[grsec] Questions about full learning / feature wish for learn_config

Brad Spengler spender at grsecurity.net
Thu Mar 10 18:28:53 EST 2005


> * Does the full learning mode read the current policy file?

No, since it creates an entire policy.

>   Do I have to rename /etc/grsec/policy or empty it to make grsec
>   learn anything with -F or does that mode not care about the current
>   policy file?

You can leave the policy as is, since full learning doesn't use it.

>   Would it perhaps be better to just use role based learning for every
>   system user one after another?

Grsecurity has that.  Adding "l" to a role's mode learns for that role 
and creates subjects for it, facilitating least privilege.

> * Or is there a way to tell the full learning system what roles to
>   create?

It will create a user role for any user that performs an operation on 
the system.  If a number of users with the same GID have roles created, 
they will be reduced to a single group role.

>   I want it to build a role for any system user being used (www-run,
>   amavis, root, ...) and one group role for all users belonging to a
>   special role.

The full learning system doesn't know about any special roles you plan 
to create, though I do think it would be nice to be able to specify 
domains in the learn_config so that the roles for user1/user2/user3 (if 
they don't share the same GID) could be merged into one role.
I'll add it to my TODO list.

-Brad
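As an added illustration (not part of Brad's message and not taken from any grsecurity documentation), the /etc/grsec/policy fragment below shows what the role-based learning described above looks like in practice: the two system users from the question each get a user role with "l" added to its mode, starting from a deny-everything default subject, so the learning pass records only what those roles actually do while every other role in the file stays enforced. The role names, the deny-all subject body and the log path are assumptions chosen for the example; the gradm invocations in the comments are the learning commands as I know them and should be checked against the gradm version in use.

```text
# Added example (not from the original message): role-based learning in
# /etc/grsec/policy. Role names, subject body and log path are assumptions.
#
# Only roles carrying "l" in their mode are learned. Each starts from a
# subject that hides the whole filesystem, drops all capabilities and
# forbids sockets, so anything the service needs shows up in the log.

role www-run ul
subject /
	/			h
	-CAP_ALL
	bind		disabled
	connect		disabled

role amavis ul
subject /
	/			h
	-CAP_ALL
	bind		disabled
	connect		disabled

# Enable the policy with learning on and the log sink set, then exercise
# the services as www-run and amavis:
#   gradm -E -L /etc/grsec/learning.logs
# When done, disable the RBAC system and write out the learned rules:
#   gradm -D
#   gradm -L /etc/grsec/learning.logs -O /etc/grsec/policy
#
# Full system learning (-F), which ignores this file and builds a complete
# policy from scratch, uses the same log but a different pair of commands:
#   gradm -F -L /etc/grsec/learning.logs
#   gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy
```

Review the generated subjects before enabling the result: learning only records what happened during the run, so a code path that was never exercised (log rotation, a rarely used admin script) will be denied once the policy is enforced.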