/ {
	/
	/opt	rx
	/home	rx
	/mnt	r
	/dev
	/dev/random     r
	/dev/urandom    r
	/dev/input      rw
	/dev/psaux      rw
	/dev/tty?	rw
	/dev/null       rw
	/dev/pts        rw
	/dev/ptmx       rw
	/dev/tty        rw
	/dev/dsp        rw
	/dev/mixer      rw
	/dev/console    rw
	/dev/mem        h
        /dev/kmem       h 
	/dev/port	h
        /dev/zero       rw
        /bin            rx
        /sbin           rx
        /lib            rx
        /usr            rx
        /etc            rx
        /etc/postfix    r 
        /etc/init.d     h 
        /etc/shadow-    h 
        /etc/shadow     h 
        /proc           rwx
        /proc/sys       r 
        /proc/kcore     h 
        /root           r
        /tmp            rw
        /var            rx
        /var/cache      rw
        /var/spool      rw
        /var/spool/postfix/lib rx
        /var/run        rw
	/var/tmp	rw
	/var/log
	/boot		r
	/etc/grsec	h

	-CAP_ALL
}

include </etc/grsec/debian_secure_acls>
