[tomoyo-users-en 739] Re: Can't get Tomoyo to load policies on one of two (near identical systems) PCs..

Andre T andre****@sklbb*****
Tue Jun 14 05:20:12 JST 2022


Hei again. And thanks for your swift and very informative reply.

Also, apologies for my delayed reply (and my no doubt visible
unfamiliarity with partaking in email user lists..)

I have hopefully included some info of use along with my reply.


On 10.06.2022 04:32, Tetsuo Handa wrote:
> Hello.
>
> On 2022/06/10 7:43, Andre T wrote:
>> However, on the other PC (referring to it as *PC2*), tomoyo will apparently
>> not load policies, regardless of whatever I try. And I've now basically
>> run out of thoughts as to what might be wrong and how to troubleshoot it any
>> further.
> I think that TOMOYO is not activated on PC2.
>
>>   * Tomoyo is reporting itself as being initialized and running on both
>>     through
>>       o dmesg | grep -A 1 -B 1 TOMOYO
>>       o cat /sys/kernel/security/lsm
>>       o grep tomoyo_write_inet_network /proc/kallsyms
> These checks can tell you that TOMOYO is available in the kernel,
> but can not tell you that TOMOYO was activated in the kernel.
>
> When TOMOYO is loaded,
>
>    TOMOYO Linux initialized
>
> will appear in the dmesg output.
>
> When TOMOYO is activated,
>
>    Calling /sbin/tomoyo-init to load policy. Please wait.
>    TOMOYO: 2.6.0
>    Mandatory Access Control activated.
>
> will appear in the dmesg output.

Will definitely be mindful of that.

>
> /sbin/tomoyo-init (which is specified using CONFIG_SECURITY_TOMOYO_POLICY_LOADER
>   from the kernel config file, and can be overridden using TOMOYO_loader= from
> kernel command line) loads policy from /etc/tomoyo/ directory.
> If /sbin/tomoyo-init does not exist,
>
>    Not activating Mandatory Access Control as /sbin/tomoyo-init does not exist.
>
> will appear in the dmesg output (and TOMOYO will not be activated).
>
> /sbin/tomoyo-init is called when /sbin/init (which is specified using
> CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER from the kernel config file, and
> can be overridden using TOMOYO_trigger= from kernel command line) is executed.
>
>> Hoping someone might have some ideas or clues as to what is going on with PC2,
>> if even just things that might theoretically be the cause of the issue.
> For some reason a program to activate TOMOYO is not called on PC2.
> Please check that /sbin/tomoyo-init exists and can be manually executed from
> a shell on PC2. Then, please check that either
>
>    Calling /sbin/tomoyo-init to load policy. Please wait.
>
> or
>
>    Not activating Mandatory Access Control as /sbin/tomoyo-init does not exist.
>
> appears in the dmesg output when you reboot PC2.

From what I can see so far, neither of the two lines appears on
the PC. (dmesg output included furthest below)

However, `/sbin/tomoyo-init` is indeed present and executable, and
returns the following when run from a shell:

1 domain. 0 ACL entry.
15 KB used by policy.


With permissions showing as:

-rwx------ 1 root root 18K juni   9 22:13 /sbin/tomoyo-init


And `file /sbin/tomoyo-init` will return:

/sbin/tomoyo-init: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=7242136766a9d9dde1898c5b2766980d267628de, for GNU/Linux 4.4.0, stripped


>> I'm happy to provide any further info that might help identifying the causes.
> Providing output of
>
>    dmesg | grep -i tomoyo
>
> will tell us above.

Running `dmesg | grep -i tomoyo` returns:


[    0.000000] Command line: BOOT_IMAGE=/vmlinuz-linux root=UUID=263364ce-4d62-4493-afed-385eb3f87653 rw lsm=landlock,lockdown,yama,tomoyo,bpf
[    0.088739] Kernel command line: BOOT_IMAGE=/vmlinuz-linux root=UUID=263364ce-4d62-4493-afed-385eb3f87653 rw lsm=landlock,lockdown,yama,tomoyo,bpf
[    0.251974] TOMOYO Linux initialized


Also taking the liberty of including excerpts of where those lines appear,
along with the surrounding lines:

##### EXCERPTS #####
....
[    0.000000] microcode: microcode updated early to revision 0x411, date = 2019-04-23
[    0.000000] Linux version 5.18.3-arch1-1 (linux at archlinux) (gcc (GCC) 12.1.0, GNU ld (GNU Binutils) 2.38) #1 SMP PREEMPT_DYNAMIC Thu, 09 Jun 2022 16:14:10 +0000
[    0.000000] Command line: BOOT_IMAGE=/vmlinuz-linux root=UUID=263364ce-4d62-4493-afed-385eb3f87653 rw lsm=landlock,lockdown,yama,tomoyo,bpf
[    0.000000] x86/fpu: x87 FPU will use FXSAVE
[    0.000000] signal: max sigframe size: 1440
[    0.000000] BIOS-provided physical RAM map:
....
[    0.088724] Fallback order for Node 0: 0
[    0.088733] Built 1 zonelists, mobility grouping on.  Total pages: 4105833
[    0.088736] Policy zone: Normal
[    0.088739] Kernel command line: BOOT_IMAGE=/vmlinuz-linux root=UUID=263364ce-4d62-4493-afed-385eb3f87653 rw lsm=landlock,lockdown,yama,tomoyo,bpf
[    0.088817] Unknown kernel command line parameters "BOOT_IMAGE=/vmlinuz-linux", will be passed to user space.
[    0.093096] Dentry cache hash table entries: 2097152 (order: 12, 16777216 bytes, linear)
[    0.095247] Inode-cache hash table entries: 1048576 (order: 11, 8388608 bytes, linear)
....
[    0.251895] pid_max: default: 32768 minimum: 301
[    0.251948] LSM: Security Framework initializing
[    0.251961] landlock: Up and running.
[    0.251964] Yama: becoming mindful.
[    0.251974] TOMOYO Linux initialized
[    0.251985] LSM support for eBPF active
[    0.252093] Mount-cache hash table entries: 32768 (order: 6, 262144 bytes, linear)
[    0.252161] Mountpoint-cache hash table entries: 32768 (order: 6, 262144 bytes, linear)
[    0.252623] CPU0: Thermal monitoring enabled (TM1)
....
##### EXCERPTS #####

(I'm noticing the "Unknown kernel command line parameters ..." line, so
whether or not that might affect tomoyo I'm not sure, but it's definitely
to be checked out what's going on there nonetheless)

>
> Regards.
>

Thanks again for the useful hints.

cheers
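As an added diagnostic (not part of the thread, and not a TOMOYO project tool), the POSIX shell helper below sorts a dmesg capture into the states Tetsuo describes above: loaded only (the PC2 case), loader missing, or activated, and lists any TOMOYO_loader=/TOMOYO_trigger= overrides present on the kernel command line. The sample log lines are constructed from the messages quoted in the thread.

```shell
# Classify TOMOYO's boot state from dmesg text on stdin, using only the
# kernel messages quoted in this thread. Prints exactly one word:
#   activated      - "Mandatory Access Control activated." was logged
#   loader-missing - kernel looked for the loader and did not find it
#   not-triggered  - TOMOYO initialized but the loader was never called
#   not-loaded     - no TOMOYO line at all (LSM not built in / not in lsm=)
tomoyo_status() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'Mandatory Access Control activated'; then
        echo activated
    elif printf '%s\n' "$log" | grep -q 'Not activating Mandatory Access Control'; then
        echo loader-missing
    elif printf '%s\n' "$log" | grep -q 'TOMOYO Linux initialized'; then
        echo not-triggered
    else
        echo not-loaded
    fi
}

# Print any TOMOYO_loader= / TOMOYO_trigger= overrides from a kernel command
# line given on stdin (e.g. from /proc/cmdline), or "none" if there are none.
tomoyo_cmdline_overrides() {
    tr ' ' '\n' | grep -E '^TOMOYO_(loader|trigger)=' || echo none
}

# Report whether the policy loader exists and is executable at the given
# path (the default is /sbin/tomoyo-init, as the thread states).
tomoyo_loader_check() {
    if [ -x "$1" ]; then echo present; else echo missing; fi
}

# Constructed samples: the PC2 excerpt (initialized, never triggered),
# a boot with the loader absent, and a healthy boot.
pc2_log='[    0.251974] TOMOYO Linux initialized'
missing_log='[    0.251974] TOMOYO Linux initialized
[    1.000000] Not activating Mandatory Access Control as /sbin/tomoyo-init does not exist.'
ok_log='[    0.251974] TOMOYO Linux initialized
[    1.000000] Calling /sbin/tomoyo-init to load policy. Please wait.
[    1.000001] TOMOYO: 2.6.0
[    1.000002] Mandatory Access Control activated.'

printf '%s\n' "$pc2_log" | tomoyo_status
```

On a live system, run `dmesg | tomoyo_status` and `tomoyo_cmdline_overrides < /proc/cmdline` together: "not-triggered" with no overrides means the kernel never executed the activation trigger path, which is the case to investigate rather than the policy files themselves.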


