Diffstat (limited to 'kernels/gradm/learn_config')
-rw-r--r-- | kernels/gradm/learn_config | 169 |
1 files changed, 169 insertions, 0 deletions
diff --git a/kernels/gradm/learn_config b/kernels/gradm/learn_config
new file mode 100644
index 000000000..24c4cbc25
--- /dev/null
+++ b/kernels/gradm/learn_config
@@ -0,0 +1,169 @@
+#This configuration file aids the learning process by tweaking
+#the learning algorithm for specific paths.
+#
+#It accepts lines in the form of <command> <pathname>
+#Where <command> can be inherit-learn, no-learn, inherit-no-learn,
+#high-reduce-path, dont-reduce-path, protected-path, high-protected-path,
+#read-protected-path, and always-reduce-path
+#
+#inherit-learn, no-learn, and inherit-no-learn operate only with
+#full learning
+#
+#high-reduce-path, dont-reduce-path, always-reduce-path, protected-path,
+#and high-protected-path operate on both full and and regular learning
+#(subject and role learning)
+#
+#inherit-learn changes the learning process for the specified path
+#by throwing all learned accesses for every binary executed by the
+#processes contained in the pathname into the subject specified
+#by the pathname. This is useful for cron in the case of full
+#system learning, so that scripts that eventually end up executing
+#mv or rm with privilege don't cause the root policy to grant
+#that privilege to mv or rm in all cases.
+#
+#no-learn allows processes within the path to perform any operation
+#that normal system usage would allow without restriction. If
+#a process is generating a huge number of learning logs, it may be
+#best to use this command on that process and configure its policy
+#manually.
+#
+#inherit-no-learn combines the above two cases, such that processes
+#within the specified path will be able to perform any normal system
+#operation without restriction as will any binaries executed by
+#these processes.
+#
+#high-reduce-path modifies the heuristics of the learning process
+#to weight in favor of reducing accesses for this path
+#
+#dont-reduce-path modifies the heuristics of the learning process
+#so that it will never reduce accesses for this path
+#
+#always-reduce-path modifies the heuristics of the learning process
+#so that the path specified will always have all files and directories
+#within it reduced to the path specified.
+#
+#protected-path specifies a path on your system that is considered an
+#important resource. Any process that modifies one of these paths
+#is given its own subject in the learning process, facilitating
+#a secure policy.
+#
+#read-protected-path specifies a path on your system that contains
+#sensitive information. Any process that reads one of these paths is
+#given its own subject in the learning process, facilitating a secure
+#policy.
+#
+#high-protected-path specifies a path that should be hidden from
+#all processes but those that access it directly. It is recommended
+#to use highly sensitive files for this command.
+#
+#regular expressions are not supported for pathnames in this config file
+#
+#
+# uncomment this next line if you don't wish to generate a policy that
+# restricts roles to specific IP ranges:
+# dont-learn-allowed-ips
+#
+# to write out your generated policy such that roles are split into separate
+# files by the name of the role (within user/group directories), uncomment
+# the next line:
+# split-roles
+
+always-reduce-path /dev/pts
+always-reduce-path /var/spool/qmailscan/tmp
+always-reduce-path /var/spool/exim4
+always-reduce-path /var/run/screen
+always-reduce-path /usr/share/locale
+always-reduce-path /usr/share/zoneinfo
+always-reduce-path /usr/share/terminfo
+always-reduce-path /tmp
+always-reduce-path /var/tmp
+
+high-reduce-path /dev/.udev
+high-reduce-path /dev/mapper
+high-reduce-path /dev/snd
+high-reduce-path /proc
+high-reduce-path /usr/lib
+high-reduce-path /usr/lib/tls
+high-reduce-path /usr/lib/libreoffice
+high-reduce-path /usr/lib32
+high-reduce-path /usr/lib32/tls
+high-reduce-path /usr/lib64
+high-reduce-path /usr/lib64/tls
+high-reduce-path /var/lib
+high-reduce-path /usr/bin
+high-reduce-path /usr/sbin
+high-reduce-path /usr/local/share
+high-reduce-path /usr/local/bin
+high-reduce-path /usr/local/sbin
+high-reduce-path /usr/local/etc
+high-reduce-path /usr/local/lib
+high-reduce-path /usr/share
+high-reduce-path /usr/X11R6/lib
+high-reduce-path /var/lib/openldap-data
+high-reduce-path /var/lib/krb5kdc
+
+dont-reduce-path /
+dont-reduce-path /home
+dont-reduce-path /dev
+dont-reduce-path /usr
+dont-reduce-path /var
+dont-reduce-path /opt
+
+protected-path /boot
+protected-path /dev/log
+protected-path /etc
+protected-path /opt
+protected-path /root
+protected-path /run
+protected-path /sys
+protected-path /usr
+protected-path /var
+
+read-protected-path /etc/ssh
+read-protected-path /proc/kallsyms
+read-protected-path /proc/kcore
+read-protected-path /proc/slabinfo
+read-protected-path /proc/modules
+read-protected-path /usr/lib/modules
+read-protected-path /usr/lib64/modules
+read-protected-path /boot
+read-protected-path /etc/shadow
+read-protected-path /etc/shadow-
+read-protected-path /etc/gshadow
+read-protected-path /etc/gshadow-
+read-protected-path /sys
+
+high-protected-path /etc/ssh
+high-protected-path /proc/kcore
+high-protected-path /proc/sys
+high-protected-path /proc/bus
+high-protected-path /proc/slabinfo
+high-protected-path /proc/modules
+high-protected-path /proc/kallsyms
+high-protected-path /etc/passwd
+high-protected-path /etc/shadow
+high-protected-path /var/backups
+high-protected-path /etc/shadow-
+high-protected-path /etc/gshadow
+high-protected-path /etc/gshadow-
+high-protected-path /var/log
+high-protected-path /dev/mem
+high-protected-path /dev/kmem
+high-protected-path /dev/port
+high-protected-path /dev/log
+high-protected-path /sys
+high-protected-path /etc/ppp
+high-protected-path /etc/samba/smbpasswd
+#to protect kernel images
+high-protected-path /boot
+high-protected-path /usr/lib/modules
+high-protected-path /usr/lib64/modules
+high-protected-path /usr/src
+
+inherit-learn /etc/cron.d
+inherit-learn /etc/cron.hourly
+inherit-learn /etc/cron.daily
+inherit-learn /etc/cron.weekly
+inherit-learn /etc/cron.monthly
+inherit-learn /etc/init.d
+inherit-learn /etc/rc.d/init.d |
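Review bot: The kernel-module entries under `#to protect kernel images` (and the matching read-protected-path lines) name only `/usr/lib/modules` and `/usr/lib64/modules`, so on a host where `/lib` is a real directory rather than a merged-usr symlink a module tree under `/lib/modules` would be neither read-protected nor hidden, which is exactly what this section is meant to prevent. The file itself states that regular expressions are not supported for pathnames, and I would not rely on gradm following the `/lib` symlink without confirming it, so adding `read-protected-path /lib/modules` and `high-protected-path /lib/modules` (plus the `/lib64/modules` equivalents) keeps the policy correct on both layouts at no cost on merged-usr images where the paths coincide. Separately, `high-protected-path /etc/passwd` departs from the header's own guidance to reserve that command for highly sensitive files: /etc/passwd is world-readable and is opened by almost every process through NSS, so hiding it from processes that do not open it directly adds little protection while making learned policies for tools that enumerate /etc more fragile; if it was added deliberately, a one-line comment saying why would help the next maintainer.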