summaryrefslogtreecommitdiff
path: root/kernels/gradm
diff options
context:
space:
mode:
authorLuke Shumaker <LukeShu@sbcglobal.net>2014-01-06 00:36:04 -0500
committerLuke Shumaker <LukeShu@sbcglobal.net>2014-01-06 00:36:04 -0500
commit462bbf7f306f0c1c3f4da24e15747a088d71be42 (patch)
tree562fff2ce7123e656e7bad03149156a3ff576363 /kernels/gradm
parent66c00a074b8c7de57a75dc683b00d29391bdf3a9 (diff)
parent993cb8ec3fd807471035038106825b4c915a33a8 (diff)
downloadabslibre-462bbf7f306f0c1c3f4da24e15747a088d71be42.tar.gz
abslibre-462bbf7f306f0c1c3f4da24e15747a088d71be42.tar.bz2
abslibre-462bbf7f306f0c1c3f4da24e15747a088d71be42.zip
Merge branch 'master' of https://projects.parabolagnulinux.org/abslibre
Diffstat (limited to 'kernels/gradm')
-rw-r--r--kernels/gradm/PKGBUILD39
-rw-r--r--kernels/gradm/learn_config169
-rw-r--r--kernels/gradm/policy487
-rw-r--r--kernels/gradm/usr.patch115
4 files changed, 810 insertions, 0 deletions
diff --git a/kernels/gradm/PKGBUILD b/kernels/gradm/PKGBUILD
new file mode 100644
index 000000000..52e0582b7
--- /dev/null
+++ b/kernels/gradm/PKGBUILD
@@ -0,0 +1,39 @@
+# Contributors:
+# Jonathan Liu <net147@gmail.com>
+# henning mueller <henning@orgizm.net>
+# s1gma, Ahmad24, maxrp
+
+pkgname=gradm
+pkgver=3.0
+_timestamp=201311242038
+pkgrel=2
+pkgdesc='Administrative interface for the grsecurity Role Based Access Control system'
+arch=(i686 x86_64 mips64el)
+url=http://grsecurity.net/
+license=(GPL2)
+depends=(pam)
+source=(
+ http://grsecurity.net/stable/$pkgname-$pkgver-$_timestamp.tar.gz
+ usr.patch
+ learn_config
+ policy
+)
+
+build() {
+ cd "$srcdir/$pkgname"
+ patch -Np1 < ../usr.patch
+ sed -i -e 's/^CFLAGS :=/CFLAGS +=/' -e 's:sbin:usr/bin:' Makefile
+ make
+}
+
+package() {
+ cd "$srcdir/$pkgname"
+ make DESTDIR="$pkgdir" install
+ cp "$startdir"/{learn_config,policy} "$pkgdir/etc/grsec"
+ rm -rf "$pkgdir/dev"
+}
+
+sha256sums=('9d9040ef2be90b6a4db5b68ba5b7bc658cbbcdb8c71c643b8f95373e4a892e55'
+ '7342323d2da3724afe745506690a1a5b194f3f0e959811ca320d820bf74c9ffa'
+ 'ec8e824e8a29a67be76bf853814ee85e80c4063009e5693d5db8cdb45bd45813'
+ '61c0e84098e8386e5496dafce559558adef32e2a4a1241a9fa3bd56eab192dcd')
diff --git a/kernels/gradm/learn_config b/kernels/gradm/learn_config
new file mode 100644
index 000000000..24c4cbc25
--- /dev/null
+++ b/kernels/gradm/learn_config
@@ -0,0 +1,169 @@
+#This configuration file aids the learning process by tweaking
+#the learning algorithm for specific paths.
+#
+#It accepts lines in the form of <command> <pathname>
+#Where <command> can be inherit-learn, no-learn, inherit-no-learn,
+#high-reduce-path, dont-reduce-path, protected-path, high-protected-path,
+#read-protected-path, and always-reduce-path
+#
+#inherit-learn, no-learn, and inherit-no-learn operate only with
+#full learning
+#
+#high-reduce-path, dont-reduce-path, always-reduce-path, protected-path,
+#and high-protected-path operate on both full and and regular learning
+#(subject and role learning)
+#
+#inherit-learn changes the learning process for the specified path
+#by throwing all learned accesses for every binary executed by the
+#processes contained in the pathname into the subject specified
+#by the pathname. This is useful for cron in the case of full
+#system learning, so that scripts that eventually end up executing
+#mv or rm with privilege don't cause the root policy to grant
+#that privilege to mv or rm in all cases.
