[grsec] Contribution: Script to split the policy

Marc Schiffbauer marc at schiffbauer.net
Wed Mar 30 12:11:32 EST 2005


Hi,

I wrote this little script which splits a generated policy file into
several files to make it easier to maintain.

The script will make one directory for every role prefixed by
"role.user_", "role.group_" or "role.special_" depending on the role type.

Under that there will be a directory structure for the subjects,
where the "/" subject is represented by the file called _root.

The main policy file includes all include files found in the
subdirectories, which themselves include the single subject files.

The script will produce a hierarchy like:

policy
policy.d/
policy.d/role.default
policy.d/role.default/include
policy.d/role.default/_root
policy.d/role.user_list
policy.d/role.user_list/include
policy.d/role.user_list/_root
policy.d/role.user_list/usr
policy.d/role.user_list/usr/bin
policy.d/role.user_list/usr/bin/python2.2
policy.d/role.user_list/usr/lib
policy.d/role.user_list/usr/lib/mailman
policy.d/role.user_list/usr/lib/mailman/bin
policy.d/role.user_list/usr/lib/mailman/bin/mailmanctl
policy.d/role.user_list/usr/lib/mailman/cron
policy.d/role.user_list/usr/lib/mailman/cron/checkdbs
policy.d/role.user_list/usr/lib/mailman/cron/disabled
policy.d/role.user_list/usr/lib/mailman/cron/nightly_gzip
policy.d/role.user_root
policy.d/role.user_root/include
policy.d/role.user_root/_root
policy.d/role.user_root/bin
policy.d/role.user_root/bin/bash
policy.d/role.user_root/bin/cat
policy.d/role.user_root/bin/mkdir
policy.d/role.user_root/bin/mktemp
policy.d/role.user_root/bin/mv
policy.d/role.user_root/bin/ps
policy.d/role.user_root/bin/rm
policy.d/role.user_root/bin/su
policy.d/role.user_root/etc
policy.d/role.user_root/etc/cron.daily
policy.d/role.user_root/home
policy.d/role.user_root/home/backup
policy.d/role.user_root/home/htdocs
[...]

-Marc

---------------------------------------------------------
#!/bin/bash
#
# split a one-file policy into several files, one dir per role, one
# file per subject
#
# Marc Schiffbauer <marc at schiffbauer.net>, 2005
#

test "$1" || {
  echo "Syntax: $(basename "$0") <policy file>"
  exit 1
}

test -f "$1" || {
  echo "File not found: $1"
  exit 1
}

POLICY="$1"
P_DIR="/etc/grsec/new.policy.d"
P_FILE="/etc/grsec/new.policy"

mkdir -p "$P_DIR"
echo "# master policy file for split policies - created by $(basename "$0")" > "$P_FILE"
echo "#" >> "$P_FILE"
echo ""  >> "$P_FILE"
mv "$POLICY" "${POLICY}.big"

# empty IFS so that read keeps the indentation of the policy lines
IFS=""
while read -r LINE; do
  # test for start of new role
  test "${LINE:0:5}" == "role " && {
    unset S_NAME

    R_TYPE="$(echo "$LINE"|cut -d' ' -f3)"
    R_NAME="$(echo "$LINE"|cut -d' ' -f2)"

    if [ "${R_TYPE:0:1}" == "u" ]; then
      R_DIR="$P_DIR/role.user_$R_NAME"
    elif [ "${R_TYPE:0:1}" == "g" ]; then
      R_DIR="$P_DIR/role.group_$R_NAME"
    elif [ "${R_TYPE:0:1}" == "s" ]; then
      R_DIR="$P_DIR/role.special_$R_NAME"
    elif [ "$R_NAME" == "default" ]; then
      R_DIR="$P_DIR/role.default"
    else
      # never file a role silently under the previous role's directory
      echo "Unknown role type in line: $LINE"
      exit 1
    fi

    echo "Creating policy directory $R_DIR"
    mkdir -p "$R_DIR"

    echo "include <$R_DIR/include>" >> "$P_FILE"

    echo "# include file for role '$R_NAME' - created by $(basename "$0")" > "$R_DIR/include"
    echo "#" >> "$R_DIR/include"
    echo ""  >> "$R_DIR/include"
    # the role line itself has to stay in the policy
    echo "$LINE" >> "$R_DIR/include"
    continue
  }

  # test for start of new subject
  test "${LINE:0:8}" == "subject " && {
    S_NAME="$(echo "$LINE"|cut -d' ' -f2)"
    if [ "$S_NAME" == "/" ]; then
      S_NAME_FILE="_root"
    else
      S_NAME_FILE="${S_NAME#/}"
    fi
    mkdir -p "$(dirname "$R_DIR/$S_NAME_FILE")"
    echo "include <$R_DIR/$S_NAME_FILE>" >> "$R_DIR/include"
    echo "$LINE" > "$R_DIR/$S_NAME_FILE"
    echo "Created new subject file $R_DIR/$S_NAME_FILE"
    continue
  }

  # everything else belongs to the current subject, or to the role
  # itself (role_transitions etc.) before its first subject
  if [ "$S_NAME" ]; then
    echo "$LINE" >> "$R_DIR/$S_NAME_FILE"
  elif [ "$R_DIR" ]; then
    echo "$LINE" >> "$R_DIR/include"
  fi
done < "${POLICY}.big"
---------------------------------------------------------


-- 
<NES> *lol* I download something from Napster
<NES> And the same guy I downloaded it from starts downloading it from me when I'm done
<NES> I message him and say "What are you doing? I just got that from you"
<NES> "getting my song back fscker"
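A way to check that a split tree still says exactly what the one-file policy said, as an added example that is not part of Marc's script: it expands every include <...> line recursively, the way the master file is meant to be read, and diffs the result against the original policy, ignoring comment and blank lines. A line the splitter dropped or duplicated (a role_transitions line, say, which decides who may switch into the admin role) shows up in the diff and fails the check. The sample policy and split tree it writes under a temporary directory are constructed for the demonstration; make_sample and its drop flag are assumptions of the example, not anything from the post.

```bash
#!/bin/bash
# Round-trip check for a split grsecurity policy tree (added example).

# expand_includes FILE: print FILE with each "include <path>" line replaced
# by the recursively expanded contents of that path.
expand_includes() {
    local file="$1" line inc
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "include <"*">")
                inc="${line#"include <"}"
                inc="${inc%">"}"
                if [ ! -f "$inc" ]; then
                    echo "missing include: $inc" >&2
                    return 1
                fi
                expand_includes "$inc" || return 1
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done < "$file"
}

# normalize: drop comment-only and blank lines from stdin; they carry no
# policy semantics and the splitter adds its own header comments.
normalize() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$'
    return 0
}

# check_roundtrip ORIGINAL MASTER: returns 0 when the tree behind MASTER
# reassembles to ORIGINAL, non-zero (with the diff on stdout) otherwise.
# A missing include file truncates the expansion and so also fails the diff.
check_roundtrip() {
    local a b rc
    a=$(mktemp) && b=$(mktemp) || return 2
    normalize < "$1" > "$a"
    expand_includes "$2" | normalize > "$b"
    diff "$a" "$b"
    rc=$?
    rm -f "$a" "$b"
    return $rc
}

# make_sample DIR [drop]: write a constructed one-file policy plus a split
# copy of it under DIR (assumed layout, mirroring the post's hierarchy).
# With a second argument the split copy omits the role_transitions line,
# simulating a splitter that lost a role-level line.
make_sample() {
    local d="$1" drop="$2" p="$1/policy.d"
    mkdir -p "$p/role.default" "$p/role.user_root/bin"
    printf '%s\n' \
        'role default G' 'role_transitions admin' \
        'subject / {' '    /    r' '}' \
        'role root uG' \
        'subject / {' '    /    r' '}' \
        'subject /bin/bash o {' '    /bin/bash    x' '}' > "$d/policy.big"
    {
        echo "# master policy file for split policies"
        echo "include <$p/role.default/include>"
        echo "include <$p/role.user_root/include>"
    } > "$d/policy"
    {
        echo 'role default G'
        [ -n "$drop" ] || echo 'role_transitions admin'
        echo "include <$p/role.default/_root>"
    } > "$p/role.default/include"
    printf '%s\n' 'subject / {' '    /    r' '}' > "$p/role.default/_root"
    {
        echo 'role root uG'
        echo "include <$p/role.user_root/_root>"
        echo "include <$p/role.user_root/bin/bash>"
    } > "$p/role.user_root/include"
    printf '%s\n' 'subject / {' '    /    r' '}' > "$p/role.user_root/_root"
    printf '%s\n' 'subject /bin/bash o {' '    /bin/bash    x' '}' \
        > "$p/role.user_root/bin/bash"
}

# Usage on a real split: check_roundtrip /etc/grsec/policy.big /etc/grsec/new.policy
```

Run the check before the split tree replaces the original policy; an empty diff means the tree is safe to load, anything else points at the exact line that went missing or moved.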
