grsecurity forums

I cannot execute gradm in the learning mode because of "missing" default role. But where shoud I put a default role ? I have one in /etc/grsec/policy (used from default install) but does the learning mode really use this file?
Where should I put the default role ? It happened only with latest grsec & gradm


>gradm -F -L /root/grsec/initial_raw_log

There is no default role present in your configuration.
Please read the RBAC documentation and create a default role before attempting to enable the RBAC system.

uname -a
Linux gate 2.6.18-grsec #1

gradm -v
gradm v2.1.9
(gradm-2.1.9-200609230939.tar.gz used)

>cat /etc/grsec/policy

role admin sA
subject / rvka
/ rwcdmlxi

role default G
role_transitions admin
subject /
/ r
......

Petr

Your problem is what the error message is: You don't have default role

For example, my learning policy look like this:

Code: Select all

role admin sAl
subject / rvka
        / rwcdmlxi

role default Gl
role_transitions admin

subject something_prg1 lo
        / h

        -CAP_ALL
        RES_FSIZE 0 0
        RES_DATA 0 0
        RES_RSS 0 0
        RES_NOFILE 0 0
        RES_MEMLOCK 0 0
        RES_STACK 0 0
        RES_AS 0 0
        RES_NPROC 0 0
        RES_LOCKS 0 0

        connect disabled
        bind disabled

subject something_prg2 lo
        / h

        -CAP_ALL
        RES_FSIZE 0 0
        RES_DATA 0 0
        RES_RSS 0 0
        RES_NOFILE 0 0
        RES_MEMLOCK 0 0
        RES_STACK 0 0
        RES_AS 0 0
        RES_NPROC 0 0
        RES_LOCKS 0 0

        connect disabled
        bind disabled


And from the def. install I have a learn_config too.

>Your problem is what the error message is: You don't have default role
> For example, my learning policy look like this:


I tried to test the learning mode with fonya's pasted configuration file and I got the same error, it seems that the problem is somwhere else (my policy file has already has the default role)

I am using gradm-2.1.9-200609230939 source, do you use the same one ?


Let's look through the program logic
suppose params -F -L "file"
I will get these steps:

gradm.l
int main(...)
....
variable initialization
parse_args(...) ->

-> parse_args():gradm_arg.c
----------------------------
parse_args()
in CASE F: {
gr_fulllearn = 1;
gr_enable = 1;
}

in CASE -L {
getting the file with checking ...
gr_learn = 1;
}
...

if (gr_enable)
analyze_acls() ... finishes with the error
-------------------------------------------------

analyze_acls() is executed before any cofiguration file is parsed, or am I wrong ?

Petr

You must tell grsec what to do with your programs, which programs must be checkd etc. This what You must give them with policy.
Put this what I send before to the policy file. I can find those from mail list, docs, and forum, so You can find those info too:

For learning mode, You must have 3 "config" file:
pw: gradm -P
gradm -P admin

learn_config: from the begining the file:
#This configuration file aids the learning process by tweaking
#the learning algorithm for specific paths.

policy:
You must create this file some info, which program You are using, which program must be learned. This is documented in the file inside, from source.

I hope this was usefull.

And what is in the policy file?

Do You have somthing like this?

Code: Select all

role admin sAl
subject / rvka
        / rwcdmlxi

role default Gl
role_transitions admin


It's been fixed in the latest version on the website.

-Brad

simple fix works :-)

thanks Brad

Petr