#1 2014-02-26 13:25:04

Jasper1984
Member
Registered: 2012-09-06
Posts: 9

Tomoyo linux wiki page

Tomoyo linux wiki page seems to use the old init system? Trying it, it failed to boot for me saying /sbin/init not found; changing it to use systemd as I mentioned in the talk page looks like it should fix it.

Barring that failing, the next boot, or comments here or there, I will update the wiki to reflect this. However, earlier wiki discussion entries didn't seem to attract attention to themselves, which is why I post here, so the chance of me putting wrong shit in the wiki is decreased.

On another point of (potential) discussion, isn't it about time we all start using Mandatory Access Control?


#2 2014-03-02 17:55:57

0strodamus
Member
Registered: 2014-01-22
Posts: 92

Re: Tomoyo linux wiki page

I'm still using /sbin/init in /etc/default/grub and everything is working fine. There, of course, are symlinks completing the path to /usr/lib/systemd/systemd. Will they be going away at some point? Did you get TOMOYO working with TOMOYO_trigger=/usr/lib/systemd/systemd? I'm going to leave things as they are until something breaks. smile

$ dmesg | grep -A 1 -B 1 TOMOYO
[    0.000000] Linux version 3.13.5-1-ARCH (nobody@var-lib-archbuild-extra-x86_64-thomas) (gcc version 4.8.2 20140206 (prerelease) (GCC) ) #1 SMP PREEMPT Sun Feb 23 00:25:24 CET 2014
[    0.000000] Command line: BOOT_IMAGE=/vmlinuz-linux root=UUID=xxxxxxxx-xxxxxxxxx-xxxx-xxxxxxxxxxxx rw cryptdevice=/dev/sdax:sdax_crypt:allow-discards security=tomoyo TOMOYO_trigger=/sbin/init ipv6.disable=1
[    0.000000] e820: BIOS-provided physical RAM map:
--
[    0.000000] Policy zone: Normal
[    0.000000] Kernel command line: BOOT_IMAGE=/vmlinuz-linux root=UUID=xxxxxxxx-xxxxxxxxx-xxxx-xxxxxxxxxxxx rw cryptdevice=/dev/sdax:sdax_crypt:allow-discards security=tomoyo TOMOYO_trigger=/sbin/init ipv6.disable=1
[    0.000000] PID hash table entries: 4096 (order: 3, 32768 bytes)
--
[    0.000019] Security Framework initialized
[    0.000026] TOMOYO Linux initialized
[    0.000029] AppArmor: AppArmor disabled by boot time parameter
--
[   13.196753] Calling /usr/bin/tomoyo-init to load policy. Please wait.
[   13.271443] TOMOYO: 2.5.0
[   13.271470] Mandatory Access Control activated.

You have a great point regarding Mandatory Access Control. TOMOYO makes it so easy, there is no reason not to use it for internet-facing applications.

Last edited by 0strodamus (2014-03-13 18:41:57)


archlinux | OpenRC | TOMOYO Linux | Xfce

"In his house at R'lyeh dead Cthulhu waits dreaming."


#3 2014-03-12 11:10:46

Jasper1984
Member
Registered: 2012-09-06
Posts: 9

Re: Tomoyo linux wiki page

Using 2.X and `TOMOYO_trigger=/usr/lib/systemd/systemd` works for me.

Still have it in learning mode. But if I press 's' in editpolicy, only one changes, not the children? Not sure how to turn on enforcing mode yet..


#4 2014-03-16 01:52:11

Jasper1984
Member
Registered: 2012-09-06
Posts: 9

Re: Tomoyo linux wiki page

How do you develop policy.. Really it seems like a PITA to me. Learning mode works, but it doesn't seem to `initialize_domain` at smart points, nor are there easy ways to allow, for instance, firefox to read any *.html, *.htm, *HTML, *.png etcetera. Similarly gimp, inkscape... All of them need to know what the regular plain old files are. Well, there are easy ways, but it is too damn much work to specify them..

Even if I just decided they are allowed to read/write `/home/*/\{\*\}\*`, most of them, not really, but willing to compromise a bit..

I tried to specify them and put it into learning mode, but instead of \{\*\}/\*.html I did \{*\}.html, so it learned the .html shit anyway.. (why escapes anyway...)

I suppose I might have to do with a more coarse-grained allow/deny system...
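The pathname wildcards the post above is wrestling with, as an added illustration that is not part of this thread and not TOMOYO's own code: a small Python re-implementation of how TOMOYO's `\*`, `\?`, `\@` and recursive `/\{\*\}/` patterns match, simplified from the kernel's matcher (the `\$`, `\+`, `\x`, `\-` and octal escapes are left out). It runs the pattern the post was aiming for and the mistyped one over a few constructed paths. Two things it makes concrete: an unescaped `*` is just a literal character, and `\{inner\}` has to be a whole component that follows a `/` and is followed by one, so `\{*\}.html` is malformed and matches nothing; and `/\{\*\}/` consumes one or more directory levels, so a file sitting directly in the directory before it is not matched by `/home/\*/\{\*\}/\*.html`.

```python
# Simplified re-implementation of TOMOYO pathname wildcards, added for
# illustration only (not TOMOYO's code). Supported: literal characters,
# "\*" (zero or more non-"/" characters), "\?" (exactly one non-"/"
# character), "\@" (zero or more characters that are neither "/" nor "."),
# "\\" (a literal backslash) and "/\{inner\}/" (inner matched against one
# or more consecutive directory components). Any other escape is treated
# as non-matching here; the real policy loader rejects such lines.


def _component_matches(comp: str, pat: str) -> bool:
    """Match one path component (no '/') against one pattern component."""
    if not pat:
        return comp == ""
    if pat[0] != "\\":
        return bool(comp) and comp[0] == pat[0] and _component_matches(comp[1:], pat[1:])
    if len(pat) < 2:
        return False                      # dangling backslash: malformed
    op, rest = pat[1], pat[2:]
    if op == "*":
        return any(_component_matches(comp[i:], rest) for i in range(len(comp) + 1))
    if op == "@":
        for i in range(len(comp) + 1):
            if _component_matches(comp[i:], rest):
                return True
            if i < len(comp) and comp[i] == ".":
                break                     # "\@" never runs past a dot
        return False
    if op == "?":
        return bool(comp) and _component_matches(comp[1:], rest)
    if op == "\\":
        return comp.startswith("\\") and _component_matches(comp[1:], rest)
    return False                          # unsupported or malformed escape


def _segments_match(segs: list, pats: list) -> bool:
    """Match remaining path components against remaining pattern components."""
    if not pats:
        return not segs
    pat = pats[0]
    if pat.startswith("\\{") and pat.endswith("\\}") and len(pat) >= 4:
        # Recursive form "\{inner\}" must be a whole component followed by "/",
        # so at least one further pattern component has to exist.
        if len(pats) < 2:
            return False
        inner = pat[2:-2]
        # Consume one or more directory components that each match "inner",
        # trying the rest of the pattern after every one of them.
        for k in range(len(segs) - 1):
            if not _component_matches(segs[k], inner):
                return False
            if _segments_match(segs[k + 1:], pats[1:]):
                return True
        return False
    if not segs or not _component_matches(segs[0], pat):
        return False
    return _segments_match(segs[1:], pats[1:])


def path_matches(path: str, pattern: str) -> bool:
    """True if an absolute pathname matches a TOMOYO-style pattern.

    A trailing "/" marks a directory; as in TOMOYO, a directory never
    matches a file pattern and vice versa.
    """
    if path.endswith("/") != pattern.endswith("/"):
        return False
    return _segments_match(path.split("/"), pattern.split("/"))


def check_patterns(paths, patterns):
    """Return {pattern: [paths it matches]} for a list of constructed paths."""
    return {pat: [p for p in paths if path_matches(p, pat)] for pat in patterns}


# Constructed sample paths (not taken from any real policy or log).
SAMPLE_PATHS = [
    "/home/jasper/Documents/page.html",
    "/home/jasper/Documents/old/notes.htm",   # .htm needs its own pattern
    "/home/jasper/page.html",                 # directly under $HOME: no subdir
    "/home/jasper/.mozilla/cert9.db",
    "/home/jasper/Documents/",                # a directory, not a file
]

# The pattern the post was aiming for, and the mistyped one from the post.
INTENDED = "/home/\\*/\\{\\*\\}/\\*.html"
MISTYPED = "/home/\\*/\\{*\\}.html"   # "*" unescaped, "\}" not followed by "/"

if __name__ == "__main__":
    for pat, hits in check_patterns(SAMPLE_PATHS, [INTENDED, MISTYPED]).items():
        print(pat, "->", hits)
```

Running it shows the intended pattern matching only `/home/jasper/Documents/page.html` and the mistyped one matching nothing. Adding a sibling pattern ending in `\*.htm` (or using `\@` instead of `\*` when dotted basenames like `a.b.html` should be excluded) is how the `.htm` case would be covered.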


#5 2014-03-16 05:50:07

0strodamus
Member
Registered: 2014-01-22
Posts: 92

Re: Tomoyo linux wiki page

I'm using TOMOYO as an "application firewall" for all apps. I do this by using a default policy that only blocks network access. Then for applications that I want to restrict further (such as Firefox, Thunderbird, etc.), I have a policy that enforces everything. Because the rulesets can get rather lengthy, I've added these applications to the Exception Policy Editor with "initialize_domain /path/application from any". I imagine this is similar to what you're referring to as a more coarse-grained allow/deny system.

I'm not sure what the harm is in allowing file reads, so I've allowed my enforced applications to "file read @ANY_PATHNAME". It's the file write operations that I'm concerned with restricting.

If I had to create full rulesets for my whole system (especially without allowing all file read access requests), I would share your opinion of it being a PITA. The way I'm doing things, it's not bad at all. I actually like using TOMOYO because in addition to the security it provides, I am learning what the apps I'm adding to my enforcement policy are doing.

In my experience, tomoyo-queryd makes it easier to configure policy than using learning mode. Another nice thing about tomoyo-queryd is that if you get your regex wrong, it will ignore it and keep prompting you until you get it right. Another good learning experience courtesy of TOMOYO.

Have you tried using tomoyo-patternize? It might help when using learning mode to consolidate your rules. I've never used it because I don't use learning mode, so I'm not sure how effective it is.

The only way I've found to change multiple items is to press the space bar for each item and then make the change. This still means selecting each item one by one. I haven't found a way to shift-select multiple items which would make things much easier. If you find a way, please let me know.

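To see what the layout described in the post above looks like in policy terms, here is an added Python example, not from this thread and not from tomoyo-tools: it parses a constructed profile.conf and domain_policy.conf written to mirror that setup (a profile that enforces only the network category, firefox and thunderbird as top-level domains the way `initialize_domain ... from any` produces them, reads granted through @ANY_PATHNAME) and reports domains whose network category is not enforcing, domains still in learning mode, and domains that grant `file write @ANY_PATHNAME`. The mode resolution order (CONFIG::file::write, then CONFIG::file, then the profile-wide CONFIG) follows TOMOYO 2.5's profile format; the audit rules, the profile numbering and the sample file contents are assumptions of this example.

```python
import re

# Constructed sample profile.conf (not from a real system). Profile 2 is the
# "application firewall" idea: everything disabled except the network
# category, which is enforced. Profile 3 enforces every category.
PROFILE_CONF = """\
PROFILE_VERSION=20110903
0-COMMENT=-----Disabled Mode-----
0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
1-COMMENT=-----Learning Mode-----
1-CONFIG={ mode=learning grant_log=no reject_log=yes }
2-COMMENT=-----Network-only enforcement-----
2-CONFIG={ mode=disabled grant_log=no reject_log=yes }
2-CONFIG::network={ mode=enforcing }
3-COMMENT=-----Enforcing Mode-----
3-CONFIG={ mode=enforcing grant_log=yes reject_log=yes }
"""

# Constructed sample domain_policy.conf. firefox and thunderbird appear as
# top-level domains, as they would after "initialize_domain ... from any".
DOMAIN_POLICY = """\
<kernel>
use_profile 0
use_group 0

<kernel> /usr/lib/systemd/systemd
use_profile 2
use_group 0

<kernel> /usr/bin/firefox
use_profile 3
use_group 0

file read @ANY_PATHNAME
file write /home/\\*/.mozilla/\\{\\*\\}/\\*
file write /home/\\*/Downloads/\\*
network inet stream connect 0.0.0.0-255.255.255.255 443

<kernel> /usr/bin/thunderbird
use_profile 1
use_group 0

file read @ANY_PATHNAME
file write @ANY_PATHNAME
network inet stream connect 0.0.0.0-255.255.255.255 993
"""


def parse_profiles(text: str) -> dict:
    """Return {profile_number: {scope: mode}} where scope is "" (profile-wide),
    a category such as "network", or "category::operation"."""
    profiles = {}
    for line in text.splitlines():
        m = re.match(r"(\d+)-CONFIG(?:::([\w:]+))?=\{(.*)\}", line.strip())
        if not m:
            continue                     # COMMENT / PREFERENCE / version lines
        num, scope, body = int(m.group(1)), m.group(2) or "", m.group(3)
        mode = re.search(r"\bmode=(\w+)", body)
        if mode:
            profiles.setdefault(num, {})[scope] = mode.group(1)
    return profiles


def effective_mode(profiles: dict, num: int, category: str, op: str = None) -> str:
    """Resolve a mode the way TOMOYO does: CONFIG::cat::op, then CONFIG::cat,
    then the profile-wide CONFIG; an unset profile default means disabled."""
    prof = profiles[num]
    keys = ([f"{category}::{op}"] if op else []) + [category, ""]
    for key in keys:
        if key in prof:
            return prof[key]
    return "disabled"


def parse_domain_policy(text: str) -> list:
    """Return [{"name": ..., "profile": int|None, "acl": [lines]}] per domain."""
    domains, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):
            cur = {"name": line, "profile": None, "acl": []}
            domains.append(cur)
        elif cur is None:
            continue                     # junk before the first domain header
        elif line.startswith("use_profile "):
            cur["profile"] = int(line.split()[1])
        elif not line.startswith("use_group "):
            cur["acl"].append(line)
    return domains


def audit(profiles: dict, domains: list) -> list:
    """Return (domain, level, message) findings. The rules are this example's
    own choices, not anything TOMOYO ships."""
    findings = []
    for d in domains:
        name, prof = d["name"], d["profile"]
        if name == "<kernel>":
            continue                     # kernel threads, conventionally profile 0
        if prof not in profiles:
            findings.append((name, "ERROR", f"use_profile {prof} is not defined"))
            continue
        net = effective_mode(profiles, prof, "network")
        fil = effective_mode(profiles, prof, "file")
        if net != "enforcing":
            findings.append((name, "WARN", f"network category is '{net}', not enforcing"))
        if fil == "learning":
            findings.append((name, "WARN", "file category is still learning; nothing is blocked"))
        if "file write @ANY_PATHNAME" in d["acl"]:
            findings.append((name, "WARN", "file write @ANY_PATHNAME: write enforcement is moot"))
        if "file read @ANY_PATHNAME" in d["acl"]:
            findings.append((name, "INFO", "reads allowed everywhere (the deliberate trade-off)"))
    return findings


if __name__ == "__main__":
    for domain, level, msg in audit(parse_profiles(PROFILE_CONF), parse_domain_policy(DOMAIN_POLICY)):
        print(f"{level:5} {domain}: {msg}")
```

On the sample input the systemd domain is clean (network enforced, files unchecked, which is the stated intent), firefox gets only the informational note about reads, and thunderbird, still on the learning profile with a blanket write rule, collects the three warnings. Pointing the two parsers at a real /etc/tomoyo/profile.conf and domain_policy.conf is the obvious next step; the rules are easy to extend to whatever a given setup treats as a mistake.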
