On Sat, Jan 09, 2010 at 11:24:15AM +0900, Tetsuo Handa wrote:
> > Iustin Pop wrote:
> > > Note that I didn't actually install the tools on my machine, just compiled and
> > > testing from the build directory. Do the tools need installation to fix the
> > > below problem?
> >
> > I think /sbin/tomoyo-init (which is installed by "make install") is missing and
> > therefore TOMOYO is not yet activated. Please create /sbin/tomoyo-init by
> > "cp -p tomoyo-init /sbin/" from the build directory.
>
> Additional info:
>
> TOMOYO is activated when "/sbin/init is executed" && "/sbin/tomoyo-init exists".
> Thus, you need to reboot the system (or at least, execute /sbin/init) after
> creating /sbin/tomoyo-init in order to activate TOMOYO. /sbin/tomoyo-init loads
> policy from /etc/tomoyo/ directory when /sbin/init is executed.

Ah, I understand now - without /sbin/tomoyo-init, TOMOYO stays in
uninitialized mode, and I found this in my kernel dmesg: "Not activating
Mandatory Access Control now since /sbin/tomoyo-init doesn't exist."

> Before TOMOYO is activated, all programs can modify policy via
> /sys/kernel/security/tomoyo/ interface. But after TOMOYO is activated, only
> programs or domainnames listed in /sys/kernel/security/tomoyo/manager can.
> Therefore, you will see error messages like "$domainname ( $programname ) is
> not permitted to update policies." from /bin/dmesg output.
> Please append $domainname or $programname to /etc/tomoyo/manager.conf and
> reboot the system so that /sbin/tomoyo-init copies /etc/tomoyo/manager.conf
> to /sys/kernel/security/tomoyo/manager.

Thank you for the detailed explanation. This makes sense, and I also found out
in the kernel that one can force initialization via /sbin/tomoyo-start (after
the system has booted).

Maybe it would be good to add the requirement of /sbin/tomoyo-init to the
quick-start documentation.

Thank you, I will play now more with TOMOYO!

iustin
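The two kernel messages quoted in this thread can be checked mechanically. The script below is an added example, not part of the original mails or of the TOMOYO tools: it reads saved dmesg text, reports whether activation was skipped, and lists denied programs that are not yet in a manager file. The sample log lines and the /opt/example/ program paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: interpret the two kernel messages discussed in the thread.
# Message wording is taken from the thread; the sample log below is constructed.

# Succeeds when the log shows TOMOYO stayed inactive because /sbin/tomoyo-init is absent.
activation_skipped() {
    grep -Fq "Not activating Mandatory Access Control now since /sbin/tomoyo-init doesn't exist." "$1"
}

# Prints each program named in a policy-update denial, one per line, de-duplicated.
# Expected message shape: "$domainname ( $programname ) is not permitted to update policies."
denied_programs() {
    sed -n 's/^.*( \(.*\) ) is not permitted to update policies\.$/\1/p' "$1" | sort -u
}

# Prints denied programs (from log $1) that are not already a line in manager file $2.
# Each is only a candidate for /etc/tomoyo/manager.conf: review before appending,
# because a listed program is allowed to rewrite policy.
missing_manager_entries() {
    denied_programs "$1" | while IFS= read -r prog; do
        grep -Fxq -- "$prog" "$2" || printf '%s\n' "$prog"
    done
}

# Constructed sample: first line from a boot without tomoyo-init, the rest from a later boot.
sample_log() {
cat <<'EOF'
[    0.512] Not activating Mandatory Access Control now since /sbin/tomoyo-init doesn't exist.
[   41.007] <kernel> /usr/sbin/sshd /bin/bash ( /opt/example/policy-editor ) is not permitted to update policies.
[   52.310] <kernel> /usr/sbin/sshd /bin/bash ( /opt/example/policy-loader ) is not permitted to update policies.
[   60.114] <kernel> /usr/sbin/sshd /bin/bash ( /opt/example/policy-editor ) is not permitted to update policies.
EOF
}

# Demo run on the constructed sample, with one program already listed as a manager.
log=$(mktemp); conf=$(mktemp)
sample_log > "$log"
printf '%s\n' /opt/example/policy-loader > "$conf"
activation_skipped "$log" && echo "TOMOYO inactive: /sbin/tomoyo-init missing"
missing_manager_entries "$log" "$conf"
rm -f "$log" "$conf"
```

On a live system the same functions can be pointed at a file produced by "dmesg > file" and at /etc/tomoyo/manager.conf.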