| 1 |
On 09/14/14 08:28, Michel Arboi wrote: |
| 2 |
> I have some troubles with GrSecurity learning mode and did not find |
| 3 |
> any answer in https://en.wikibooks.org/wiki/Grsecurity/The_Administration_Utility#Learning_Mode |
| 4 |
> Their ML appears to be dead, or restricted to announces now. |
| 5 |
> |
| 6 |
> 1) I let "gradm -F -L ..." run for a couple of weeks, then threw the |
| 7 |
> logs to "gradm -F -L ... -O ...". |
| 8 |
> It generated a rather restrictive policy, I twiked some rules, and |
| 9 |
> when I implemented the policy, some programs were blocked although |
| 10 |
> they had been seen many times (for example, Postfix components). |
| 11 |
> I added "l" (learn) flags to the impacted "subjects", ran the learning |
| 12 |
> process again and fixed most problems. |
| 13 |
> |
| 14 |
> Anyway, I still saw bizarre messages, e.g.: |
| 15 |
> (default:D:/) denied access to hidden file /etc/localtime by |
| 16 |
> /usr/sbin/fetchnews[fetchnews:22855] uid/euid:9/9 gid/egid:13/13, |
| 17 |
> parent /etc/cron.daily/fetchnews[fetchnews:22854] uid/euid:0/0 |
| 18 |
> gid/egid:0/0 /usr/sbin/fetchnews |
| 19 |
> |
| 20 |
> I don't understand why the default role complains here: I have a role |
| 21 |
> for the "news" user and all programs than run under its UID avec an |
| 22 |
> associated subject. |
| 23 |
> |
| 24 |
> 2) (incremental) learning of the news logs is awfully slow. |
| 25 |
> |
| 26 |
> # gradm -L /tmp/learning.logs -O /tmp/policy |
| 27 |
> Beginning full learning object reduction for subject /usr/sbin/uptimed...done. |
| 28 |
> [snip] |
| 29 |
> Beginning full learning object reduction for subject /... |
| 30 |
> |
| 31 |
> The first subjects appeared quickly. Now, gradm has spend days on / |
| 32 |
> using 100% CPU (on one core) and 1 GB. |
| 33 |
> |
| 34 |
> What mistake did I make? |
| 35 |
> |
| 36 |
|
| 37 |
I don't see any, to be honest. 1) are you sure fetchnews ran at least |
| 38 |
once during the learning? A couple of weeks is certainly long enough. |
| 39 |
I wonder if its too long? 2) The cpu problems seems like a genuine bug. |
| 40 |
|
| 41 |
We should probably open a proper bug reprot for this, but let me send |
| 42 |
this upstream now. |
| 43 |
|
| 44 |
-- |
| 45 |
Anthony G. Basile, Ph. D. |
| 46 |
Chair of Information Technology |
| 47 |
D'Youville College |
| 48 |
Buffalo, NY 14201 |
| 49 |
(716) 829-8197 |
Archives