[grsec] Contribution: Script to split the policy
Marc Schiffbauer
marc at schiffbauer.net
Wed Mar 30 12:11:32 EST 2005
Hi,
I wrote this little script which splits a generated policy file into
several files to make it easier to maintain.
The script will make one directory for every role, prefixed by
"role.user_", "role.group_" or "role.special_" depending on the role type.
Under that there will be a directory structure for the subjects,
where the "/" subject is represented by the file called _root.
The main policy file includes all include files found in the
subdirectories, which themselves include the single subject files.
The script will produce a hierarchy like:
policy
policy.d/
policy.d/role.default
policy.d/role.default/include
policy.d/role.default/_root
policy.d/role.user_list
policy.d/role.user_list/include
policy.d/role.user_list/_root
policy.d/role.user_list/usr
policy.d/role.user_list/usr/bin
policy.d/role.user_list/usr/bin/python2.2
policy.d/role.user_list/usr/lib
policy.d/role.user_list/usr/lib/mailman
policy.d/role.user_list/usr/lib/mailman/bin
policy.d/role.user_list/usr/lib/mailman/bin/mailmanctl
policy.d/role.user_list/usr/lib/mailman/cron
policy.d/role.user_list/usr/lib/mailman/cron/checkdbs
policy.d/role.user_list/usr/lib/mailman/cron/disabled
policy.d/role.user_list/usr/lib/mailman/cron/nightly_gzip
policy.d/role.user_root
policy.d/role.user_root/include
policy.d/role.user_root/_root
policy.d/role.user_root/bin
policy.d/role.user_root/bin/bash
policy.d/role.user_root/bin/cat
policy.d/role.user_root/bin/mkdir
policy.d/role.user_root/bin/mktemp
policy.d/role.user_root/bin/mv
policy.d/role.user_root/bin/ps
policy.d/role.user_root/bin/rm
policy.d/role.user_root/bin/su
policy.d/role.user_root/etc
policy.d/role.user_root/etc/cron.daily
policy.d/role.user_root/home
policy.d/role.user_root/home/backup
policy.d/role.user_root/home/htdocs
[...]
-Marc
---------------------------------------------------------
#!/bin/bash
#
# split a one-file policy into several files, one dir per role, one
# file per subject
#
# Marc Schiffbauer <marc at schiffbauer.net>, 2005
#
test "$1" || {
    echo "Syntax: $(basename "$0") <policy file>"
    exit 1
}
test -f "$1" || {
    echo "File not found: $1"
    exit 1
}
POLICY="$1"
P_DIR="/etc/grsec/new.policy.d"
P_FILE="/etc/grsec/new.policy"

mkdir -p "$P_DIR" || exit 1
{
    echo "# master policy file for split policies - created by $(basename "$0")"
    echo "#"
    echo ""
} > "$P_FILE"

mv "$POLICY" "${POLICY}.big"

# OUT is the file the current line belongs to: the master file before the
# first role, the role's include file between "role" and its first
# "subject", and the subject file from the subject line on.
OUT="$P_FILE"
# IFS= keeps the tab indentation of object lines, -r keeps backslashes
while IFS= read -r LINE; do
    # test for start of new role: "role <name> <mode flags>"
    if [ "${LINE:0:5}" == "role " ]; then
        read -r _ R_NAME R_TYPE _ <<< "$LINE"
        # the first mode letter gives the role type; "default" has none
        if [ "$R_NAME" == "default" ]; then
            R_DIR="$P_DIR/role.default"
        elif [ "${R_TYPE:0:1}" == "u" ]; then
            R_DIR="$P_DIR/role.user_$R_NAME"
        elif [ "${R_TYPE:0:1}" == "g" ]; then
            R_DIR="$P_DIR/role.group_$R_NAME"
        elif [ "${R_TYPE:0:1}" == "s" ]; then
            R_DIR="$P_DIR/role.special_$R_NAME"
        else
            echo "Unknown role type in line: $LINE"
            exit 1
        fi
        echo "Creating policy directory $R_DIR"
        mkdir -p "$R_DIR" || exit 1
        echo "include <$R_DIR/include>" >> "$P_FILE"
        {
            echo "# include file for role '$R_NAME' - created by $(basename "$0")"
            echo "#"
            echo ""
        } > "$R_DIR/include"
        OUT="$R_DIR/include"
    # test for start of new subject (only valid inside a role)
    elif [ "${LINE:0:8}" == "subject " ]; then
        test "$R_DIR" || { echo "subject before any role: $LINE"; exit 1; }
        read -r _ S_NAME _ <<< "$LINE"
        # the "/" subject becomes the file _root directly under the role
        # dir; any other subject is stored under its own path (leading
        # "/" stripped so we do not get a double slash)
        if [ "$S_NAME" == "/" ]; then
            S_NAME_FILE="_root"
        else
            S_NAME_FILE="${S_NAME#/}"
        fi
        S_FILE="$R_DIR/$S_NAME_FILE"
        # a subject on a directory that is also the parent of another
        # subject (e.g. /usr/bin and /usr/bin/foo) would need the same
        # name as both a file and a directory; refuse instead of merging
        if [ -e "$S_FILE" ]; then
            echo "Conflict: $S_FILE already exists (subject $S_NAME, role $R_NAME)"
            exit 1
        fi
        mkdir -p "$(dirname "$S_FILE")" || exit 1
        echo "include <$S_FILE>" >> "$R_DIR/include"
        echo "Created new subject file $S_FILE"
        OUT="$S_FILE"
    fi
    # write the line itself (role and subject headers included) to the
    # file currently selected; printf keeps lines starting with "-" intact.
    # (The posted listing stops before this step and the closing "done";
    # both are reconstructed from the description above.)
    printf '%s\n' "$LINE" >> "$OUT"
done < "${POLICY}.big"
---------------------------------------------------------
--
<NES> *lol* I download something from Napster
<NES> And the same guy I downloaded it from starts downloading it from me when I'm done
<NES> I message him and say "What are you doing? I just got that from you"
<NES> "getting my song back fscker"
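The following Python script is an added example and is not the posted bash script, nor code from grsecurity or gradm. It performs the same split in memory, using the layout the post describes (role.user_/role.group_/role.special_/role.default directories, an include file per role, _root for the "/" subject), and adds two things a practitioner would want before trusting a split policy: it generalizes the _root rule to any subject whose path is an ancestor of another subject in the same role (so a subject on /usr/lib/mailman/bin does not collide with the directory needed for /usr/lib/mailman/bin/mailmanctl), and it verifies the result by expanding the `include <path>` lines the way gradm does and comparing with the original policy, ignoring comments and blank lines. The file names `policy` and `policy.d` and the sample policy are constructed for this example.

```python
"""Split a one-file grsecurity RBAC policy into one dir per role and one
file per subject, then check that 'include <path>' expansion of the split
tree reproduces the original.  Added example; not the posted script and
not gradm code.  Layout follows the post; 'policy'/'policy.d' are assumed."""
import posixpath

ROLE_PREFIX = {"u": "role.user_", "g": "role.group_", "s": "role.special_"}


def role_dir(name, mode):
    """Directory for 'role <name> <mode>'; the first mode letter is the type."""
    if name == "default":
        return "role.default"
    prefix = ROLE_PREFIX.get(mode[:1])
    if prefix is None:
        raise ValueError("unknown role type %r for role %r" % (mode, name))
    return prefix + name


def subject_file(rdir, path, is_ancestor):
    """'/' and any subject that is an ancestor of another subject of the same
    role go to <path>/_root (generalized _root rule); others to <path>."""
    rel = path.strip("/")
    base = posixpath.join(rdir, rel) if rel else rdir
    return posixpath.join(base, "_root") if (not rel or is_ancestor) else base


def split_policy(text, master="policy", pdir="policy.d"):
    """Return {relative file: [lines]}.  Lines before the first role go to the
    master file, role-level lines to the role's include file, and everything
    from a subject line on to that subject's file (comments stay in place)."""
    lines = text.splitlines()
    per_role = []                       # pass 1: subject paths of each role
    for line in lines:
        if line.startswith("role "):
            per_role.append(set())
        elif line.startswith("subject "):
            if not per_role:
                raise ValueError("subject before any role: " + line)
            per_role[-1].add(line.split()[1])
    files = {master: ["# master policy file for the split policy"]}
    out, ridx = master, -1              # pass 2: distribute the lines
    for line in lines:
        if line.startswith("role "):
            fields = line.split()
            ridx += 1
            mode = fields[2] if len(fields) > 2 else ""
            rdir = posixpath.join(pdir, role_dir(fields[1], mode))
            inc = posixpath.join(rdir, "include")
            files[master].append("include <%s>" % inc)
            files[inc] = []
            out = inc
        elif line.startswith("subject "):
            path = line.split()[1]
            below = path.rstrip("/") + "/"
            ancestor = any(o != path and o.startswith(below) for o in per_role[ridx])
            sfile = subject_file(rdir, path, ancestor)
            if sfile in files:
                raise ValueError("duplicate subject %s in %s" % (path, rdir))
            files[inc].append("include <%s>" % sfile)
            files[sfile] = []
            out = sfile
        files[out].append(line)
    return files


def expand(files, start="policy"):
    """Resolve 'include <path>' lines recursively, as gradm does on read."""
    result = []
    for line in files[start]:
        is_inc = line.startswith("include <") and line.endswith(">")
        target = line[len("include <"):-1] if is_inc else None
        if target is not None and target in files:
            result.extend(expand(files, target))
        else:
            result.append(line)
    return result


def significant(lines):
    """What gradm actually parses: everything but comments and blank lines."""
    return [l for l in lines if l.strip() and not l.lstrip().startswith("#")]


def roundtrips(text):
    """True if splitting and re-expanding leaves the parsed policy unchanged."""
    return significant(expand(split_policy(text))) == significant(text.splitlines())


# constructed sample (brace-less syntax of that gradm era); not a real policy
SAMPLE_POLICY = """\
# constructed sample policy
role default G
role_transitions admin
subject /
\t/\t\th
\t-CAP_ALL

role list u
subject /
\t/\t\th
subject /usr/lib/mailman/bin
\t/usr/lib/mailman\tr
subject /usr/lib/mailman/bin/mailmanctl
\t/usr/lib/mailman\trx
"""

if __name__ == "__main__":
    for name in sorted(split_policy(SAMPLE_POLICY)):
        print(name)
    print("round trip ok:", roundtrips(SAMPLE_POLICY))
```

Run it as-is to list the files the sample would produce; on a real policy, read the file into `split_policy`, write each entry of the returned dict to disk, and keep `roundtrips` as the check that the split tree parses to the same rules as the single file.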