#sample default process acl for grsecurity
# Role flags:
# A -> This role is a "god" role, thus it has special privileges normal
#      roles do not have.  In particular, this role bypasses the
#      additional ptrace restrictions
# N -> Don't require authentication for this role.  To access
#      the role, use gradm -n <rolename>
# s -> This role is a special role, meaning it does not belong to a
#      user or group, and does not fall under ACL enforcement
# u -> This role is a user role
# g -> This role is a group role
# G -> This role can use gradm to authenticate to the kernel
#      An ACL for gradm will automatically be added to the role
#
# a role can only be one of user, group, or special
#
# role_allow_ip IP/optional netmask
# eg: role_allow_ip 192.168.1.0/24
# You can have as many of these per role as you want
# They restrict the use of a role to a list of IPs.  If a user
# on the system who would normally get the role does not belong
# to one of those IP lists, the system falls back through
# its method of determining a role for the user
#
# Role hierarchy
# user -> group -> default
# First a user role attempts to match, if one is not found,
# a group role attempts to match, if one is not found,
# the default role is used.
#
# role_transitions <special role 1> <special role 2> ... <special role n>
# eg: role_transitions www_admin dns_admin
#
# role transitions specify which special roles a given role is allowed
# to authenticate to.  This applies to special roles that do not
# require password authentication as well.  If a user tries to
# authenticate to a role that is not within his transition table, he
# will receive a permission denied error
#
# Nested subjects
# subject /bin/su:/bin/bash:/bin/cat
#	  / rwx
#	  +CAP_ALL
# grant privilege to specific processes if they are executed
# within a trusted path.  In this case, privilege is
# granted if /bin/cat is executed from /bin/bash, which is
# executed from /bin/su.
#
# Configuration inheritance on nested subjects
# nested subjects inherit rules from their parents.  In the
# example above, the nested subject would inherit rules
# from the nested subject for /bin/su:/bin/bash,
# and the subject /bin/su
# View the 1.9.x documentation for more information on
# configuration inheritance

# "admin": a special (s) role, so it is not tied to a user or group and is
# only entered by authenticating with gradm from a role whose
# role_transitions lists it (the default role below does).  There is no N
# flag, so that authentication requires a password.  A marks it as the
# "god" role, which also bypasses the additional ptrace restrictions.
role admin sA
# Single catch-all subject: every path readable, writable and executable,
# nothing hidden (so /etc/grsec and /dev/grsec are visible from here).
# i is the object "inherit" mode in grsecurity -- presumably processes
# exec'd by this subject keep its ACL; confirm against the 1.9.x docs.
subject /
	/ rwxi

# "default": the fallback role used when neither a user nor a group role
# matches (see "Role hierarchy" above).  G lets processes in this role run
# gradm to authenticate to the kernel; the only special role it may
# transition to is admin.
role default G
role_transitions admin
# Catch-all subject for every process in this role.  Object modes used
# below: r read, w write, x execute, h hidden (the object is not visible
# to the subject at all).  A path listed with no mode grants no access.
# The most specific (longest) matching path wins, so the entries under a
# prefix override the broader prefix above them.
subject /
	/		r
	/opt		rx
	/home		rwx
	/mnt		rw
# /dev is closed by default; only the device nodes listed below are usable.
	/dev
# grsecurity's own control device is hidden from the default role.
	/dev/grsec	h
	/dev/urandom	r
	/dev/random	r
	/dev/zero	rw
	/dev/input	rw
	/dev/psaux	rw
	/dev/null	rw
	/dev/tty0	rw
	/dev/tty1	rw
	/dev/tty2	rw
	/dev/tty3	rw
	/dev/tty4	rw
	/dev/tty5	rw
	/dev/tty6	rw
	/dev/tty7	rw
	/dev/tty8	rw
	/dev/console	rw
	/dev/tty	rw
	/dev/pts	rw
	/dev/ptmx	rw
	/dev/dsp	rw
	/dev/mixer	rw
	/dev/initctl	rw
	/dev/fd0	r
	/dev/cdrom	r
# Physical/kernel memory and raw port I/O are hidden rather than merely
# denied, so their existence is not even observable.
	/dev/mem	h
	/dev/kmem	h
	/dev/port	h
# System binaries, libraries and /etc are executable but not writable.
	/bin		rx
	/sbin		rx
	/lib		rx
	/usr		rx
	/etc		rx
	/proc		rwx
# Kernel core image hidden; /proc/sys read-only so sysctls cannot be changed.
	/proc/kcore	h
	/proc/sys	r
	/root		r
# NOTE(review): /home and /var are rwx, so anything written there can also
# be executed, whereas /tmp and /var/tmp are rw (no exec).  Consider
# dropping x from /home and /var if the deployment does not need writable
# + executable areas for this role.
	/tmp		rw
	/var		rwx
	/var/tmp	rw
	/var/log	r
	/boot		r
# The policy directory is hidden so the rules cannot be read or modified.
	/etc/grsec	h
	
# Capabilities removed from every process in this subject: changing
# immutable/append-only attributes, raw and packet sockets, creating
# device nodes, raw I/O (ioperm/iopl, /dev/mem access), and loading
# kernel modules.
	-CAP_LINUX_IMMUTABLE
	-CAP_NET_RAW
	-CAP_MKNOD
	-CAP_SYS_RAWIO
	-CAP_SYS_MODULE

# Disabled example: RES_AS would set the address-space resource limit
# (soft and hard values) for this subject.
#	RES_AS 100M 100M

# Disabled examples: socket rules that would restrict this subject to
# outbound TCP connections to port 22 on 192.168.1.0/24 and to binding
# TCP/UDP sockets on any local address; with no connect/bind rules
# present, no such restriction is applied here.
#	connect 192.168.1.0/24:22 stream tcp
#	bind	0.0.0.0 stream dgram tcp udp

