445434 – sys-apps/gradm-2.9.1.201206091838-r1 can't use split_roles

Bug 445434 - sys-apps/gradm-2.9.1.201206091838-r1 can't use split_roles

Summary: sys-apps/gradm-2.9.1.201206091838-r1 can't use split_roles

Status:	RESOLVED WONTFIX

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	[OLD] Core system (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Anthony Basile

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2012-12-01 07:00 UTC by Marcin Mirosław
Modified:	2013-02-12 03:34 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcin Mirosław 2012-12-01 07:00:13 UTC

gradm --help displays:
[...]
-O <filename|directory>, --output
                        Specify where to place policies generated from
                        learning mode.  Should be a directory only if
                        "split-roles" is specified in learn_config.
[...]

So:
# grep split /etc/grsec/learn_config
# to write out your generated policy such that roles are split into separate
split-roles

but:
# gradm -L grlearn -O b
Unable to open b for writing.
Error: Is a directory


Reproducible: Always

Comment 1 Anthony Basile gentoo-dev

2012-12-01 13:47:10 UTC

What version of gradm?

Comment 2 Anthony Basile gentoo-dev

2012-12-01 14:23:36 UTC

(In reply to comment #1)
> What version of gradm?

Sorry. Its in the title.  I've confirmed this.

Comment 3 Anthony Basile gentoo-dev

2013-01-10 13:40:15 UTC

I added gradm-2.9.1.201301041755 to the tree.  Can you test?

Comment 4 Marcin Mirosław 2013-01-10 14:34:33 UTC

No, still doesn't work. If I don't create output dir then output should be created as file. But I'm lookong into gradm_fulllearn.c file and there is:

        if (grlearn_options & GR_SPLIT_ROLES) {
                if (stream) {
                        fprintf(stderr, "Error: Output path must be a directory when \"split-roles\" is used in learn-config.\n");
                        exit(EXIT_FAILURE);
                }
                current_output_file = alloca(strlen(output_log) + 16384);
                sprintf(current_output_file, "%s/policy", output_log);
                stream = fopen(current_output_file, "w");
                if (stream == NULL) {
                        fprintf(stderr, "Unable to open %s for writing.\n"
                                        "Error: %s\n", current_output_file, strerror(errno));
                        exit(EXIT_FAILURE);
                }
        } else {
                if (stream == NULL) {
                        fprintf(stderr, "Error: Output path must be a file when \"split-roles\" is not used in learn-config.\n");
                        exit(EXIT_FAILURE);
                }
        }

And I didn't got message "Output path must be a directory when...". So maybe:
a) gradm doesn't noticed I configured "split-roles"
b) something is wrong with "if" statement above
c) something else, (I don't have C skills) ;)

Comment 5 Marcin Mirosław 2013-01-10 14:51:25 UTC

man 8 gradm says:
-O <filename|stream>
             Specifies  output  mode.  Requires a single argument that can be
              "stdout", "stderr", or a regular file.  Only used with -L or -F.

So it looks option with "directory" was removed, but gradmfullearn.c says something diffrent.

Comment 6 Anthony Basile gentoo-dev

2013-01-13 23:48:11 UTC

(In reply to comment #5)
> man 8 gradm says:
> -O <filename|stream>
>              Specifies  output  mode.  Requires a single argument that can be
>               "stdout", "stderr", or a regular file.  Only used with -L or
> -F.
> 
> So it looks option with "directory" was removed, but gradmfullearn.c says
> something diffrent.

Yep. Upstream is not supporting this.

Comment 7 Marcin Mirosław 2013-01-14 09:26:22 UTC

Uhm, thanks.