If the ACL system was already enabled with gradm -E, you will need to switch to admin mode with gradm -a; if it was not, we can enable it later. Note: we can change the flags on an ACL at any time while in admin mode.

To enable process-based learning mode on a subject, we first need to add it to /etc/grsec/acl, either directly or via the include directive.

---------------------
/path/to/subject lo {
    /           h
    /etc/grsec  h
    -CAP_ALL
    connect {
        disabled
    }
    bind {
        disabled
    }
}
---------------------

A more restrictive ACL for learning mode might look like this:

---------------------
/path/to/subject loXA {
    /           h
    /etc/grsec  h
    /dev/mem    h
    /dev/kmem   h
    /dev/port   h
    /proc/kcore h
    -CAP_ALL
    RES_FSIZE 0 0
    RES_DATA 0 0
    RES_RSS 0 0
    RES_NOFILE 0 0
    RES_MEMLOCK 0 0
    RES_STACK 0 0
    RES_AS 0 0
    RES_NPROC 0 0
    RES_LOCKS 0 0
    connect {
        disabled
    }
    bind {
        disabled
    }
}
---

Then we reload the grsecurity ACL system via gradm -R

At this point, use the subject program normally. If the subject program is something that uses authentication, you should log in to and log out of that service. This causes it to do its work with passwd, shadow, PAM or whatever else the subject program needs. Starting and stopping the subject program is a good idea at this point as well.

/etc/init.d/subject-name start
/etc/init.d/subject-name stop

We start the subject program so that, if it needs to read any configuration files at startup, the ACL system can learn about them. We stop the subject program so that, if it needs to unlink any files when shutting down, the ACL system can learn about those too.

According to the grsecurity documentation it is best to repeat this process about 4 times.

##################
# Getting Output #
##################

syslog-ng example:

/sbin/gradm -L /var/log/kern.log -O output.acl

Depending on your syslog service you may need to change the logfile name:

/sbin/gradm -L /var/log/messages -O output.acl
/sbin/gradm -L /var/log/syslog -O output.acl

Optionally -O stdout can be used.

---
Example output here..
---

######################
# Cleaning up output #
######################

If you know your service will be doing name service lookups, you might want to add something like 'connect { 0.0.0.0/0:53 stream dgram ip tcp udp }' to the final ACL result.
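The learning cycle above (reload, start/stop the service a few rounds, convert the log) and the DNS clean-up step, as an added shell script that is not part of the original page. It assumes the old single-file /etc/grsec/acl stanza format shown above, an init.d service name for the subject, and the environment overrides GRADM, LOGFILE, ROUNDS and DRY_RUN; DRY_RUN=1 only prints the commands so the cycle can be rehearsed without root.

```shell
#!/bin/sh
# Added example, not from the page. Assumed overrides: GRADM, LOGFILE,
# ROUNDS (the page recommends about 4) and DRY_RUN=1 to print instead of run.
GRADM="${GRADM:-/sbin/gradm}"
LOGFILE="${LOGFILE:-/var/log/kern.log}"
ROUNDS="${ROUNDS:-4}"

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# learning_cycle SERVICE OUTFILE
# Reload the ACLs (gradm -R), start/stop the service ROUNDS times so
# startup reads and shutdown unlinks get logged, then turn the log
# into an ACL with gradm -L LOGFILE -O OUTFILE.
learning_cycle() {
    svc="$1"; out="$2"
    run "$GRADM" -R || return 1
    i=0
    while [ "$i" -lt "$ROUNDS" ]; do
        run /etc/init.d/"$svc" start || return 1
        run /etc/init.d/"$svc" stop || return 1
        i=$((i + 1))
    done
    run "$GRADM" -L "$LOGFILE" -O "$out"
}

# add_dns_connect SUBJECT ACLFILE
# Print ACLFILE with the name-service connect rule from the page inserted
# just before the closing brace of SUBJECT's stanza. Matches both the
# "/path flags {" and "subject /path flags {" header forms (assumption).
add_dns_connect() {
    awk -v subj="$1" '
        ($1 == subj || $2 == subj) && $NF == "{" { inside = 1 }
        inside && NF == 1 && $1 == "}" {
            print "\tconnect { 0.0.0.0/0:53 stream dgram ip tcp udp }"
            inside = 0
        }
        { print }
    ' "$2"
}
```

Typical use is `learning_cycle sshd output.acl` as root, followed by `add_dns_connect /usr/sbin/sshd output.acl > final.acl` and a review of final.acl before installing it.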