An initrd would have been nicer, but I managed without it (I don't remember ever making an initrd in my life). This is what I did to enable grsecurity learning from boot:
--
# Assuming /dev/sda5 is your /
mkdir /mnt/sda5
mount /dev/sda5 /mnt/sda5/
mknod -m 0622 /mnt/sda5/dev/grsec c 1 13
umount /mnt/sda5/
rmdir /mnt/sda5

# gradm wants to write to /etc/grsec/.grlearn.pid for its pid file,
# so work around this:
mv -v /etc/grsec/ /etc/grsec.bak
mkdir -v -m 700 /root/grsec
ln -sv /root/grsec /etc/grsec

# Then add this to /etc/rc.d/init.d/mountkernfs after /proc is mounted.
mount -n -o mode=700 -t tmpfs tmpfs /root/grsec;
cp /etc/grsec.bak/* /root/grsec;
rm -f /root/grsec/.grlearn.pid;
gradm -F -L /root/grsec/learning.log;
# gradm needs /proc to readlink(1) the pid/exe files.
# I added the ;'s in hope that they will let the script
# continue even if the commands fail.

# After rebooting, gradm -S does not seem to work, and I can't authenticate.
# Nevertheless, I can get the new policy:
gradm -F -L /etc/grsec/learning.log -O /root/learning_policy.roles

# Remove the stuff in /etc/rc.d/init.d/mountkernfs and reboot again.
# Then clean up:
rm /etc/grsec
mv /etc/grsec.bak /etc/grsec/
rmdir /root/grsec

# Our fruits rest in /root/learning_policy.roles.
--

So, the end policy needs a lot of touching up, and udevd wasn't considered an object... gradm considers udevd the script it ran from. This should get cleaned up so each boot script has its own rules; gradm sorted them all together.

I got what I wanted: rules for /sbin/init say it needs CAP_SYS_ADMIN and read-write access to /dev/console, /dev/initctl and /var/run/utmp, write-only to /var/log/wtmp, execute permission on /etc/rc.d/init.d/rc, read on /etc/localtime, and read on /bin/bash. Nothing else.

/sbin/agetty doesn't need capabilities, just some read and write to some files and tty devices. It should be very easy to run agetty as a regular user.

/bin/login needs some capabilities, and might be a little tricky to run as a normal user (bash --login) without capabilities.

I hope to enable gradm on the reboot, to control processes that are normally powerful.

robert
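As an added illustration (not robert's actual learning output, which was not posted), here is what the /sbin/init access list he describes looks like when written out in gradm's RBAC policy syntax, alongside the admin role that every policy needs so you can still get back in with `gradm -a admin`. The object paths and the capability are the ones he lists; the subject mode `o`, the `/ h` catch-all, the socket rules and the admin role are assumptions based on the stock grsecurity policy layout, and the agetty subject is left without objects because the post does not enumerate them.

```text
# Added example, not from the post: an admin role so the policy can be
# disabled or edited after `gradm -E`. Set its password first with `gradm -P`.
role admin sA
subject / rvka
    /                       rwcdmlxi

role default G
role_transitions admin

# Reconstructed from the access list in the post. Mode `o` stops the
# subject from inheriting objects of the enclosing `/` subject; `/ h`
# hides everything not listed below.
subject /sbin/init o
    /                       h
    /bin/bash               r
    /etc/localtime          r
    /etc/rc.d/init.d/rc     x
    /dev/console            rw
    /dev/initctl            rw
    /var/run/utmp           rw
    /var/log/wtmp           w
    -CAP_ALL
    +CAP_SYS_ADMIN
    bind    disabled
    connect disabled

# agetty reportedly needs no capabilities at all; its file and tty
# objects are not listed in the post and must come from the learning log.
subject /sbin/agetty o
    /                       h
    -CAP_ALL
    bind    disabled
    connect disabled
```

Run `gradm -C` against the assembled policy before `gradm -E`; it reports syntax errors and objects that do not exist on disk, which is where the udevd-versus-script confusion mentioned above tends to show up as missing or misattributed entries.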
--
http://linuxfromscratch.org/mailman/listinfo/hlfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page