Policy tuning

Posted: Sun Oct 10, 2004 11:56 am
by derez
After using the full learning system I still had some issues relating to an
IRC server which was running as user ircd (and with a role of ircd).

Instead of manually troubleshooting the messages I wanted to use the new
(iterative?) learning system as documented in the sample default policy
found in gradm2.

I put an l (lowercase L) next to the ircd role and attempted to run "gradm -L
/etc/grsec/learning.logs -E". I got the error "Subjects are not allowed for
a role with learning enabled, as they are generated by the learning mode".
The ircd role had some ACLs defined by the original full learning mode. I
then proceeded to remove the l (lowercase L) from the role and place it on
the subject /usr/local/sbin/ircd. I then did the same command "gradm -L
/etc/grsec/learning.logs -E" and attempted to connect to the server and
perform everything I could think of that might access modules or other
resources (several errors for denied access came up during this time). Then
I disabled gradm and used "gradm -L /etc/grsec/learning.logs -O
/etc/grsec/ircd-acl" but nothing was added. In fact nothing was in the
learning.logs file. Any idea what I am doing wrong? Any suggestions?

Danny

Re: Policy tuning

Posted: Mon Dec 13, 2004 5:27 pm
by Hue-Bond
>I put an l (lowercase L) next to the ircd role and attempted to run "gradm -L
>/etc/grsec/learning.logs -E". I got the error "Subjects are not allowed for
>a role with learning enabled, as they are generated by the learning mode".
>The ircd role had some ACLs defined by the original full learning mode. I
>then proceeded to remove the l (lowercase L) from the role and place it on
>the subject /usr/local/sbin/ircd.

Try the other way, that is, commenting out all subjects and leaving the role in learning mode without any subject. Then generate a new ACL, compare both and apply changes manually as needed.