• GrSecurity: slow learning mode & incomplete policy

    From Michel Arboi@110:300/11 to All on Mon Sep 15 13:00:54 2014
    I have some troubles with GrSecurity learning mode and did not find any
    answer in https://en.wikibooks.org/wiki/Grsecurity/The_Administration_Utility#Learning_Mode
    Their ML appears to be dead, or restricted to announces now.

    1) I let "gradm -F -L ..." run for a couple of weeks, then threw the
    logs to "gradm -F -L ... -O ...".
    It generated a rather restrictive policy, I tweaked some rules, and
    when I implemented the policy, some programs were blocked although they
    had been seen many times (for example, Postfix components).
    I added "l" (learn) flags to the impacted "subjects", ran the learning
    process again and fixed most problems.

    Anyway, I still saw bizarre messages, e.g.:
    (default:D:/) denied access to hidden file /etc/localtime by /usr/sbin/fetchnews[fetchnews:22855] uid/euid:9/9 gid/egid:13/13,
    parent /etc/cron.daily/fetchnews[fetchnews:22854] uid/euid:0/0
    gid/egid:0/0 /usr/sbin/fetchnews

    I don't understand why the default role complains here: I have a role
    for the "news" user and all programs that run under its UID have an
    associated subject.

    2) (incremental) learning of the news logs is awfully slow.

    # gradm -L /tmp/learning.logs -O /tmp/policy
    Beginning full learning object reduction for subject /usr/sbin/uptimed...done. [snip]
    Beginning full learning object reduction for subject /...

    The first subjects appeared quickly. Now, gradm has spent days on /
    using 100% CPU (on one core) and 1 GB.

    What mistake did I make?

    --
    http://ma75.blogspot.com/
    PGP key ID : 0x85A1C6A1 - 0x05054F8485A1C6A1
    Fingerprint: 1DC3 8857 B930 0B6B 9420 5D56 0505 4F84 85A1 C6A1

    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: Guest of ProXad - France (110:300/11@linuxnet)