Hello.

Torsten Ww wrote:
> I want to restrict all programs, which were executing from /home/*/ but
> something like
>
> exception_policy.conf
> <kernel> initialize_domain /home/\*/\*\-.xinitrc from any
> <kernel> initialize_domain /home/\*/\{\*\}/\* from any
>
> does not work, it seems as if there are no wildcards allowed
> in exception_policy.conf

If wildcards were allowed in domain transition control directives,
calculation of the domainname to transit to would become fuzzy. In order
to avoid fuzziness, wildcards are not allowed in domain transition
control directives.

You can instead do

  aggregator /home/\*/\*\-.xinitrc /user-defined-programs
  aggregator /home/\*/\{\*\}/\* /user-defined-programs
  initialize_domain /user-defined-programs from any

so that the user-defined programs will jump to the
<kernel> /user-defined-programs domain.

You may also want to specify

  keep_domain any from <kernel> /user-defined-programs

in order to simplify permissions for user-defined programs by suppressing
(by default) domain transitions from user-defined programs.

> and secondly it looks like tomoyo-checkpolicy has a bug while checking
> the exception_policy.conf
>
> # tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf
> 1: ERROR: '<kernel>' is a bad argument.
> 2: ERROR: '<kernel>' is a bad argument.
> 3: ERROR: '<kernel>' is a bad argument.
> ...
> 35: ERROR: '<kernel>' is a bad argument.
> 36: ERROR: '<kernel>' is a bad argument.
> 37: ERROR: '<kernel>' is a bad argument.
> Total: 37 Lines 37 Errors 0 Warning

Indeed. This is a bug in ccs-checkpolicy and was copied to
tomoyo-checkpolicy. I've just committed the fix

  http://sourceforge.jp/projects/tomoyo/scm/svn/commits/6111

and I will release updated tools packages.

Thank you for finding this bug.
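The aggregator/initialize_domain/keep_domain combination above, as an added illustration that is not part of the thread and not TOMOYO's own code: a small Python model of the transition lookup. It rewrites the executed program through the aggregator lines, then looks up initialize_domain and keep_domain by exact name, and refuses wildcards in those two directives. Assumptions, labelled in the code: only the \* and \{\*\}/ wildcards are modelled (so Torsten's \- pattern is replaced by a plain /home/\*/\* line in the constructed sample policy), initialize_domain is consulted before keep_domain, and the "from" operand matches "any", a full domainname, or the last program of the current domain.

```python
import re

# Added example, not TOMOYO's own code: a simplified model of how the domain a
# program transits to is computed from exception_policy.conf, and why wildcards
# are refused in initialize_domain/keep_domain while aggregator accepts them.
# Assumptions: only \* and \{\*\}/ are modelled; initialize_domain is checked
# before keep_domain; "from" matches "any", a full domainname, or the last
# program of the current domain.

POLICY = r"""
aggregator /home/\*/\* /user-defined-programs
aggregator /home/\*/\{\*\}/\* /user-defined-programs
initialize_domain /user-defined-programs from any
keep_domain any from <kernel> /user-defined-programs
"""  # constructed sample exception policy (hypothetical)


def pattern_to_regex(pattern):
    """Translate the modelled subset of TOMOYO path patterns into a regex."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith(r"\{\*\}/", i):
            parts.append(r"(?:[^/]*/)+")  # one or more directory components
            i += len(r"\{\*\}/")
        elif pattern.startswith(r"\*", i):
            parts.append(r"[^/]*")  # zero or more characters other than '/'
            i += 2
        elif pattern[i] == "\\":
            raise ValueError("pattern not supported by this model: " + pattern)
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def has_wildcard(text):
    # Every TOMOYO wildcard is introduced by a backslash (assumption: no octal
    # escapes such as \040 appear in the operands being checked).
    return "\\" in text


def parse_policy(text):
    """Parse aggregator/initialize_domain/keep_domain lines; reject wildcards
    in the two domain transition control directives."""
    policy = {"aggregator": [], "initialize_domain": [], "keep_domain": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        if keyword == "aggregator":
            pattern, aggregated = rest.split()
            policy["aggregator"].append((pattern_to_regex(pattern), aggregated))
        elif keyword in ("initialize_domain", "keep_domain"):
            program, _, source = rest.partition(" from ")
            if has_wildcard(program) or has_wildcard(source):
                raise ValueError(
                    f"line {lineno}: wildcards are not allowed in {keyword}")
            policy[keyword].append((program, source))
        else:
            raise ValueError(f"line {lineno}: unsupported directive {keyword}")
    return policy


def policy_is_valid(text):
    try:
        parse_policy(text)
    except ValueError:
        return False
    return True


def _source_matches(source, domain):
    if source in ("any", domain):
        return True
    return not source.startswith("<kernel>") and domain.split()[-1] == source


def aggregate(policy, program):
    """Rewrite the program name through the first matching aggregator line."""
    for regex, aggregated in policy["aggregator"]:
        if regex.match(program):
            return aggregated
    return program


def next_domain(policy, domain, program):
    """Return the domain an execve() of `program` from `domain` lands in."""
    program = aggregate(policy, program)
    for rule_program, source in policy["initialize_domain"]:
        if rule_program == program and _source_matches(source, domain):
            return "<kernel> " + program
    for rule_program, source in policy["keep_domain"]:
        if rule_program in ("any", program) and _source_matches(source, domain):
            return domain
    return domain + " " + program  # default: child domain of the caller


if __name__ == "__main__":
    policy = parse_policy(POLICY)
    shell = "<kernel> /usr/bin/login /bin/bash"
    user = next_domain(policy, shell, "/home/alice/bin/deploy.sh")
    print(user)                                    # <kernel> /user-defined-programs
    print(next_domain(policy, user, "/bin/ls"))    # kept by keep_domain
    print(next_domain(policy, shell, "/usr/bin/ssh"))
    print(policy_is_valid(r"initialize_domain /home/\*/\{\*\}/\* from any"))
```

Because the aggregator step collapses every matching path to the single literal name /user-defined-programs, the later lookups are exact string comparisons and the resulting domainname is unambiguous, which is the property the reply says wildcards in initialize_domain would destroy.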