This is long and detailed, because I don't know whether I missed a step, or if the packages are busted, or what. It has been a considerable frustration getting this set up. I have been trying to follow the directions on the Tomoyo site without much success, using the 1.8.x kernel and ccs-tools packages on AUR (I need to track network activity, so 2.3.x won't do it).
I got it installed and running (ccsecurity=on, saw the message at boot-up, and ran ccs-init prior to that), and then did as they specified to create the first domain:
1. ccs-editpolicy
2. Find the application (repeating their example I chose firefox)
3. Type S (set profile), and then 1.
Except it didn't change, even after a refresh. Looking at /proc/ccs/profile there was no profile 1, contrary to their instructions; only zero was there. So I created one, based on their example, and added it to the end of profile.conf:
1-COMMENT=learning
1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
1-CONFIG={ mode=learning grant_log=no reject_log=no }
I loaded the profile with ccs-loadpolicy -p. It seemed to like it, but when I checked /proc/ccs/profile, nothing had changed. It took a reboot for that to update -- again, contrary to what the tools like "load policy" seem to suggest.
Once the reboot was finished, I did a ccs-savepolicy, and then edited firefox to "use profile 1". I tried a ccs-loadpolicy -df on the new policy, and it still didn't take effect. So, I made sure I had edited the current one, and rebooted again. This time, it worked.
So, I did a bunch of things in firefox, and did another ccs-savepolicy. None of my actions appeared in the policy!
At this point, I am about to give up. Am I missing something?
Last edited by nixscripter (2011-06-15 14:45:59)
Hi nixscripter. What you describe sounds strange (and is definitely not what should be happening). I can't reproduce it using the packages from AUR.
Can you try deleting your policy files, re-initializing policy and rebooting:
rm -rf /etc/ccs/
/usr/lib/ccs/init_policy
reboot
After the reboot, can you post what is contained within each of these files:
/etc/ccs/domain_policy.conf
/etc/ccs/exception_policy.conf
/etc/ccs/manager.conf
/etc/ccs/profile.conf
And maybe post your "dmesg" up as well, for good measure.
Edit: by the way, are you using systemd by any chance?
Last edited by jnguyen (2011-06-14 19:58:58)
TOMOYO Linux: Mandatory Access Control.
My AUR packages
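The original post describes a domain set to "use profile 1" while /proc/ccs/profile only contained profile 0, and the reply above asks for domain_policy.conf and profile.conf. The script below is an added example (not code from this thread, not part of ccs-tools) that cross-checks those two files: it lists every profile number referenced by a "use_profile N" line that has no "N-..." definition in profile.conf, and reports the mode a given domain would actually run in. It assumes the standard TOMOYO 1.8 file layout (domain lines begin with "<kernel>", followed by "use_profile N"; profile.conf lines begin with "N-"); the sample policy files it writes are constructed for the example, not copied from any system.

```shell
#!/bin/sh
# Added example, not from the thread or from ccs-tools: cross-check a
# TOMOYO 1.8 domain_policy.conf against profile.conf. The failure described
# in the thread is a domain set to "use_profile 1" while no profile 1 is
# defined, so that domain never enters learning mode. Assumed file formats
# are the standard 1.8 ones; the sample files below are constructed.

# Profile numbers defined in profile.conf (lines like "1-COMMENT=..."), sorted.
defined_profiles() {
    sed -n 's/^\([0-9][0-9]*\)-.*/\1/p' "$1" | sort -un
}

# Profile numbers referenced by "use_profile N" lines in domain_policy.conf.
referenced_profiles() {
    sed -n 's/^use_profile[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | sort -un
}

# Print the referenced profile numbers that have no definition; return 1 if any.
# Arguments: DOMAIN_POLICY_CONF PROFILE_CONF
undefined_profiles() {
    missing=""
    for n in $(referenced_profiles "$1"); do
        if ! defined_profiles "$2" | grep -qx "$n"; then
            missing="$missing $n"
        fi
    done
    echo $missing        # unquoted on purpose: drops the leading space
    [ -z "$missing" ]
}

# Profile number a domain uses. Arguments: DOMAIN_POLICY_CONF DOMAIN
# (e.g. "<kernel> /usr/bin/firefox"). Prints nothing if the domain is absent.
domain_profile() {
    awk -v d="$2" '
        $0 == d                 { f = 1; next }   # found the domain line
        /^<kernel>/             { f = 0 }         # another domain starts
        f && $1 == "use_profile" { print $2; exit }
    ' "$1"
}

# Mode (disabled/learning/permissive/enforcing) configured for profile N.
# Arguments: PROFILE_CONF N
profile_mode() {
    sed -n "s/^$2-CONFIG={.*mode=\([a-z]*\).*/\1/p" "$1"
}

# Effective mode for a domain; fails if the domain has no use_profile line.
# Arguments: DOMAIN_POLICY_CONF PROFILE_CONF DOMAIN
domain_mode() {
    n=$(domain_profile "$1" "$3")
    [ -n "$n" ] || return 1
    profile_mode "$2" "$n"
}

# Constructed sample policy written into directory $1 (not real system files):
# profile 2 is referenced by sshd but never defined, mirroring the thread.
make_sample_policy() {
    cat > "$1/domain_policy.conf" <<'EOF'
<kernel>
use_profile 0
use_group 0

<kernel> /usr/bin/firefox
use_profile 1
use_group 0

<kernel> /usr/sbin/sshd
use_profile 2
use_group 0
EOF
    cat > "$1/profile.conf" <<'EOF'
PROFILE_VERSION=20100903
0-COMMENT=-----Disabled Mode-----
0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
1-COMMENT=learning
1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
1-CONFIG={ mode=learning grant_log=no reject_log=no }
EOF
}

# Run against real files:
#   sh check_ccs_policy.sh /etc/ccs/domain_policy.conf /etc/ccs/profile.conf
# On the sample above: undefined profile "2"; firefox domain -> learning.
if [ "$#" -eq 2 ]; then
    undefined_profiles "$1" "$2"
fi
```

Run it on the files ccs-savepolicy writes, not on /proc/ccs, since the on-disk files are what you edit and what the next boot loads; a non-empty result means some domain's "use_profile" points at a profile the kernel will not find.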
Well, that was easy. It works now!
And I found my mistake. You said to use:
/usr/lib/ccs/init_policy
Whereas I ran /sbin/ccs-init -- which, when I look it up, is the init script wrapper.
Thanks for your help. And now you know what strange things happen if you don't do an init_policy.
Last edited by nixscripter (2011-06-15 14:45:43)
Glad you got it working.
If you have any further questions or queries, feel free to post in our Mailing List. I might miss your post in the forum.