[grsec] Questions about full learning / feature wish for learn_config
Brad Spengler
spender at grsecurity.net
Thu Mar 10 18:28:53 EST 2005
> * Does the full learning mode read the current policy file?
No, since it creates an entire policy.
> Do I have to rename /etc/grsec/policy or empty it to make grsec
> learn anything with -F or does that mode not care about the current
> policy file?
You can leave the policy as is, since full learning doesn't use it.
> Would it perhaps be better to just use role based learning for every
> system user one after another?
Grsecurity has that. Adding "l" to a role's mode learns for that role
and creates subjects for it facilitating least privilege.
> * Or is there a way to tell the full learning system what roles to
> create?
It will create a user role for any user that performs an operation on
the system. If a number of users with the same GID have roles created,
they will be reduced to a single group role.
> I want it to build a role for any system user being used (www-run,
> amavis, root, ...) and one group role for all users belonging to a
> special role.
The full learning system doesn't know about any special roles you plan
to create, though I do think it would be nice to be able to specify
domains in the learn_config so that the roles for user1/user2/user3 (if
they don't share the same GID) could be merged into one role.
I'll add it to my TODO list.
-Brad
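A concrete policy fragment for the role-based learning Brad describes (the "l" role mode), as an added example that is not part of the original mail or of the grsecurity distribution. The www-run role name, the log path, the output path and the restrictive base subject are assumptions for illustration; the gradm flags shown are the ones documented for learning in the gradm quickstart, to be checked against the gradm version in use.

```text
# /etc/grsec/policy fragment (added example; the www-run role name and the
# paths are assumed). Role modes: u = user role, l = enable learning for it.
# While learning, the kernel logs what processes in this role access so that
# gradm can later generate least-privilege subjects for the role.
role www-run ul
subject /
	/		h
	-CAP_ALL
	connect	disabled
	bind	disabled

# Role learning keeps the rest of the policy in force and learns only for
# roles carrying "l"; full learning (-F) ignores the policy file entirely and
# creates user roles for every user that performs an operation.
#   gradm -E -L /etc/grsec/learning.log                          # enable RBAC, learn for www-run
#   ... exercise the www-run workload ...
#   gradm -E -L /etc/grsec/learning.log -O /etc/grsec/policy.new # emit learned subjects
#   gradm -F -L /etc/grsec/learning.log                          # full learning instead
#   gradm -F -L /etc/grsec/learning.log -O /etc/grsec/policy.new # emit the whole policy
```

Reviewing policy.new before installing it is the step that turns the learned accesses into an actual least-privilege policy: anything the workload touched during the learning window is granted, so the window should cover normal operation only.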