Robert Connolly robert at
Tue Nov 4 17:25:19 PST 2008

An initrd would have been nicer, but I managed without it (I don't remember 
ever making an initrd in my life). This is what I did to enable grsecurity 
learning from boot:

# Assuming /dev/sda5 is your /

mkdir /mnt/sda5
mount /dev/sda5 /mnt/sda5/
mknod -m 0622 /mnt/sda5/dev/grsec c 1 13
umount /mnt/sda5/
rmdir /mnt/sda5

# gradm wants to write to /etc/grsec/ for its pid file,
# so work around this:

mv -v /etc/grsec/ /etc/grsec.bak
mkdir -v -m 700 /root/grsec
ln -sv /root/grsec /etc/grsec

# Then add this to /etc/rc.d/init.d/mountkernfs after /proc is mounted.

mount -n -o mode=700 -t tmpfs tmpfs /root/grsec;
cp /etc/grsec.bak/* /root/grsec;
rm -f /root/grsec/;
gradm -F -L /root/grsec/learning.log;

# gradm needs /proc to readlink(1) the pid/exe files.

# I added the ;'s in hope that they will let the script
# continue even if the commands fail.

# After rebooting, gradm -S does not seem to work, and I can't authenticate.
# Never the less, I can get the new policy:

gradm -F -L /etc/grsec/learning.log -O /root/learning_policy.roles

# Remove the stuff in /etc/rc.d/init.d/mountkernfs and reboot again.

# Then cleanup:

rm /etc/grsec
mv /etc/grsec.bak /etc/grsec/
rmdir /root/grsec

# Our fruits rest in /root/learning_policy.roles.

So, the end policy needs a lot of touching up, and udevd wasn't considered an 
object... gradm considers udevd the script it ran from. This should get 
cleaned up so each boot script has its own rules. gradm sorted them all 

I got what I wanted, rules for /sbin/init say it needs CAP_SYS_ADMIN and 
read-write access to /dev/console, /dev/initctl, /var/run/utmp, write-only 
to /var/log/wtmp, execute permission on /etc/rc.d/init.d/rc, read 
to /etc/localtime, and read on /bin/bash. Nothing else.

/sbin/agetty doesn't need capabilities, just some read and write to some files 
and tty devices. It should be very easy to run agetty as a regular user.

/bin/login needs some capabilities, and might be a little tricky to run as a 
normal user (bash --login) without capabilities.

I hope to enable gradm on the reboot, to control processes that are normally 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <>

More information about the hlfs-dev mailing list