[grsec] GrSec doesn't work on CD based system / softmode, enforce policy

Thomas Mueller news-exp-jul05 at tmueller.com
Sun Jun 26 03:51:56 EDT 2005


Hi,

I am a GrSec beginner and am trying to use version 2.1.6 on a CD-based Debian
Sarge with kernel 2.6.11.12.

The first very, very annoying problem I have: I can't find a softmode. I
wrote a policy, enabled it, and found out that I can't disable it
anymore - so I had to do a hard reset. On a remote system. Four times,
until I gave up.
How can I test a policy without enforcing it? I don't see a way to use
GrSec on a running production machine - I can't do regular resets there.

The second problem is the following:

# gradm -E
Viewing access is allowed by role default to /dev/grsec.
If you want this role to be able to authenticate to the kernel, add G to
its role mode.

How can I force GrSec to accept this policy?
The CD-based distro has 2 ramdisks, one containing among others
/ram1/dev and /ram1/etc. /dev is a symlink to /ram1/dev.
After my third reset I found out that I have to use /ram1/dev/...
instead of /dev/... in my policy.
To make GrSec happy I tried to add both, /dev/ and /ram1/dev/, but that
doesn't work either:

Duplicate object found for "/ram1/dev/grsec" in role default, subject /,
on line 19 of /etc/grsec2/policy.
"/ram1/dev/grsec" references the same object as the following object(s):
/dev/grsec
specified on an earlier line.The RBAC system will not load until this
error is fixed.

Looks like a deadlock situation.


Thanks,
Thomas
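
A pre-load check for the duplicate-object error quoted in the message above, as an added example that is not part of the original post or of gradm: it flags object paths within one subject that resolve to the same device and inode. The policy text is constructed, the simplified policy layout and the names `find_aliased_objects` and `demo` are assumptions, and treating "same object" as "same device and inode" is an assumption as well.

```python
import os
import tempfile

# Constructed sample policy in a simplified layout (an assumption, not the poster's file).
POLICY = """\
role default
subject / {
    /                r
    /dev/grsec       h
    /ram1/dev/grsec  h
}
"""

def find_aliased_objects(policy_text, root="/"):
    """List object paths that resolve to an inode already named in the same subject."""
    role = subject = None
    seen = {}       # (role, subject, st_dev, st_ino) -> first path naming that inode
    clashes = []
    for line_no, raw in enumerate(policy_text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()
        if not words or words[0] == "}":
            continue
        if words[0] == "role" and len(words) > 1:
            role, subject = words[1], None
        elif words[0] == "subject" and len(words) > 1:
            subject = words[1]
        elif words[0].startswith("/") and subject is not None:
            path = words[0]
            try:
                # os.stat follows symlinks, so /dev/x and /ram1/dev/x compare equal
                st = os.stat(os.path.join(root, path.lstrip("/")))
            except OSError:
                continue    # path absent on this system: nothing to compare
            key = (role, subject, st.st_dev, st.st_ino)
            first = seen.setdefault(key, path)
            if first != path:
                clashes.append((line_no, path, first, role, subject))
    return clashes

def demo():
    """Rebuild the /dev -> /ram1/dev layout in a temp dir and check POLICY against it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "ram1", "dev"))
        open(os.path.join(root, "ram1", "dev", "grsec"), "w").close()
        os.symlink(os.path.join("ram1", "dev"), os.path.join(root, "dev"))  # relative link
        return find_aliased_objects(POLICY, root)

if __name__ == "__main__":
    for line_no, path, first, role, subject in demo():
        print(f'line {line_no}: "{path}" is the same object as "{first}" '
              f"(role {role}, subject {subject})")
```

Run against the real filesystem (the default `root="/"`) on the target machine, this reports symlink aliases in a policy file before the policy is enabled.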


