From: Michel Arboi
Newsgroups: comp.os.linux.security
Subject: GrSecurity: slow learning mode & incomplete policy
Date: Mon, 15 Sep 2014 15:00:54 +0200
Message-ID:
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Lines: 39
Organization: Guest of ProXad - France

I have some trouble with the GrSecurity learning mode and did not find any answer in
https://en.wikibooks.org/wiki/Grsecurity/The_Administration_Utility#Learning_Mode
Their ML appears to be dead, or restricted to announcements now.

1) I let "gradm -F -L ..." run for a couple of weeks, then threw the logs to "gradm -F -L ... -O ...". It generated a rather restrictive policy, I tweaked some rules, and when I implemented the policy, some programs were blocked although they had been seen many times (for example, Postfix components). I added "l" (learn) flags to the impacted "subjects", ran the learning process again and fixed most problems.

Anyway, I still saw bizarre messages, e.g.:

(default:D:/) denied access to hidden file /etc/localtime by /usr/sbin/fetchnews[fetchnews:22855] uid/euid:9/9 gid/egid:13/13, parent /etc/cron.daily/fetchnews[fetchnews:22854] uid/euid:0/0 gid/egid:0/0
/usr/sbin/fetchnews

I don't understand why the default role complains here: I have a role for the "news" user, and all programs that run under its UID have an associated subject.

2) (incremental) learning of the news logs is awfully slow.

# gradm -L /tmp/learning.logs -O /tmp/policy
Beginning full learning object reduction for subject /usr/sbin/uptimed...done.
[snip]
Beginning full learning object reduction for subject /...

The first subjects appeared quickly. Now, gradm has spent days on / using 100% CPU (on one core) and 1 GB. What mistake did I make?

-- 
http://ma75.blogspot.com/
PGP key ID : 0x85A1C6A1 - 0x05054F8485A1C6A1
Fingerprint: 1DC3 8857 B930 0B6B 9420 5D56 0505 4F84 85A1 C6A1
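A small parser for the RBAC denial line quoted in the post, as an added example (not code from the post or from gradm): it splits the line into role, role type, subject, object and the two processes, and lists the denials where a non-root process was handled by the default role, which is the symptom asked about. The line layout is assumed from the single quoted message; the second sample line is constructed.

```python
import re
from dataclasses import dataclass

# Assumed layout, taken from the one line quoted in the post: "(role:T:subject)
# denied <what> <object> by <exe>[comm:pid] uid/euid:u/e gid/egid:g/e, parent ..."
_PROC = (r"(?P<{p}exe>\S+)\[(?P<{p}comm>[^:\]]+):(?P<{p}pid>\d+)\] "
         r"uid/euid:(?P<{p}uid>\d+)/(?P<{p}euid>\d+) "
         r"gid/egid:(?P<{p}gid>\d+)/(?P<{p}egid>\d+)")
DENIAL_RE = re.compile(
    r"^\((?P<role>[^:]+):(?P<rtype>[A-Z]):(?P<subject>[^)]+)\) "
    r"denied (?P<what>.+?) (?P<obj>\S+) by " + _PROC.format(p="")
    + ", parent " + _PROC.format(p="p") + r"$")

@dataclass
class Denial:
    role: str
    rtype: str      # role type letter from the prefix; D is the default role
    subject: str    # subject (program path) whose rules were applied
    what: str       # e.g. "access to hidden file"
    obj: str        # the object path that was denied
    exe: str
    uid: int
    parent_uid: int

def parse_denial(line):
    """Return a Denial for one RBAC denial line, or None if it does not match."""
    m = DENIAL_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Denial(g["role"], g["rtype"], g["subject"], g["what"], g["obj"],
                  g["exe"], int(g["uid"]), int(g["puid"]))

def default_role_nonroot(lines):
    """Denials where a non-root process fell under the default role rather
    than a user role: the case the post asks about (uid 9 under default:D)."""
    return [d for d in map(parse_denial, lines)
            if d is not None and d.rtype == "D" and d.uid != 0]

# Constructed sample: the line from the post, then a made-up denial under a
# user role "news" for contrast.
SAMPLE = [
    "(default:D:/) denied access to hidden file /etc/localtime by "
    "/usr/sbin/fetchnews[fetchnews:22855] uid/euid:9/9 gid/egid:13/13, parent "
    "/etc/cron.daily/fetchnews[fetchnews:22854] uid/euid:0/0 gid/egid:0/0",
    "(news:U:/usr/sbin/fetchnews) denied access to hidden file /etc/localtime by "
    "/usr/sbin/fetchnews[fetchnews:22900] uid/euid:9/9 gid/egid:13/13, parent "
    "/usr/sbin/cron[cron:1234] uid/euid:0/0 gid/egid:0/0",
]
```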