Learning mode's policy is insufficient

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team


Post by emostar » Mon Apr 24, 2006 11:12 pm

Hello, I've been working on getting a policy that works for me. Perhaps I'm missing something important though. I've had some problems with gradm creating a good policy to work with. For example, I set the policy to be most restrictive and then start gradm in full learning mode. I refresh a browser window of one of my websites on the server. I disable gradm, then create a policy. I add the policy to my existing one, start gradm and try to view my webpage again, but it fails.

I don't have the logs at the moment (I'm at work), but was just wondering if anyone knew what I could be doing wrong.

Thanks!

Jon
emostar
 
Posts: 7
Joined: Mon Apr 24, 2006 11:09 pm

Post by emostar » Thu Apr 27, 2006 5:47 am

Well, I found the root of my problems...

In my httpd.conf, the setting was for it to run as User nobody and Group #-1.
So, in the learning log, the GID was 0xFFFFFFFF and would not be shown in the policy that -O creates.

I modified the httpd.conf file to set the Group to nobody and then it fixed the issues I have... now time to work on getting a solid policy built!

Jon
emostar
 
Posts: 7
Joined: Mon Apr 24, 2006 11:09 pm
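
A check for the root cause described in the post above, as an added example that is not part of the original thread: it scans httpd.conf text for `User`/`Group` directives given as numeric ids and flags any that wrap to 0xFFFFFFFF, the GID the poster saw in the learning log. The function names and the sample configuration are constructed for illustration; the script only inspects the Apache configuration and does not read gradm's logs or policy.

```python
import re

# Constructed sample resembling the configuration described in the post.
SAMPLE_HTTPD_CONF = """\
# Constructed example, not the poster's actual file
ServerRoot "/usr/local/apache"
User nobody
Group #-1
<VirtualHost *:80>
    # Group #-1 inside a comment must be ignored
    ServerName example.invalid
</VirtualHost>
"""

DIRECTIVE = re.compile(r'^\s*(User|Group)\s+"?([^"\s]+)"?\s*$', re.IGNORECASE)
ID_MASK = 0xFFFFFFFF  # uid_t/gid_t are 32-bit unsigned on Linux


def audit_identity_directives(conf_text):
    """Return (line_no, directive, raw_value, resolved_id_or_None, problem)
    for every User/Group directive found in the httpd.conf text."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # Apache comments start the line
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        directive, value = m.group(1).capitalize(), m.group(2)
        if not value.startswith("#"):  # named account, nothing to resolve
            findings.append((line_no, directive, value, None, None))
            continue
        try:
            numeric = int(value[1:]) & ID_MASK  # -1 wraps to 0xFFFFFFFF
        except ValueError:
            findings.append((line_no, directive, value, None, "not a numeric id"))
            continue
        problem = None
        if numeric == ID_MASK:
            problem = "wraps to 0xFFFFFFFF; use a named user/group instead"
        findings.append((line_no, directive, value, numeric, problem))
    return findings


def flagged(conf_text):
    """Only the directives that need changing before a learning run."""
    return [f for f in audit_identity_directives(conf_text) if f[4]]
```

Running `flagged()` on the configuration before starting a learning run catches the case from this thread, where the fix was to set `Group nobody`.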

Re: Learning mode's policy is insufficient

Post by taheria » Wed Sep 03, 2008 4:00 am

Did you ever build out a solid web policy that you would be willing to share?
taheria
 
Posts: 2
Joined: Fri Aug 22, 2008 6:21 pm