+#
+#no-learn allows processes within the path to perform any operation
+#that normal system usage would allow without restriction. If
+#a process is generating a huge number of learning logs, it may be
+#best to use this command on that process and configure its policy
+#manually.
+#
+#inherit-no-learn combines the above two cases, such that processes
+#within the specified path will be able to perform any normal system
+#operation without restriction as will any binaries executed by
+#these processes.
+#
+#high-reduce-path modifies the heuristics of the learning process
+#to weight in favor of reducing accesses for this path
+#
+#dont-reduce-path modifies the heuristics of the learning process
+#so that it will never reduce accesses for this path
+#
+#always-reduce-path modifies the heuristics of the learning process
+#so that the path specified will always have all files and directories
+#within it reduced to the path specified.
+#
+#protected-path specifies a path on your system that is considered an
+#important resource. Any process that modifies one of these paths
+#is given its own subject in the learning process, facilitating
+#a secure policy.
+#
+#read-protected-path specifies a path on your system that contains
+#sensitive information. Any process that reads one of these paths is
+#given its own subject in the learning process, facilitating a secure
+#policy.
+#
+#high-protected-path specifies a path that should be hidden from
+#all processes but those that access it directly. It is recommended
+#to use highly sensitive files for this command.
+#
+#regular expressions are not supported for pathnames in this config file
+#
+#
+# uncomment this next line if you don't wish to generate a policy that
+# restricts roles to specific IP ranges:
+# dont-learn-allowed-ips
+#
+# to write out your generated policy such that roles are split into separate
+# files by the name of the role (within user/group directories), uncomment
+# the next line:
+# split-roles
+
+always-reduce-path /dev/pts
+always-reduce-path /var/spool/qmailscan/tmp
+always-reduce-path /var/spool/exim4
+always-reduce-path /var/run/screen
+always-reduce-path /usr/share/locale
+always-reduce-path /usr/share/zoneinfo
+always-reduce-path /usr/share/terminfo
+always-reduce-path /tmp
+always-reduce-path /var/tmp
+
+high-reduce-path /dev/.udev
+high-reduce-path /dev/mapper
+high-reduce-path /dev/snd
+high-reduce-path /proc
+high-reduce-path /usr/lib
+high-reduce-path /usr/lib/tls
+high-reduce-path /usr/lib/libreoffice
+high-reduce-path /usr/lib32
+high-reduce-path /usr/lib32/tls
+high-reduce-path /usr/lib64
+high-reduce-path /usr/lib64/tls
+high-reduce-path /var/lib
+high-reduce-path /usr/bin
+high-reduce-path /usr/sbin
+high-reduce-path /usr/local/share
+high-reduce-path /usr/local/bin
+high-reduce-path /usr/local/sbin
+high-reduce-path /usr/local/etc
+high-reduce-path /usr/local/lib
+high-reduce-path /usr/share
+high-reduce-path /usr/X11R6/lib
+high-reduce-path /var/lib/openldap-data
+high-reduce-path /var/lib/krb5kdc
+
+dont-reduce-path /
+dont-reduce-path /home
+dont-reduce-path /dev
+dont-reduce-path /usr
+dont-reduce-path /var
+dont-reduce-path /opt
+
+protected-path /boot
+protected-path /dev/log
+protected-path /etc
+protected-path /opt
+protected-path /root
+protected-path /run
+protected-path /sys
+protected-path /usr
+protected-path /var
+
+read-protected-path /etc/ssh
+read-protected-path /proc/kallsyms
+read-protected-path /proc/kcore
+read-protected-path /proc/slabinfo
+read-protected-path /proc/modules
+read-protected-path /usr/lib/modules
+read-protected-path /usr/lib64/modules
+read-protected-path /boot
+read-protected-path /etc/shadow
