# Note that policy.pl will probably choke on this due to all the strange user
# and group names. It's just an example...

# If not otherwise specified, audit processes that get extra caps
default_audit on

# let anything running gid/egid (crypto|realtime) lock memory
ipc_lock {
   path any
   group crypto,realtime
   # use the default audit value
}

# let anyone lock memory if they're running gpg; don't audit this
ipc_lock {
   path /usr/bin/gpg # doesn't need to be setuid anymore
   audit off
}

net_raw {
   path /bin/ping   # normally setuid root; not needed anymore
   audit off        # don't bother auditing everyone who uses ping
}

# let people in the admins group do network-related stuff
net_raw,net_admin {
   group admins
   audit on
   # implicit 'path any'
}

# let me do all kinds of stuff
net_admin,sys_admin,chown,setuid,setgid,net_raw {
   user lloyd
   path any # same as not setting it at all
   audit off # I'm invisible!
}

sys_admin {
   user bob     # presumably not in the admins group (otherwise the rule would
                # always be true for him, which would be bad)
   group admins # let bob do stuff, if the binary is setgid admins
   audit on
   # implicit 'path any'
}

# let any admin start a few servers without privs
#   (note that many of them need access to root-owned files, so this doesn't
#    work as-is).
net_bind {
   group admins # assumes there are one or more real users in this group
   path /usr/sbin/httpd
   path /usr/sbin/sshd
   path /usr/sbin/xinetd
   path /usr/sbin/snmpd
   # use the default audit value
}