#This configuration file aids the learning process by tweaking
#the learning algorithm for specific paths.
#
#It accepts lines in the form of <command> <pathname>
#Where <command> can be inherit-learn, no-learn, inherit-no-learn,
#high-reduce-path, dont-reduce-path, protected-path, high-protected-path,
#read-protected-path, and always-reduce-path
#
#inherit-learn, no-learn, and inherit-no-learn operate only with
#full learning
#
#high-reduce-path, dont-reduce-path, always-reduce-path, protected-path,
#and high-protected-path operate on both full and regular learning
#(subject and role learning)
#
#inherit-learn changes the learning process for the specified path
#by throwing all learned accesses for every binary executed by the
#processes contained in the pathname into the subject specified
#by the pathname. This is useful for cron in the case of full
#system learning, so that scripts that eventually end up executing
#mv or rm with privilege don't cause the root policy to grant
#that privilege to mv or rm in all cases.
#
#no-learn allows processes within the path to perform any operation
#that normal system usage would allow without restriction. If
#a process is generating a huge number of learning logs, it may be
#best to use this command on that process and configure its policy
#manually.
#
#inherit-no-learn combines the above two cases, such that processes
#within the specified path will be able to perform any normal system
#operation without restriction as will any binaries executed by
#these processes.
#
#NOTE: no-learn and inherit-no-learn lift restrictions for the given
#path (and, with inherit-no-learn, for everything it executes). Keep
#such entries to a minimum and review any hand-written policy for them.
#
#high-reduce-path modifies the heuristics of the learning process
#to weight in favor of reducing accesses for this path
#
#dont-reduce-path modifies the heuristics of the learning process
#so that it will never reduce accesses for this path
#
#always-reduce-path modifies the heuristics of the learning process
#so that the path specified will always have all files and directories
#within it reduced to the path specified.
#
#protected-path specifies a path on your system that is considered an
#important resource. Any process that modifies one of these paths
#is given its own subject in the learning process, facilitating
#a secure policy.
#
#read-protected-path specifies a path on your system that contains
#sensitive information. Any process that reads one of these paths is
#given its own subject in the learning process, facilitating a secure
#policy.
#
#high-protected-path specifies a path that should be hidden from
#all processes but those that access it directly. It is recommended
#to use this command for highly sensitive files.
#
#regular expressions are not supported for pathnames in this config file
#
#
# uncomment this next line if you don't wish to generate a policy that
# restricts roles to specific IP ranges (doing so drops the IP-range
# restriction on roles from the generated policy):
# dont-learn-allowed-ips
#
# to write out your generated policy such that roles are split into separate
# files by the name of the role (within user/group directories), uncomment
# the next line:
# split-roles

# NOTE(review): the paths below assume a merged-/usr layout
# (/usr/lib/modules, /usr/bin rather than /lib/modules, /bin), and
# /var/abs looks distribution-specific -- confirm these paths exist on
# the target system before learning.

# Paths whose contents are always collapsed to the directory itself
# (see always-reduce-path above).
always-reduce-path /dev/pts
always-reduce-path /var/spool/qmailscan/tmp
always-reduce-path /var/spool/exim4
always-reduce-path /run/screen
always-reduce-path /usr/share/locale
always-reduce-path /usr/share/zoneinfo
always-reduce-path /usr/share/terminfo
always-reduce-path /var/abs
always-reduce-path /tmp
always-reduce-path /var/tmp

# Paths where the heuristics favour reducing learned accesses
# (see high-reduce-path above).
high-reduce-path /run/udev
high-reduce-path /dev/mapper
high-reduce-path /dev/snd
high-reduce-path /proc
high-reduce-path /usr/lib/security
high-reduce-path /usr/lib/modules
high-reduce-path /usr/lib
high-reduce-path /usr/lib32
high-reduce-path /usr/libx32
high-reduce-path /usr/lib/tls
high-reduce-path /usr/lib32/tls
high-reduce-path /usr/libx32/tls
high-reduce-path /usr/lib/libreoffice
high-reduce-path /var/lib
high-reduce-path /usr/bin
high-reduce-path /usr/sbin
high-reduce-path /usr/local/share
high-reduce-path /usr/local/bin
high-reduce-path /usr/local/sbin
high-reduce-path /usr/local/etc
high-reduce-path /usr/local/lib
high-reduce-path /usr/share
high-reduce-path /usr/X11R6/lib
high-reduce-path /var/lib/openldap-data
high-reduce-path /var/lib/krb5kdc

# Paths whose accesses are never reduced (see dont-reduce-path above).
dont-reduce-path /
dont-reduce-path /home
dont-reduce-path /dev
dont-reduce-path /usr
dont-reduce-path /var
dont-reduce-path /opt

# Important resources: a process that modifies one of these gets its own
# subject (see protected-path above).
protected-path /etc
protected-path /boot
protected-path /run
protected-path /usr
protected-path /opt
protected-path /var
protected-path /dev/log
protected-path /root
protected-path /sys

# Sensitive data: a process that reads one of these gets its own subject
# (see read-protected-path above).
read-protected-path /etc/ssh
read-protected-path /proc/kallsyms
read-protected-path /proc/kcore
read-protected-path /proc/slabinfo
read-protected-path /proc/modules
read-protected-path /usr/lib/modules
read-protected-path /boot
read-protected-path /etc/shadow
read-protected-path /etc/shadow-
read-protected-path /etc/gshadow
read-protected-path /etc/gshadow-
read-protected-path /sys

# Paths hidden from every process that was not seen accessing them
# directly (see high-protected-path above). Several of these (/boot,
# /etc/ssh, /etc/shadow*, /proc/kcore, /sys, /usr/lib/modules, /dev/log)
# are also listed under protected-path / read-protected-path above.
high-protected-path /etc/ssh
high-protected-path /proc/kcore
high-protected-path /proc/sys
high-protected-path /proc/bus
high-protected-path /proc/slabinfo
high-protected-path /proc/modules
high-protected-path /proc/kallsyms
# NOTE(review): /etc/passwd is hidden as well as the shadow files; any
# process that needs it but was not observed reading it during learning
# gets no access to it -- confirm this is intended for the target system.
high-protected-path /etc/passwd
high-protected-path /etc/shadow
high-protected-path /var/backups
high-protected-path /etc/shadow-
high-protected-path /etc/gshadow
high-protected-path /etc/gshadow-
high-protected-path /var/log
high-protected-path /dev/mem
high-protected-path /dev/kmem
high-protected-path /dev/port
high-protected-path /dev/log
high-protected-path /sys
high-protected-path /etc/ppp
high-protected-path /etc/samba/smbpasswd
#to protect kernel images
high-protected-path /boot
high-protected-path /usr/lib/modules
high-protected-path /usr/src

# Per the inherit-learn description above: accesses made by scripts run
# from these cron directories are attributed to the cron.* subject rather
# than to the binaries (mv, rm, ...) those scripts execute.
inherit-learn /etc/cron.d
inherit-learn /etc/cron.hourly
inherit-learn /etc/cron.daily
inherit-learn /etc/cron.weekly
inherit-learn /etc/cron.monthly