Learning mode - no default role present

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team


Postby humlik » Sat Oct 07, 2006 10:29 am

I cannot execute gradm in learning mode because of a "missing" default role. But where should I put a default role? I have one in /etc/grsec/policy (used from the default install), but does learning mode really use this file?
Where should I put the default role? It happened only with the latest grsec & gradm.


>gradm -F -L /root/grsec/initial_raw_log

There is no default role present in your configuration.
Please read the RBAC documentation and create a default role before attempting to enable the RBAC system.

uname -a
Linux gate 2.6.18-grsec #1

gradm -v
gradm v2.1.9
(gradm-2.1.9-200609230939.tar.gz used)

>cat /etc/grsec/policy

role admin sA
subject / rvka
/ rwcdmlxi

role default G
role_transitions admin
subject /
/ r
......

Petr

Re: Learning mode - no default role present

Postby fonya » Sun Oct 08, 2006 4:01 am

Your problem is what the error message says: you don't have a default role :)

For example, my learning policy looks like this:
role admin sAl
subject / rvka
        / rwcdmlxi

role default Gl
role_transitions admin

subject something_prg1 lo
        / h

        -CAP_ALL
        RES_FSIZE 0 0
        RES_DATA 0 0
        RES_RSS 0 0
        RES_NOFILE 0 0
        RES_MEMLOCK 0 0
        RES_STACK 0 0
        RES_AS 0 0
        RES_NPROC 0 0
        RES_LOCKS 0 0

        connect disabled
        bind disabled

subject something_prg2 lo
        / h

        -CAP_ALL
        RES_FSIZE 0 0
        RES_DATA 0 0
        RES_RSS 0 0
        RES_NOFILE 0 0
        RES_MEMLOCK 0 0
        RES_STACK 0 0
        RES_AS 0 0
        RES_NPROC 0 0
        RES_LOCKS 0 0

        connect disabled
        bind disabled

And from the default install I have a learn_config too.
--
Fonya
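The policy fragments in this thread follow a small grammar (role, role_transitions, subject, and indented object / capability / resource / socket lines). As an added example, not gradm's own code and not from any post above, the Python script below parses a policy of that shape and reports the condition behind the error message that started the thread, a missing "default" role, plus two related structural checks. Assumptions, not facts taken from the page: that every role needs a "/" subject as its fallback, and that the "l" mode on a subject enables learning for it. Both sample policies embedded in the script are constructed for the example; the sshd subject path is illustrative only.

```python
"""Sanity-check a gradm-style RBAC policy before running `gradm -F -L`.

Added example, not gradm's own code. It reproduces only the condition behind
the error in this thread (no 'default' role) plus a few simple structural
checks; the real gradm grammar is much larger. Assumptions: every role needs
a '/' subject, and the 'l' mode on a subject enables learning for it.
"""

# Constructed sample policies (not from a real system). The first mirrors the
# shape of the learning policy posted in the thread; the second lacks the
# default role that gradm's analyze_acls() complains about.
POLICY_LEARNING = """\
role admin sAl
subject / rvka
        / rwcdmlxi

role default Gl
role_transitions admin

subject /
        / r

subject /usr/sbin/sshd lo
        / h
        -CAP_ALL
        RES_NPROC 0 0
        connect disabled
        bind disabled
"""

POLICY_NO_DEFAULT = """\
role admin sA
subject / rvka
        / rwcdmlxi
"""


def parse_policy(text):
    """Parse the policy into {role: {"mode", "transitions", "subjects"}}.

    Subjects map path -> {"mode": flags, "lines": [object/cap/res lines]}.
    Comments (#) and blank lines are ignored; a stray line outside any
    role or subject is rejected instead of being silently attached.
    """
    roles = {}
    role = subject = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        key = parts[0]
        if key == "role":
            if len(parts) < 2:
                raise ValueError(f"line {lineno}: role without a name")
            mode = parts[2] if len(parts) > 2 else ""
            role = roles.setdefault(
                parts[1], {"mode": mode, "transitions": [], "subjects": {}})
            subject = None
        elif key == "role_transitions":
            if role is None:
                raise ValueError(f"line {lineno}: role_transitions outside a role")
            role["transitions"].extend(parts[1:])
        elif key == "subject":
            if role is None or len(parts) < 2:
                raise ValueError(f"line {lineno}: subject outside a role or without a path")
            mode = parts[2] if len(parts) > 2 else ""
            subject = role["subjects"].setdefault(parts[1], {"mode": mode, "lines": []})
        else:
            # Object, capability, resource or socket line: belongs to a subject.
            if subject is None:
                raise ValueError(f"line {lineno}: {line!r} is not inside a subject")
            subject["lines"].append(line)
    return roles


def check_policy(roles):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    if "default" not in roles:
        problems.append("no default role: gradm refuses to enable RBAC without one")
    for name, r in roles.items():
        if "/" not in r["subjects"]:
            problems.append(f"role {name}: no '/' subject (assumed required as the fallback subject)")
        for target in r["transitions"]:
            if target not in roles:
                problems.append(f"role {name}: role_transitions to undefined role {target}")
    return problems


def learning_subjects(roles):
    """Return sorted (role, subject) pairs whose subject mode carries 'l'."""
    return sorted(
        (rname, spath)
        for rname, r in roles.items()
        for spath, s in r["subjects"].items()
        if "l" in s["mode"]
    )


if __name__ == "__main__":
    for label, text in (("learning", POLICY_LEARNING), ("no-default", POLICY_NO_DEFAULT)):
        parsed = parse_policy(text)
        print(label, check_policy(parsed) or "ok", learning_subjects(parsed))
```

Run it against your own /etc/grsec/policy by reading the file into parse_policy(); the checks are deliberately conservative and only report what the policy text itself shows, so a clean result does not mean gradm will accept the file.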

Postby humlik » Sun Oct 08, 2006 10:22 am

>Your problem is what the error message says: you don't have a default role
> For example, my learning policy looks like this:


I tried to test learning mode with fonya's pasted configuration file and got the same error; it seems that the problem is somewhere else (my policy file already has the default role).

I am using the gradm-2.1.9-200609230939 source; do you use the same one?


Let's look through the program logic.
Suppose the params are -F -L "file".
I get these steps:

gradm.l
int main(...)
....
variable initialization
parse_args(...) ->

-> parse_args():gradm_arg.c
----------------------------
parse_args()
in case F: {
gr_fulllearn = 1;
gr_enable = 1;
}

in case -L {
getting the file with checking ...
gr_learn = 1;
}
...

if (gr_enable)
analyze_acls() ... finishes with the error
-------------------------------------------------

analyze_acls() is executed before any configuration file is parsed, or am I wrong?

Petr

Postby fonya » Mon Oct 09, 2006 4:51 am

You must tell grsec what to do with your programs, which programs must be checked, etc. This is what you must give it with the policy.
Put what I sent before into the policy file. I can find this in the mailing list, docs and forum, so you can find this info too:

For learning mode, you must have 3 "config" files:
pw: gradm -P
gradm -P admin

learn_config: from the beginning of the file:
#This configuration file aids the learning process by tweaking
#the learning algorithm for specific paths.

policy:
You must create this file with some info: which programs you are using, which programs must be learned. This is documented inside the file, from the source.

I hope this was useful.
--
Fonya

Postby fonya » Mon Oct 09, 2006 10:05 am

And what is in the policy file?

Do you have something like this?
role admin sAl
subject / rvka
        / rwcdmlxi

role default Gl
role_transitions admin
--
Fonya

Postby spender » Mon Oct 09, 2006 10:15 am

It's been fixed in the latest version on the website.

-Brad

Postby humlik » Mon Oct 09, 2006 5:25 pm

simple fix works :-)

thanks Brad

Petr