+read-protected-path /etc/shadow-
+read-protected-path /etc/gshadow
+read-protected-path /etc/gshadow-
+read-protected-path /sys
+
+high-protected-path /etc/ssh
+high-protected-path /proc/kcore
+high-protected-path /proc/sys
+high-protected-path /proc/bus
+high-protected-path /proc/slabinfo
+high-protected-path /proc/modules
+high-protected-path /proc/kallsyms
+high-protected-path /etc/passwd
+high-protected-path /etc/shadow
+high-protected-path /var/backups
+high-protected-path /etc/shadow-
+high-protected-path /etc/gshadow
+high-protected-path /etc/gshadow-
+high-protected-path /var/log
+high-protected-path /dev/mem
+high-protected-path /dev/kmem
+high-protected-path /dev/port
+high-protected-path /dev/log
+high-protected-path /sys
+high-protected-path /etc/ppp
+high-protected-path /etc/samba/smbpasswd
+#to protect kernel images
+high-protected-path /boot
+high-protected-path /usr/lib/modules
+high-protected-path /usr/lib64/modules
+high-protected-path /usr/src
+
+inherit-learn /etc/cron.d
+inherit-learn /etc/cron.hourly
+inherit-learn /etc/cron.daily
+inherit-learn /etc/cron.weekly
+inherit-learn /etc/cron.monthly
+inherit-learn /etc/init.d
+inherit-learn /etc/rc.d/init.d
diff --git a/kernels/gradm/policy b/kernels/gradm/policy
new file mode 100644
index 000000000..55a5811c8
--- /dev/null
+++ b/kernels/gradm/policy
@@ -0,0 +1,487 @@
+#sample default policy for grsecurity
+#
+# Role flags:
+# A -> This role is an administrative role, thus it has special privilege normal
+# roles do not have. In particular, this role bypasses the
+# additional ptrace restrictions
+# N -> Don't require authentication for this role. To access
+# the role, use gradm -n <rolename>
+# s -> This role is a special role, meaning it does not belong to a
+# user or group, and does not require an enforced secure policy
+# base to be included in the ruleset
+# u -> This role is a user role
+# g -> This role is a group role
+# G -> This role can use gradm to authenticate to the kernel
+# A policy for gradm will automatically be added to the role
+# T -> Enable TPE for this role
+# l -> Enable learning for this role
+# P -> Use PAM authentication for this role.
+# R -> Enable persistence of special role. Normal special roles will
+# be removed upon exit of the process that entered the role, or
+# upon unauth (this is what changes the apache process' role back
+# to its normal role after being restarted from the admin role, for
+# instance). Role persistence allows a special role to be used for
+# system shutdown, as the point at which the admin's shell/SSH
+# session is terminated won't cause the rest of the shutdown
+# sequence to execute with reduced privilege. Do *NOT* use this
+# flag with any role that does anything but shut the system down.
+# This role will also be transferred to the init process upon
+# writing to /dev/initctl. This allows init to execute the rc
+# scripts for shutdown with the necessary privilege.
+# For usability reasons, we allow the removal of persistence through
+# the normal unauth process (so persistence only survives exit).
+#
+# a role can only be one of user, group, or special
+#
+# role_allow_ip IP/optional netmask
+# eg: role_allow_ip 192.168.1.0/24
+# You can have as many of these per role as you want
+# They restrict the use of a role to a list of IPs. If a user
+# is on the system that would normally get the role does not
+# belong to those lists of IPs, the system falls back through
+# its method of determining a role for the user
+#
+# Role hierarchy
+# user -> group -> default
+# First a user role attempts to match, if one is not found,
+# a group role attempts to match, if one is not found,
+# the default role is used.
