduce-path, always-reduce-path, protected-path, 
+#and high-protected-path operate on both full and and regular learning 
+#(subject and role learning)
+#
+#inherit-learn changes the learning process for the specified path
+#by throwing all learned accesses for every binary executed by the
+#processes contained in the pathname into the subject specified
+#by the pathname.  This is useful for cron in the case of full
+#system learning, so that scripts that eventually end up executing
+#mv or rm with privilege don't cause the root policy to grant
+#that privilege to mv or rm in all cases.
+#
+#no-learn allows processes within the path to perform any operation
+#that normal system usage would allow without restriction.  If
+#a process is generating a huge number of learning logs, it may be
+#best to use this command on that process and configure its policy
+#manually.
+#
+#inherit-no-learn combines the above two cases, such that processes
+#within the specified path will be able to perform any normal system
+#operation without restriction as will any binaries executed by
+#these processes.
+#
+#high-reduce-path modifies the heuristics of the learning process
+#to weight in favor of reducing accesses for this path
+#
+#dont-reduce-path modifies the heuristics of the learning process
+#so that it will never reduce accesses for this path
+#
+#always-reduce-path modifies the heuristics of the learning process
+#so that the path specified will always have all files and directories
+#within it reduced to the path specified.
+#
+#protected-path specifies a path on your system that is considered an
+#important resource.  Any process that modifies one of these paths
+#is given its own subject in the learning process, facilitating
+#a secure policy.
+#
+#read-protected-path specifies a path on your system that contains 
+#sensitive information.  Any process that reads one of these paths is
+#given its own subject in the learning process, facilitating a secure
+#policy.
+#
+#high-protected-path specifies a path that should be hidden from
+#all processes but those that access it directly.  It is recommended
+#to use highly sensitive files for this command.
+#
+#regular expressions are not supported for pathnames in this config file
+#
+#
+# uncomment this next line if you don't wish to generate a policy that 
+# restricts roles to specific IP ranges:
+# dont-learn-allowed-ips
+#
+# to write out your generated policy such that roles are split into separate
+# files by the name of the role (within user/group directories), uncomment
+# the next line:
+# split-roles
+
+always-reduce-path /dev/pts
+always-reduce-path /var/spool/qmailscan/tmp
+always-reduce-path /var/spool/exim4
+always-reduce-path /run/screen
+always-reduce-path /usr/share/locale
+always-reduce-path /usr/share/zoneinfo
+always-reduce-path /usr/share/terminfo
+always-reduce-path /var/abs
+always-reduce-path /tmp
+always-reduce-path /var/tmp
+
+high-reduce-path /run/udev
+high-reduce-path /dev/mapper
+high-reduce-path /dev/snd
+high-reduce-path /proc
+high-reduce-path /usr/lib/security
+high-reduce-path /usr/lib/modules
+high-reduce-path /usr/lib
+high-reduce-path /usr/lib32
+high-reduce-path /usr/libx32
+high-reduce-path /usr/lib/tls
+high-reduce-path /usr/lib32/tls
+high-reduce-path /usr/libx32/tls
+high-reduce-path /usr/lib/libreoffice
+high-reduce-path /var/lib
+high-reduce-path /usr/bin
+high-reduce-path /usr/sbin
+high-reduce-path /usr/local/share
+high-reduce-path /usr/local/bin
+high-reduce-path /usr/local/sbin
+high-reduce-path /usr/local/etc
+high-reduce-path /usr/local/lib
+high-reduce-path /usr/share
+high-reduce-path /usr/X11R6/lib
+high-reduce-path /var/lib/openldap-data
+high-reduce-path /var/lib/krb5kdc
+
+dont-reduce-path /
+dont-reduce-path /home
+dont-reduce-path /dev
+dont-reduce-path /usr
+dont-reduce-path /var
+dont-reduce-path /opt
+
+protected-path /etc
+protected-path /boot
+protected-path /run
+protected-path /usr
+protected-path /opt
+protected-path /var
+protected-path /dev/log
+protected-path /root
+protected-path /sys
+
+read-protected-path /etc/ssh
+read-protected-path /proc/kallsyms
+read-protected-path /proc/kcore
+read-protected-path /proc/slabinfo
+read-protected-path /proc/modules
+read-protected-path /usr/lib/modules
+read-protected-path /boot
+read-protected-path /etc/shadow
+read-protected-path /etc/shadow-
+read-protected-path /etc/gshadow
+read-protected-path /etc/gshadow-
+read-protected-path /sys
+
+high-protected-path /etc/ssh
+high-protected-path /proc/kcore
+high-protected-path /proc/sys
+high-protected-path /proc/bus
+high-protected-path /proc/slabinfo
+high-protected-path /proc/modules
+high-protected-path /proc/kallsyms
+high-protected-path /etc/passwd
+high-protected-path /etc/shadow
+high-protected-path /var/backups
+high-protected-path /etc/shadow-
+high-protected-path /etc/gshadow
+high-protected-path /etc/gshadow-
+high-protected-path /var/log
+high-protected-path /dev/mem
+high-protected-path /dev/kmem
+high-protected-path /dev/port
+high-protected-path /dev/log
+high-protected-path /sys
+high-protected-path /etc/ppp
+high-protected-path /etc/samba/smbpasswd
+#to protect kernel images
+high-protected-path /boot
+high-protected-path /usr/lib/modules
+high-protected-path /usr/src
+
+inherit-learn /etc/cron.d
+inherit-learn /etc/cron.hourly
+inherit-learn /etc/cron.daily
+inherit-learn /etc/cron.weekly
+inherit-learn /etc/cron.monthly

Deleted: community-i686/policy
===================================================================
--- community-i686/policy	2017-01-07 03:51:02 UTC (rev 205875)
+++ community-i686/policy	2017-01-07 03:51:41 UTC (rev 205876)
@@ -1,491 +0,0 @@
-#sample default policy for grsecurity
-#
-# Role flags:
-# A -> This role is an administrative role, thus it has special privilege normal
-#      roles do not have.  In particular, this role bypasses the 
-#      additional ptrace restrictions
-# N -> Don't require authentication for this role.  To access
-#      the role, use gradm -n <rolename>
-# s -> This role is a special role, meaning it does not belong to a
-#      user or group, and does not require an enforced secure policy
-#      base to be included in the ruleset
-# u -> This role is a user role
-# g -> This role is a group role
-# G -> This role can use gradm to authenticate to the kernel
-#      A policy for gradm will automatically be added to the role
-# T -> Enable TPE for this role
-# l -> Enable learning for this role
-# P -> Use PAM authentication for this role.
-# R -> Enable persistence of special role.  Normal special roles will
-#      be removed upon exit of the process that entered the role, or
-#      upon unauth (this is what changes the apache process' role back 
-#      to its normal role after being restarted from the admin role, for
-#      instance).  Role persistence allows a special role to be used for
-#      system shutdown, as the point at which the admin's shell/SSH 
-#      session is terminated won't cause the rest of the shutdown 
-#      sequence to execute with reduced privilege.  Do *NOT* use this 
-#      flag with any role that does anything but shut the system down.
-#      This role will also be transferred to the init process upon
-#      writing to /dev/initctl.  This allows init to execute the rc 
-#      scripts for shutdown with the necessary privilege.
-#      For usability reasons, we allow the removal of persistence through
-#      the normal unauth process (so persistence only survives exit).
-#
-# a role can only be one of user, group, or special
-#
-# role_allow_ip IP/optional netmask
-# eg: role_allow_ip 192.168.1.0/24
-# You can have as many of these per role as you want
-# They restrict the use of a role to a list of IPs.  If a user
-# is on the system that would normally get the role does not
-# belong to those lists of IPs, the system falls back through
-# its method of determining a role for the user
-#
-# Role hierarchy
-# user -> group -> default
-# First a user role attempts to match, if one is not found,
-# a group role attempts to match, if one is not found,
-# the default role is used.
-#
-# role_transitions <special role 1> <special role 2> ... <special role n>
-# eg: role_transitions www_admin dns_admin
-#
-# role transitions specify which special roles a given role is allowed
-# to authenticate to.  This applies to special roles that do not
-# require password authentication as well.  If a user tries to
-# authenticate to a role that is not within his transition table, he
-# will receive a permission denied error
-#
-# Nested subjects
-# subject /usr/bin/su:/usr/bin/bash:/usr/bin/cat
-#	  / rwx
-#	  +CAP_ALL
-# grant privilege to specific processes if they are executed
-# within a trusted path.  In this case, privilege is
-# granted if /usr/bin/cat is executed from /usr/bin/bash, which is
-# executed from /usr/bin/su.
-#
-# Configuration inheritance on nested subjects
-# nested subjects inherit rules from their parents.  In the
-# example above, the nested subject would inherit rules
-# from the nested subject for /usr/bin/su:/usr/bin/bash,
-# and the subject /usr/bin/su
-# View the 1.9.x documentation for more information on
-# configuration inheritance
-#
-# new object modes:
-# m -> allow creation of setuid/setgid files/directories
-#      and modification of files/directories to be setuid/setgid
-# M -> audit the setuid/setgid creation/modification
-# c -> allow creation of the file/directory
-# C -> audit the creation
-# d -> allow deletion of the file/directory
-# D -> audit the deletion
-# p -> reject all ptraces to this object
-# l -> allow a hardlink at this path
-#	(hardlinking requires at a minimum c and l modes, and the target
-#	 link cannot have any greater permission than the source file)
-# L -> audit link creation
-# f -> needed to mark the pipe used for communication with init
-#      to transfer the privilege of the persistent role; only valid
-#      within a persistent role.  Transfer only occurs when the file is 
-#      opened for writing
-# Z -> tells gradm to ignore earlier object of the same name and use this
-#      one instead
-#
-# new subject modes:
-# O -> disable "writable library" restrictions for this task
-# t -> allow this process to ptrace any process (use with caution)
-# r -> relax ptrace restrictions (allows process to ptrace processes
-#      other than its own descendants)
-# i -> enable inheritance-based learning for this subject, causing
-#      all accesses of this subject and anything it executes to be placed
-#      in this subject, and inheritance flags added to executable objects
-#      in this subject
-# a -> allow this process to talk to the /dev/grsec device
-# s -> enable AT_SECURE when entering this subject
-#      (enables the same environment sanitization that occurs in glibc
-#	upon execution of a suid binary)
-# x -> allows executable anonymous shared memory for this subject
-# Z -> tells gradm to ignore earlier subject of the same path and use this
-#      one instead
-
-# user/group transitions:
-# You may now specify what users and groups a given subject can
-# transition to.  This can be done on an inclusive or exclusive basis.
-# Omitting these rules allows a process with proper privilege granted by
-# capabilities to transition to any user/group.
-#
-# Examples:
-# subject /usr/bin/su
-# user_transition_allow root spender
-# group_transition_allow root spender
-# subject /usr/bin/su
-# user_transition_deny evilhacker
-# subject /usr/bin/su
-# group_transition_deny evilhacker1 evilhacker2
-#
-# Domains:
-# With domains you can combine users that don't share a common
-# GID as well as groups so that they share a single policy
-# Domains work just like roles, with the only exception being that
-# the line starting with "role" is replaced with one of the following:
-# domain somedomainname u user1 user2 user3 user4 ... usern
-# domain somedomainname g group1 group2 group3 group4 ... groupn
-#
-# Inverted socket policies:
-# Rules such as
-# connect ! www.google.com:80 stream tcp
-# are now allowed, which allows you to specify that a process can connect to anything
-# except to port 80 of www.google.com with a stream tcp socket
-# the inverted socket matching also works on bind rules
-#
-# INADDR_ANY overriding
-# You can now force a given subject to bind to a particular IP address on the machine
-# This is useful for some chrooted environments, to ensure that the source IP they
-# use is one of your choosing
-# to use, add a line like:
-# ip_override 192.168.0.1
-#
-# Per-interface socket policies:
-# Rules such as
-# bind eth1:80 stream tcp
-# bind eth0#1:22 stream tcp
-# are now allowed, giving you the ability to tie specific socket rules 
-# to a single interface (or by using the inverted rules, all but one 
-# interface).  Virtual interfaces are specified by the <ifname>#<vindex>
-# syntax.  If an interface is specified, no IP/netmask or host may be
-# specified for the rule.
-#
-# Allowing additional socket families:
-# Before v2.2.1 of the RBAC system, a subject that specified
-# connect/bind rules limited only the socket usage of IPv4, allowing
-# any other socket families to be used.  Starting with v2.2.1 of the 
-# RBAC system, when connect/bind rules are used, additional rules
-# will be required to unlock the use of additional socket families 
-# (outside of the common unix family).  Multiple families can be
-# specified per line.
-# To enable use of IPv6, add the line:
-# sock_allow_family ipv6
-# To enable use of netlink, add the line:
-# sock_allow_family netlink
-# To enable all other families, add the line:
-# sock_allow_family all
-#
-# New learning system:
-# To learn on a given subject: add l (the letter l, not the number 1)
-# to the subject mode
-# If you want to learn with the most restrictive policy, use the 
-# following:
-# subject /path/to/bin lo
-#    / h
-#    -CAP_ALL
-#    connect disabled
-#    bind disabled
-# Resource learning is also supported, so lines like
-#    RES_AS 0 0
-# can be used to learn a particular resource
-#
-# To learn on a given role, add l to the role mode
-# For both of these, to enable learning, enable the system like:
-# gradm -L /etc/grsec/learning.logs -E
-# and then generate the rules after disabling the system after the 
-# learning phase with:
-# gradm -L /etc/grsec/learning.logs -O /etc/grsec/policy
-# To use full system learning, enable the system like:
-# gradm -F -L /etc/grsec/learning.logs
-# and then generate the rules after disabling the system after the 
-# learning phase with:
-# gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy
-#
-# New PaX flag format (replaces PaX subject flags):
-# PaX flags can be forced on or off, regardless of the flags on the 
-# binary, by using + or - before the following PaX flag names:
-# PAX_SEGMEXEC
-# PAX_PAGEEXEC
-# PAX_MPROTECT
-# PAX_RANDMMAP
-# PAX_EMUTRAMP
-#
-# New feature for easier policy maintenance:
-# replace <variable name> <replace string>
-# e.g.:
-# replace CVSROOT /home/cvs
-# now $(CVSROOT) can be used in any subject or object pathname, like:
-# $(CVSROOT)/grsecurity r
-# This will translate to /home/cvs/grsecurity r
-# This feature makes it easier to update policies by naming specific
-# paths by their function, then only having to update those paths once
-# to have it affect a large number of subjects/objects.
-#
-# capability auditing / log suppression
-# use of a capability can be audited by adding "audit" to the line, eg:
-# +CAP_SYS_RAWIO audit
-# log suppression for denial of a capbility can be done by adding "suppress":
-# -CAP_SYS_RAWIO suppress
-#
-# Per-role umask enforcement:
-# If you have a user that you want to be assured cannot accidentally
-# create a file that others can read (a confidentiality issue)
-# add the following under the role declaration:
-# role_umask 077
-# any normal octal umask may be specified
-# Note that unlike the normal umask, this umask will also apply
-# to the permissions one can chmod/fchmod a file to
-#
-# Note that the omission of any feature of a role or subject
-# results in a default-allow
-# For instance, if no capability rules are added in a subject without
-# policy inheritance ("o" in subject mode), an implicit +CAP_ALL is used
-#
-# Also note that policy inheritance does not exist for network policies, only
-# file objects and capabilities inherit policy
-#
-# Commonly-used objects can be defined and used in multiple subjects
-# As an example, we'll create a variable out of a list of objects
-# and their associated permissions that RBAC enforces
-# files, connect/bind rules, and capabilities can currently be added to a define
-
-define grsec_denied {
-	/boot		h
-	/dev/grsec	h
-	/dev/kmem	h
-	/dev/mem	h
-	/dev/port	h
-	/etc/grsec	h
-	/proc/kcore	h
-	/proc/slabinfo	h
-	/proc/modules	h
-	/proc/kallsyms	h
-	# hide and suppress logs about accessing this path
-	/usr/lib/modules	hs
-	/etc/ssh	h
-}
-# usage:
-# $grsec_denied
-
-role shutdown sARG
-subject / rvka
-	/
-	/dev
-	/dev/urandom	r
-	/dev/random	r
-	/etc		r
-	/usr		rx
-	/proc r
-	$grsec_denied
-	-CAP_ALL
-	connect disabled
-	bind disabled
-
-subject /usr/lib/systemd/systemd rvkao
-	/ rwcdmlxi
-subject /usr/bin/systemctl rvkao
-	/ rwcdmlxi
-	/dev/initctl rwf
-	/run/initctl rwf
-
-# Make sure to unauthenticate with gradm -u from
-# the admin role after restarting a service
-# The service started will run with admin
-# privileges until you run gradm -u or your shell exits
-
-role admin sA
-subject / rvka
-	/ rwcdmlxi
-
-role default G
-role_transitions admin shutdown
-subject /
-	/		r
-	/opt		rx
-	/home		rwxcd
-	/mnt		rw
-	/dev
-	/dev/urandom	r
-	/dev/random	r
-	/dev/zero	rw
-	/dev/input	rw
-	/dev/psaux	rw
-	/dev/null	rw
-	/dev/tty?	rw
-	/dev/console	rw
-	/dev/tty	rw
-	/dev/pts	rw
-	/dev/ptmx	rw
-	/dev/dsp	rw
-	/dev/mixer	rw
-	/dev/initctl	rw
-	/dev/fd0	r
-	/dev/sr0	r
-	/usr		rx
-# compilation of kernel code should be done within the admin role	
-	/usr/src	h
-	/etc		rx
-	/proc		rwx
-	/proc/sys	r
-	/sys		h
-	/root		r
-	/run		r
-	/tmp		rwcd
-	/var		rwxcd
-	/var/tmp	rwcd
-	/var/log	r
-# hide the kernel images and modules
-	$grsec_denied
-
-# if sshd needs to be restarted, it can be done through the admin role
-# restarting sshd should be followed immediately by a gradm -u
-	/usr/bin/sshd
-	
-	-CAP_KILL
-	-CAP_SYS_TTY_CONFIG
-	-CAP_LINUX_IMMUTABLE
-	-CAP_NET_RAW
-	-CAP_MKNOD
-	-CAP_SYS_ADMIN
-	-CAP_SYS_RAWIO
-	-CAP_SYS_MODULE
-	-CAP_SYS_PTRACE
-	-CAP_NET_ADMIN
-	-CAP_NET_BIND_SERVICE
-	-CAP_NET_RAW
-	-CAP_SYS_CHROOT
-	-CAP_SYS_BOOT
-	-CAP_SETFCAP
-	-CAP_SYSLOG
-
-#	RES_AS 100M 100M
-
-#	connect 192.168.1.0/24:22 stream tcp
-#	bind	0.0.0.0 stream dgram tcp udp
-
-# the d flag protects /proc fd and mem entries for sshd
-# all daemons should have 'p' in their subject mode to prevent
-# an attacker from killing the service (and restarting it with trojaned
-# config file or taking the port it reserved to run a trojaned service)
-
-subject /usr/bin/sshd dpo
-	/
-	/*		h
-	/usr/bin/bash	x
-	/dev		h
-	/dev/random	r
-	/dev/urandom	r
-	/dev/null	rw
-	/dev/ptmx	rw
-	/dev/pts	rw
-	/dev/tty	rw
-	/dev/tty?	rw
-	/etc		r
-	/etc/grsec	h
-	/home
-	/home/*/.ssh/authorized_keys r
-	/root
-	/proc		r
-	/proc/*/oom_adj rw
-	/proc/*/oom_score_adj rw
-	/proc/kcore	h
-	/proc/sys	h
-	/proc/sys/kernel/ngroups_max r
-	/selinux	r
-	/usr/lib	rx
-	/usr/lib32	rx
-	/usr/libx32	rx
-	/usr/share/zoneinfo r
-	/var/log
-	/var/spool/mail
-	/var/log/lastlog	rw
-	/var/log/wtmp		w
-	/var/run
-	/run
-	/run/systemd/journal/dev-log	rw
-	/var/run/sshd
-	/var/run/utmp		rw
-	/var/run/utmpx		rw
-	/var/run/.nscd_socket	rw
-
-	-CAP_ALL
-	+CAP_CHOWN
-	+CAP_SETGID
-	+CAP_SETUID
-	+CAP_SYS_CHROOT
-	+CAP_SYS_RESOURCE
-	+CAP_SYS_TTY_CONFIG
-	+CAP_AUDIT_WRITE
-	# to access user keys
-	+CAP_DAC_OVERRIDE
-
-subject /usr/bin/Xorg
-	/dev/mem	rw
-
-	+CAP_SYS_ADMIN
-	+CAP_SYS_TTY_CONFIG
-	+CAP_SYS_RAWIO
-
-subject /usr/bin/ssh
-	/etc/ssh/ssh_config r
-
-subject /usr/bin/postgres
-	/run/systemd/journal/dev-log	rw
-
-subject /usr/bin/exim
-	/run/systemd/journal/dev-log	rw
-
-subject /usr/bin/syslog-ng
-	+CAP_SYS_ADMIN
-
-subject /usr/bin/rsyslogd
-	+CAP_SYS_ADMIN
-
-subject /usr/bin/cron
-	/run/systemd/journal/dev-log	rw
-
-subject /usr/bin/crond
-	/run/systemd/journal/dev-log	rw
-
-subject /usr/bin/login
-	/run/systemd/journal/dev-log	rw
-	/var/log/wtmp w
-	/var/log/faillog rwcd
-
-subject /usr/bin/su
-	/run/systemd/journal/dev-log	rw
-
-subject /usr/bin/sudo
-	/run/systemd/journal/dev-log	rw
-
-subject /usr/bin/agetty
-	/var/log/wtmp w
-
-subject /usr/bin/xauth
-	/home r
-	/home/*/.Xauthority-* rwcdl
-
-# prevent ld.so breakouts of subjects with /usr/lib rx
-
-# many distros clutter up /usr/lib with shell scripts
-# that can be easily hijacked for malicious purposes
-subject /usr/lib o
-	/ h
-	-CAP_ALL
-	connect disabled
-	bind disabled
-
-subject /usr/lib32 o
-	/ h
-	-CAP_ALL
-	connect disabled
-	bind disabled
-
-subject /usr/lib/ld-linux.so.2 o
-	/ h
-	-CAP_ALL
-	connect disabled
-	bind disabled
-
-subject /usr/lib/ld-linux-x86-64.so.2 o
-	/ h
-	-CAP_ALL
-	connect disabled
-	bind disabled

Copied: gradm/repos/community-i686/policy (from rev 205875, gradm/trunk/policy)
===================================================================
--- community-i686/policy	                        (rev 0)
+++ community-i686/policy	2017-01-07 03:51:41 UTC (rev 205876)
@@ -0,0 +1,491 @@
+#sample default policy for grsecurity
+#
+# Role flags:
+# A -> This role is an administrative role, thus it has special privilege normal
+#      roles do not have.  In particular, this role bypasses the 
+#      additional ptrace restrictions
+# N -> Don't require authentication for this role.  To access
+#      the role, use gradm -n <rolename>
+# s -> This role is a special role, meaning it does not belong to a
+#      user or group, and does not require an enforced secure policy
+#      base to be included in the ruleset
+# u -> This role is a user role
+# g -> This role is a group role
+# G -> This role can use gradm to authenticate to the kernel
+#      A policy for gradm will automatically be added to the role
+# T -> Enable TPE for this role
+# l -> Enable learning for this role
+# P -> Use PAM authentication for this role.
+# R -> Enable persistence of special role.  Normal special roles will
+#      be removed upon exit of the process that entered the role, or
+#      upon unauth (this is what changes the apache process' role back 
+#      to its normal role after being restarted from the admin role, for
+#      instance).  Role persistence allows a special role to be used for
+#      system shutdown, as the point at which the admin's shell/SSH 
+#      session is terminated won't cause the rest of the shutdown 
+#      sequence to execute with reduced privilege.  Do *NOT* use this 
+#      flag with any role that does anything but shut the system down.
+#      This role will also be transferred to the init process upon
+#      writing to /dev/initctl.  This allows init to execute the rc 
+#      scripts for shutdown with the necessary privilege.
+#      For usability reasons, we allow the removal of persistence through
+#      the normal unauth process (so persistence only survives exit).
+#
+# a role can only be one of user, group, or special
+#
+# role_allow_ip IP/optional netmask
+# eg: role_allow_ip 192.168.1.0/24
+# You can have as many of these per role as you want
+# They restrict the use of a role to a list of IPs.  If a user
+# is on the system that would normally get the role does not
+# belong to those lists of IPs, the system falls back through
+# its method of determining a role for the user
+#
+# Role hierarchy
+# user -> group -> default
+# First a user role attempts to match, if one is not found,
+# a group role attempts to match, if one is not found,
+# the default role is used.
+#
+# role_transitions <special role 1> <special role 2> ... <special role n>
+# eg: role_transitions www_admin dns_admin
+#
+# role transitions specify which special roles a given role is allowed
+# to authenticate to.  This applies to special roles that do not
+# require password authentication as well.  If a user tries to
+# authenticate to a role that is not within his transition table, he
+# will receive a permission denied error
+#
+# Nested subjects
+# subject /usr/bin/su:/usr/bin/bash:/usr/bin/cat
+#	  / rwx
+#	  +CAP_ALL
+# grant privilege to specific processes if they are executed
+# within a trusted path.  In this case, privilege is
+# granted if /usr/bin/cat is executed from /usr/bin/bash, which is
+# executed from /usr/bin/su.
+#
+# Configuration inheritance on nested subjects
+# nested subjects inherit rules from their parents.  In the
+# example above, the nested subject would inherit rules
+# from the nested subject for /usr/bin/su:/usr/bin/bash,
+# and the subject /usr/bin/su
+# View the 1.9.x documentation for more information on
+# configuration inheritance
+#
+# new object modes:
+# m -> allow creation of setuid/setgid files/directories
+#      and modification of files/directories to be setuid/setgid
+# M -> audit the setuid/setgid creation/modification
+# c -> allow creation of the file/directory
+# C -> audit the creation
+# d -> allow deletion of the file/directory
+# D -> audit the deletion
+# p -> reject all ptraces to this object
+# l -> allow a hardlink at this path
+#	(hardlinking requires at a minimum c and l modes, and the target
+#	 link cannot have any greater permission than the source file)
+# L -> audit link creation
+# f -> needed to mark the pipe used for communication with init
+#      to transfer the privilege of the persistent role; only valid
+#      within a persistent role.  Transfer only occurs when the file is 
+#      opened for writing
+# Z -> tells gradm to ignore earlier object of the same name and use this
+#      one instead
+#
+# new subject modes:
+# O -> disable "writable library" restrictions for this task
+# t -> allow this process to ptrace any process (use with caution)
+# r -> relax ptrace restrictions (allows process to ptrace processes
+#      other than its own descendants)
+# i -> enable inheritance-based learning for this subject, causing
+#      all accesses of this subject and anything it executes to be placed
+#      in this subject, and inheritance flags added to executable objects
+#      in this subject
+# a -> allow this process to talk to the /dev/grsec device
+# s -> enable AT_SECURE when entering this subject
+#      (enables the same environment sanitization that occurs in glibc
+#	upon execution of a suid binary)
+# x -> allows executable anonymous shared memory for this subject
+# Z -> tells gradm to ignore earlier subject of the same path and use this
+#      one instead
+
+# user/group transitions:
+# You may now specify what users and groups a given subject can
+# transition to.  This can be done on an inclusive or exclusive basis.
+# Omitting these rules allows a process with proper privilege granted by
+# capabilities to transition to any user/group.
+#
+# Examples:
+# subject /usr/bin/su
+# user_transition_allow root spender
+# group_transition_allow root spender
+# subject /usr/bin/su
+# user_transition_deny evilhacker
+# subject /usr/bin/su
+# group_transition_deny evilhacker1 evilhacker2
+#
+# Domains:
+# With domains you can combine users that don't share a common
+# GID as well as groups so that they share a single policy
+# Domains work just like roles, with the only exception being that
+# the line starting with "role" is replaced with one of the following:
+# domain somedomainname u user1 user2 user3 user4 ... usern
+# domain somedomainname g group1 group2 group3 group4 ... groupn
+#
+# Inverted socket policies:
+# Rules such as
+# connect ! www.google.com:80 stream tcp
+# are now allowed, which allows you to specify that a process can connect to anything
+# except to port 80 of www.google.com with a stream tcp socket
+# the inverted socket matching also works on bind rules
+#
+# INADDR_ANY overriding
+# You can now force a given subject to bind to a particular IP address on the machine
+# This is useful for some chrooted environments, to ensure that the source IP they
+# use is one of your choosing
+# to use, add a line like:
+# ip_override 192.168.0.1
+#
+# Per-interface socket policies:
+# Rules such as
+# bind eth1:80 stream tcp
+# bind eth0#1:22 stream tcp
+# are now allowed, giving you the ability to tie specific socket rules 
+# to a single interface (or by using the inverted rules, all but one 
+# interface).  Virtual interfaces are specified by the <ifname>#<vindex>
+# syntax.  If an interface is specified, no IP/netmask or host may be
+# specified for the rule.
+#
+# Allowing additional socket families:
+# Before v2.2.1 of the RBAC system, a subject that specified
+# connect/bind rules limited only the socket usage of IPv4, allowing
+# any other socket families to be used.  Starting with v2.2.1 of the 
+# RBAC system, when connect/bind rules are used, additional rules
+# will be required to unlock the use of additional socket families 
+# (outside of the common unix family).  Multiple families can be
+# specified per line.
+# To enable use of IPv6, add the line:
+# sock_allow_family ipv6
+# To enable use of netlink, add the line:
+# sock_allow_family netlink
+# To enable all other families, add the line:
+# sock_allow_family all
+#
+# New learning system:
+# To learn on a given subject: add l (the letter l, not the number 1)
+# to the subject mode
+# If you want to learn with the most restrictive policy, use the 
+# following:
+# subject /path/to/bin lo
+#    / h
+#    -CAP_ALL
+#    connect disabled
+#    bind disabled
+# Resource learning is also supported, so lines like
+#    RES_AS 0 0
+# can be used to learn a particular resource
+#
+# To learn on a given role, add l to the role mode
+# For both of these, to enable learning, enable the system like:
+# gradm -L /etc/grsec/learning.logs -E
+# and then generate the rules after disabling the system after the 
+# learning phase with:
+# gradm -L /etc/grsec/learning.logs -O /etc/grsec/policy
+# To use full system learning, enable the system like:
+# gradm -F -L /etc/grsec/learning.logs
+# and then generate the rules after disabling the system after the 
+# learning phase with:
+# gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy
+#
+# New PaX flag format (replaces PaX subject flags):
+# PaX flags can be forced on or off, regardless of the flags on the 
+# binary, by using + or - before the following PaX flag names:
+# PAX_SEGMEXEC
+# PAX_PAGEEXEC
+# PAX_MPROTECT
+# PAX_RANDMMAP
+# PAX_EMUTRAMP
+#
+# New feature for easier policy maintenance:
+# replace <variable name> <replace string>
+# e.g.:
+# replace CVSROOT /home/cvs
+# now $(CVSROOT) can be used in any subject or object pathname, like:
+# $(CVSROOT)/grsecurity r
+# This will translate to /home/cvs/grsecurity r
+# This feature makes it easier to update policies by naming specific
+# paths by their function, then only having to update those paths once
+# to have it affect a large number of subjects/objects.
+#
+# capability auditing / log suppression
+# use of a capability can be audited by adding "audit" to the line, eg:
+# +CAP_SYS_RAWIO audit
+# log suppression for denial of a capbility can be done by adding "suppress":
+# -CAP_SYS_RAWIO suppress
+#
+# Per-role umask enforcement:
+# If you have a user that you want to be assured cannot accidentally
+# create a file that others can read (a confidentiality issue)
+# add the following under the role declaration:
+# role_umask 077
+# any normal octal umask may be specified
+# Note that unlike the normal umask, this umask will also apply
+# to the permissions one can chmod/fchmod a file to
+#
+# Note that the omission of any feature of a role or subject
+# results in a default-allow
+# For instance, if no capability rules are added in a subject without
+# policy inheritance ("o" in subject mode), an implicit +CAP_ALL is used
+#
+# Also note that policy inheritance does not exist for network policies, only
+# file objects and capabilities inherit policy
+#
+# Commonly-used objects can be defined and used in multiple subjects
+# As an example, we'll create a variable out of a list of objects
+# and their associated permissions that RBAC enforces
+# files, connect/bind rules, and capabilities can currently be added to a define
+
+define grsec_denied {
+	/boot		h
+	/dev/grsec	h
+	/dev/kmem	h
+	/dev/mem	h
+	/dev/port	h
+	/etc/grsec	h
+	/proc/kcore	h
+	/proc/slabinfo	h
+	/proc/modules	h
+	/proc/kallsyms	h
+	# hide and suppress logs about accessing this path
+	/usr/lib/modules	hs
+	/etc/ssh	h
+}
+# usage:
+# $grsec_denied
+
+role shutdown sARG
+subject / rvka
+	/
+	/dev
+	/dev/urandom	r
+	/dev/random	r
+	/etc		r
+	/usr		rx
+	/proc r
+	$grsec_denied
+	-CAP_ALL
+	connect disabled
+	bind disabled
+
+subject /usr/lib/systemd/systemd rvkao
+	/ rwcdmlxi
+subject /usr/bin/systemctl rvkao
+	/ rwcdmlxi
+	/dev/initctl rwf
+	/run/initctl rwf
+
+# Make sure to unauthenticate with gradm -u from
+# the admin role after restarting a service
+# The service started will run with admin
+# privileges until you run gradm -u or your shell exits
+
+role admin sA
+subject / rvka
+	/ rwcdmlxi
+
+role default G
+role_transitions admin shutdown
+subject /
+	/		r
+	/opt		rx
+	/home		rwxcd
+	/mnt		rw
+	/dev
+	/dev/urandom	r
+	/dev/random	r
+	/dev/zero	rw
+	/dev/input	rw
+	/dev/psaux	rw
+	/dev/null	rw
+	/dev/tty?	rw
+	/dev/console	rw
+	/dev/tty	rw
+	/dev/pts	rw
+	/dev/ptmx	rw
+	/dev/dsp	rw
+	/dev/mixer	rw
+	/dev/initctl	rw
+	/dev/fd0	r
+	/dev/sr0	r
+	/usr		rx
+# compilation of kernel code should be done within the admin role	
+	/usr/src	h
+	/etc		rx
+	/proc		rwx
+	/proc/sys	r
+	/sys		h
+	/root		r
+	/run		r
+	/tmp		rwcd
+	/var		rwxcd
+	/var/tmp	rwcd
+	/var/log	r
+# hide the kernel images and modules
+	$grsec_denied
+
+# if sshd needs to be restarted, it can be done through the admin role
+# restarting sshd should be followed immediately by a gradm -u
+	/usr/bin/sshd
+	
+	-CAP_KILL
+	-CAP_SYS_TTY_CONFIG
+	-CAP_LINUX_IMMUTABLE
+	-CAP_NET_RAW
+	-CAP_MKNOD
+	-CAP_SYS_ADMIN
+	-CAP_SYS_RAWIO
+	-CAP_SYS_MODULE
+	-CAP_SYS_PTRACE
+	-CAP_NET_ADMIN
+	-CAP_NET_BIND_SERVICE
+	-CAP_NET_RAW
+	-CAP_SYS_CHROOT
+	-CAP_SYS_BOOT
+	-CAP_SETFCAP
+	-CAP_SYSLOG
+
+#	RES_AS 100M 100M
+
+#	connect 192.168.1.0/24:22 stream tcp
+#	bind	0.0.0.0 stream dgram tcp udp
+
+# the d flag protects /proc fd and mem entries for sshd
+# all daemons should have 'p' in their subject mode to prevent
+# an attacker from killing the service (and restarting it with trojaned
+# config file or taking the port it reserved to run a trojaned service)
+
+subject /usr/bin/sshd dpo
+	/
+	/*		h
+	/usr/bin/bash	x
+	/dev		h
+	/dev/random	r
+	/dev/urandom	r
+	/dev/null	rw
+	/dev/ptmx	rw
+	/dev/pts	rw
+	/dev/tty	rw
+	/dev/tty?	rw
+	/etc		r
+	/etc/grsec	h
+	/home
+	/home/*/.ssh/authorized_keys r
+	/root
+	/proc		r
+	/proc/*/oom_adj rw
+	/proc/*/oom_score_adj rw
+	/proc/kcore	h
+	/proc/sys	h
+	/proc/sys/kernel/ngroups_max r
+	/selinux	r
+	/usr/lib	rx
+	/usr/lib32	rx
+	/usr/libx32	rx
+	/usr/share/zoneinfo r
+	/var/log
+	/var/spool/mail
+	/var/log/lastlog	rw
+	/var/log/wtmp		w
+	/var/run
+	/run
+	/run/systemd/journal/dev-log	rw
+	/var/run/sshd
+	/var/run/utmp		rw
+	/var/run/utmpx		rw
+	/var/run/.nscd_socket	rw
+
+	-CAP_ALL
+	+CAP_CHOWN
+	+CAP_SETGID
+	+CAP_SETUID
+	+CAP_SYS_CHROOT
+	+CAP_SYS_RESOURCE
+	+CAP_SYS_TTY_CONFIG
+	+CAP_AUDIT_WRITE
+	# to access user keys
+	+CAP_DAC_OVERRIDE
+
+subject /usr/bin/Xorg
+	/dev/mem	rw
+
+	+CAP_SYS_ADMIN
+	+CAP_SYS_TTY_CONFIG
+	+CAP_SYS_RAWIO
+
+subject /usr/bin/ssh
+	/etc/ssh/ssh_config r
+
+subject /usr/bin/postgres
+	/run/systemd/journal/dev-log	rw
+
+subject /usr/bin/exim
+	/run/systemd/journal/dev-log	rw
+
+subject /usr/bin/syslog-ng
+	+CAP_SYS_ADMIN
+
+subject /usr/bin/rsyslogd
+	+CAP_SYS_ADMIN
+
+subject /usr/bin/cron
+	/run/systemd/journal/dev-log	rw
+
+subject /usr/bin/crond
+	/run/systemd/journal/dev-log	rw
+
+subject /usr/bin/login
+	/run/systemd/journal/dev-log	rw
+	/var/log/wtmp w
+	/var/log/faillog rwcd
+
+subject /usr/bin/su
+	/run/systemd/journal/dev-log	rw
+
+subject /usr/bin/sudo
+	/run/systemd/journal/dev-log	rw
+
+subject /usr/bin/agetty
+	/var/log/wtmp w
+
+subject /usr/bin/xauth
+	/home r
+	/home/*/.Xauthority-* rwcdl
+
+# prevent ld.so breakouts of subjects with /usr/lib rx
+
+# many distros clutter up /usr/lib with shell scripts
+# that can be easily hijacked for malicious purposes
+subject /usr/lib o
+	/ h
+	-CAP_ALL
+	connect disabled
+	bind disabled
+
+subject /usr/lib32 o
+	/ h
+	-CAP_ALL
+	connect disabled
+	bind disabled
+
+subject /usr/lib/ld-linux.so.2 o
+	/ h
+	-CAP_ALL
+	connect disabled
+	bind disabled
+
+subject /usr/lib/ld-linux-x86-64.so.2 o
+	/ h
+	-CAP_ALL
+	connect disabled
+	bind disabled
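Review bot: `-CAP_NET_RAW` is listed twice in the capability block of `subject /` under `role default G`; the second entry should be dropped so the deny-list reads as one capability per line. The duplicate does not change enforcement, but it makes the list harder to audit against the set of capabilities the default role is meant to drop, and a later edit that removes one copy would still leave the capability denied, which is easy to misread. The policy file is shared by both architectures (the PKGBUILD checksums are identical), so the same cleanup applies to the community-x86_64/policy copy, whose hunk is cut off at the end of this chunk.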

Deleted: community-x86_64/PKGBUILD
===================================================================
--- community-x86_64/PKGBUILD	2017-01-07 03:51:02 UTC (rev 205875)
+++ community-x86_64/PKGBUILD	2017-01-07 03:51:41 UTC (rev 205876)
@@ -1,46 +0,0 @@
-# $Id$
-# Maintainer: Daniel Micay <danielmicay at gmail.com>
-# Contributor: Jonathan Liu <net147 at gmail.com>
-# Contributor: henning mueller <henning at orgizm.net>
-# Contributor: s1gma <s1gma at mindslicer.com>
-# Contributor: Ahmad24 <myitrayan at gmail.com>
-# Contributor: maxrp <maxp at pdx.edu>
-
-pkgname=gradm
-_version=3.1
-_timestamp=201608131257
-pkgver=$_version.$_timestamp
-pkgrel=1
-pkgdesc="Administration utility for grsecurity's Role Based Access Control (RBAC)"
-arch=(i686 x86_64)
-url=https://grsecurity.net/
-license=(GPL2)
-depends=(pam)
-source=(https://grsecurity.net/stable/$pkgname-$_version-$_timestamp.tar.gz
-        https://grsecurity.net/stable/$pkgname-$_version-$_timestamp.tar.gz.sig
-        learn_config
-        policy)
-sha256sums=('2b771346458f55805713e4cdfc4fefba1da88826dd9ecff38dacd0087331a578'
-            'SKIP'
-            '61c3042879ec2303b713f57f751fb66a95e2cc4737fbbd6d95879829c7b7d3c0'
-            '73cf31add3da55b539777d736764a40c6b30041cc259e1d0372c867b87070440')
-validpgpkeys=(
-              'DE9452CE46F42094907F108B44D1C0F82525FE49' # Bradley Spengler
-)
-
-prepare() {
-  cd $pkgname
-  sed -i -e 's/^CFLAGS :=/CFLAGS +=/' -e 's:sbin:usr/bin:' Makefile
-}
-
-build() {
-  cd $pkgname
-  make
-}
-
-package() {
-  cd $pkgname
-  make DESTDIR="$pkgdir" install
-  cp "$srcdir"/{learn_config,policy} "$pkgdir/etc/grsec"
-  rm -r "$pkgdir/dev"
-}

Copied: gradm/repos/community-x86_64/PKGBUILD (from rev 205875, gradm/trunk/PKGBUILD)
===================================================================
--- community-x86_64/PKGBUILD	                        (rev 0)
+++ community-x86_64/PKGBUILD	2017-01-07 03:51:41 UTC (rev 205876)
@@ -0,0 +1,46 @@
+# $Id$
+# Maintainer: Daniel Micay <danielmicay at gmail.com>
+# Contributor: Jonathan Liu <net147 at gmail.com>
+# Contributor: henning mueller <henning at orgizm.net>
+# Contributor: s1gma <s1gma at mindslicer.com>
+# Contributor: Ahmad24 <myitrayan at gmail.com>
+# Contributor: maxrp <maxp at pdx.edu>
+
+pkgname=gradm
+_version=3.1
+_timestamp=201701031918
+pkgver=$_version.$_timestamp
+pkgrel=1
+pkgdesc="Administration utility for grsecurity's Role Based Access Control (RBAC)"
+arch=(i686 x86_64)
+url=https://grsecurity.net/
+license=(GPL2)
+depends=(pam)
+source=(https://grsecurity.net/stable/$pkgname-$_version-$_timestamp.tar.gz
+        https://grsecurity.net/stable/$pkgname-$_version-$_timestamp.tar.gz.sig
+        learn_config
+        policy)
+sha256sums=('794eca5fa9f51520ab4a83b8884cb90e7715061f3102bc896d78674b2c2ad94d'
+            'SKIP'
+            '61c3042879ec2303b713f57f751fb66a95e2cc4737fbbd6d95879829c7b7d3c0'
+            '73cf31add3da55b539777d736764a40c6b30041cc259e1d0372c867b87070440')
+validpgpkeys=(
+              'DE9452CE46F42094907F108B44D1C0F82525FE49' # Bradley Spengler
+)
+
+prepare() {
+  cd $pkgname
+  sed -i -e 's/^CFLAGS :=/CFLAGS +=/' -e 's:sbin:usr/bin:' Makefile
+}
+
+build() {
+  cd $pkgname
+  make
+}
+
+package() {
+  cd $pkgname
+  make DESTDIR="$pkgdir" install
+  cp "$srcdir"/{learn_config,policy} "$pkgdir/etc/grsec"
+  rm -r "$pkgdir/dev"
+}

Deleted: community-x86_64/learn_config
===================================================================
--- community-x86_64/learn_config	2017-01-07 03:51:02 UTC (rev 205875)
+++ community-x86_64/learn_config	2017-01-07 03:51:41 UTC (rev 205876)
@@ -1,168 +0,0 @@
-#This configuration file aids the learning process by tweaking
-#the learning algorithm for specific paths.
-#
-#It accepts lines in the form of <command> <pathname>
-#Where <command> can be inherit-learn, no-learn, inherit-no-learn,
-#high-reduce-path, dont-reduce-path, protected-path, high-protected-path,
-#read-protected-path, and always-reduce-path
-#
-#inherit-learn, no-learn, and inherit-no-learn operate only with
-#full learning
-#
-#high-reduce-path, dont-reduce-path, always-reduce-path, protected-path, 
-#and high-protected-path operate on both full and and regular learning 
-#(subject and role learning)
-#
-#inherit-learn changes the learning process for the specified path
-#by throwing all learned accesses for every binary executed by the
-#processes contained in the pathname into the subject specified
-#by the pathname.  This is useful for cron in the case of full
-#system learning, so that scripts that eventually end up executing
-#mv or rm with privilege don't cause the root policy to grant
-#that privilege to mv or rm in all cases.
-#
-#no-learn allows processes within the path to perform any operation
-#that normal system usage would allow without restriction.  If
-#a process is generating a huge number of learning logs, it may be
-#best to use this command on that process and configure its policy
-#manually.
-#
-#inherit-no-learn combines the above two cases, such that processes
-#within the specified path will be able to perform any normal system
-#operation without restriction as will any binaries executed by
-#these processes.
-#
-#high-reduce-path modifies the heuristics of the learning process
-#to weight in favor of reducing accesses for this path
-#
-#dont-reduce-path modifies the heuristics of the learning process
-#so that it will never reduce accesses for this path
-#
-#always-reduce-path modifies the heuristics of the learning process
-#so that the path specified will always have all files and directories
-#within it reduced to the path specified.
-#
-#protected-path specifies a path on your system that is considered an
-#important resource.  Any process that modifies one of these paths
-#is given its own subject in the learning process, facilitating
-#a secure policy.
-#
-#read-protected-path specifies a path on your system that contains 
-#sensitive information.  Any process that reads one of these paths is
-#given its own subject in the learning process, facilitating a secure
-#policy.
-#
-#high-protected-path specifies a path that should be hidden from
-#all processes but those that access it directly.  It is recommended
-#to use highly sensitive files for this command.
-#
-#regular expressions are not supported for pathnames in this config file
-#
-#
-# uncomment this next line if you don't wish to generate a policy that 
-# restricts roles to specific IP ranges:
-# dont-learn-allowed-ips
-#
-# to write out your generated policy such that roles are split into separate
-# files by the name of the role (within user/group directories), uncomment
-# the next line:
-# split-roles
-
-always-reduce-path /dev/pts
-always-reduce-path /var/spool/qmailscan/tmp
-always-reduce-path /var/spool/exim4
-always-reduce-path /run/screen
-always-reduce-path /usr/share/locale
-always-reduce-path /usr/share/zoneinfo
-always-reduce-path /usr/share/terminfo
-always-reduce-path /var/abs
-always-reduce-path /tmp
-always-reduce-path /var/tmp
-
-high-reduce-path /run/udev
-high-reduce-path /dev/mapper
-high-reduce-path /dev/snd
-high-reduce-path /proc
-high-reduce-path /usr/lib/security
-high-reduce-path /usr/lib/modules
-high-reduce-path /usr/lib
-high-reduce-path /usr/lib32
-high-reduce-path /usr/libx32
-high-reduce-path /usr/lib/tls
-high-reduce-path /usr/lib32/tls
-high-reduce-path /usr/libx32/tls
-high-reduce-path /usr/lib/libreoffice
-high-reduce-path /var/lib
-high-reduce-path /usr/bin
-high-reduce-path /usr/sbin
-high-reduce-path /usr/local/share
-high-reduce-path /usr/local/bin
-high-reduce-path /usr/local/sbin
-high-reduce-path /usr/local/etc
-high-reduce-path /usr/local/lib
-high-reduce-path /usr/share
-high-reduce-path /usr/X11R6/lib
-high-reduce-path /var/lib/openldap-data
-high-reduce-path /var/lib/krb5kdc
-
-dont-reduce-path /
-dont-reduce-path /home
-dont-reduce-path /dev
-dont-reduce-path /usr
-dont-reduce-path /var
-dont-reduce-path /opt
-
-protected-path /etc
-protected-path /boot
-protected-path /run
-protected-path /usr
-protected-path /opt
-protected-path /var
-protected-path /dev/log
-protected-path /root
-protected-path /sys
-
-read-protected-path /etc/ssh
-read-protected-path /proc/kallsyms
-read-protected-path /proc/kcore
-read-protected-path /proc/slabinfo
-read-protected-path /proc/modules
-read-protected-path /usr/lib/modules
-read-protected-path /boot
-read-protected-path /etc/shadow
-read-protected-path /etc/shadow-
-read-protected-path /etc/gshadow
-read-protected-path /etc/gshadow-
-read-protected-path /sys
-
-high-protected-path /etc/ssh
-high-protected-path /proc/kcore
-high-protected-path /proc/sys
-high-protected-path /proc/bus
-high-protected-path /proc/slabinfo
-high-protected-path /proc/modules
-high-protected-path /proc/kallsyms
-high-protected-path /etc/passwd
-high-protected-path /etc/shadow
-high-protected-path /var/backups
-high-protected-path /etc/shadow-
-high-protected-path /etc/gshadow
-high-protected-path /etc/gshadow-
-high-protected-path /var/log
-high-protected-path /dev/mem
-high-protected-path /dev/kmem
-high-protected-path /dev/port
-high-protected-path /dev/log
-high-protected-path /sys
-high-protected-path /etc/ppp
-high-protected-path /etc/samba/smbpasswd
-#to protect kernel images
-high-protected-path /boot
-high-protected-path /usr/lib/modules
-high-protected-path /usr/src
-
-inherit-learn /etc/cron.d
-inherit-learn /etc/cron.hourly
-inherit-learn /etc/cron.daily
-inherit-learn /etc/cron.weekly
-inherit-learn /etc/cron.monthly

Copied: gradm/repos/community-x86_64/learn_config (from rev 205875, gradm/trunk/learn_config)
===================================================================
--- community-x86_64/learn_config	                        (rev 0)
+++ community-x86_64/learn_config	2017-01-07 03:51:41 UTC (rev 205876)
@@ -0,0 +1,168 @@
+#This configuration file aids the learning process by tweaking
+#the learning algorithm for specific paths.
+#
+#It accepts lines in the form of <command> <pathname>
+#Where <command> can be inherit-learn, no-learn, inherit-no-learn,
+#high-reduce-path, dont-reduce-path, protected-path, high-protected-path,
+#read-protected-path, and always-reduce-path
+#
+#inherit-learn, no-learn, and inherit-no-learn operate only with
+#full learning
+#
+#high-reduce-path, dont-reduce-path, always-reduce-path, protected-path, 
+#and high-protected-path operate on both full and and regular learning 
+#(subject and role learning)
+#
+#inherit-learn changes the learning process for the specified path
+#by throwing all learned accesses for every binary executed by the
+#processes contained in the pathname into the subject specified
+#by the pathname.  This is useful for cron in the case of full
+#system learning, so that scripts that eventually end up executing
+#mv or rm with privilege don't cause the root policy to grant
+#that privilege to mv or rm in all cases.
+#
+#no-learn allows processes within the path to perform any operation
+#that normal system usage would allow without restriction.  If
+#a process is generating a huge number of learning logs, it may be
+#best to use this command on that process and configure its policy
+#manually.
+#
+#inherit-no-learn combines the above two cases, such that processes
+#within the specified path will be able to perform any normal system
+#operation without restriction as will any binaries executed by
+#these processes.
+#
+#high-reduce-path modifies the heuristics of the learning process
+#to weight in favor of reducing accesses for this path
+#
+#dont-reduce-path modifies the heuristics of the learning process
+#so that it will never reduce accesses for this path
+#
+#always-reduce-path modifies the heuristics of the learning process
+#so that the path specified will always have all files and directories
+#within it reduced to the path specified.
+#
+#protected-path specifies a path on your system that is considered an
+#important resource.  Any process that modifies one of these paths
+#is given its own subject in the learning process, facilitating
+#a secure policy.
+#
+#read-protected-path specifies a path on your system that contains 
+#sensitive information.  Any process that reads one of these paths is
+#given its own subject in the learning process, facilitating a secure
+#policy.
+#
+#high-protected-path specifies a path that should be hidden from
+#all processes but those that access it directly.  It is recommended
+#to use highly sensitive files for this command.
+#
+#regular expressions are not supported for pathnames in this config file
+#
+#
+# uncomment this next line if you don't wish to generate a policy that 
+# restricts roles to specific IP ranges:
+# dont-learn-allowed-ips
+#
+# to write out your generated policy such that roles are split into separate
+# files by the name of the role (within user/group directories), uncomment
+# the next line:
+# split-roles
+
+always-reduce-path /dev/pts
+always-reduce-path /var/spool/qmailscan/tmp
+always-reduce-path /var/spool/exim4
+always-reduce-path /run/screen
+always-reduce-path /usr/share/locale
+always-reduce-path /usr/share/zoneinfo
+always-reduce-path /usr/share/terminfo
+always-reduce-path /var/abs
+always-reduce-path /tmp
+always-reduce-path /var/tmp
+
+high-reduce-path /run/udev
+high-reduce-path /dev/mapper
+high-reduce-path /dev/snd
+high-reduce-path /proc
+high-reduce-path /usr/lib/security
+high-reduce-path /usr/lib/modules
+high-reduce-path /usr/lib
+high-reduce-path /usr/lib32
+high-reduce-path /usr/libx32
+high-reduce-path /usr/lib/tls
+high-reduce-path /usr/lib32/tls
+high-reduce-path /usr/libx32/tls
+high-reduce-path /usr/lib/libreoffice
+high-reduce-path /var/lib
+high-reduce-path /usr/bin
+high-reduce-path /usr/sbin
+high-reduce-path /usr/local/share
+high-reduce-path /usr/local/bin
+high-reduce-path /usr/local/sbin
+high-reduce-path /usr/local/etc
+high-reduce-path /usr/local/lib
+high-reduce-path /usr/share
+high-reduce-path /usr/X11R6/lib
+high-reduce-path /var/lib/openldap-data
+high-reduce-path /var/lib/krb5kdc
+
+dont-reduce-path /
+dont-reduce-path /home
+dont-reduce-path /dev
+dont-reduce-path /usr
+dont-reduce-path /var
+dont-reduce-path /opt
+
+protected-path /etc
+protected-path /boot
+protected-path /run
+protected-path /usr
+protected-path /opt
+protected-path /var
+protected-path /dev/log
+protected-path /root
+protected-path /sys
+
+read-protected-path /etc/ssh
+read-protected-path /proc/kallsyms
+read-protected-path /proc/kcore
+read-protected-path /proc/slabinfo
+read-protected-path /proc/modules
+read-protected-path /usr/lib/modules
+read-protected-path /boot
+read-protected-path /etc/shadow
+read-protected-path /etc/shadow-
+read-protected-path /etc/gshadow
+read-protected-path /etc/gshadow-
+read-protected-path /sys
+
+high-protected-path /etc/ssh
+high-protected-path /proc/kcore
+high-protected-path /proc/sys
+high-protected-path /proc/bus
+high-protected-path /proc/slabinfo
+high-protected-path /proc/modules
+high-protected-path /proc/kallsyms
+high-protected-path /etc/passwd
+high-protected-path /etc/shadow
+high-protected-path /var/backups
+high-protected-path /etc/shadow-
+high-protected-path /etc/gshadow
+high-protected-path /etc/gshadow-
+high-protected-path /var/log
+high-protected-path /dev/mem
+high-protected-path /dev/kmem
+high-protected-path /dev/port
+high-protected-path /dev/log
+high-protected-path /sys
+high-protected-path /etc/ppp
+high-protected-path /etc/samba/smbpasswd
+#to protect kernel images
+high-protected-path /boot
+high-protected-path /usr/lib/modules
+high-protected-path /usr/src
+
+inherit-learn /etc/cron.d
+inherit-learn /etc/cron.hourly
+inherit-learn /etc/cron.daily
+inherit-learn /etc/cron.weekly
+inherit-learn /etc/cron.monthly

Deleted: community-x86_64/policy
===================================================================
--- community-x86_64/policy	2017-01-07 03:51:02 UTC (rev 205875)
+++ community-x86_64/policy	2017-01-07 03:51:41 UTC (rev 205876)
@@ -1,491 +0,0 @@
-#sample default policy for grsecurity
-#
-# Role flags:
-# A -> This role is an administrative role, thus it has special privilege normal
-#      roles do not have.  In particular, this role bypasses the 
-#      additional ptrace restrictions
-# N -> Don't require authentication for this role.  To access
-#      the role, use gradm -n <rolename>
-# s -> This role is a special role, meaning it does not belong to a
-#      user or group, and does not require an enforced secure policy
-#      base to be included in the ruleset
-# u -> This role is a user role
-# g -> This role is a group role
-# G -> This role can use gradm to authenticate to the kernel
-#      A policy for gradm will automatically be added to the role
-# T -> Enable TPE for this role
-# l -> Enable learning for this role
-# P -> Use PAM authentication for this role.
-# R -> Enable persistence of special role.  Normal special roles will
-#      be removed upon exit of the process that entered the role, or
-#      upon unauth (this is what changes the apache process' role back 
-#      to its normal role after being restarted from the admin role, for
-#      instance).  Role persistence allows a special role to be used for
-#      system shutdown, as the point at which the admin's shell/SSH 
-#      session is terminated won't cause the rest of the shutdown 
-#      sequence to execute with reduced privilege.  Do *NOT* use this 
-#      flag with any role that does anything but shut the system down.
-#      This role will also be transferred to the init process upon
-#      writing to /dev/initctl.  This allows init to execute the rc 
-#      scripts for shutdown with the necessary privilege.
-#      For usability reasons, we allow the removal of persistence through
-#      the normal unauth process (so persistence only survives exit).
-#
-# a role can only be one of user, group, or special
-#
-# role_allow_ip IP/optional netmask
-# eg: role_allow_ip 192.168.1.0/24
-# You can have as many of these per role as you want
-# They restrict the use of a role to a list of IPs.  If a user
-# is on the system that would normally get the role does not
-# belong to those lists of IPs, the system falls back through
-# its method of determining a role for the user
-#
-# Role hierarchy
-# user -> group -> default
-# First a user role attempts to match, if one is not found,
-# a group role attempts to match, if one is not found,
-# the default role is used.
-#
-# role_transitions <special role 1> <special role 2> ... <special role n>
-# eg: role_transitions www_admin dns_admin
-#
-# role transitions specify which special roles a given role is allowed
-# to authenticate to.  This applies to special roles that do not
-# require password authentication as well.  If a user tries to
-# authenticate to a role that is not within his transition table, he
-# will receive a permission denied error
-#
-# Nested subjects
-# subject /usr/bin/su:/usr/bin/bash:/usr/bin/cat
-#	  / rwx
-#	  +CAP_ALL
-# grant privilege to specific processes if they are executed
-# within a trusted path.  In this case, privilege is
-# granted if /usr/bin/cat is executed from /usr/bin/bash, which is
-# executed from /usr/bin/su.
-#
-# Configuration inheritance on nested subjects
-# nested subjects inherit rules from their parents.  In the
-# example above, the nested subject would inherit rules
-# from the nested subject for /usr/bin/su:/usr/bin/bash,
-# and the subject /usr/bin/su
-# View the 1.9.x documentation for more information on
-# configuration inheritance
-#
-# new object modes:
-# m -> allow creation of setuid/setgid files/directories
-#      and modification of files/directories to be setuid/setgid
-# M -> audit the setuid/setgid creation/modification
-# c -> allow creation of the file/directory
-# C -> audit the creation
-# d -> allow deletion of the file/directory
-# D -> audit the deletion
-# p -> reject all ptraces to this object
-# l -> allow a hardlink at this path
-#	(hardlinking requires at a minimum c and l modes, and the target
-#	 link cannot have any greater permission than the source file)
-# L -> audit link creation
-# f -> needed to mark the pipe used for communication with init
-#      to transfer the privilege of the persistent role; only valid
-#      within a persistent role.  Transfer only occurs when the file is 
-#      opened for writing
-# Z -> tells gradm to ignore earlier object of the same name and use this
-#      one instead
-#
-# new subject modes:
-# O -> disable "writable library" restrictions for this task
-# t -> allow this process to ptrace any process (use with caution)
-# r -> relax ptrace restrictions (allows process to ptrace processes
-#      other than its own descendants)
-# i -> enable inheritance-based learning for this subject, causing
-#      all accesses of this subject and anything it executes to be placed
-#      in this subject, and inheritance flags added to executable objects
-#      in this subject
-# a -> allow this process to talk to the /dev/grsec device
-# s -> enable AT_SECURE when entering this subject
-#      (enables the same environment sanitization that occurs in glibc
-#	upon execution of a suid binary)
-# x -> allows executable anonymous shared memory for this subject
-# Z -> tells gradm to ignore earlier subject of the same path and use this
-#      one instead
-
-# user/group transitions:
-# You may now specify what users and groups a given subject can
-# transition to.  This can be done on an inclusive or exclusive basis.
-# Omitting these rules allows a process with proper privilege granted by
-# capabilities to transition to any user/group.
-#
-# Examples:
-# subject /usr/bin/su
-# user_transition_allow root spender
-# group_transition_allow root spender
-# subject /usr/bin/su
-# user_transition_deny evilhacker
-# subject /usr/bin/su
-# group_transition_deny evilhacker1 evilhacker2
-#
-# Domains:
-# With domains you can combine users that don't share a common
-# GID as well as groups so that they share a single policy
-# Domains work just like roles, with the only exception being that
-# the line starting with "role" is replaced with one of the following:
-# domain somedomainname u user1 user2 user3 user4 ... usern
-# domain somedomainname g group1 group2 group3 group4 ... groupn
-#
-# Inverted socket policies:
-# Rules such as
-# connect ! www.google.com:80 stream tcp
-# are now allowed, which allows you to specify that a process can connect to anything
-# except to port 80 of www.google.com with a stream tcp socket
-# the inverted socket matching also works on bind rules
-#
-# INADDR_ANY overriding
-# You can now force a given subject to bind to a particular IP address on the machine
-# This is useful for some chrooted environments, to ensure that the source IP they
-# use is one of your choosing
-# to use, add a line like:
-# ip_override 192.168.0.1
-#
-# Per-interface socket policies:
-# Rules such as
-# bind eth1:80 stream tcp
-# bind eth0#1:22 stream tcp
-# are now allowed, giving you the ability to tie specific socket rules 
-# to a single interface (or by using the inverted rules, all but one 
-# interface).  Virtual interfaces are specified by the <ifname>#<vindex>
-# syntax.  If an interface is specified, no IP/netmask or host may be
-# specified for the rule.
-#
-# Allowing additional socket families:
-# Before v2.2.1 of the RBAC system, a subject that specified
-# connect/bind rules limited only the socket usage of IPv4, allowing
-# any other socket families to be used.  Starting with v2.2.1 of the 
-# RBAC system, when connect/bind rules are used, additional rules
-# will be required to unlock the use of additional socket families 
-# (outside of the common unix family).  Multiple families can be
-# specified per line.
-# To enable use of IPv6, add the line:
-# sock_allow_family ipv6
-# To enable use of netlink, add the line:
-# sock_allow_family netlink
-# To enable all other families, add the line:
-# sock_allow_family all
-#
-# New learning system:
-# To learn on a given subject: add l (the letter l, not the number 1)
-# to the subject mode
-# If you want to learn with the most restrictive policy, use the 
-# following:
-# subject /path/to/bin lo
-#    / h
-#    -CAP_ALL
-#    connect disabled
-#    bind disabled
-# Resource learning is also supported, so lines like
-#    RES_AS 0 0
-# can be used to learn a particular resource
-#
-# To learn on a given role, add l to the role mode
-# For both of these, to enable learning, enable the system like:
-# gradm -L /etc/grsec/learning.logs -E
-# and then generate the rules after disabling the system after the 
-# learning phase with:
-# gradm -L /etc/grsec/learning.logs -O /etc/grsec/policy
-# To use full system learning, enable the system like:
-# gradm -F -L /etc/grsec/learning.logs
-# and then generate the rules after disabling the system after the 
-# learning phase with:
-# gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy
-#
-# New PaX flag format (replaces PaX subject flags):
-# PaX flags can be forced on or off, regardless of the flags on the 
-# binary, by using + or - before the following PaX flag names:
-# PAX_SEGMEXEC
-# PAX_PAGEEXEC
-# PAX_MPROTECT
-# PAX_RANDMMAP
-# PAX_EMUTRAMP
-#
-# New feature for easier policy maintenance:
-# replace <variable name> <replace string>
-# e.g.:
-# replace CVSROOT /home/cvs
-# now $(CVSROOT) can be used in any subject or object pathname, like:
-# $(CVSROOT)/grsecurity r
-# This will translate to /home/cvs/grsecurity r
-# This feature makes it easier to update policies by naming specific
-# paths by their function, then only having to update those paths once
-# to have it affect a large number of subjects/objects.
-#
-# capability auditing / log suppression
-# use of a capability can be audited by adding "audit" to the line, eg:
-# +CAP_SYS_RAWIO audit
-# log suppression for denial of a capbility can be done by adding "suppress":
-# -CAP_SYS_RAWIO suppress
-#
-# Per-role umask enforcement:
-# If you have a user that you want to be assured cannot accidentally
-# create a file that others can read (a confidentiality issue)
-# add the following under the role declaration:
-# role_umask 077
-# any normal octal umask may be specified
-# Note that unlike the normal umask, this umask will also apply
-# to the permissions one can chmod/fchmod a file to
-#
-# Note that the omission of any feature of a role or subject
-# results in a default-allow
-# For instance, if no capability rules are added in a subject without
-# policy inheritance ("o" in subject mode), an implicit +CAP_ALL is used
-#
-# Also note that policy inheritance does not exist for network policies, only
-# file objects and capabilities inherit policy
-#
-# Commonly-used objects can be defined and used in multiple subjects
-# As an example, we'll create a variable out of a list of objects
-# and their associated permissions that RBAC enforces
-# files, connect/bind rules, and capabilities can currently be added to a define
-
-define grsec_denied {
-	/boot		h
-	/dev/grsec	h
-	/dev/kmem	h
-	/dev/mem	h
-	/dev/port	h
-	/etc/grsec	h
-	/proc/kcore	h
-	/proc/slabinfo	h
-	/proc/modules	h
-	/proc/kallsyms	h
-	# hide and suppress logs about accessing this path
-	/usr/lib/modules	hs
-	/etc/ssh	h
-}
-# usage:
-# $grsec_denied
-
-role shutdown sARG
-subject / rvka
-	/
-	/dev
-	/dev/urandom	r
-	/dev/random	r
-	/etc		r
-	/usr		rx
-	/proc r
-	$grsec_denied
-	-CAP_ALL
-	connect disabled
-	bind disabled
-
-subject /usr/lib/systemd/systemd rvkao
-	/ rwcdmlxi
-subject /usr/bin/systemctl rvkao
-	/ rwcdmlxi
-	/dev/initctl rwf
-	/run/initctl rwf
-
-# Make sure to unauthenticate with gradm -u from
-# the admin role after restarting a service
-# The service started will run with admin
-# privileges until you run gradm -u or your shell exits
-
-role admin sA
-subject / rvka
-	/ rwcdmlxi
-
-role default G
-role_transitions admin shutdown
-subject /
-	/		r
-	/opt		rx
-	/home		rwxcd
-	/mnt		rw
-	/dev
-	/dev/urandom	r
-	/dev/random	r
-	/dev/zero	rw
-	/dev/input	rw
-	/dev/psaux	rw
-	/dev/null	rw
-	/dev/tty?	rw
-	/dev/console	rw
-	/dev/tty	rw
-	/dev/pts	rw
-	/dev/ptmx	rw
-	/dev/dsp	rw
-	/dev/mixer	rw
-	/dev/initctl	rw
-	/dev/fd0	r
-	/dev/sr0	r
-	/usr		rx
-# compilation of kernel code should be done within the admin role	
-	/usr/src	h
-	/etc		rx
-	/proc		rwx
-	/proc/sys	r
-	/sys		h
-	/root		r
-	/run		r
-	/tmp		rwcd
-	/var		rwxcd
-	/var/tmp	rwcd
-	/var/log	r
-# hide the kernel images and modules
-	$grsec_denied
-
-# if sshd needs to be restarted, it can be done through the admin role
-# restarting sshd should be followed immediately by a gradm -u
-	/usr/bin/sshd
-	
-	-CAP_KILL
-	-CAP_SYS_TTY_CONFIG
-	-CAP_LINUX_IMMUTABLE
-	-CAP_NET_RAW
-	-CAP_MKNOD
-	-CAP_SYS_ADMIN
-	-CAP_SYS_RAWIO
-	-CAP_SYS_MODULE
-	-CAP_SYS_PTRACE
-	-CAP_NET_ADMIN
-	-CAP_NET_BIND_SERVICE
-	-CAP_NET_RAW
-	-CAP_SYS_CHROOT
-	-CAP_SYS_BOOT
-	-CAP_SETFCAP
-	-CAP_SYSLOG
-
-#	RES_AS 100M 100M
-
-#	connect 192.168.1.0/24:22 stream tcp
-#	bind	0.0.0.0 stream dgram tcp udp
-
-# the d flag protects /proc fd and mem entries for sshd
-# all daemons should have 'p' in their subject mode to prevent
-# an attacker from killing the service (and restarting it with trojaned
-# config file or taking the port it reserved to run a trojaned service)
-
-subject /usr/bin/sshd dpo
-	/
-	/*		h
-	/usr/bin/bash	x
-	/dev		h
-	/dev/random	r
-	/dev/urandom	r
-	/dev/null	rw
-	/dev/ptmx	rw
-	/dev/pts	rw
-	/dev/tty	rw
-	/dev/tty?	rw
-	/etc		r
-	/etc/grsec	h
-	/home
-	/home/*/.ssh/authorized_keys r
-	/root
-	/proc		r
-	/proc/*/oom_adj rw
-	/proc/*/oom_score_adj rw
-	/proc/kcore	h
-	/proc/sys	h
-	/proc/sys/kernel/ngroups_max r
-	/selinux	r
-	/usr/lib	rx
-	/usr/lib32	rx
-	/usr/libx32	rx
-	/usr/share/zoneinfo r
-	/var/log
-	/var/spool/mail
-	/var/log/lastlog	rw
-	/var/log/wtmp		w
-	/var/run
-	/run
-	/run/systemd/journal/dev-log	rw
-	/var/run/sshd
-	/var/run/utmp		rw
-	/var/run/utmpx		rw
-	/var/run/.nscd_socket	rw
-
-	-CAP_ALL
-	+CAP_CHOWN
-	+CAP_SETGID
-	+CAP_SETUID
-	+CAP_SYS_CHROOT
-	+CAP_SYS_RESOURCE
-	+CAP_SYS_TTY_CONFIG
-	+CAP_AUDIT_WRITE
-	# to access user keys
-	+CAP_DAC_OVERRIDE
-
-subject /usr/bin/Xorg
-	/dev/mem	rw
-
-	+CAP_SYS_ADMIN
-	+CAP_SYS_TTY_CONFIG
-	+CAP_SYS_RAWIO
-
-subject /usr/bin/ssh
-	/etc/ssh/ssh_config r
-
-subject /usr/bin/postgres
-	/run/systemd/journal/dev-log	rw
-
-subject /usr/bin/exim
-	/run/systemd/journal/dev-log	rw
-
-subject /usr/bin/syslog-ng
-	+CAP_SYS_ADMIN
-
-subject /usr/bin/rsyslogd
-	+CAP_SYS_ADMIN
-
-subject /usr/bin/cron
-	/run/systemd/journal/dev-log	rw
-
-subject /usr/bin/crond
-	/run/systemd/journal/dev-log	rw
-
-subject /usr/bin/login
-	/run/systemd/journal/dev-log	rw
-	/var/log/wtmp w
-	/var/log/faillog rwcd
-
-subject /usr/bin/su
-	/run/systemd/journal/dev-log	rw
-
-subject /usr/bin/sudo
-	/run/systemd/journal/dev-log	rw
-
-subject /usr/bin/agetty
-	/var/log/wtmp w
-
-subject /usr/bin/xauth
-	/home r
-	/home/*/.Xauthority-* rwcdl
-
-# prevent ld.so breakouts of subjects with /usr/lib rx
-
-# many distros clutter up /usr/lib with shell scripts
-# that can be easily hijacked for malicious purposes
-subject /usr/lib o
-	/ h
-	-CAP_ALL
-	connect disabled
-	bind disabled
-
-subject /usr/lib32 o
-	/ h
-	-CAP_ALL
-	connect disabled
-	bind disabled
-
-subject /usr/lib/ld-linux.so.2 o
-	/ h
-	-CAP_ALL
-	connect disabled
-	bind disabled
-
-subject /usr/lib/ld-linux-x86-64.so.2 o
-	/ h
-	-CAP_ALL
-	connect disabled
-	bind disabled

Copied: gradm/repos/community-x86_64/policy (from rev 205875, gradm/trunk/policy)
===================================================================
--- community-x86_64/policy	                        (rev 0)
+++ community-x86_64/policy	2017-01-07 03:51:41 UTC (rev 205876)
@@ -0,0 +1,491 @@
+#sample default policy for grsecurity
+#
+# Role flags:
+# A -> This role is an administrative role, thus it has special privilege normal
+#      roles do not have.  In particular, this role bypasses the 
+#      additional ptrace restrictions
+# N -> Don't require authentication for this role.  To access
+#      the role, use gradm -n <rolename>
+# s -> This role is a special role, meaning it does not belong to a
+#      user or group, and does not require an enforced secure policy
+#      base to be included in the ruleset
+# u -> This role is a user role
+# g -> This role is a group role
+# G -> This role can use gradm to authenticate to the kernel
+#      A policy for gradm will automatically be added to the role
+# T -> Enable TPE for this role
+# l -> Enable learning for this role
+# P -> Use PAM authentication for this role.
+# R -> Enable persistence of special role.  Normal special roles will
+#      be removed upon exit of the process that entered the role, or
+#      upon unauth (this is what changes the apache process' role back 
+#      to its normal role after being restarted from the admin role, for
+#      instance).  Role persistence allows a special role to be used for
+#      system shutdown, as the point at which the admin's shell/SSH 
+#      session is terminated won't cause the rest of the shutdown 
+#      sequence to execute with reduced privilege.  Do *NOT* use this 
+#      flag with any role that does anything but shut the system down.
+#      This role will also be transferred to the init process upon
+#      writing to /dev/initctl.  This allows init to execute the rc 
+#      scripts for shutdown with the necessary privilege.
+#      For usability reasons, we allow the removal of persistence through
+#      the normal unauth process (so persistence only survives exit).
+#
+# a role can only be one of user, group, or special
+#
+# role_allow_ip IP/optional netmask
+# eg: role_allow_ip 192.168.1.0/24
+# You can have as many of these per role as you want
+# They restrict the use of a role to a list of IPs.  If a user
+# is on the system that would normally get the role does not
+# belong to those lists of IPs, the system falls back through
+# its method of determining a role for the user
+#
+# Role hierarchy
+# user -> group -> default
+# First a user role attempts to match, if one is not found,
+# a group role attempts to match, if one is not found,
+# the default role is used.
+#
+# role_transitions <special role 1> <special role 2> ... <special role n>
+# eg: role_transitions www_admin dns_admin
+#
+# role transitions specify which special roles a given role is allowed
+# to authenticate to.  This applies to special roles that do not
+# require password authentication as well.  If a user tries to
+# authenticate to a role that is not within his transition table, he
+# will receive a permission denied error
+#
+# Nested subjects
+# subject /usr/bin/su:/usr/bin/bash:/usr/bin/cat
+#	  / rwx
+#	  +CAP_ALL
+# grant privilege to specific processes if they are executed
+# within a trusted path.  In this case, privilege is
+# granted if /usr/bin/cat is executed from /usr/bin/bash, which is
+# executed from /usr/bin/su.
+#
+# Configuration inheritance on nested subjects
+# nested subjects inherit rules from their parents.  In the
+# example above, the nested subject would inherit rules
+# from the nested subject for /usr/bin/su:/usr/bin/bash,
+# and the subject /usr/bin/su
+# View the 1.9.x documentation for more information on
+# configuration inheritance
+#
+# new object modes:
+# m -> allow creation of setuid/setgid files/directories
+#      and modification of files/directories to be setuid/setgid
+# M -> audit the setuid/setgid creation/modification
+# c -> allow creation of the file/directory
+# C -> audit the creation
+# d -> allow deletion of the file/directory
+# D -> audit the deletion
+# p -> reject all ptraces to this object
+# l -> allow a hardlink at this path
+#	(hardlinking requires at a minimum c and l modes, and the target
+#	 link cannot have any greater permission than the source file)
+# L -> audit link creation
+# f -> needed to mark the pipe used for communication with init
+#      to transfer the privilege of the persistent role; only valid
+#      within a persistent role.  Transfer only occurs when the file is 
+#      opened for writing
+# Z -> tells gradm to ignore earlier object of the same name and use this
+#      one instead
+#
+# new subject modes:
+# O -> disable "writable library" restrictions for this task
+# t -> allow this process to ptrace any process (use with caution)
+# r -> relax ptrace restrictions (allows process to ptrace processes
+#      other than its own descendants)
+# i -> enable inheritance-based learning for this subject, causing
+#      all accesses of this subject and anything it executes to be placed
+#      in this subject, and inheritance flags added to executable objects
+#      in this subject
+# a -> allow this process to talk to the /dev/grsec device
+# s -> enable AT_SECURE when entering this subject
+#      (enables the same environment sanitization that occurs in glibc
+#	upon execution of a suid binary)
+# x -> allows executable anonymous shared memory for this subject
+# Z -> tells gradm to ignore earlier subject of the same path and use this
+#      one instead
+
+# user/group transitions:
+# You may now specify what users and groups a given subject can
+# transition to.  This can be done on an inclusive or exclusive basis.
+# Omitting these rules allows a process with proper privilege granted by
+# capabilities to transition to any user/group.
+#
+# Examples:
+# subject /usr/bin/su
+# user_transition_allow root spender
+# group_transition_allow root spender
+# subject /usr/bin/su
+# user_transition_deny evilhacker
+# subject /usr/bin/su
+# group_transition_deny evilhacker1 evilhacker2
+#
+# Domains:
+# With domains you can combine users that don't share a common
+# GID as well as groups so that they share a single policy
+# Domains work just like roles, with the only exception being that
+# the line starting with "role" is replaced with one of the following:
+# domain somedomainname u user1 user2 user3 user4 ... usern
+# domain somedomainname g group1 group2 group3 group4 ... groupn
+#
+# Inverted socket policies:
+# Rules such as
+# connect ! www.google.com:80 stream tcp
+# are now allowed, which allows you to specify that a process can connect to anything
+# except to port 80 of www.google.com with a stream tcp socket
+# the inverted socket matching also works on bind rules
+#
+# INADDR_ANY overriding
+# You can now force a given subject to bind to a particular IP address on the machine
+# This is useful for some chrooted environments, to ensure that the source IP they
+# use is one of your choosing
+# to use, add a line like:
+# ip_override 192.168.0.1
+#
+# Per-interface socket policies:
+# Rules such as
+# bind eth1:80 stream tcp
+# bind eth0#1:22 stream tcp
+# are now allowed, giving you the ability to tie specific socket rules 
+# to a single interface (or by using the inverted rules, all but one 
+# interface).  Virtual interfaces are specified by the <ifname>#<vindex>
+# syntax.  If an interface is specified, no IP/netmask or host may be
+# specified for the rule.
+#
+# Allowing additional socket families:
+# Before v2.2.1 of the RBAC system, a subject that specified
+# connect/bind rules limited only the socket usage of IPv4, allowing
+# any other socket families to be used.  Starting with v2.2.1 of the 
+# RBAC system, when connect/bind rules are used, additional rules
+# will be required to unlock the use of additional socket families 
+# (outside of the common unix family).  Multiple families can be
+# specified per line.
+# To enable use of IPv6, add the line:
+# sock_allow_family ipv6
+# To enable use of netlink, add the line:
+# sock_allow_family netlink
+# To enable all other families, add the line:
+# sock_allow_family all
+#
+# New learning system:
+# To learn on a given subject: add l (the letter l, not the number 1)
+# to the subject mode
+# If you want to learn with the most restrictive policy, use the 
+# following:
+# subject /path/to/bin lo
+#    / h
+#    -CAP_ALL
+#    connect disabled
+#    bind disabled
+# Resource learning is also supported, so lines like
+#    RES_AS 0 0
+# can be used to learn a particular resource
+#
+# To learn on a given role, add l to the role mode
+# For both of these, to enable learning, enable the system like:
+# gradm -L /etc/grsec/learning.logs -E
+# and then generate the rules after disabling the system after the 
+# learning phase with:
+# gradm -L /etc/grsec/learning.logs -O /etc/grsec/policy
+# To use full system learning, enable the system like:
+# gradm -F -L /etc/grsec/learning.logs
+# and then generate the rules after disabling the system after the 
+# learning phase with:
+# gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy
+#
+# New PaX flag format (replaces PaX subject flags):
+# PaX flags can be forced on or off, regardless of the flags on the 
+# binary, by using + or - before the following PaX flag names:
+# PAX_SEGMEXEC
+# PAX_PAGEEXEC
+# PAX_MPROTECT
+# PAX_RANDMMAP
+# PAX_EMUTRAMP
+#
+# New feature for easier policy maintenance:
+# replace <variable name> <replace string>
+# e.g.:
+# replace CVSROOT /home/cvs
+# now $(CVSROOT) can be used in any subject or object pathname, like:
+# $(CVSROOT)/grsecurity r
+# This will translate to /home/cvs/grsecurity r
+# This feature makes it easier to update policies by naming specific
+# paths by their function, then only having to update those paths once
+# to have it affect a large number of subjects/objects.
+#
+# capability auditing / log suppression
+# use of a capability can be audited by adding "audit" to the line, eg:
+# +CAP_SYS_RAWIO audit
+# log suppression for denial of a capbility can be done by adding "suppress":
+# -CAP_SYS_RAWIO suppress
+#
+# Per-role umask enforcement:
+# If you have a user that you want to be assured cannot accidentally
+# create a file that others can read (a confidentiality issue)
+# add the following under the role declaration:
+# role_umask 077
+# any normal octal umask may be specified
+# Note that unlike the normal umask, this umask will also apply
+# to the permissions one can chmod/fchmod a file to
+#
+# Note that the omission of any feature of a role or subject
+# results in a default-allow
+# For instance, if no capability rules are added in a subject without
+# policy inheritance ("o" in subject mode), an implicit +CAP_ALL is used
+#
+# Also note that policy inheritance does not exist for network policies, only
+# file objects and capabilities inherit policy
+#
+# Commonly-used objects can be defined and used in multiple subjects
+# As an example, we'll create a variable out of a list of objects
+# and their associated permissions that RBAC enforces
+# files, connect/bind rules, and capabilities can currently be added to a define
+
+define grsec_denied {
+	/boot		h
+	/dev/grsec	h
+	/dev/kmem	h
+	/dev/mem	h
+	/dev/port	h
+	/etc/grsec	h
+	/proc/kcore	h
+	/proc/slabinfo	h
+	/proc/modules	h
+	/proc/kallsyms	h
+	# hide and suppress logs about accessing this path
+	/usr/lib/modules	hs
+	/etc/ssh	h
+}
+# usage:
+# $grsec_denied
+
+role shutdown sARG
+subject / rvka
+	/
+	/dev
+	/dev/urandom	r
+	/dev/random	r
+	/etc		r
+	/usr		rx
+	/proc r
+	$grsec_denied
+	-CAP_ALL
+	connect disabled
+	bind disabled
+
+subject /usr/lib/systemd/systemd rvkao
+	/ rwcdmlxi
+subject /usr/bin/systemctl rvkao
+	/ rwcdmlxi
+	/dev/initctl rwf
+	/run/initctl rwf
+
+# Make sure to unauthenticate with gradm -u from
+# the admin role after restarting a service
+# The service started will run with admin
+# privileges until you run gradm -u or your shell exits
+
+role admin sA
+subject / rvka
+	/ rwcdmlxi
+
+role default G
+role_transitions admin shutdown
+subject /
+	/		r
+	/opt		rx
+	/home		rwxcd
+	/mnt		rw
+	/dev
+	/dev/urandom	r
+	/dev/random	r
+	/dev/zero	rw
+	/dev/input	rw
+	/dev/psaux	rw
+	/dev/null	rw
+	/dev/tty?	rw
+	/dev/console	rw
+	/dev/tty	rw
+	/dev/pts	rw
+	/dev/ptmx	rw
+	/dev/dsp	rw
+	/dev/mixer	rw
+	/dev/initctl	rw
+	/dev/fd0	r
+	/dev/sr0	r
+	/usr		rx
+# compilation of kernel code should be done within the admin role	
+	/usr/src	h
+	/etc		rx
+	/proc		rwx
+	/proc/sys	r
+	/sys		h
+	/root		r
+	/run		r
+	/tmp		rwcd
+	/var		rwxcd
+	/var/tmp	rwcd
+	/var/log	r
+# hide the kernel images and modules
+	$grsec_denied
+
+# if sshd needs to be restarted, it can be done through the admin role
+# restarting sshd should be followed immediately by a gradm -u
+	/usr/bin/sshd
+	
+	-CAP_KILL
+	-CAP_SYS_TTY_CONFIG
+	-CAP_LINUX_IMMUTABLE
+	-CAP_NET_RAW
+	-CAP_MKNOD
+	-CAP_SYS_ADMIN
+	-CAP_SYS_RAWIO
+	-CAP_SYS_MODULE
+	-CAP_SYS_PTRACE
+	-CAP_NET_ADMIN
+	-CAP_NET_BIND_SERVICE
+	-CAP_NET_RAW
+	-CAP_SYS_CHROOT
+	-CAP_SYS_BOOT
+	-CAP_SETFCAP
+	-CAP_SYSLOG
+
+#	RES_AS 100M 100M
+
+#	connect 192.168.1.0/24:22 stream tcp
+#	bind	0.0.0.0 stream dgram tcp udp
+
+# the d flag protects /proc fd and mem entries for sshd
+# all daemons should have 'p' in their subject mode to prevent
+# an attacker from killing the service (and restarting it with trojaned
+# config file or taking the port it reserved to run a trojaned service)
+
+subject /usr/bin/sshd dpo
+	/
+	/*		h
+	/usr/bin/bash	x
+	/dev		h
+	/dev/random	r
+	/dev/urandom	r
+	/dev/null	rw
+	/dev/ptmx	rw
+	/dev/pts	rw
+	/dev/tty	rw
+	/dev/tty?	rw
+	/etc		r
+	/etc/grsec	h
+	/home
+	/home/*/.ssh/authorized_keys r
+	/root
+	/proc		r
+	/proc/*/oom_adj rw
+	/proc/*/oom_score_adj rw
+	/proc/kcore	h
+	/proc/sys	h
+	/proc/sys/kernel/ngroups_max r
+	/selinux	r
+	/usr/lib	rx
+	/usr/lib32	rx
+	/usr/libx32	rx
+	/usr/share/zoneinfo r
+	/var/log
+	/var/spool/mail
+	/var/log/lastlog	rw
+	/var/log/wtmp		w
+	/var/run
+	/run
+	/run/systemd/journal/dev-log	rw
+	/var/run/sshd
+	/var/run/utmp		rw
+	/var/run/utmpx		rw
+	/var/run/.nscd_socket	rw
+
+	-CAP_ALL
+	+CAP_CHOWN
+	+CAP_SETGID
+	+CAP_SETUID
+	+CAP_SYS_CHROOT
+	+CAP_SYS_RESOURCE
+	+CAP_SYS_TTY_CONFIG
+	+CAP_AUDIT_WRITE
+	# to access user keys
+	+CAP_DAC_OVERRIDE
+
+subject /usr/bin/Xorg
+	/dev/mem	rw
+
+	+CAP_SYS_ADMIN
+	+CAP_SYS_TTY_CONFIG
+	+CAP_SYS_RAWIO
+
+subject /usr/bin/ssh
+	/etc/ssh/ssh_config r
+
+subject /usr/bin/postgres
+	/run/systemd/journal/dev-log	rw
+
+subject /usr/bin/exim
+	/run/systemd/journal/dev-log	rw
+
+subject /usr/bin/syslog-ng
+	+CAP_SYS_ADMIN
+
+subject /usr/bin/rsyslogd
+	+CAP_SYS_ADMIN
+
+subject /usr/bin/cron
+	/run/systemd/journal/dev-log	rw
+
+subject /usr/bin/crond
+	/run/systemd/journal/dev-log	rw
+
+subject /usr/bin/login
+	/run/systemd/journal/dev-log	rw
+	/var/log/wtmp w
+	/var/log/faillog rwcd
+
+subject /usr/bin/su
+	/run/systemd/journal/dev-log	rw
+
+subject /usr/bin/sudo
+	/run/systemd/journal/dev-log	rw
+
+subject /usr/bin/agetty
+	/var/log/wtmp w
+
+subject /usr/bin/xauth
+	/home r
+	/home/*/.Xauthority-* rwcdl
+
+# prevent ld.so breakouts of subjects with /usr/lib rx
+
+# many distros clutter up /usr/lib with shell scripts
+# that can be easily hijacked for malicious purposes
+subject /usr/lib o
+	/ h
+	-CAP_ALL
+	connect disabled
+	bind disabled
+
+subject /usr/lib32 o
+	/ h
+	-CAP_ALL
+	connect disabled
+	bind disabled
+
+subject /usr/lib/ld-linux.so.2 o
+	/ h
+	-CAP_ALL
+	connect disabled
+	bind disabled
+
+subject /usr/lib/ld-linux-x86-64.so.2 o
+	/ h
+	-CAP_ALL
+	connect disabled
+	bind disabled
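Review bot: The sshd subject grants `/usr/libx32 rx` next to `/usr/lib rx` and `/usr/lib32 rx`, but the "prevent ld.so breakouts" lockdown at the end of the file only adds deny-all subjects for `/usr/lib`, `/usr/lib32` and the two named loaders, so anything executed out of `/usr/libx32` — should that tree exist on the host — would run under the default role's permissive subject instead. Either drop the `/usr/libx32 rx` line from the sshd subject (I am not aware of an x32 multilib tree on Arch x86_64, but that is not something this hunk shows) or add a matching lockdown subject as below. Separately, the default-role subject lists `-CAP_NET_RAW` twice in its capability block; the second occurrence is redundant and can be removed. Since this is an archrelease copy and the deleted version carries the same content, the change belongs in gradm/trunk/policy rather than the repo copy.
```text
# … unchanged: subject /usr/lib32 o block …

# lock down the x32 library tree the same way, since the sshd subject is granted /usr/libx32 rx
subject /usr/libx32 o
	/ h
	-CAP_ALL
	connect disabled
	bind disabled

# … unchanged: loader subjects for ld-linux.so.2 and ld-linux-x86-64.so.2 …
```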


