grsecurity forums

[Thomas80]

Hi there,

I've got the following problem: After having run gradm in full learning mode for two days, I tried to pass the log over to the policy file, but at a certain point, the process appears to hang (I waited for several minutes). I don't even think I have used 'find' during the learning period.

The system is used as a webserver only.

Thanx in advance,

Thomas

root@www:/ # gradm -F -L /etc/grsec/learning.log -O /etc/grsec/policy
Beginning full learning 1st pass...done.
Beginning full learning role reduction...done.
Beginning full learning 2nd pass...done.
Beginning full learning subject reduction for user root...done.
Beginning full learning subject reduction for user http://www...done.
Beginning full learning subject reduction for user mail...done.
Beginning full learning subject reduction for user thomas...done.
Beginning full learning subject reduction for user www-data...done.
Beginning full learning subject reduction for user absolutelynobody...done.
Beginning full learning subject reduction for user mysql...done.
Beginning full learning subject reduction for user nobody...done.
Beginning full learning subject reduction for user man...done.
Beginning full learning 3rd pass...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /bin/bash...done.
Beginning full learning object reduction for subject /bin/chgrp...done.
Beginning full learning object reduction for subject /bin/chmod...done.
Beginning full learning object reduction for subject /bin/chown...done.
Beginning full learning object reduction for subject /bin/cp...done.
Beginning full learning object reduction for subject /bin/gzip...done.
Beginning full learning object reduction for subject /bin/ln...done.
Beginning full learning object reduction for subject /bin/ls...done.
Beginning full learning object reduction for subject /bin/mv...done.
Beginning full learning object reduction for subject /bin/rm...done.
Beginning full learning object reduction for subject /bin/su...done.
Beginning full learning object reduction for subject /bin/touch...done.
Beginning full learning object reduction for subject /etc/cron.daily/exim...done.
Beginning full learning object reduction for subject /etc/cron.daily/standard...done.
Beginning full learning object reduction for subject /sbin/insmod...done.
Beginning full learning object reduction for subject /sbin/start-stop-daemon...done.
Beginning full learning object reduction for subject /sbin/syslogd...done.
Beginning full learning object reduction for subject /usr/bin/find...

P.S.: The size of learning.log is about 25 MBs

[fre]

Well, indeed...
Many of grsec-users have been encountering such a problem.
Try a top and watch memory-usage; it gets filled up, swapping and so on untill it's pretty full and at a certain moment the process just got killed.

As I know, until now there isn't a solution yet, though they are busy developping a fixed tool/better learning-abilities.