grsecurity forums

And another annoying topic from me (seems to be my posts maybe ignored sometimes )
gradm often assigns +CAP_ALL without any reason. If program uses few capabilities (for example, CAP_DAC_*, CAP_SETU/GID), gradm in learning mode assigns +CAP_ALL without consulting me, what capabilities actually program requests.
P.S. Often there are same cases with objects too: program writes to it's own program configuration directory (/home/undine/.progname), but rights after learning are rwcd on whole home directory!
It is normal and I should see logs and manually rewrite subject?

Are you using the per-subject learning and forgot to add -CAP_ALL to the subject? If you leave out any capability rules it acts as though you want no capability restrictions to be learned and +CAP_ALL will appear in the learned policy. If that's not the case, I'd need to see your learning logs.

If you don't want /home/user being reduced, you can modify learn_config to reflect it.

-Brad

spender wrote:Are you using the per-subject learning and forgot to add -CAP_ALL to the subject? If you leave out any capability rules it acts as though you want no capability restrictions to be learned and +CAP_ALL will appear in the learned policy. If that's not the case, I'd need to see your learning logs.

If you don't want /home/user being reduced, you can modify learn_config to reflect it.

-Brad

Thanks. Perhaps I forgot to add -CAP_ALL before learning the subject. Problem solved.