+#
+# role_transitions <special role 1> <special role 2> ... <special role n>
+# eg: role_transitions www_admin dns_admin
+#
+# role transitions specify which special roles a given role is allowed
+# to authenticate to. This applies to special roles that do not
+# require password authentication as well. If a user tries to
+# authenticate to a role that is not within his transition table, he
+# will receive a permission denied error
+#
+# Nested subjects
+# subject /bin/su:/bin/bash:/bin/cat
+# / rwx
+# +CAP_ALL
+# grant privilege to specific processes if they are executed
+# within a trusted path. In this case, privilege is
+# granted if /bin/cat is executed from /bin/bash, which is
+# executed from /bin/su.
+#
+# Configuration inheritance on nested subjects
+# nested subjects inherit rules from their parents. In the
+# example above, the nested subject would inherit rules
+# from the nested subject for /bin/su:/bin/bash,
+# and the subject /bin/su
+# View the 1.9.x documentation for more information on
+# configuration inheritance
+#
+# new object modes:
+# m -> allow creation of setuid/setgid files/directories
+# and modification of files/directories to be setuid/setgid
+# M -> audit the setuid/setgid creation/modification
+# c -> allow creation of the file/directory
+# C -> audit the creation
+# d -> allow deletion of the file/directory
+# D -> audit the deletion
+# p -> reject all ptraces to this object
+# l -> allow a hardlink at this path
+# (hardlinking requires at a minimum c and l modes, and the target
+# link cannot have any greater permission than the source file)
+# L -> audit link creation
+# f -> needed to mark the pipe used for communication with init
+# to transfer the privilege of the persistent role; only valid
+# within a persistent role. Transfer only occurs when the file is
+# opened for writing
+#
+# new subject modes:
+# O -> disable "writable library" restrictions for this task
+# t -> allow this process to ptrace any process (use with caution)
+# r -> relax ptrace restrictions (allows process to ptrace processes
+# other than its own descendants)
+# i -> enable inheritance-based learning for this subject, causing
+# all accesses of this subject and anything it executes to be placed
+# in this subject, and inheritance flags added to executable objects
+# in this subject
+# a -> allow this process to talk to the /dev/grsec device
+# s -> enable AT_SECURE when entering this subject
+# (enables the same environment sanitization that occurs in glibc
+# upon execution of a suid binary)
+# x -> allows executable anonymous shared memory for this subject
+#
+# user/group transitions:
+# You may now specify what users and groups a given subject can
+# transition to. This can be done on an inclusive or exclusive basis.
+# Omitting these rules allows a process with proper privilege granted by
+# capabilities to transition to any user/group.
+#
+# Examples:
+# subject /bin/su
+# user_transition_allow root spender
+# group_transition_allow root spender
+# subject /bin/su
+# user_transition_deny evilhacker
+# subject /bin/su
+# group_transition_deny evilhacker1 evilhacker2
+#
+# Domains:
+# With domains you can combine users that don't share a common
+# GID as well as groups so that they share a single policy
+# Domains work just like roles, with the only exception being that
+# the line starting with "role" is replaced with one of the following:
+# domain somedomainname u user1 user2 user3 user4 ... usern
+# domain somedomainname g group1 group2 group3 group4 ... groupn
+#
+# Inverted socket policies:
+# Rules such as
+# connect ! www.google.com:80 stream tcp
+# are now allowed, which allows you to specify that a process can connect to anything
+# except to port 80 of www.google.com with a stream tcp socket
+# the inverted socket matching also works on bind rules
+#
+# INADDR_ANY overriding
+# You can now force a given subject to bind to a particular IP address on the machine
+# This is useful for some chrooted environments, to ensure that the source IP they
+# use is one of your choosing
+# to use, add a line like:
+# ip_override 192.168.0.1
+#
+# Per-interface socket policies:
+# Rules such as
+# bind eth1:80 stream tcp
+# bind eth0#1:22 stream tcp
+# are now allowed, giving you the ability to tie specific socket rules
+# to a single interface (or by using the inverted rules, all but one
+# interface). Virtual interfaces are specified by the <ifname>#<vindex>
+# syntax. If an interface is specified, no IP/netmask or host may be
+# specified for the rule.
