1. Yesterday I did my first full learning mode run and generated the policy afterwards. Upon inspecting the result I spotted lots of cases where filename were used that seemed to be generated. I most of these cases I replaced the specific filename with a wildcard version.
Example before:
- Code: Select all
role root uG
subject / {
/
...
/tmp/cyrus-daily-cronjob.XXXXuf6MjP rwc
...
}
after:
- Code: Select all
role root uG
subject / {
/
...
/tmp/cyrus-daily-cronjob.* rwc
...
}
Any thoughts?
2. I've checked out the example config in gradm2 for information about the role based policy file format. As I understood it, a role is defined by "role <rolename> <role modes>" followed by a number of subject definitions and terminated by the next role definition or EOF. Is that correct?