Policy tuning

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

Policy tuning

Postby derez » Sun Oct 10, 2004 11:56 am

After using the full learning system I still had some issues relating to an
IRC server which was running as user ircd (and with a role of ircd).

Instead of manually troubleshooting the messages I wanted to use the new
(iterative?) learning system as documented in the sample default policy
found in gradm2.

I put an l (lowercase L) next to the ircd role and attempted to run "gradm -L
/etc/grsec/learning.logs -E". I got the error "Subjects are not allowed for
a role with learning enabled, as they are generated by the learning mode".
The ircd role had some ACLs defined by the original full learning mode. I
then proceeded to remove the l (lowercase L) from the role and place it on
the subject /usr/local/sbin/ircd. I then ran the same command "gradm -L
/etc/grsec/learning.logs -E" and attempted to connect to the server and
perform everything I could think of that might access modules or other
resources (several errors for denied access came up during this time). Then
I disabled gradm and used "gradm -L /etc/grsec/learning.logs -O
/etc/grsec/ircd-acl", but nothing was added. In fact nothing was in the
learning.logs file. Any idea what I am doing wrong? Any suggestions?

Danny
derez
 
Posts: 2
Joined: Sun Oct 10, 2004 11:43 am
Location: Virginia, USA

Re: Policy tuning

Postby Hue-Bond » Mon Dec 13, 2004 5:27 pm

>I put an l (lowercase L) next to the ircd role and attempted to run "gradm -L
>/etc/grsec/learning.logs -E". I got the error "Subjects are not allowed for
>a role with learning enabled, as they are generated by the learning mode".
>The ircd role had some ACLs defined by the original full learning mode. I
>then proceeded to remove the l (lowercase L) from the role and place it on
>the subject /usr/local/sbin/ircd.

Try the other way, that is, commenting out all subjects and leaving the role in learning mode without any subject. Then generate a new ACL, compare both and apply changes manually as needed.
Hue-Bond
 
Posts: 34
Joined: Mon Dec 13, 2004 4:31 pm
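The mistake in the first post (a role carrying the learning flag while it still declares subjects) and Hue-Bond's fix (comment the subjects out and leave the bare role in learning mode) can both be checked before running gradm. The following is an added example written for this thread, not part of gradm or either poster's setup: a small Python lint over the role/subject/object line syntax that flags learning roles with subjects and produces the subject-free copy of the policy that Hue-Bond describes. The sample policy is constructed; the real file lives wherever your gradm installation keeps it.

```python
# Constructed sample policy in the syntax the thread uses (role line,
# subject line, indented object lines); not the poster's actual policy.
SAMPLE_POLICY = """\
role ircd ul
role_allow_ip 127.0.0.1/32
subject /usr/local/sbin/ircd o
    / h
    /usr/local/sbin/ircd x
    /etc/ircd r

role default G
subject / o
    / r
"""

def _fields(raw):
    """Drop a trailing '#' comment and split a policy line into words."""
    return raw.split("#", 1)[0].split()

def learning_roles_with_subjects(policy_text):
    """Map each role whose flags contain 'l' (learning) to the subjects it
    still declares. gradm rejects such roles with "Subjects are not allowed
    for a role with learning enabled"; an empty dict means the check passes."""
    offenders, learning, role = {}, False, None
    for raw in policy_text.splitlines():
        f = _fields(raw)
        if not f:
            continue
        if f[0] == "role" and len(f) >= 2:
            role = f[1]
            learning = len(f) > 2 and "l" in f[2]
        elif f[0] == "subject" and learning and len(f) >= 2:
            offenders.setdefault(role, []).append(f[1])
    return offenders

def comment_out_learning_subjects(policy_text):
    """Hue-Bond's suggestion applied mechanically: inside every learning
    role, comment out each subject line and the object lines beneath it.
    Role-level lines (e.g. role_allow_ip) before the first subject are kept."""
    out, learning, commenting = [], False, False
    for raw in policy_text.splitlines():
        f = _fields(raw)
        if f and f[0] == "role":
            learning = len(f) > 2 and "l" in f[2]
            commenting = False
        elif f and f[0] == "subject" and learning:
            commenting = True
        out.append("# " + raw if commenting and f else raw)
    return "\n".join(out) + "\n"
```

After running the learning session on the commented-out copy, diff the ACL that gradm -O generates against the original subjects and merge the differences by hand, as the reply suggests.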