+#
+# Allowing additional socket families:
+# Before v2.2.1 of the RBAC system, a subject that specified
+# connect/bind rules limited only the socket usage of IPv4, allowing
+# any other socket families to be used. Starting with v2.2.1 of the
+# RBAC system, when connect/bind rules are used, additional rules
+# will be required to unlock the use of additional socket families
+# (outside of the common unix family). Multiple families can be
+# specified per line.
+# To enable use of IPv6, add the line:
+# sock_allow_family ipv6
+# To enable use of netlink, add the line:
+# sock_allow_family netlink
+# To enable all other families, add the line:
+# sock_allow_family all
+#
+# New learning system:
+# To learn on a given subject: add l (the letter l, not the number 1)
+# to the subject mode
+# If you want to learn with the most restrictive policy, use the
+# following:
+# subject /path/to/bin lo
+# / h
+# -CAP_ALL
+# connect disabled
+# bind disabled
+# Resource learning is also supported, so lines like
+# RES_AS 0 0
+# can be used to learn a particular resource
+#
+# To learn on a given role, add l to the role mode
+# For both of these, to enable learning, enable the system like:
+# gradm -L /etc/grsec/learning.logs -E
+# and then generate the rules after disabling the system after the
+# learning phase with:
+# gradm -L /etc/grsec/learning.logs -O /etc/grsec/policy
+# To use full system learning, enable the system like:
+# gradm -F -L /etc/grsec/learning.logs
+# and then generate the rules after disabling the system after the
+# learning phase with:
+# gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy
+#
+# New PaX flag format (replaces PaX subject flags):
+# PaX flags can be forced on or off, regardless of the flags on the
+# binary, by using + or - before the following PaX flag names:
+# PAX_SEGMEXEC
+# PAX_PAGEEXEC
+# PAX_MPROTECT
+# PAX_RANDMMAP
+# PAX_EMUTRAMP
+#
+# New feature for easier policy maintenance:
+# replace <variable name> <replace string>
+# e.g.:
+# replace CVSROOT /home/cvs
+# now $(CVSROOT) can be used in any subject or object pathname, like:
+# $(CVSROOT)/grsecurity r
+# This will translate to /home/cvs/grsecurity r
+# This feature makes it easier to update policies by naming specific
+# paths by their function, then only having to update those paths once
+# to have it affect a large number of subjects/objects.
+#
+# capability auditing / log suppression
+# use of a capability can be audited by adding "audit" to the line, eg:
+# +CAP_SYS_RAWIO audit
+# log suppression for denial of a capbility can be done by adding "suppress":
+# -CAP_SYS_RAWIO suppress
+#
+# Per-role umask enforcement:
+# If you have a user that you want to be assured cannot accidentally
+# create a file that others can read (a confidentiality issue)
+# add the following under the role declaration:
+# role_umask 077
+# any normal octal umask may be specified
+# Note that unlike the normal umask, this umask will also apply
