On Sat, 14 May 2011 23:27:23 +0900 Tetsuo Handa <from-****@I-lov*****> wrote:

> It is possible to delete all domains (except the <kernel> domain) by
> doing
>
> awk ' { $1 = "delete"; print $0 }' /sys/kernel/security/tomoyo/.domain_status | tomoyo-loadpolicy -d
>
> but it is not recommended, for deleting a domain and recreating the same
> domain does not let processes which are in the deleted domain jump
> to the recreated domain. "tomoyo-loadpolicy df" tries to avoid
> deleting domains when replacing the whole policy.
>
> Replacing the whole policy by deleting/recreating domains makes
> processes remain in the deleted domains, which I think users do not
> want.

I'm developing a daemon that dynamically adjusts policy and changes the rules of all domains "on-the-fly", meaning wildcarding and other stuff. I create my full policy based on the older one, then I want to reload it, replacing the one in the kernel. But I don't change domain paths at all. I don't remove or rename any domain either, only add one. At most I change the use_profile value.

Do you think it has any performance, security or stability issues during the time when I would be deleting the policy with the delete keyword and then reloading my formerly created full policy? And if so, do you think it would therefore be better for me to save my policy file first to /etc/tomoyo/domain_policy.conf and run "tomoyo-loadpolicy d" instead?

> Also, be sure to mount securityfs on /sys/kernel/security/ if not yet
> mounted, for distributions that do not support AppArmor are unlikely to mount
> /sys/kernel/security/ automatically. tomoyo-editpolicy etc. are
> automatically mounting /sys/kernel/security/ as needed.

Yes, I check it in /proc/mounts, and if not yet mounted, then I mount it from my code with the "rw" option.

Thanks.
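An added example (not from either message in this thread) of the direction the reply recommends: instead of deleting every domain and recreating it, compute an incremental update that selects each existing domain and deletes or adds individual ACLs, so no "delete <kernel> ..." line is ever written and running processes keep their domains. It assumes the TOMOYO 2.x domain policy syntax named in the comments (a bare domain line creates a domain, "select" targets an existing one, "delete" before an ACL removes that rule, "use_profile N" overwrites the previous value), and the two policies it compares are constructed sample data.

```sh
#!/bin/sh
# policy_delta CURRENT DESIRED: print an incremental domain policy for
# "tomoyo-loadpolicy -d" that never contains "delete <kernel> ..." lines,
# so running processes keep their domains. Assumed TOMOYO syntax: a bare
# domain line creates the domain, "select <domain>" targets an existing
# one, "delete <acl>" drops one rule, and "use_profile N" overwrites the
# old value (so it is never deleted). Domains missing from DESIRED keep
# their header; only their ACLs are removed.
policy_delta() {
  awk '
    /^<kernel>/ { dom = $0
                  if (!(dom in seen)) { seen[dom] = 1; order[nd++] = dom }
                  if (NR == FNR) exists[dom] = 1
                  next }
    /^$/        { next }
    NR == FNR   { if (!((dom,$0) in have)) { have[dom,$0] = 1; hl[dom] = hl[dom] "\n" $0 }
                  next }
                { if (!((dom,$0) in want)) { want[dom,$0] = 1; wl[dom] = wl[dom] "\n" $0 } }
    END {
      for (i = 0; i < nd; i++) {
        dom = order[i]; out = ""
        n = split(hl[dom], a, "\n")                 # rules no longer wanted
        for (j = 1; j <= n; j++)
          if (a[j] != "" && a[j] !~ /^use_profile / && !((dom,a[j]) in want))
            out = out "delete " a[j] "\n"
        n = split(wl[dom], a, "\n")                 # rules to add
        for (j = 1; j <= n; j++)
          if (a[j] != "" && !((dom,a[j]) in have)) out = out a[j] "\n"
        if (out == "") continue
        printf "%s%s\n%s\n", (dom in exists) ? "select " : "", dom, out
      }
    }' "$1" "$2"
}

# Constructed sample: the kernel holds two domains; the new policy changes
# the sshd profile, swaps one ACL and adds a cron domain.
sample_delta() {
  cur=$(mktemp) && new=$(mktemp) || return 1
  printf '%s\n' '<kernel>' 'use_profile 0' '<kernel> /usr/sbin/sshd' 'use_profile 1' \
    'file read /etc/ssh/sshd_config' 'file read /etc/passwd' > "$cur"
  printf '%s\n' '<kernel>' 'use_profile 0' '<kernel> /usr/sbin/sshd' 'use_profile 3' \
    'file read /etc/ssh/sshd_config' 'file read /etc/shadow' \
    '<kernel> /usr/sbin/cron' 'use_profile 2' 'file read /etc/crontab' > "$new"
  policy_delta "$cur" "$new"
  rm -f "$cur" "$new"
}

sample_delta        # on a real system, pipe policy_delta's output into: tomoyo-loadpolicy -d
```

On a live system the CURRENT argument would be a dump of what the kernel holds (for example saved with tomoyo-savepolicy) and DESIRED the daemon's newly generated policy.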