File: learn_config

package: gradm2 2.1.11-2 (Debian, suite lenny)
#This configuration file aids the learning process by tweaking
#the learning algorithm for specific paths.
#
#It accepts lines in the form of <command> <pathname>
#Where <command> can be inherit-learn, no-learn, inherit-no-learn,
#high-reduce-path, dont-reduce-path, protected-path, high-protected-path,
#and always-reduce-path
#
#inherit-learn, no-learn, and inherit-no-learn operate only with
#full learning
#
#high-reduce-path, dont-reduce-path, always-reduce-path, protected-path,
#and high-protected-path operate on both full and regular learning
#(subject and role learning)
#
#inherit-learn changes the learning process for the specified path
#by throwing all learned accesses for every binary executed by the
#processes contained in the pathname into the subject specified
#by the pathname.  This is useful for cron in the case of full
#system learning, so that scripts that eventually end up executing
#mv or rm with privilege don't cause the root policy to grant
#that privilege to mv or rm in all cases.
#
#no-learn allows processes within the path to perform any operation
#that normal system usage would allow without restriction.  If
#a process is generating a huge number of learning logs, it may be
#best to use this command on that process and configure its policy
#manually.
#
#inherit-no-learn combines the above two cases, such that processes
#within the specified path will be able to perform any normal system
#operation without restriction as will any binaries executed by
#these processes.
#
#high-reduce-path modifies the heuristics of the learning process
#to weight in favor of reducing accesses for this path
#
#dont-reduce-path modifies the heuristics of the learning process
#so that it will never reduce accesses for this path
#
#always-reduce-path modifies the heuristics of the learning process
#so that the path specified will always have all files and directories
#within it reduced to the path specified.
#
#protected-path specifies a path on your system that is considered an
#important resource.  Any process that modifies one of these paths
#is given its own subject in the learning process, facilitating
#a secure policy.
#
#high-protected-path specifies a path that should be hidden from
#all processes but those that access it directly.  It is recommended
#to use highly sensitive files for this command.
#
#regular expressions are not supported for pathnames in this config file

always-reduce-path /dev/pts
always-reduce-path /var/spool/qmailscan/tmp
always-reduce-path /var/spool/exim4
always-reduce-path /var/run/screen
always-reduce-path /usr/share/locale
always-reduce-path /usr/share/zoneinfo
always-reduce-path /usr/share/terminfo
always-reduce-path /usr/portage
always-reduce-path /tmp
always-reduce-path /var/tmp

high-reduce-path /proc
high-reduce-path /lib
high-reduce-path /lib64
high-reduce-path /lib/tls
high-reduce-path /lib64/tls
high-reduce-path /lib/security
high-reduce-path /lib/modules
high-reduce-path /usr/lib
high-reduce-path /usr/lib/tls
high-reduce-path /usr/lib64/tls
high-reduce-path /var/lib
high-reduce-path /usr/bin
high-reduce-path /usr/sbin
high-reduce-path /sbin
high-reduce-path /bin
high-reduce-path /usr/local/share
high-reduce-path /usr/local/bin
high-reduce-path /usr/local/sbin
high-reduce-path /usr/local/etc
high-reduce-path /usr/local/lib
high-reduce-path /usr/share
high-reduce-path /usr/X11R6/lib

dont-reduce-path /
dont-reduce-path /home
dont-reduce-path /dev
dont-reduce-path /usr
dont-reduce-path /var
dont-reduce-path /opt

protected-path /etc
protected-path /lib
protected-path /boot
protected-path /usr
protected-path /opt
protected-path /var
protected-path /dev/log
protected-path /root

high-protected-path /etc/ssh
high-protected-path /proc/kcore
high-protected-path /proc/sys
high-protected-path /proc/bus
high-protected-path /etc/passwd
high-protected-path /etc/shadow
high-protected-path /etc/shadow-
high-protected-path /etc/gshadow
high-protected-path /etc/gshadow-
high-protected-path /var/log
high-protected-path /dev/mem
high-protected-path /dev/kmem
high-protected-path /dev/port
high-protected-path /dev/log
high-protected-path /sys
high-protected-path /etc/ppp/chap-secrets
high-protected-path /etc/ppp/pap-secrets
high-protected-path /etc/samba/smbpasswd
#to protect kernel images
high-protected-path /boot
high-protected-path /usr/src

inherit-learn /etc/cron.d
inherit-learn /etc/cron.hourly
inherit-learn /etc/cron.daily
inherit-learn /etc/cron.weekly
inherit-learn /etc/cron.monthly
inherit-learn /etc/init.d
inherit-learn /etc/rc.d/init.d
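The header comment above defines the file as two-token `<command> <pathname>` lines with eight known directives, three of which (inherit-learn, no-learn, inherit-no-learn) take effect only under full learning, and states that regular expressions are not supported in pathnames. The following Python linter is an added example, not code from gradm or from this Debian package: it checks a learn_config file against exactly those stated rules. The extra check for a single path that carries both dont-reduce-path and a reduce directive, and the sample input, are assumptions of this example rather than anything gradm itself enforces.

```python
"""Lint a gradm learn_config file against the rules its header comment states.

Added example; not part of gradm. The conflict check and the sample input are
constructions of this example, not behaviour documented by gradm.
"""
import re

# The eight directives named in the header, split by the learning mode they affect.
FULL_LEARNING_ONLY = {"inherit-learn", "no-learn", "inherit-no-learn"}
BOTH_MODES = {
    "high-reduce-path", "dont-reduce-path", "always-reduce-path",
    "protected-path", "high-protected-path",
}
KNOWN_COMMANDS = FULL_LEARNING_ONLY | BOTH_MODES

# Characters that suggest a glob or regular expression was written where the
# header says only literal pathnames are accepted.
_PATTERN_HINT = re.compile(r"[*?\[\]|]")


def parse_learn_config(text):
    """Parse learn_config text.

    Returns (entries, problems): entries is a list of (lineno, command, path)
    for every line that names a known command; problems is a list of
    (lineno, message) for lines that violate the header's stated format.
    A line with a bad pathname is still recorded as an entry so later checks
    can reason about it.
    """
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and '#' comments carry no directive
        parts = line.split()
        if len(parts) != 2:
            problems.append((lineno, "expected '<command> <pathname>'"))
            continue
        command, path = parts
        if command not in KNOWN_COMMANDS:
            problems.append((lineno, f"unknown command {command!r}"))
            continue
        if not path.startswith("/"):
            problems.append((lineno, "pathname must be absolute"))
        if _PATTERN_HINT.search(path):
            problems.append((lineno, "regular expressions are not supported for pathnames"))
        entries.append((lineno, command, path))
    return entries, problems


def conflicting_reduce_paths(entries):
    """Assumed lint (not gradm behaviour): the same literal path told both to
    never reduce and to reduce; returns the affected paths, sorted."""
    by_path = {}
    for _, command, path in entries:
        by_path.setdefault(path, set()).add(command)
    reduce_cmds = {"high-reduce-path", "always-reduce-path"}
    return sorted(p for p, cmds in by_path.items()
                  if "dont-reduce-path" in cmds and cmds & reduce_cmds)


def full_learning_only_entries(entries):
    """Entries that the header says are ignored under regular (subject/role) learning."""
    return [(n, c, p) for n, c, p in entries if c in FULL_LEARNING_ONLY]


# Constructed sample in the file's own format: a few valid lines plus deliberate mistakes.
SAMPLE = """\
# constructed sample, not the shipped learn_config
always-reduce-path /tmp
high-reduce-path /usr/lib
dont-reduce-path /usr
inherit-learn /etc/cron.daily
protected-path /etc
high-protected-path /etc/shadow
reduce-path /var/cache
dont-reduce-path /tmp
always-reduce-path /var/log/*
no-learn relative/path
bad line with three parts
"""


if __name__ == "__main__":
    found, issues = parse_learn_config(SAMPLE)
    for lineno, message in issues:
        print(f"line {lineno}: {message}")
    for path in conflicting_reduce_paths(found):
        print(f"conflict: {path} has both dont-reduce-path and a reduce directive")
    for lineno, command, path in full_learning_only_entries(found):
        print(f"line {lineno}: {command} {path} only applies under full learning")
```

Running the module prints one line per problem; on the constructed sample it reports the unknown command on line 8, the pattern character on line 10, the relative path on line 11, the malformed line 12, the contradictory treatment of /tmp, and the two directives that would be silently ignored under regular subject or role learning.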