+# to the permissions one can chmod/fchmod a file to
+#
+# Note that the omission of any feature of a role or subject
+# results in a default-allow
+# For instance, if no capability rules are added, an implicit +CAP_ALL is used
+#
+# Commonly-used objects can be defined and used in multiple subjects
+# As an example, we'll create a variable out of a list of objects
+# and their associated permissions that RBAC enforces
+define grsec_denied {
+ /boot h
+ /dev/grsec h
+ /dev/kmem h
+ /dev/mem h
+ /dev/port h
+ /etc/grsec h
+ /proc/kcore h
+ /proc/slabinfo h
+ /proc/modules h
+ /proc/kallsyms h
+ # hide and suppress logs about accessing this path
+ /usr/lib/modules hs
+ /etc/ssh h
+}
+# usage:
+# $grsec_denied
+
+role shutdown sARG
+subject / rvka
+ /
+ /dev
+ /dev/urandom r
+ /dev/random r
+ /etc r
+ /usr rx
+ /proc r
+ $grsec_denied
+ -CAP_ALL
+ connect disabled
+ bind disabled
+
+subject /usr/lib/systemd/systemd rvkao
+ / rwcdmlxi
+subject /usr/bin/systemctl rvkao
+ / rwcdmlxi
+ /dev/initctl rwf
+ /run/initctl rwf
+
+# Make sure to unauthenticate with gradm -u from
+# the admin role after restarting a service
+# The service started will run with admin
+# privileges until you run gradm -u or your shell exits
+
+role admin sA
+subject / rvka
+ / rwcdmlxi
+
+role default G
+role_transitions admin shutdown
+subject /
+ / r
+ /opt rx
+ /home rwxcd
+ /mnt rw
+ /dev
+ /dev/urandom r
+ /dev/random r
+ /dev/zero rw
+ /dev/input rw
+ /dev/psaux rw
+ /dev/null rw
+ /dev/tty? rw
+ /dev/console rw
+ /dev/tty rw
+ /dev/pts rw
+ /dev/ptmx rw
+ /dev/dsp rw
+ /dev/mixer rw
+ /dev/initctl rw
+ /dev/fd0 r
+ /dev/cdrom r
+ /usr rx
+# compilation of kernel code should be done within the admin role
+ /usr/src h
+ /etc rx
+ /proc rwx
+ /proc/sys r
+ /sys h
+ /root r
+ /run r
+ /tmp rwcd
+ /var rwxcd
+ /var/tmp rwcd
+ /var/log r
+# hide the kernel images and modules
+ $grsec_denied
+
+# if sshd needs to be restarted, it can be done through the admin role
+# restarting sshd should be followed immediately by a gradm -u
+ /usr/sbin/sshd
+
+ /home/*/.gem/ruby/2.0.0/bin rx
+ /home/*/.rbenv/shims rx
+ /home/*/.rbenv/versions*/bin rx
+ /home/*/.cabal/bin rx
+ /home/*/dev/env rx
+
+ -CAP_KILL
+ -CAP_SYS_TTY_CONFIG
+ -CAP_LINUX_IMMUTABLE
+ -CAP_NET_RAW
+ -CAP_MKNOD
+ -CAP_SYS_ADMIN
+ -CAP_SYS_RAWIO
+ -CAP_SYS_MODULE
+ -CAP_SYS_PTRACE
+ -CAP_NET_ADMIN
+ -CAP_NET_BIND_SERVICE
+ -CAP_NET_RAW
+ -CAP_SYS_CHROOT
+ -CAP_SYS_BOOT
+ -CAP_SETFCAP
+ -CAP_SYSLOG
+
+# RES_AS 100M 100M
+
+# connect 192.168.1.0/24:22 stream tcp
+# bind 0.0.0.0 stream dgram tcp udp
+
+# the d flag protects /proc fd and mem entries for sshd
+# all daemons should have 'p' in their subject mode to prevent
+# an attacker from killing the service (and restarting it with trojaned
+# config file or taking the port it reserved to run a trojaned service)
+
+subject /usr/sbin/sshd dpo
+ /
+ /* h
+ /bin/bash x
+ /dev h
+ /dev/log rw
+ /dev/random r
+ /dev/urandom r
+ /dev/null rw
+ /dev/ptmx rw
+ /dev/pts rw
