| 1 |
I have some troubles with GrSecurity learning mode and did not find |
| 2 |
any answer in https://en.wikibooks.org/wiki/Grsecurity/The_Administration_Utility#Learning_Mode |
| 3 |
Their ML appears to be dead, or restricted to announces now. |
| 4 |
|
| 5 |
1) I let "gradm -F -L ..." run for a couple of weeks, then threw the |
| 6 |
logs to "gradm -F -L ... -O ...". |
| 7 |
It generated a rather restrictive policy, I twiked some rules, and |
| 8 |
when I implemented the policy, some programs were blocked although |
| 9 |
they had been seen many times (for example, Postfix components). |
| 10 |
I added "l" (learn) flags to the impacted "subjects", ran the learning |
| 11 |
process again and fixed most problems. |
| 12 |
|
| 13 |
Anyway, I still saw bizarre messages, e.g.: |
| 14 |
(default:D:/) denied access to hidden file /etc/localtime by |
| 15 |
/usr/sbin/fetchnews[fetchnews:22855] uid/euid:9/9 gid/egid:13/13, |
| 16 |
parent /etc/cron.daily/fetchnews[fetchnews:22854] uid/euid:0/0 |
| 17 |
gid/egid:0/0 /usr/sbin/fetchnews |
| 18 |
|
| 19 |
I don't understand why the default role complains here: I have a role |
| 20 |
for the "news" user and all programs than run under its UID avec an |
| 21 |
associated subject. |
| 22 |
|
| 23 |
2) (incremental) learning of the news logs is awfully slow. |
| 24 |
|
| 25 |
# gradm -L /tmp/learning.logs -O /tmp/policy |
| 26 |
Beginning full learning object reduction for subject /usr/sbin/uptimed...done. |
| 27 |
[snip] |
| 28 |
Beginning full learning object reduction for subject /... |
| 29 |
|
| 30 |
The first subjects appeared quickly. Now, gradm has spend days on / |
| 31 |
using 100% CPU (on one core) and 1 GB. |
| 32 |
|
| 33 |
What mistake did I make? |
Archives