Mauras Olivier wrote:
> Thanks Jamie, I now better understand how to manage these containers.
> So I added an exception like said, then added a new domain "<kernel>
> /path/to/container/sbin/init" and set it to learning mode. Made the
> container reboot, have activities but the domain doesn't list anything and
> in the process view init is still listed as <kernel> /sbin/init
>

I've never set up container environments. But since TOMOYO uses pathnames seen
outside the chroot() environment, I think TOMOYO will recognize it as

    file execute /path/to/container/sbin/init

rather than

    file execute /sbin/init

Please check

    grep '^<kernel>' /proc/ccs/domain_policy | grep -F /path/to/container/sbin/init

and the domain has learning mode profile (e.g. "use_profile 1").
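
The check suggested above, combined into one step, as an added example that is not part of the original message: it lists every domain whose name contains the pathname together with the profile assigned to it. The function names `domain_profiles` and `sample_policy`, the launcher path and the sample policy text are constructed for illustration; the layout assumed is a `<kernel> ...` domain line followed by that domain's `use_profile N` line.

```shell
#!/bin/sh
# Added example (not from the original message).
# Prints "<profile><TAB><domain name>" for every domain in a TOMOYO
# domain policy whose name contains the given pathname.
# Assumption: each domain starts with a "<kernel> ..." line and its
# profile is set by a following "use_profile N" line.
domain_profiles() {
    # $1 = pathname to look for, $2 = policy file (defaults to the live one)
    # The pathname is passed through the environment so awk does not
    # interpret backslash sequences such as \040 inside it.
    NEEDLE=$1 awk '
        function emit() {
            # Fixed-string match on the domain name only, never on ACL lines
            if (name != "" && index(name, ENVIRON["NEEDLE"]))
                printf "%s\t%s\n", profile, name
        }
        /^<kernel>/     { emit(); name = $0; profile = "unset"; next }
        /^use_profile / { profile = $2 }
        END             { emit() }
    ' "${2:-/proc/ccs/domain_policy}"
}

# Constructed sample policy, for trying the function without a TOMOYO kernel.
# /usr/bin/hypothetical-launcher is a made-up program name.
sample_policy() {
    cat <<'EOF'
<kernel>
use_profile 0

<kernel> /sbin/init
use_profile 3

file execute /path/to/container/sbin/init

<kernel> /usr/bin/hypothetical-launcher /path/to/container/sbin/init
use_profile 0

<kernel> /path/to/container/sbin/init
use_profile 1
EOF
}
```

A domain reported with a profile other than the learning one (profile 1 in the message's example) will not record anything, even though its name matches the pathname.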