[grsec] learning ACL mode

Andrzej Wisniewski awisniewski at axit.pl
Tue Aug 10 09:13:57 EDT 2004


Hi,

I have some problem with a special ACL mode - learn mode.

There are two features:

1. I can run gradm with option -F (full learning mode) and in this case
I can make one big subject "/". There we can find a lot of lines and in
my case +CAP_ALL. As you know, gradm doesn't want to run with +CAP_ALL in
the default subject because this is a big hole :) and in this way I can't
use my new learning config.

2. The second feature is more interesting, I think. As I understand it
(maybe I'm wrong) I can add the "l" option to all my subjects and in this
way when I run gradm -E on my machine I have great information in my
learning log - where some executable files want to read, write etc ...
I made my learning file:

----------------
role admin sA
subject / r
        / rwcdmxi

role default G
role_transitions admin
subject / lo {
        / h
        -CAP_ALL
}
subject /dev/MAKEDEV lo {
     /      h
}
subject /etc/sysconfig/network-scripts/ifdown-aliases lo {
     /      h
}
subject /etc/sysconfig/network-scripts/ifdown-ipsec lo {
     /      h
}
subject /etc/sysconfig/network-scripts/ifdown-ippp lo {
     /      h
}

(...)

----------------

where (...) means configuration like the other lines but with ALL
executable files on my machine. I thought that it would be a great idea
and after the learning time I would have a beautiful config for my ACL
system. So, I was wrong :/
My config (the default subject already has a +CAP_ALL line), and when I
restart the machine some services can't come up because they have a
problem with grsec permissions :/ (in my learning time I restarted the
machine a lot of times).

Please send me some info on where I've made mistake(s) :(
Maybe you have a learning file which I can run with gradm -L file.txt -E
mode please :/

-- 
AndY
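As an added example (not the poster's file and not part of gradm itself), the script below parses a small policy fragment written in the same role/subject/object layout as the one in the message above and reports two things a reviewer would want to see before loading it with gradm -L: which subjects carry the "l" (learning) flag, and whether the default role's "/" subject grants +CAP_ALL, which the poster notes gradm rejects. The sample policy is constructed for this example; the parser assumes the layout shown in the post, namely that a subject is either brace-delimited or runs until the next subject or role line, and that capability lines start with +CAP_ or -CAP_.

```python
"""Lint a gradm-style ACL policy fragment (added example, not gradm code).

Assumptions (taken from the layout of the policy quoted in the post):
  role <name> <flags>
  role_transitions <role> ...
  subject <path> <flags> [{ ... }]   -- braces optional; without braces the
                                        subject runs until the next subject/role
  <path> <mode>                      -- object line inside a subject
  +CAP_X / -CAP_X                    -- capability line inside a subject
"""

# Constructed sample modelled on the fragment in the message above.
SAMPLE_POLICY = """\
role admin sA
subject / r
        / rwcdmxi

role default G
role_transitions admin
subject / lo {
        / h
        +CAP_ALL
}
subject /dev/MAKEDEV lo {
     /      h
}
"""


def parse_policy(text):
    """Return {role: {"flags", "transitions", "subjects": {path: {...}}}}."""
    roles = {}
    role = None      # role currently being filled
    subject = None   # subject currently being filled (None outside a subject)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":          # end of a brace-delimited subject
            subject = None
            continue
        parts = line.split()
        kw = parts[0]
        if kw == "role":
            flags = parts[2] if len(parts) > 2 else ""
            role = roles.setdefault(parts[1], {"flags": flags,
                                               "transitions": [],
                                               "subjects": {}})
            subject = None
        elif kw == "role_transitions":
            if role is None:
                raise ValueError("role_transitions before any role")
            role["transitions"].extend(parts[1:])
        elif kw == "subject":
            if role is None:
                raise ValueError("subject before any role: %r" % line)
            # flags are optional; a trailing "{" is not a flag
            flags = parts[2] if len(parts) > 2 and parts[2] != "{" else ""
            subject = {"flags": flags, "objects": [], "caps": []}
            role["subjects"][parts[1]] = subject
        elif kw[0] in "+-" and kw[1:].startswith("CAP_"):
            if subject is None:
                raise ValueError("capability outside a subject: %r" % line)
            subject["caps"].append(kw)
        else:
            if subject is None:
                raise ValueError("object outside a subject: %r" % line)
            mode = parts[1] if len(parts) > 1 else ""
            subject["objects"].append((parts[0], mode))
    return roles


def lint(roles):
    """Return human-readable findings about learning flags and +CAP_ALL."""
    findings = []
    for rname, role in roles.items():
        for spath, subj in role["subjects"].items():
            # "l" is the learning flag per the post; list every subject using it
            if "l" in subj["flags"]:
                findings.append("learning enabled: role %s subject %s"
                                % (rname, spath))
            # gradm refuses +CAP_ALL on the default role's "/" subject
            if rname == "default" and spath == "/" and "+CAP_ALL" in subj["caps"]:
                findings.append("default role '/' subject grants +CAP_ALL")
    return findings


if __name__ == "__main__":
    for f in lint(parse_policy(SAMPLE_POLICY)):
        print(f)
```

Running it on the constructed sample lists the two learning subjects and flags the +CAP_ALL line on the default "/" subject; pointing parse_policy at a real policy file before gradm -L lets you see the same problems without rebooting to find them.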
