
RBAC Learning Issue?

Posted: Sun Dec 07, 2014 5:08 pm
by tjh
I've had full system learning enabled on my system for the last week. I've made sure I sent a few emails from my webmail client.
Today I completed the policy generation from the full logs and turned it on to test with.

When I try to send a mail via my webmail client, it didn't work. I got the following RBAC message:

grsec: (root:U:/usr/lib/postfix/smtpd) denied socket(inet,stream,ip) by /usr/lib/postfix/smtpd[smtpd:21728] uid/euid:0/0 gid/egid:0/0, parent /usr/lib/postfix/master[master:5872] uid/euid:0/0 gid/egid:0/0


This struck me as odd, because I'd made sure I did a lot of learning of sending mail. No worries, I stuck the following in my policy file:

# Role: root
subject /usr/lib/postfix/smtpd ol {


I ran gradm -E -L /tmp/pf.log

And now I can send mail. I sent a few and checked the pf.log file. It's 0 bytes, it's empty. So I can't learn from it.
I realise I can fix this manually, but I am now worried - are there going to be a lot of other things I haven't learnt?

It seems GRSEC isn't learning this? Am I doing something wrong?

I am using the version of grsecurity available for 3.17.4 on the 27th November, and gradm-3.0-201408301734.tar.gz

Tim
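The denial line quoted above has a fixed layout (role:type:subject in parentheses, the denied operation, the acting process with comm and PID, its uid/euid and gid/egid, then the same for the parent). When a freshly generated policy is first enforced, the useful thing is to collect every such denial and group it by subject and operation, so the gaps the learning run missed stand out. The parser and summary below are an added example written for this thread, not code from grsecurity or gradm; the first sample line is the one from the post, the two other grsec lines are constructed in the same layout, and the regular expression is an assumption derived from that layout rather than from the kernel's format strings.

```python
import re
from collections import Counter

# Constructed sample input. Line 1 is the denial quoted in the post above;
# lines 2-3 are made up for this example in the same layout; line 4 is a
# non-grsec line that the parser must ignore.
SAMPLE_LOG = """\
grsec: (root:U:/usr/lib/postfix/smtpd) denied socket(inet,stream,ip) by /usr/lib/postfix/smtpd[smtpd:21728] uid/euid:0/0 gid/egid:0/0, parent /usr/lib/postfix/master[master:5872] uid/euid:0/0 gid/egid:0/0
grsec: (root:U:/usr/lib/postfix/smtpd) denied socket(inet,stream,ip) by /usr/lib/postfix/smtpd[smtpd:21731] uid/euid:0/0 gid/egid:0/0, parent /usr/lib/postfix/master[master:5872] uid/euid:0/0 gid/egid:0/0
grsec: (root:U:/usr/lib/postfix/smtpd) denied connect() to 192.0.2.10 port 25 sock type stream protocol tcp by /usr/lib/postfix/smtpd[smtpd:21731] uid/euid:0/0 gid/egid:0/0, parent /usr/lib/postfix/master[master:5872] uid/euid:0/0 gid/egid:0/0
kernel: eth0: link up
"""

# Assumed layout of an RBAC denial, taken from the line in the post:
# grsec: (ROLE:TYPE:SUBJECT) denied OP by PATH[COMM:PID] uid/euid:U/E gid/egid:G/E,
#        parent PPATH[PCOMM:PPID] uid/euid:U/E gid/egid:G/E
DENIAL_RE = re.compile(
    r"grsec: \((?P<role>[^:]+):(?P<role_type>[^:]+):(?P<subject>[^)]+)\) "
    r"denied (?P<op>.+?) "
    r"by (?P<path>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<parent>\S+?)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\] "
    r"uid/euid:(?P<puid>\d+)/(?P<peuid>\d+) gid/egid:(?P<pgid>\d+)/(?P<pegid>\d+)"
)

INT_FIELDS = ("pid", "uid", "euid", "gid", "egid",
              "ppid", "puid", "peuid", "pgid", "pegid")


def parse_denial(line):
    """Return a dict of fields for an RBAC denial line, or None for anything else."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in INT_FIELDS:
        d[key] = int(d[key])
    # op_kind strips the arguments: "socket(inet,stream,ip)" -> "socket",
    # "connect() to 192.0.2.10 port 25 ..." -> "connect"
    d["op_kind"] = d["op"].split("(")[0].split(" ")[0]
    return d


def summarize_denials(text):
    """Count denials per (subject, op_kind) so missing policy rules stand out."""
    counts = Counter()
    for line in text.splitlines():
        d = parse_denial(line)
        if d is not None:
            counts[(d["subject"], d["op_kind"])] += 1
    return counts


if __name__ == "__main__":
    # Typical use: feed the kernel log through this, e.g. journalctl -k | python3 thisfile.py
    for (subject, op_kind), n in sorted(summarize_denials(SAMPLE_LOG).items()):
        print(f"{n:4d}  {subject}  {op_kind}")
```

Each (subject, operation) pair that shows up here after enforcement is a candidate for either another short, focused learning run on that subject or a hand-written rule; the counts also make it easy to tell one-off noise from something a daemon hits on every request.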

Re: RBAC Learning Issue?

Posted: Sun Dec 07, 2014 6:35 pm
by spender
You can't go by the size of the log file while learning is enabled as a gauge of whether it's learned anything -- it'll cache some information in memory and only write it out to disk when learning is stopped or its buffers are full.

-Brad

Re: RBAC Learning Issue?

Posted: Sun Dec 07, 2014 6:39 pm
by spender
When grepping the learning log for /usr/lib/postfix/smtpd, do you see any IP addresses (suggesting learned network rules)? Did that subject have any bind/connect rules at all in the learned policy?

I don't recommend such long learning periods -- it produces very large logs and is generally unnecessary. With focused testing, you should be able to exercise any needed functionality in 15 minutes or so.

-Brad

Re: RBAC Learning Issue?

Posted: Sun Dec 07, 2014 6:52 pm
by tjh
I should have clarified that it was 0 bytes after I'd disabled the RBAC system again.

I can't get anything to appear in the file now; however, at the moment I'm having no problems sending mail even with learning removed from the policy.

So I must have been doing something really silly.

Re learning for a long time: I find that my cron jobs etc don't run if I haven't run learning for at least 24 hours.

Tim