On 09/14/14 08:28, Michel Arboi wrote:
I have some troubles with GrSecurity learning mode and did not find
any answer in
https://en.wikibooks.org/wiki/Grsecurity/The_Administration_Utility#Learning_Mode
Their ML appears to be dead, or restricted to announcements now.
1) I let "gradm -F -L ..." run for a couple of weeks, then threw the
logs to "gradm -F -L ... -O ...".
It generated a rather restrictive policy, I tweaked some rules, and
when I implemented the policy, some programs were blocked although
they had been seen many times (for example, Postfix components).
I added "l" (learn) flags to the impacted "subjects", ran the learning
process again and fixed most problems.
Anyway, I still saw bizarre messages, e.g.:
(default:D:/) denied access to hidden file /etc/localtime by
/usr/sbin/fetchnews[fetchnews:22855] uid/euid:9/9 gid/egid:13/13,
parent /etc/cron.daily/fetchnews[fetchnews:22854] uid/euid:0/0
gid/egid:0/0 /usr/sbin/fetchnews
I don't understand why the default role complains here: I have a role
for the "news" user and all programs that run under its UID have an
associated subject.
2) (incremental) learning of the news logs is awfully slow.
# gradm -L /tmp/learning.logs -O /tmp/policy
Beginning full learning object reduction for subject /usr/sbin/uptimed...done.
[snip]
Beginning full learning object reduction for subject /...
The first subjects appeared quickly. Now, gradm has spent days on /
using 100% CPU (on one core) and 1 GB.
What mistake did I make?
I don't see any, to be honest. 1) are you sure fetchnews ran at least
once during the learning? A couple of weeks is certainly long enough.
I wonder if it's too long? 2) The CPU problem seems like a genuine bug.
We should probably open a proper bug report for this, but let me send
this upstream now.
--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
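As an added example (not part of this thread or of gradm itself), the following parser handles denial messages in the format shown above and flags the situation from question 1: a denial attributed to the default role for a process whose euid has its own user role in the policy. The sample lines, pids and the {9: "news"} uid-to-role mapping are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the format quoted in the thread (wrapped lines
# joined); pids, paths and uids are made-up values, not real logs.
SAMPLE_LOG = """\
grsec: (default:D:/) denied access to hidden file /etc/localtime by /usr/sbin/fetchnews[fetchnews:22855] uid/euid:9/9 gid/egid:13/13, parent /etc/cron.daily/fetchnews[fetchnews:22854] uid/euid:0/0 gid/egid:0/0
grsec: (news:U:/usr/sbin/fetchnews) denied access to hidden file /var/spool/news/x by /usr/sbin/fetchnews[fetchnews:22901] uid/euid:9/9 gid/egid:13/13, parent /bin/sh[sh:22900] uid/euid:9/9 gid/egid:13/13
grsec: (default:D:/) denied access to hidden file /etc/postfix/main.cf by /usr/lib/postfix/smtpd[smtpd:1201] uid/euid:100/100 gid/egid:100/100, parent /usr/lib/postfix/master[master:1200] uid/euid:0/0 gid/egid:0/0
"""

# (role:type:subject) denied access to hidden file OBJ by EXE[comm:pid] ... parent PEXE[comm:pid] ...
DENIAL_RE = re.compile(
    r"\((?P<role>[^:]+):(?P<role_type>[A-Za-z]+):(?P<subject>[^)]+)\) "
    r"denied access to hidden file (?P<object>\S+) by "
    r"(?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<pexe>\S+)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\] "
    r"uid/euid:(?P<puid>\d+)/(?P<peuid>\d+) gid/egid:(?P<pgid>\d+)/(?P<pegid>\d+)"
)

INT_FIELDS = ("pid", "uid", "euid", "gid", "egid",
              "ppid", "puid", "peuid", "pgid", "pegid")


def parse_denial(line):
    """Return a dict of the fields of one denial message, or None if no match."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in INT_FIELDS:
        d[k] = int(d[k])
    return d


def parse_log(text):
    """Parse every denial message in a log dump, skipping unrelated lines."""
    return [d for d in (parse_denial(l) for l in text.splitlines()) if d]


def default_role_denials(denials, uid_roles):
    """Denials handled by the default role (type D) although the process euid
    has a dedicated user role in uid_roles: the fetchnews case above."""
    return [d for d in denials
            if d["role_type"] == "D" and d["euid"] in uid_roles]


def summarize(denials):
    """Count denials per (role, subject, object) to see what the policy blocks."""
    return Counter((d["role"], d["subject"], d["object"]) for d in denials)
```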