... I installed the packages from the repository and initialised the policy
as described in the wiki.
I rebooted, checked dmesg to see that everything was loaded, and then tried
to activate the learning mode profile ... no way.
From what I saw, the problem is that the available profiles are not
the usual list but only profile 0.
So, even if I try to activate profile 1 (learning), nothing happens
and the policy remains void whatever you do.
Is this a bug?
Is there a misconfiguration in the package?
For the sake of completeness:
/usr/sbin/tomoyo-editpolicy -> w -> p
<<< Profile Editor >>> 1 entry '?' for help
<kernel>
0: PROFILE_VERSION=20110903
/usr/sbin/tomoyo-editpolicy
<<< Domain Transition Editor >>> 2 domains '?' for help
<kernel>
0: 0 <kernel>
1: 0 * /sbin/modprobe
And yes, I tried to enable profile 1 for kernel domain but nothing happened.
I try to save the policy, I try to edit it manually ....
but it keeps rolling back to 0: 0 after reboot
and anyway .... even if it's active ... it doesn't work .... probably because
it doesn't exist as a profile.
And in the current policy (under /etc/tomoyo/policy/current/) everything seems fine ...
for example profile.conf and domain_policy.conf:
PROFILE_VERSION=20110903
0-COMMENT=-----Disabled Mode-----
0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
1-COMMENT=-----Learning Mode-----
1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
1-CONFIG={ mode=learning grant_log=no reject_log=yes }
2-COMMENT=-----Permissive Mode-----
2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
2-CONFIG={ mode=permissive grant_log=no reject_log=yes }
3-COMMENT=-----Enforcing Mode-----
3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
<kernel>
use_profile 1
use_group 0

<kernel> /sbin/modprobe
use_profile 1
use_group 0
So, it seems as if it ignores the current policy.
Last edited by saronno (2013-03-07 21:26:25)
From what I understood nobody uses tomoyo ...
I use it :-)
And it works wonderful.
Here is a little introduction:
https://cubicarch.wordpress.com/2013/01 … oyo-howto/
(and have a look at the skype section)
But you are right, there is too little documentation.
A little hint: the ncurses interface is very limited, use the config files instead.
I use TOMOYO on my home server and it works fine there. But today I decided to install it on my laptop too and encountered the same problem as described in the first post. TOMOYO just resets the contents of "/sys/kernel/security/tomoyo/profile" to "0: PROFILE_VERSION=20110903" after reboot. I'll try to check the configuration on the server to find any differences.
upd: Found the solution. I have "init=/bin/systemd" in grub.cfg on both computers, so it seems I should write "TOMOYO_trigger=/bin/systemd" instead of "TOMOYO_trigger=/sbin/init".
upd2: I suppose the correct solution is not to change the value of TOMOYO_trigger but to remove "init=/bin/systemd" as it's not required anymore. Anyway, I think that this information should be added to the wiki (by somebody who knows English better than me, of course ).
upd3: On my server /sbin/init is not a symlink to /usr/lib/systemd but a binary file owned by sysvinit 2.88-9. If somebody is going to remove "init" from grub.cfg, check this first and replace sysvinit with systemd-sysvcompat.
Last edited by Atragor (2013-03-16 22:16:10)
After an upgrade:
# tomoyo-editpolicy
Please mount securityfs on /sys/kernel/security/ .
You can't use this editor for this kernel.
I think I will never get it works ....
Last edited by saronno (2013-04-07 00:27:35)
Solved ...
TOMOYO_trigger=/sbin/init security=tomoyo
did the job.
I don't know why it has never worked before.
Obviously my /sbin/init is a symlink to systemd.
TOMOYO_trigger=/sbin/init
Hi mate,
I decided to really have a go at Tomoyo tonight, and this screwed me for an hour or so.
Thanks for the post, was it only me thinking that the logical thing to do was:
TOMOYO_trigger=/sbin/systemd
??
Docs are few and far between, but at least you've given me a start.
Cheers.
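The three fixes reported in this thread (Atragor's init=/bin/systemd case, saronno's TOMOYO_trigger=/sbin/init with security=tomoyo, and the tempting but wrong TOMOYO_trigger=/sbin/systemd) all come down to one rule: TOMOYO compares the trigger against the pathname the kernel actually executes as PID 1, which is the init= value if given and /sbin/init otherwise, regardless of what that path is a symlink to. The following check is an added example written for this page, not code from the thread or from the TOMOYO project; it assumes those two defaults (init=/sbin/init, TOMOYO_trigger=/sbin/init) and that the last occurrence of a repeated parameter wins, and it takes the command line as an argument so it can be run against a proposed grub.cfg line before rebooting.

```shell
#!/bin/sh
# Added example, not code from the thread or from the TOMOYO project.
# Checks that a kernel command line arms TOMOYO and that TOMOYO_trigger
# names the pathname the kernel will execute as PID 1. TOMOYO matches the
# trigger against the path handed to execve (the symlink's own name, not
# its target), so the trigger must equal init=... when that is present and
# /sbin/init otherwise. Assumed defaults: init=/sbin/init, trigger=/sbin/init.

# cmdline_param CMDLINE KEY DEFAULT: print the last KEY=value on CMDLINE,
# or DEFAULT when the key is absent (assumption: last occurrence wins).
cmdline_param() {
    _val=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tail -n 1)
    if [ -n "$_val" ]; then
        printf '%s\n' "$_val"
    else
        printf '%s\n' "$3"
    fi
}

# tomoyo_cmdline_check CMDLINE: print "ok" and return 0 when the command
# line is consistent, otherwise print a one-line diagnosis and return 1.
tomoyo_cmdline_check() {
    _cl=$1
    _init=$(cmdline_param "$_cl" init /sbin/init)
    _trigger=$(cmdline_param "$_cl" TOMOYO_trigger /sbin/init)
    _security=$(cmdline_param "$_cl" security "")

    # TOMOYO is only active if it was selected as the security module.
    case ",$_security," in
        *,tomoyo,*) ;;
        *)
            echo "security= does not select tomoyo (got '${_security:-nothing}'); policy will never load"
            return 1 ;;
    esac

    # The trigger is compared with the executed pathname, so it must be the
    # same string the kernel uses for init, symlink or not.
    if [ "$_trigger" != "$_init" ]; then
        echo "TOMOYO_trigger=$_trigger but the kernel will exec $_init as init; the trigger never fires"
        return 1
    fi
    echo ok
}

# tomoyo_live_check: run the check against the booted kernel's command line
# and show what /sbin/init really points to (the sysvinit vs. systemd case
# from the thread). Not run automatically; call it by hand as root.
tomoyo_live_check() {
    [ -r /proc/cmdline ] || { echo "no /proc/cmdline"; return 1; }
    echo "/sbin/init -> $(readlink -f /sbin/init 2>/dev/null || echo '(missing)')"
    tomoyo_cmdline_check "$(cat /proc/cmdline)"
}
```

Usage: source the file and run `tomoyo_cmdline_check "root=/dev/sda1 init=/bin/systemd security=tomoyo TOMOYO_trigger=/sbin/init"` to see the mismatch Atragor hit, or `tomoyo_live_check` on a booted machine. A mismatch produces exactly the symptom described at the top of the thread: the kernel never runs the policy loader, so /sys/kernel/security/tomoyo/profile stays at the bare PROFILE_VERSION line no matter what is written under /etc/tomoyo/policy/current/.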
After the latest update of tomoyo-tools I'm experiencing this same problem... Can't enable learning mode. The file with the policy is ok, but no matter if I edit the file or use tomoyo-savepolicy, after reboot learning mode is not enabled...