[tomoyo-users-en 123] Question/problem with TOMOYO from mainline kernel

Iustin Pop iusty****@k1024*****
Fri Jan 8 23:19:08 JST 2010


Hello all,

I have spent some time testing TOMOYO as provided in 2.6.32.3 and the 2.2.x
tools as downloaded from the sourceforge web site.

Note that I didn't actually install the tools on my machine, just compiled and
tested from the build directory. Do the tools need installation to fix the
below problem?

Using the 'learning' profile, I can get TOMOYO to record the domain hierarchy,
but it doesn't record any ACLs in the Domain Policy Editor.

For example:

# cat /sys/kernel/security/tomoyo/domain_policy
...
<kernel> /usr/sbin/gdm /bin/dash
use_profile 1


<kernel> /usr/sbin/gdm /bin/dash /sbin/runlevel
use_profile 1


<kernel> /usr/sbin/gdm /usr/bin/X
use_profile 1


<kernel> /usr/sbin/gdm /usr/bin/X /usr/bin/Xorg
use_profile 1


<kernel> /usr/sbin/gdm /usr/bin/X /usr/bin/Xorg /bin/dash
use_profile 1


<kernel> /usr/sbin/gdm /usr/bin/X /usr/bin/Xorg /bin/dash /usr/bin/xkbcomp
use_profile 1


<kernel> /usr/sbin/gdm /etc/gdm/Init/Default
use_profile 1


<kernel> /usr/sbin/gdm /etc/gdm/Init/Default /bin/uname
use_profile 1
...

But no ACLs are present in the file. Furthermore, if I switch to
enforcing profile, no actual operations are denied.

My exception policy:
initialize_domain /sbin/hotplug
initialize_domain /sbin/modprobe
initialize_domain /usr/sbin/gdm

And my profiles:
0-COMMENT=disabled
0-MAC_FOR_FILE=disabled
0-MAX_ACCEPT_ENTRY=2048
0-TOMOYO_VERBOSE=enabled
1-COMMENT=learning
1-MAC_FOR_FILE=learning
1-MAX_ACCEPT_ENTRY=131072
1-TOMOYO_VERBOSE=enabled
2-COMMENT=
2-MAC_FOR_FILE=permissive
2-MAX_ACCEPT_ENTRY=2048
2-TOMOYO_VERBOSE=enabled
3-COMMENT=enforcing
3-MAC_FOR_FILE=enforcing
3-MAX_ACCEPT_ENTRY=2048
3-TOMOYO_VERBOSE=enabled

Sorry if this is a beginner question and I have missed some basic settings.

Thank you in advance,
Iustin
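A small diagnostic for the symptom described in the post, added here as an example and not part of the original message or the TOMOYO tools: it parses a domain_policy dump and a profile listing in the 2.2 format shown above and lists every domain whose profile turns file MAC on (learning, permissive or enforcing) but which carries no ACL line. The sample input is constructed from the excerpts in the post, with one ACL line invented for contrast.

```python
import re
# Constructed sample input, modelled on the dump quoted in the post above
DOMAIN_POLICY = """\
<kernel> /usr/sbin/gdm /bin/dash
use_profile 1

<kernel> /usr/sbin/gdm /usr/bin/X /usr/bin/Xorg
use_profile 1
allow_read /etc/ld.so.cache

<kernel> /sbin/modprobe
use_profile 0
"""

PROFILES = """\
0-MAC_FOR_FILE=disabled
1-MAC_FOR_FILE=learning
"""

def parse_profiles(text):
    """Map profile number to its MAC_FOR_FILE mode, e.g. {1: 'learning'}."""
    modes = {}
    for line in text.splitlines():
        m = re.match(r"(\d+)-MAC_FOR_FILE=(\w+)$", line)
        if m:
            modes[int(m.group(1))] = m.group(2)
    return modes

def parse_domain_policy(text):
    """Map each domain name to its profile number and its list of ACL lines."""
    domains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):
            current = domains.setdefault(line, {"profile": None, "acls": []})
        elif line.startswith("use_profile ") and current is not None:
            current["profile"] = int(line.split()[1])
        elif current is not None:
            current["acls"].append(line)  # every other line is an ACL entry
    return domains

def domains_without_acls(domain_text, profile_text):
    """Domains whose profile has file MAC on but which carry no ACL lines."""
    modes = parse_profiles(profile_text)
    domains = parse_domain_policy(domain_text)
    return sorted(name for name, d in domains.items()
                  if modes.get(d["profile"], "disabled") != "disabled"
                  and not d["acls"])
```

Run it against the real files (`/sys/kernel/security/tomoyo/domain_policy` and `/sys/kernel/security/tomoyo/profile`) to see whether every learning-mode domain is empty, which would point at policy not being loaded or the kernel not recording accesses, rather than at a single misbehaving domain.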



