Hello from San Diego. I'm attending LinuxCon North America 2012 / Linux Security Summit 2012 and yesterday / today I had a presentation about CaitSith.

florian.lissandres wrote:
> I have some questions about how to use Tomoyo in a production environment.

Guessing from your past posts, I assume you are talking about TOMOYO 2.5.

> If I have 2 systems:
> - A development system on which I can define my policy;
> - A production system on which I want to set up the policy defined on the
> development environment. I just want to protect some processes. For example
> I only want to protect a web server and a web browser.
>
> I would like to know:
>
> 1- Which files do I have to set in the production system? I don't need any
> tools, I only need the minimum files to protect the production system.

/etc/tomoyo/*.conf, which will be loaded by /sbin/tomoyo-init, are needed. Also, /sbin/tomoyo-init is needed for loading /etc/tomoyo/*.conf when /sbin/init starts.

If you are building your kernel for the production system, you can embed the policy files under the /etc/tomoyo/ directory into the kernel by copying /etc/tomoyo/*.conf to the security/tomoyo/policy/ directory under your kernel source tree. Also, using CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER=y eliminates the need for locating /sbin/tomoyo-init (but you might need to adjust the policy configuration a bit if you are using CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER=n in the development system).

> 2- Can I disable the fact that Tomoyo learns domains in the Domain
> Transition Editor (I do not need this on the production system)?

You don't need to copy /usr/sbin/tomoyo-* nor /usr/lib/tomoyo/* to the production system if you don't use these programs.

> One last question, how can I comment lines in the domain_policy.conf file?

Well, comment lines are not supported. But since unparsable lines are simply ignored, you can embed lines like

#some comment

into your policy files. (Such lines are dropped upon load and therefore do not appear when reading the /sys/kernel/security/tomoyo/ interface.)

Regards.
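An added example, not part of this thread or of the TOMOYO project, that stages a development box's /etc/tomoyo/*.conf for a production system or for a kernel tree's security/tomoyo/policy/ directory, dropping the "#comment" lines that the kernel would ignore on load anyway. The sample domain_policy.conf content is constructed for the demo; the other file names the check looks for (exception_policy.conf, profile.conf, manager.conf) are assumed from TOMOYO 2.x and are not listed in the reply above.

```shell
#!/bin/sh
# Added example (not from the original thread or the TOMOYO project).
# Copies every *.conf from a source directory to a staging directory,
# stripping lines that begin with '#'. The kernel ignores such lines on
# load, so stripping them only makes the staged files match what the
# /sys/kernel/security/tomoyo/ interface will show afterwards.
stage_tomoyo_policy() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    for f in "$src"/*.conf; do
        [ -f "$f" ] || continue
        # grep -v returns 1 when nothing is left; an all-comment file is
        # still a valid (empty) policy file for our purposes.
        grep -v '^#' "$f" > "$dst/$(basename "$f")" || true
    done
}

# Checks that the staged directory holds the policy files a TOMOYO 2.x
# system expects (assumed file set; only domain_policy.conf is named in
# the thread). Prints each missing name; returns 0 only when none are missing.
check_tomoyo_staging() {
    dir="$1"; missing=0
    for name in domain_policy.conf exception_policy.conf profile.conf manager.conf; do
        if [ ! -f "$dir/$name" ]; then
            echo "missing: $name"
            missing=1
        fi
    done
    return $missing
}

# Demo with a constructed policy file in a temporary directory
# (stands in for /etc/tomoyo on the development system).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/etc"
cat > "$demo_dir/etc/domain_policy.conf" <<'EOF'
# Web server domain (comment line: ignored by the kernel on load)
<kernel> /usr/sbin/httpd
use_profile 3
file read /etc/httpd/conf/\*
# Web browser domain
<kernel> /usr/bin/firefox
use_profile 3
EOF

stage_tomoyo_policy "$demo_dir/etc" "$demo_dir/policy"
echo "staged domain_policy.conf:"
cat "$demo_dir/policy/domain_policy.conf"
if check_tomoyo_staging "$demo_dir/policy"; then
    echo "staging complete"
else
    echo "staging incomplete (see missing files above)"
fi
```

Pointing `stage_tomoyo_policy` at a kernel source tree's security/tomoyo/policy/ as the destination is the copy step the reply describes for CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER=y builds; `check_tomoyo_staging` is only a presence check and does not validate policy syntax.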