+ /dev/tty rw
+ /dev/tty? rw
+ /etc r
+ /etc/grsec h
+ /home
+ /home/*/.ssh/authorized_keys r
+ /root
+ /proc r
+ /proc/*/oom_adj rw
+ /proc/kcore h
+ /proc/sys h
+ /proc/sys/kernel/ngroups_max r
+ /selinux r
+ /usr/lib rx
+ /usr/share/zoneinfo r
+ /var/log
+ /var/mail
+ /var/log/lastlog rw
+ /var/log/wtmp w
+ /var/run
+ /run
+ /var/run/sshd
+ /var/run/utmp rw
+ /var/run/utmpx rw
+ /var/run/.nscd_socket rw
+
+ -CAP_ALL
+ +CAP_CHOWN
+ +CAP_SETGID
+ +CAP_SETUID
+ +CAP_SYS_CHROOT
+ +CAP_SYS_RESOURCE
+ +CAP_SYS_TTY_CONFIG
+ +CAP_AUDIT_WRITE
+ # to access user keys
+ +CAP_DAC_OVERRIDE
+
+subject /usr/bin/Xorg
+ /dev/mem rw
+
+ +CAP_SYS_ADMIN
+ +CAP_SYS_TTY_CONFIG
+ +CAP_SYS_RAWIO
+
+subject /usr/bin/ssh
+ /etc/ssh/ssh_config r
+
+subject /usr/bin/postgres
+ /dev/log rw
+
+subject /usr/bin/exim
+ /dev/log rw
+
+subject /usr/sbin/syslog-ng
+ +CAP_SYS_ADMIN
+
+subject /usr/sbin/rsyslogd
+ +CAP_SYS_ADMIN
+
+subject /usr/sbin/cron
+ /dev/log rw
+
+subject /usr/sbin/crond
+ /dev/log rw
+
+subject /bin/login
+ /dev/log rw
+ /var/log/wtmp w
+ /var/log/faillog rwcd
+
+subject /bin/su
+ /dev/log rw
+
+subject /usr/bin/sudo
+ /dev/log rw
+
+subject /sbin/agetty
+ /var/log/wtmp w
+
+subject /sbin/init
+ /var/log/wtmp w
+
+subject /usr/bin/xauth
+ /home r
+ /home/*/.Xauthority-* rwcdl
+
+# prevent ld.so breakouts of subjects with /lib rx
+
+# many distros clutter up /lib with shell scripts
+# that can be easily hijacked for malicious purposes
+subject /usr/lib o
+ / h
+ -CAP_ALL
+ connect disabled
+ bind disabled
+
+subject /usr/lib32 o
+ / h
+ -CAP_ALL
+ connect disabled
+ bind disabled
+
+subject /usr/lib/ld-linux.so.2 o
+ / h
+ -CAP_ALL
+ connect disabled
+ bind disabled
+
+subject /usr/lib/ld-linux-x86-64.so.2 o
+ / h
+ -CAP_ALL
+ connect disabled
+ bind disabled
diff --git a/kernels/gradm/usr.patch b/kernels/gradm/usr.patch
new file mode 100644
index 000000000..b3e5e77ab
--- /dev/null
+++ b/kernels/gradm/usr.patch
@@ -0,0 +1,115 @@
+diff --git a/gradm_adm.c b/gradm_adm.c
+index bdcfd7d..9681b3c 100644
+--- a/gradm_adm.c
++++ b/gradm_adm.c
+@@ -72,12 +72,13 @@ add_gradm_acl(struct role_acl *role)
+
+ gradm_name = gr_strdup(gradm_realpath);
+ if (gr_enable && strcmp(gradm_name, GRADM_PATH)) {
+- printf("You are attempting to use a gradm binary other "
+- "than the installed version. Depending on your "
++ printf("You are attempting to use a gradm binary (%s) other "
++ "than the installed version (%s). Depending on your "
+ "policy, you could be locking yourself out of "
+ "your machine by enabling the RBAC system with "
+ "this binary. Press \'y\' if you wish to ignore "
+- "this warning, or any other key to cancel.\n>");
++ "this warning, or any other key to cancel.\n>",
++ gradm_name, GRADM_PATH);
+ if (getchar() != 'y')
+ exit(EXIT_FAILURE);
+ }
+@@ -259,11 +260,6 @@ static void add_fulllearn_shutdown_acl(void)
+ ADD_OBJ("/dev/urandom", "r");
+ ADD_OBJ("/dev/random", "r");
+ ADD_OBJ("/etc", "r");
+- ADD_OBJ("/bin", "rx");
