
#1 2013-03-07 21:18:33

saronno
Member
Registered: 2009-10-02
Posts: 193

Tomoyo problem ...

... I installed the packages from the repository and initialised the policy
as described in the wiki.
I rebooted, checked dmesg to see if everything was loaded and then tried
to activate the learning mode profile ... no way.

From what I saw, the problem is that the available profiles are not
the usual list but only profile 0.
So, even if I try to activate profile 1 (learning) nothing happens
and the policy remains void whatever you do.

Is this a bug?
Is there a misconfiguration in the package?



For the sake of completeness

/usr/sbin/tomoyo-editpolicy -> w -> p

<<< Profile Editor >>>      1 entry    '?' for help

<kernel>
    0: PROFILE_VERSION=20110903

/usr/sbin/tomoyo-editpolicy

<<< Domain Transition Editor >>>      2 domains    '?' for help

<kernel>
    0:  0     <kernel>
    1:  0  *      /sbin/modprobe

And yes, I tried to enable profile 1 for the kernel domain but nothing happened.
I tried to save the policy, I tried to edit it manually ....
but it keeps rolling back to 0: 0 after reboot
and anyway .... even if it's active ... it doesn't work .... probably because
it doesn't exist as a profile.

And in the current policy (under /etc/tomoyo/policy/current/) everything seems fine ...
for example profile.conf and domain_policy.conf:

PROFILE_VERSION=20110903
0-COMMENT=-----Disabled Mode-----
0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
1-COMMENT=-----Learning Mode-----
1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
1-CONFIG={ mode=learning grant_log=no reject_log=yes }
2-COMMENT=-----Permissive Mode-----
2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
2-CONFIG={ mode=permissive grant_log=no reject_log=yes }
3-COMMENT=-----Enforcing Mode-----
3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }

<kernel>
use_profile 1
use_group 0


<kernel> /sbin/modprobe
use_profile 1
use_group 0

So, it seems as if it ignores the current policy

Last edited by saronno (2013-03-07 21:26:25)


#2 2013-03-10 11:32:30

saronno
Member
Registered: 2009-10-02
Posts: 193

Re: Tomoyo problem ...

From what I understood nobody uses tomoyo ... :D


#3 2013-03-15 18:10:13

kabolt
Member
Registered: 2012-03-31
Posts: 8

Re: Tomoyo problem ...

I use it :-)
And it works wonderfully.
Here is a little introduction:
https://cubicarch.wordpress.com/2013/01 … oyo-howto/
(and have a look at the skype section)

But you are right, there is too little documentation.

A little hint: the ncurses interface is very limited, use the config files instead


#4 2013-03-16 20:29:29

Atragor
Member
Registered: 2009-02-28
Posts: 59

Re: Tomoyo problem ...

I use TOMOYO on my home server and it works fine there. But today I decided to install it on my laptop too and encountered the same problem as described in the first post. TOMOYO just resets the contents of "/sys/kernel/security/tomoyo/profile" to "0: PROFILE_VERSION=20110903" after reboot. I'll try to check the configuration on the server to find any differences.

upd: Found the solution. I have "init=/bin/systemd" in grub.cfg on both computers, so it seems I should write "TOMOYO_trigger=/bin/systemd" instead of "TOMOYO_trigger=/sbin/init".

upd2: I suppose the correct solution is not to change the value of TOMOYO_trigger but to remove "init=/bin/systemd" as it's not required anymore. Anyway, I think that this information should be added to the wiki (by somebody who knows English better than me, of course :) ).

upd3: On my server /sbin/init is not a symlink to /usr/lib/systemd but a binary file owned by sysvinit 2.88-9. If somebody is going to remove "init" from grub.cfg, check this first and replace sysvinit with systemd-sysvcompat.

Last edited by Atragor (2013-03-16 22:16:10)


#5 2013-04-07 00:27:17

saronno
Member
Registered: 2009-10-02
Posts: 193

Re: Tomoyo problem ...

After an upgrade:

# tomoyo-editpolicy
Please mount securityfs on /sys/kernel/security/ .
You can't use this editor for this kernel.

I think I will never get it to work .... :D

Last edited by saronno (2013-04-07 00:27:35)


#6 2013-04-07 00:46:08

saronno
Member
Registered: 2009-10-02
Posts: 193

Re: Tomoyo problem ...

Solved ...

TOMOYO_trigger=/sbin/init security=tomoyo

did the job.

I don't know why it has never worked before.

Obviously my /sbin/init is a symlink to systemd

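The failure Atragor found in #4 and the parameters saronno settled on in #6 come down to one rule: TOMOYO only runs its policy loader when the literal pathname the kernel execs as PID 1 (the init= value, or /sbin/init when init= is absent) is the same string as TOMOYO_trigger, and the LSM itself has to be selected with security=tomoyo. The script below is an added example written for this page, not code from the thread or from the tomoyo-tools project. It checks a kernel command line for both conditions. Assumptions: the kernel's own default init path is /sbin/init (it is the first path the kernel tries), TOMOYO's built-in default trigger is also /sbin/init, and symlinks are irrelevant because the comparison is on the requested pathname, not its resolved target. The command lines it runs against by default are constructed for the demonstration; pass --live to read /proc/cmdline instead.

```shell
#!/bin/sh
# Added example: check whether TOMOYO's trigger will fire at boot.
# Assumed: kernel default init is /sbin/init, TOMOYO default trigger is
# /sbin/init, and the trigger is compared against the literal init path.

# Print the value of KEY=... from a kernel command line; fail if absent.
cmdline_value() {
    key=$1; cmdline=$2
    for word in $cmdline; do
        case $word in
            "$key"=*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
}

# The program the kernel execs as PID 1: init= if given, else /sbin/init.
boot_init() {
    cmdline_value init "$1" || printf '%s\n' /sbin/init
}

# TOMOYO's trigger: TOMOYO_trigger= if given, else the built-in /sbin/init.
boot_trigger() {
    cmdline_value TOMOYO_trigger "$1" || printf '%s\n' /sbin/init
}

# 0 when the trigger string equals the init string (policy gets loaded).
trigger_matches_init() {
    [ "$(boot_trigger "$1")" = "$(boot_init "$1")" ]
}

# 0 when security=tomoyo selects the LSM (otherwise securityfs has no tomoyo/).
tomoyo_selected() {
    [ "$(cmdline_value security "$1")" = tomoyo ]
}

# Print a verdict for a command line; return 0 only if both checks pass.
check_cmdline() {
    rc=0
    if tomoyo_selected "$1"; then
        echo "ok:   security=tomoyo present"
    else
        echo "FAIL: security=tomoyo missing; tomoyo-editpolicy will report no securityfs"
        rc=1
    fi
    if trigger_matches_init "$1"; then
        echo "ok:   TOMOYO_trigger=$(boot_trigger "$1") matches init $(boot_init "$1")"
    else
        echo "FAIL: TOMOYO_trigger=$(boot_trigger "$1") but PID 1 is $(boot_init "$1"); policy stays at profile 0"
        rc=1
    fi
    return $rc
}

if [ "${1:-}" = --live ]; then
    check_cmdline "$(cat /proc/cmdline)"
else
    # Constructed command lines, not taken from any real machine.
    echo "# init=/bin/systemd still in grub.cfg (the failure case from the thread):"
    check_cmdline "BOOT_IMAGE=/vmlinuz-linux root=/dev/sda2 init=/bin/systemd TOMOYO_trigger=/sbin/init security=tomoyo" || :
    echo "# init= removed, /sbin/init symlinked to systemd (the fix):"
    check_cmdline "BOOT_IMAGE=/vmlinuz-linux root=/dev/sda2 TOMOYO_trigger=/sbin/init security=tomoyo"
fi
```

Either remedy from #4 passes the check: drop init= so the kernel execs /sbin/init (which must then exist, as a symlink or as the sysvinit binary), or keep init=/bin/systemd and set TOMOYO_trigger=/bin/systemd to match it.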

#7 2013-05-07 09:52:20

pezz
Member
From: Geelong, Australia
Registered: 2010-05-23
Posts: 75

Re: Tomoyo problem ...

saronno wrote:

TOMOYO_trigger=/sbin/init

Hi mate,

I decided to really have a go at Tomoyo tonight, and this screwed me for an hour or so.

Thanks for the post, was it only me thinking that the logical thing to do was:

TOMOYO_trigger=/sbin/systemd

??

Docs are few and far between, but at least you've given me a start.

Cheers.


#8 2013-06-01 20:53:43

euoar
Member
Registered: 2013-05-08
Posts: 7

Re: Tomoyo problem ...

After the latest update of tomoyo-tools I'm experiencing this same problem... Can't enable learning mode. The file with the policy is ok, but no matter if I edit the file or use tomoyo-savepolicy, after reboot learning mode is not enabled...

