1) I let "gradm -F -L ..." run for a couple of weeks, then threw the
logs to "gradm -F -L ... -O ...".
It generated a rather restrictive policy, I twiked some rules, and
when I implemented the policy, some programs were blocked although they
had been seen many times (for example, Postfix components).
I added "l" (learn) flags to the impacted "subjects", ran the learning
process again and fixed most problems.
Anyway, I still saw bizarre messages, e.g.:
(default:D:/) denied access to hidden file /etc/localtime by /usr/sbin/fetchnews[fetchnews:22855] uid/euid:9/9 gid/egid:13/13,
parent /etc/cron.daily/fetchnews[fetchnews:22854] uid/euid:0/0
I don't understand why the default role complains here: I have a role
for the "news" user and all programs than run under its UID avec an
2) (incremental) learning of the news logs is awfully slow.
# gradm -L /tmp/learning.logs -O /tmp/policy
Beginning full learning object reduction for subject /usr/sbin/uptimed...done. [snip]
Beginning full learning object reduction for subject /...
The first subjects appeared quickly. Now, gradm has spent days on /
using 100% CPU (on one core) and 1 GB.