Hello all, I have spent some time testing TOMOYO as provided in 2.6.32.3 and the 2.2.x tools as downloaded from the sourceforge web site. Note that I didn't actually install the tools on my machine, just compiled and testing from the build directory. Do the tools need installation to fix the below problem? Using the 'learning' profile, I can get TOMOYO to record the domain hierarchy, but it doesn't record any any ACLs in the Domain Policy Editor. For example: # cat /sys/kernel/security/tomoyo/domain_policy ... <kernel> /usr/sbin/gdm /bin/dash use_profile 1 <kernel> /usr/sbin/gdm /bin/dash /sbin/runlevel use_profile 1 <kernel> /usr/sbin/gdm /usr/bin/X use_profile 1 <kernel> /usr/sbin/gdm /usr/bin/X /usr/bin/Xorg use_profile 1 <kernel> /usr/sbin/gdm /usr/bin/X /usr/bin/Xorg /bin/dash use_profile 1 <kernel> /usr/sbin/gdm /usr/bin/X /usr/bin/Xorg /bin/dash /usr/bin/xkbcomp use_profile 1 <kernel> /usr/sbin/gdm /etc/gdm/Init/Default use_profile 1 <kernel> /usr/sbin/gdm /etc/gdm/Init/Default /bin/uname use_profile 1 ... But no ACLs are present in the file. Furthermore, if I switch to enforcing profile, no actual operations are denied. My exception policy: initialize_domain /sbin/hotplug initialize_domain /sbin/modprobe initialize_domain /usr/sbin/gdm And my profiles: 0-COMMENT=disabled 0-MAC_FOR_FILE=disabled 0-MAX_ACCEPT_ENTRY=2048 0-TOMOYO_VERBOSE=enabled 1-COMMENT=learning 1-MAC_FOR_FILE=learning 1-MAX_ACCEPT_ENTRY=131072 1-TOMOYO_VERBOSE=enabled 2-COMMENT= 2-MAC_FOR_FILE=permissive 2-MAX_ACCEPT_ENTRY=2048 2-TOMOYO_VERBOSE=enabled 3-COMMENT=enforcing 3-MAC_FOR_FILE=enforcing 3-MAX_ACCEPT_ENTRY=2048 3-TOMOYO_VERBOSE=enabled Sorry if this is a beginner question and I have missed some basic settings. Thank you in advance, Iustin
TOMOYO
Fork