#1 2014-04-13 21:34:48

0strodamus
Member
Registered: 2014-01-22
Posts: 95

[Solved] Why was TOMOYO removed from kernel 3.14?

I was wondering why TOMOYO and APPARMOR were removed from kernel 3.14.

3.14 config:

# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set

3.13 config:

CONFIG_SECURITY_TOMOYO=y
CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=2048
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
# CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is not set
CONFIG_SECURITY_TOMOYO_POLICY_LOADER="/usr/bin/tomoyo-init"
CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/usr/lib/systemd/systemd"
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0
CONFIG_SECURITY_APPARMOR_HASH=y

I've never compiled a kernel before, so this is proving to be a good opportunity for me to learn how to do that.

I'm wondering why these security options were removed though. Were they causing issues with the new kernels? Am I just headed for trouble by adding TOMOYO back to the kernel? Any advice would be appreciated!

Last edited by 0strodamus (2014-04-14 00:52:47)


archlinux | OpenRC | TOMOYO Linux | Xfce

"In his house at R'lyeh dead Cthulhu waits dreaming."

#2 2014-04-13 21:45:22

Slithery
Administrator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 5,776

Re: [Solved] Why was TOMOYO removed from kernel 3.14?

There's a discussion about this on the mailing list...

https://mailman.archlinux.org/pipermail … 26028.html


No, it didn't "fix" anything. It just shifted the brokeness one space to the right. - jasonwryan
Closing -- for deletion; Banning -- for muppetry. - jasonwryan

aur - dotfiles

#3 2014-04-13 21:47:30

0strodamus
Member
Registered: 2014-01-22
Posts: 95

Re: [Solved] Why was TOMOYO removed from kernel 3.14?

Thanks slithery! I'll check that out.


archlinux | OpenRC | TOMOYO Linux | Xfce

"In his house at R'lyeh dead Cthulhu waits dreaming."

#4 2014-04-13 21:55:59

0strodamus
Member
Registered: 2014-01-22
Posts: 95

Re: [Solved] Why was TOMOYO removed from kernel 3.14?

It would be nice if the option

CONFIG_SECURITY_NETWORK=y

was left in place. I tried switching to AKARI to avoid compiling a custom kernel, but the AKARI module's network security wasn't working.

EDIT: I was able to get TOMOYO working by installing the linux-lts kernel and also by custom compiling the latest 3.14 kernel. I'll mark this as solved and decide which method will work best for me long-term.

Thanks again to Slithery for pointing me to the information I was seeking. And thanks to the Arch Linux community for providing the lts kernel, the wiki which helped me learn how to compile the kernel, and this forum where I could ask my question. Arch is the best!

Last edited by 0strodamus (2014-04-14 00:59:47)


archlinux | OpenRC | TOMOYO Linux | Xfce

"In his house at R'lyeh dead Cthulhu waits dreaming."

#5 2014-04-14 10:41:57

clfarron4
Member
From: London, UK
Registered: 2013-06-28
Posts: 2,163
Website

Re: [Solved] Why was TOMOYO removed from kernel 3.14?

0strodamus wrote:

EDIT: I was able to get TOMOYO working by installing the linux-lts kernel...

I don't know whether these changes will also be applied to the linux-lts kernel or not. It was mentioned on the mailing list that the discussions should include and apply to linux-lts, but nothing else was mentioned. I say this because I maintain the linux-lts-ck and linux-lts312 packages (in the AUR).

I'll wait and see what happens, but I'm tempted to make them a toggle on/off option in the PKGBUILDs if I decide to turn off the SELinux and TOMOYO stuff by default (in the same way that NUMA is default off with the toggle option in those PKGBUILDs).


Claire is fine.
Problems? I have dysgraphia, so clear and concise please.
My public GPG key for package signing
My x86_64 package repository

#6 2014-04-14 22:32:22

0strodamus
Member
Registered: 2014-01-22
Posts: 95

Re: [Solved] Why was TOMOYO removed from kernel 3.14?

I'm curious to see if the changes make it to linux-lts too. I was hoping that MAC is more important for servers and that TOMOYO will therefore have a much longer lifespan in the linux-lts kernel. Using AKARI is an option, but I like network security, so without the CONFIG_SECURITY_NETWORK option being enabled by default, a recompile is still needed. I'm just glad that recompiling the linux kernel didn't take too awfully long, TOMOYO was easily re-enabled with an adjustment to the config files, and using ABS was a pretty painless affair.

If I wasn't such a noob, I would create and maintain a linux-tomoyo package to go along with tomoyo-tools in the AUR. However, I couldn't even get the akari or ccs-tools packages to install correctly after trying to update them locally for the new versions. I was able to follow the directions on AKARI's website to install them manually, but would prefer them to be under pacman's watchful eye. All my playing was in Virtualbox - I would never subject my real system to anything new without testing there first. Hopefully someday I'll be equipped to help more in this way. Until then, I'll just keep making donations so I can feel like I'm contributing something.

EDIT: I updated the ArchWiki to reflect the kernel changes noted in this thread.

Last edited by 0strodamus (2014-04-16 05:38:52)


archlinux | OpenRC | TOMOYO Linux | Xfce

"In his house at R'lyeh dead Cthulhu waits dreaming."
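Posts #4 and #6 come down to the same practical question: does a given kernel have TOMOYO built in together with CONFIG_SECURITY_NETWORK, or is a rebuild (or the linux-lts kernel) needed? The script below is an added example, not something posted in the thread; it reads a kernel .config file and reports the three options discussed, using a constructed sample that mirrors the 3.14 config quoted in post #1. The helper names are made up for this example.

```shell
#!/bin/sh
# Added example: inspect a kernel .config for the LSM options discussed in
# this thread. Works on any saved config, e.g. `zcat /proc/config.gz > cfg`
# (requires CONFIG_IKCONFIG_PROC) or the config in an ABS build tree.

# check_option FILE OPTION -> y (built in), m (module),
# n (explicitly "is not set") or missing (option absent from the file)
check_option() {
    file=$1
    opt=$2
    if grep -q "^${opt}=y" "$file"; then echo y
    elif grep -q "^${opt}=m" "$file"; then echo m
    elif grep -q "^# ${opt} is not set" "$file"; then echo n
    else echo missing
    fi
}

# tomoyo_ready FILE -> success only when TOMOYO is built in AND the
# socket/network hooks (CONFIG_SECURITY_NETWORK) are available, which is
# the combination post #4 needed and AKARI could not provide on its own.
tomoyo_ready() {
    [ "$(check_option "$1" CONFIG_SECURITY_TOMOYO)" = y ] &&
    [ "$(check_option "$1" CONFIG_SECURITY_NETWORK)" = y ]
}

# Constructed sample config (not a real file from the thread): the shape of
# the stock Arch 3.14 config where TOMOYO and AppArmor were switched off.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
CONFIG_SECURITY_SELINUX=y
EOF

for opt in CONFIG_SECURITY_NETWORK CONFIG_SECURITY_TOMOYO CONFIG_SECURITY_APPARMOR; do
    printf '%-32s %s\n' "$opt" "$(check_option "$SAMPLE_CFG" "$opt")"
done

if tomoyo_ready "$SAMPLE_CFG"; then
    echo "TOMOYO with network hooks is available on this kernel"
else
    echo "TOMOYO not usable here: rebuild with CONFIG_SECURITY_TOMOYO=y or use linux-lts"
fi
```

Replace `SAMPLE_CFG` with the path to a real config to check the kernel you are actually booting; `n` versus `missing` distinguishes an option deliberately disabled by the packager from one the kernel version does not offer at all.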

#7 2014-05-01 11:03:49

webmeister
Member
Registered: 2014-04-18
Posts: 1

Re: [Solved] Why was TOMOYO removed from kernel 3.14?

There is a feature request to re-enable TOMOYO in Arch's default kernel, as disabling it in the current configuration does not seem to have any apparent benefit.

Also, linux-grsec is now in [community], providing a different solution to harden your system.
