# Sample default process ACL for grsecurity

# Default subject: applies to every process not matched by one of the more
# specific subjects further down. Object modes used in this file:
#   r = read, w = write, x = execute, h = hidden (object not visible to the
#   process). A more specific path entry takes precedence over its parent.
/ {
	/		r
	/opt		rx
	# Writable and executable home directories for all default processes.
	/home		rwx
	/mnt		rw
	# /dev itself carries no mode letters; presumably only the device nodes
	# listed explicitly below are usable -- confirm against the gradm version in use.
	/dev
	/dev/urandom	r
	/dev/random	r
	/dev/zero	rw
	/dev/input	rw
	/dev/psaux	rw
	/dev/null	rw
	# '?' matches a single character (tty0..tty9, ttyp0..ttypf, ...).
	/dev/tty?	rw
	/dev/console	rw
	/dev/tty	rw
	/dev/ttyp?	rw
	/dev/pts	rw
	/dev/ptmx	rw
	/dev/dsp	rw
	/dev/mixer	rw
	/dev/fd0	r
	/dev/cdrom	r
	# Raw physical memory and I/O-port devices are hidden from default processes.
	/dev/mem	h
	/dev/kmem	h
	/dev/port	h
	/bin		rx
	/sbin		rx
	/lib		rx
	/usr		rx
	/etc		rx
	# SSH host keys/config are hidden here; the /usr/sbin/sshd subject re-grants read.
	/etc/ssh	h
	/proc		rwx
	# The kernel core image is hidden; /proc/sys is read-only by default.
	/proc/kcore	h
	/proc/sys	r
	/root		r
	# /tmp is writable but not executable under this subject.
	/tmp		rw
	/var		rwx
	/var/tmp	rw
	/var/log	r
	# Kernel images and the grsecurity policy directory are hidden.
	/boot		h
	/etc/grsec	h
	
	# Capabilities removed from every process under this subject. A more
	# specific subject may add one back with a +CAP_... line (see sshd).
	-CAP_SYS_TTY_CONFIG
	-CAP_LINUX_IMMUTABLE
	-CAP_NET_RAW
	-CAP_MKNOD
	-CAP_SYS_ADMIN
	-CAP_SYS_RAWIO
	-CAP_SYS_MODULE
	-CAP_SYS_PTRACE
	-CAP_NET_ADMIN
	-CAP_NET_BIND_SERVICE
	-CAP_SYS_CHROOT
}

# init: needs the initctl FIFO, which the default subject does not list under /dev.
/sbin/init {
	/dev/initctl rw
}

# syslogd: reads the syslog socket and writes log files. /var/log is 'w'
# only, overriding the default subject's read-only entry for the same path
# (assuming a subject's own entry replaces the default's for that path).
/sbin/syslogd {
	/dev/log rw
	/var/log w
}

# klogd: forwards kernel messages to the syslog socket.
/sbin/klogd {
	/dev/log rw
}

# cron: syslog socket access only; everything else comes from the default subject.
/usr/sbin/cron {
	/dev/log rw
}

# crond: same as /usr/sbin/cron, for distributions that install it under this name.
/usr/sbin/crond {
	/dev/log rw
}

# xinetd: subject flag 'p' (presumably marks the process as protected --
# confirm in the gradm documentation for the version in use).
/usr/sbin/xinetd p {
	/dev/log rw
}

# inetd: same subject flag and objects as xinetd above.
/usr/sbin/inetd p {
	/dev/log rw
}

# anacron: syslog socket access only.
/usr/sbin/anacron {
	/dev/log rw
}

# login: syslog socket access only; tty nodes are already rw in the default subject.
/bin/login {
	/dev/log rw
}

# the d flag protects /proc fd and mem entries for sshd
# sshd: the only subject allowed to read /etc/ssh (hidden in the default
# subject). Re-grants the two capabilities it needs that the default
# subject removes; all other -CAP_ removals still apply.
/usr/sbin/sshd dp {
	/etc/ssh r
	/dev/log rw
	# Needed for terminal configuration on login sessions.
	+CAP_SYS_TTY_CONFIG
	# Needed for privilege-separation chroot.
	+CAP_SYS_CHROOT
}

# tcpd (TCP wrappers): syslog socket access only.
/usr/sbin/tcpd {
	/dev/log rw
}
