Jamie Nguyen wrote:
> Thanks very much for implementing. I will test out tonight, and also
> give namespace functionality a thorough testing.

I tested ccs-patch and ccs-tools from revision 5106.

I'm enjoying policy namespaces a lot! I don't actually use LXC or anything that requires Linux namespaces, but policy namespaces make it easy to reorganize policy and cut things down to a more manageable size. My exception policy is very very large, with several different acl_group entries. Now I can separate, for example, my exception policy entries related to Firefox into a separate namespace, and Qemu/KVM into another namespace, etc. Much less scrolling when viewing exception policy now! :-)

Things I noticed:

1) After a fresh initialization of policy, I have all domains set to profile=0 but the <kernel> domain keeps having "transition_failed". I can't quite figure out why this is appearing. I tried adding "keep_domain any from <kernel>" to exception policy but this didn't solve it. This does not occur in 1.8.1. Perhaps you have an idea of how to debug?

2) The profile editor screen doesn't work as expected when doing "ccs-editpolicy /etc/ccs". Pressing "s" to edit, for example, the "3-PREFERENCE" line to have "enforcing_penalty=5" results in two lines that start with "3-PREFERENCE", instead of replacing the line that is being edited.

3) After creating a new profile line as in point (2), viewing profile.conf in a text editor reveals that the line we just added has the <kernel> prefix, whereas other lines for the <kernel> namespace do not have this prefix. It should probably only have the <kernel> prefix if other entries already have the <kernel> prefix.

4) There is a way to create a new namespace, but no way to delete an existing namespace within ccs-editpolicy. It currently requires manually deleting entries from the exception/domain/profile policy files. If that is actually what you intended then I can just add a paragraph to chapter-15.html.en about how to delete (using a text editor) a namespace that has been added.

5) I added "reset_domain /usr/bin/firefox from any" to exception policy. When the domain or profile is not yet defined, the error message described on chapter-15.html.en looks like this:

    ERROR: Domain '</usr/sbin/httpd>' not ready.

But when I run firefox from console, I instead got something that looks like this:

    bash: /usr/bin/firefox: Cannot allocate memory

Should tomoyo be intercepting this execution and providing an error message similar to the one in chapter-15.html.en?

Apart from the above, everything seems to be working nicely :-)