1 |
Konstantin V. Arkhipov wrote:
|
2 |
|
3 |
>>Еще вопрос - никто не пробовал скрестить Grsecurity и Vserver? |
4 |
>> |
5 |
>> |
6 |
> |
7 |
>afair, это забросили в середине 2004го. впрочем, могу ошибаться. |
8 |
> |
9 |
> |
10 |
У-у-у-у...
|
11 |
Жаль...
|
12 |
|
13 |
Последний вопрос, понимаю что не в тему рассылки, но правда последний:
|
14 |
|
15 |
пытаюсь обучить gradm:
|
16 |
|
17 |
Выдержка из оффдоки:
|
18 |
|
19 |
Using the learning mode is very simple. All you have to do is add “l” to
|
20 |
the subject mode of the process, you want to enable learning for. Enable
|
21 |
the ACL system with gradm –E. Run the application(s) you enabled
|
22 |
learning mode for several times. This is important, since the learning
|
23 |
mode uses a threshold–based system to determine when access should be
|
24 |
given to a file or whether it should be given to a directory. If 4 or
|
25 |
more similar accesses are made in a single directory (such as writing to
|
26 |
several files in /tmp), access is granted to that directory instead of
|
27 |
the individual files. This reduces the amount of rules you have and
|
28 |
ensures that the application will work correctly after the final ACLs
|
29 |
are compiled.
|
30 |
Once you feel you’ve given the application the normal usage it would see
|
31 |
in real life, disable the ACL system with gradm -D (or alternatively, go
|
32 |
into admin mode with gradm -a), and use This will place the new learned
|
33 |
ACLs at the end of your ruleset. Simply remove the old ACLs and you’re
|
34 |
ready to go.
|
35 |
|
36 |
http://www.grsecurity.net/gracldoc.htm#Using_Gradm_and_the_Learning_Mode
|
37 |
|
38 |
Делаю все как написано - добавляю в /etc/grsec/policy:
|
39 |
|
40 |
subject /usr/sbin/metalog lo
|
41 |
/ h
|
42 |
-CAP_ALL
|
43 |
|
44 |
|
45 |
# gradm -E
|
46 |
# /usr/sbin/metalog
|
47 |
# gradm -D
|
48 |
# gradm -L -O /etc/grsec/acl
|
49 |
# cat /etc/grsec/acl
|
50 |
а там пусто...
|
51 |
|
52 |
???
|
53 |
|
54 |
Заранее спасибо!
|
55 |
--
|
56 |
gentoo-user-ru@g.o mailing list |