gradm learning mode

Postby ryan » Sun Nov 24, 2002 3:23 am

OK, well, I'm having but one issue with gradm: I manually configured most of my ACLs but I think it's all broken my email. In any case, I tried enabling the learning mode with just

/ l {
}

Obviously that didn't work, so I did

/ l {
/ rwx
}

Then I got errors that gradm won't start insecurely (basically).

So anyway, I grabbed the default ACLs, set learning mode and fixed a few small things gradm complained about (mainly /lib).

Now -- I enabled learning mode and proceeded to check my email, but it still won't work with gradm in learning mode. It only works with ACLs completely off (gradm -D). So I'm assuming some ACL restrictions are staying in place while in learning mode. How could I get gradm to do more verbose learning, as in watch everything and learn from EVERYTHING going on, on the system (from every process)? I know it would be a tad intensive, but this way I'll be able to pick around the ACL it generates and work out where my email is messing up.

I use a rather intrusive control panel system called Ensim, so a lot of things are not very visible to the naked eye at a glance.

Any comments would be of help.
ryan
 
Posts: 13
Joined: Tue Mar 26, 2002 6:48 am

Postby ryan » Sun Nov 24, 2002 3:38 am

OK, I found that the problem is that gradm won't allow writable libs to load. The lib in this case is /lib/security/pam_ensimvwh.so

My issue now is that the pam_ensimvwh.so file is located in each virtual site on 'Ensim' (chroot environment), under /home/virtual/site#/fst/lib/security/pam_ensimvwh.so

Is it possible to define wildcards in ACL rules? So I could do something like

/ {
/home/virtual/site*/fst/lib/ rx
}
ryan
 
Posts: 13
Joined: Tue Mar 26, 2002 6:48 am

Postby ryan » Sun Nov 24, 2002 4:20 pm

Another question: what's a use for 'RES_CRASH'? It seems vaguely documented.
ryan
 
Posts: 13
Joined: Tue Mar 26, 2002 6:48 am

Postby spender » Sun Nov 24, 2002 5:42 pm

We don't support wildcards, though it's something we could do in the future. When it is supported, you'll have to remember that it won't work dynamically. E.g., if you are using a wildcard that is supposed to represent 30 user directories, if you add another user directory while the ACL system is enabled, it won't include that new directory.

As for RES_CRASH, it's useful for if you're using PaX. It prevents daemons from being the target of exploit bruteforcing.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby ryan » Sun Nov 24, 2002 5:45 pm

Yeah, I just made a script to generate some rules for all my virtual sites. It works pretty well I guess, and I love the ACL as is, so all is good :).
ryan
 
Posts: 13
Joined: Tue Mar 26, 2002 6:48 am
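
An added example, not ryan's script and not part of gradm: one way to generate the per-site object rules in place of the unsupported wildcard, plus a check for sites created after the ACL file was written (the same staleness spender describes for wildcards). It assumes the /home/virtual/site#/fst/lib layout and the "path mode" rule form shown in the posts above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Expands the site*/fst/lib pattern into
# explicit object rules, since the ACL system does not expand wildcards itself.

# gen_site_rules ROOT [MODE]
# Print one "path/ mode" rule per existing <ROOT>/site*/fst/lib directory.
gen_site_rules() {
    root=$1
    mode=${2:-rx}
    for dir in "$root"/site*/fst/lib; do
        # Skips the unexpanded glob (no sites) and entries that are not directories.
        [ -d "$dir" ] || continue
        # Refuse site names with unusual characters rather than emit a rule
        # that could be mis-parsed when the ACL file is loaded.
        rel=${dir#"$root"/}
        case $rel in
            *[!A-Za-z0-9/._-]*) echo "skipping odd path: $dir" >&2; continue ;;
        esac
        printf '%s/ %s\n' "$dir" "$mode"
    done | LC_ALL=C sort
}

# missing_site_rules ROOT ACLFILE
# Print generated rules that do not appear (ignoring indentation) in ACLFILE,
# i.e. sites added since the file was last regenerated.
missing_site_rules() {
    stripped=$(sed 's/^[[:space:]]*//' "$2")
    gen_site_rules "$1" | while IFS= read -r rule; do
        printf '%s\n' "$stripped" | grep -qxF -e "$rule" || printf '%s\n' "$rule"
    done
}

# Constructed demo tree (not real site data): run with "demo" as first argument.
if [ "${1:-}" = demo ]; then
    t=$(mktemp -d)
    mkdir -p "$t/site1/fst/lib" "$t/site2/fst/lib"
    gen_site_rules "$t"
    rm -rf "$t"
fi
```

Running the missing-rule check from cron or from the site-creation hook flags new virtual sites that are not yet covered, so the ACL file can be regenerated and reloaded.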

Postby spender » Sun Nov 24, 2002 5:50 pm

As for the system-wide learning, it's going to be developed when we support nested ACLs.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