+- ADD_OBJ("/sbin", "rx");
+- ADD_OBJ("/lib", "rx");
+- ADD_OBJ("/lib32", "rx");
+- ADD_OBJ("/lib64", "rx");
+ ADD_OBJ("/usr", "rx");
+ ADD_OBJ("/proc", "r");
+ ADD_OBJ("/boot", "h");
+@@ -276,9 +272,9 @@ static void add_fulllearn_shutdown_acl(void)
+ ADD_OBJ("/proc/slabinfo", "h");
+ ADD_OBJ("/proc/modules", "h");
+ ADD_OBJ("/proc/kallsyms", "h");
+- ADD_OBJ("/lib/modules", "hs");
+- ADD_OBJ("/lib32/modules", "hs");
+- ADD_OBJ("/lib64/modules", "hs");
++ ADD_OBJ("/usr/lib/modules", "hs");
++ ADD_OBJ("/usr/lib32/modules", "hs");
++ ADD_OBJ("/usr/lib64/modules", "hs");
+ ADD_OBJ("/etc/ssh", "h");
+ add_cap_acl(current_subject, "-CAP_ALL", NULL);
+
+diff --git a/gradm_analyze.c b/gradm_analyze.c
+index 74ec86f..da365a4 100644
+--- a/gradm_analyze.c
++++ b/gradm_analyze.c
+@@ -778,17 +778,17 @@ analyze_acls(void)
+ errs_found++;
+ }
+
+- if (!stat("/lib/modules", &fstat) && !check_permission(role, def_acl, "/lib/modules", &chk)) {
++ if (!stat("/usr/lib/modules", &fstat) && !check_permission(role, def_acl, "/usr/lib/modules", &chk)) {
+ fprintf(stderr,
+- "Writing access is allowed by role %s to /lib/modules, the directory which "
++ "Writing access is allowed by role %s to /usr/lib/modules, the directory which "
+ "holds kernel modules.\n\n",
+ role->rolename);
+ errs_found++;
+ }
+
+- if (!stat("/lib64/modules", &fstat) && !check_permission(role, def_acl, "/lib64/modules", &chk)) {
++ if (!stat("/usr/lib64/modules", &fstat) && !check_permission(role, def_acl, "/usr/lib64/modules", &chk)) {
+ fprintf(stderr,
+- "Writing access is allowed by role %s to /lib64/modules, the directory which "
++ "Writing access is allowed by role %s to /usr/lib64/modules, the directory which "
+ "holds kernel modules.\n\n",
+ role->rolename);
+ errs_found++;
+diff --git a/gradm_defs.h b/gradm_defs.h
+index 961a7b9..56d6378 100644
+--- a/gradm_defs.h
++++ b/gradm_defs.h
+@@ -4,9 +4,9 @@
+ #ifndef GRSEC_DIR
+ #define GRSEC_DIR "/etc/grsec"
+ #endif
+-#define GRLEARN_PATH "/sbin/grlearn"
+-#define GRADM_PATH "/sbin/gradm"
+-#define GRPAM_PATH "/sbin/gradm_pam"
++#define GRLEARN_PATH "/usr/bin/grlearn"
++#define GRADM_PATH "/usr/bin/gradm"
++#define GRPAM_PATH "/usr/bin/gradm_pam"
+ #define GRDEV_PATH "/dev/grsec"
+ #define GR_POLICY_PATH GRSEC_DIR "/policy"
+ #define GR_PW_PATH GRSEC_DIR "/pw"
+diff --git a/gradm_fulllearn.c b/gradm_fulllearn.c
+index 4d10060..6ce744d 100644
+--- a/gradm_fulllearn.c
++++ b/gradm_fulllearn.c
+@@ -449,8 +449,8 @@ static const char *initial_roles_str =
+ "\t/proc/slabinfo\th\n"
+ "\t/proc/modules\th\n"
+ "\t/proc/kallsyms\th\n"
+-"\t/lib/modules\ths\n"
+-"\t/lib64/modules\ths\n"
++"\t/usr/lib/modules\ths\n"
++"\t/usr/lib64/modules\ths\n"
+ "\t/etc/ssh\th\n"
+ "}\n\n"
+ "role admin sA\n"
+@@ -463,10 +463,6 @@ static const char *initial_roles_str =
+ "\t/dev/urandom r\n"
+ "\t/dev/random r\n"
+ "\t/etc r\n"
+-"\t/bin rx\n"
+-"\t/sbin rx\n"
+-"\t/lib rx\n"
+-"\t/lib64 rx\n"
+ "\t/usr rx\n"
+ "\t/proc r\n"
+ "\t$grsec_denied\n"