[grsec] Questions about full learning / feature wish for learn_config

Marc Schiffbauer marc at schiffbauer.net
Thu Mar 10 17:33:35 EST 2005


Hi Brad,

* Does the full learning mode read the current policy file?

  I want the learning system to learn anything on a production server
  running many services.

  Do I have to rename /etc/grsec/policy or empty it to make grsec
  learn anything with -F or does that mode not care about the current
  policy file?

  Would it perhaps be better to just use role based learning for every
  system user one after another?


* Or is there a way to tell the full learning system what roles to
  create?

  I want it to build a role for any system user being used (www-run,
  amavis, root, ...) and one group role for all users belonging to a
  special role.

  If not:
  Perhaps that would be a cool new feature for learn_config?
  create-role g group1
  create-role u user1
  create-domain u user2 user3 user4
  create-domain g group2 group3 group4
  ...

  That way one had perfect control over what roles would be
  generated by the full learning system...

Brad, what do you think?

-Marc
-- 
****************************************************
*   (morganj): 0 is false and 1 is true, correct?  *
*   (alec_eso): 1, morganj                         *
*   (morganj): bastard.                            *
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://grsecurity.net/pipermail/grsecurity/attachments/20050310/a5d73a3e/attachment.pgp


More information about the grsecurity mailing list