
#This configuration file aids the learning process by tweaking
#the learning algorithm for specific paths.
#
#It accepts lines in the form of <command> <pathname>
#Where <command> can be inherit-learn, no-learn, inherit-no-learn,
#high-reduce-path, dont-reduce-path, protected-path, high-protected-path,
#read-protected-path, and always-reduce-path
#
#inherit-learn, no-learn, and inherit-no-learn operate only with
#full learning
#
#high-reduce-path, dont-reduce-path, always-reduce-path, protected-path,
#and high-protected-path operate on both full and regular learning
#(subject and role learning)
#
#inherit-learn changes the learning process for the specified path
#by throwing all learned accesses for every binary executed by the
#processes contained in the pathname into the subject specified
#by the pathname. This is useful for cron in the case of full
#system learning, so that scripts that eventually end up executing
#mv or rm with privilege don't cause the root policy to grant
#that privilege to mv or rm in all cases.
#
#no-learn allows processes within the path to perform any operation
#that normal system usage would allow without restriction. If
#a process is generating a huge number of learning logs, it may be
#best to use this command on that process and configure its policy
#manually.
#
#inherit-no-learn combines the above two cases, such that processes
#within the specified path will be able to perform any normal system
#operation without restriction as will any binaries executed by
#these processes.
#
#high-reduce-path modifies the heuristics of the learning process
#to weight in favor of reducing accesses for this path
#
#dont-reduce-path modifies the heuristics of the learning process
#so that it will never reduce accesses for this path
#
#always-reduce-path modifies the heuristics of the learning process
#so that the path specified will always have all files and directories
#within it reduced to the path specified.
#
#protected-path specifies a path on your system that is considered an
#important resource. Any process that modifies one of these paths
#is given its own subject in the learning process, facilitating
#a secure policy.
#
#read-protected-path specifies a path on your system that contains
#sensitive information. Any process that reads one of these paths is
#given its own subject in the learning process, facilitating a secure
#policy.
#
#high-protected-path specifies a path that should be hidden from
#all processes but those that access it directly. It is recommended
#to use this command only for highly sensitive files.
#
#regular expressions are not supported for pathnames in this config file
#
#
# uncomment this next line if you don't wish to generate a policy that
# restricts roles to specific IP ranges:
# dont-learn-allowed-ips
#
# to write out your generated policy such that roles are split into separate
# files by the name of the role (within user/group directories), uncomment
# the next line:
# split-roles
#
# always-reduce-path: every file and directory below these is collapsed to
# the listed path in the generated policy. Pseudo-terminals, mail-spool
# scratch areas, locale/timezone/terminfo data and the temp directories.
always-reduce-path /dev/pts
always-reduce-path /var/spool/qmailscan/tmp
always-reduce-path /var/spool/exim4
always-reduce-path /run/screen
always-reduce-path /usr/share/locale
always-reduce-path /usr/share/zoneinfo
always-reduce-path /usr/share/terminfo
always-reduce-path /tmp
always-reduce-path /var/tmp
#
# high-reduce-path: heuristics are weighted towards reducing accesses here.
# Libraries, modules and binaries are listed under /usr/lib*, /usr/bin and
# /usr/sbin, i.e. a merged-/usr layout; /lib, /bin and /sbin are not listed.
# NOTE(review): presumably the top-level /lib, /bin, /sbin symlinks resolve
# to these entries in the learning logs — confirm on the target system.
high-reduce-path /dev/.udev
high-reduce-path /dev/mapper
high-reduce-path /dev/snd
high-reduce-path /proc
high-reduce-path /usr/lib/security
high-reduce-path /usr/lib/modules
high-reduce-path /usr/lib
high-reduce-path /usr/lib32
high-reduce-path /usr/libx32
high-reduce-path /usr/lib/tls
high-reduce-path /usr/lib32/tls
high-reduce-path /usr/libx32/tls
high-reduce-path /usr/lib/libreoffice
high-reduce-path /var/lib
high-reduce-path /usr/bin
high-reduce-path /usr/sbin
high-reduce-path /usr/local/share
high-reduce-path /usr/local/bin
high-reduce-path /usr/local/sbin
high-reduce-path /usr/local/etc
high-reduce-path /usr/local/lib
high-reduce-path /usr/share
high-reduce-path /usr/X11R6/lib
high-reduce-path /var/lib/openldap-data
high-reduce-path /var/lib/krb5kdc
#
# dont-reduce-path: accesses are never reduced to these top-level
# directories, so the generated policy cannot collapse into a blanket
# grant on /, /home, /dev, /usr, /var or /opt.
dont-reduce-path /
dont-reduce-path /home
dont-reduce-path /dev
dont-reduce-path /usr
dont-reduce-path /var
dont-reduce-path /opt
#
# protected-path: a process that modifies one of these gets its own
# subject in the learned policy instead of sharing a generic one.
# /dev/log is the syslog socket; /run, /sys and /boot are included as
# well as the usual system trees.
protected-path /etc
protected-path /boot
protected-path /run
protected-path /usr
protected-path /opt
protected-path /var
protected-path /dev/log
protected-path /root
protected-path /sys
#
# read-protected-path: a process that reads one of these gets its own
# subject. Covers the SSH host keys, kernel symbol/memory/module
# information under /proc, the module tree, the password-hash files
# (including the shadow-/gshadow- backup copies) and /sys.
# NOTE(review): /etc/sudoers and /etc/sudoers.d are not listed in this
# section or the next; confirm whether they should be on this system.
read-protected-path /etc/ssh
read-protected-path /proc/kallsyms
read-protected-path /proc/kcore
read-protected-path /proc/slabinfo
read-protected-path /proc/modules
read-protected-path /usr/lib/modules
read-protected-path /boot
read-protected-path /etc/shadow
read-protected-path /etc/shadow-
read-protected-path /etc/gshadow
read-protected-path /etc/gshadow-
read-protected-path /sys
#
# high-protected-path: hidden from every process except those that
# access the path directly. Beyond the read-protected set above this
# adds /proc/sys and /proc/bus, the raw memory and I/O port devices,
# the syslog socket, /var/log and /var/backups, and the PPP and Samba
# credential stores. Several paths (e.g. /etc/ssh, /boot, /sys,
# /usr/lib/modules) appear in more than one section; presumably
# intentional, since reduction and protection are separate controls.
high-protected-path /etc/ssh
high-protected-path /proc/kcore
high-protected-path /proc/sys
high-protected-path /proc/bus
high-protected-path /proc/slabinfo
high-protected-path /proc/modules
high-protected-path /proc/kallsyms
high-protected-path /etc/passwd
high-protected-path /etc/shadow
high-protected-path /var/backups
high-protected-path /etc/shadow-
high-protected-path /etc/gshadow
high-protected-path /etc/gshadow-
high-protected-path /var/log
high-protected-path /dev/mem
high-protected-path /dev/kmem
high-protected-path /dev/port
high-protected-path /dev/log
high-protected-path /sys
high-protected-path /etc/ppp
high-protected-path /etc/samba/smbpasswd
#to protect kernel images
# (together with the installed module tree and the kernel sources)
high-protected-path /boot
high-protected-path /usr/lib/modules
high-protected-path /usr/src
#
# inherit-learn: accesses learned for scripts started from the cron
# drop-in directories are attributed to the cron subject itself, so a
# privilege one script needs is not granted to mv, rm, etc. globally
# (see the inherit-learn description in the header).
inherit-learn /etc/cron.d
inherit-learn /etc/cron.hourly
inherit-learn /etc/cron.daily
inherit-learn /etc/cron.weekly
inherit-learn /etc/cron.monthly