
#1 2011-06-14 16:10:27

nixscripter
Member
Registered: 2011-06-08
Posts: 9

Tomoyo: Basic Setup Question [SOLVED]

This is long and detailed, because I don't know whether I missed a step, or if the packages are busted, or what. It has been a considerable frustration getting this set up. I have been trying to follow the directions on the Tomoyo site without much success, using the 1.8.x kernel and ccs-tools packages on AUR (I need to track network activity, so 2.3.x won't do it).

I got it installed and running (ccsecurity=on, saw the message at boot-up, and ran ccs-init prior to that), and then did as they specified to create the first domain:

1. ccs-editpolicy
2. Find the application (repeating their example I chose firefox)
3. Type S (set profile), and then 1.

Except it didn't change, even after a refresh. Looking at /proc/ccs/profile there was no profile 1, contrary to their instructions; only zero was there. So I created one, based on their example, and added it to the end of profile.conf:

1-COMMENT=learning
1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
1-CONFIG={ mode=learning grant_log=no reject_log=no }

I loaded the profile with ccs-loadpolicy -p. It seemed to like it, but when I checked /proc/ccs/profile, nothing had changed. It took a reboot for that to update -- again, contrary to what the tools like "load policy" seem to suggest.

Once the reboot was finished, I did a ccs-savepolicy, and then edited firefox to "use profile 1". I tried a ccs-loadpolicy -df on the new policy, and it still didn't take effect. So, I made sure I had edited the current one, and rebooted again. This time, it worked.

So, I did a bunch of things in firefox, and did another ccs-savepolicy. None of my actions appeared in the policy!

At this point, I am about to give up. Am I missing something?

Last edited by nixscripter (2011-06-15 14:45:59)


#2 2011-06-14 18:28:50

jnguyen
Member
Registered: 2011-02-17
Posts: 139

Re: Tomoyo: Basic Setup Question [SOLVED]

Hi nixscripter. It sounds strange what is going on (and is definitely not what should be happening). I can't reproduce using the packages from AUR.

Can you try deleting your policy files, re-initializing policy and rebooting:

rm -rf /etc/ccs/
/usr/lib/ccs/init_policy
reboot

After the reboot, can you post what is contained within each of these files:
/etc/ccs/domain_policy.conf
/etc/ccs/exception_policy.conf
/etc/ccs/manager.conf
/etc/ccs/profile.conf

And maybe post your "dmesg" up as well, for good measure.

edit: by the way, are you using systemd by any chance?

Last edited by jnguyen (2011-06-14 19:58:58)


TOMOYO Linux: Mandatory Access Control.
My AUR packages


#3 2011-06-15 14:45:13

nixscripter
Member
Registered: 2011-06-08
Posts: 9

Re: Tomoyo: Basic Setup Question [SOLVED]

Well, that was easy. It works now!

And I found my mistake. You said to use:

/usr/lib/ccs/init_policy 

Whereas I ran /sbin/ccs-init -- which, when I look it up, is the init script wrapper.

Thanks for your help. And now you know what strange things happen if you don't do an init_policy.

Last edited by nixscripter (2011-06-15 14:45:43)
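
The checks this thread did by hand (are the four policy files there, and is the profile a domain points at actually defined), as an added example that is not part of either poster's messages or of ccs-tools. The function names are hypothetical, the sample policy is constructed, and the `use_profile N` domain line syntax is an assumption based on the "use profile 1" wording above.

```shell
#!/bin/sh
# Added example: pre-flight check of a TOMOYO 1.8.x policy directory.
# Assumes "N-KEY=VALUE" profile lines (as quoted in the thread) and
# "use_profile N" lines in the domain policy.

# Profile numbers defined in a profile.conf-style file, one per line.
defined_profiles() {
    sed -n 's/^\([0-9][0-9]*\)-[^=]*=.*/\1/p' "$1" | sort -un
}

# Profile numbers that domains refer to, one per line.
referenced_profiles() {
    awk '$1 == "use_profile" { print $2 }' "$1" | sort -un
}

# Report problems found in policy directory $1; non-zero status if any.
check_policy_dir() {
    dir=$1 rc=0
    for f in domain_policy.conf exception_policy.conf manager.conf profile.conf; do
        [ -f "$dir/$f" ] || { echo "missing: $f"; rc=1; }
    done
    [ -f "$dir/profile.conf" ] && [ -f "$dir/domain_policy.conf" ] || return 1
    defined=$(defined_profiles "$dir/profile.conf")
    for n in $(referenced_profiles "$dir/domain_policy.conf"); do
        echo "$defined" | grep -qx "$n" ||
            { echo "profile $n is referenced but not defined"; rc=1; }
    done
    return $rc
}

# Constructed sample reproducing the symptom from the first post: a domain
# set to profile 1 while only profile 0 is defined. Prints the directory.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' '0-COMMENT=disabled' \
        '0-CONFIG={ mode=disabled grant_log=no reject_log=no }' > "$d/profile.conf"
    printf '%s\n' '<kernel>' 'use_profile 0' '' \
        '<kernel> /usr/bin/firefox' 'use_profile 1' > "$d/domain_policy.conf"
    : > "$d/exception_policy.conf"
    : > "$d/manager.conf"
    echo "$d"
}

sample=$(make_sample)
check_policy_dir "$sample" || echo "fix the policy before relying on it"
rm -rf "$sample"
```

Against a real system it would be called as `check_policy_dir /etc/ccs`.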


#4 2011-06-15 14:48:13

jnguyen
Member
Registered: 2011-02-17
Posts: 139

Re: Tomoyo: Basic Setup Question [SOLVED]

Glad you got it working :)

If you have any further questions or queries, feel free to post in our Mailing List. I might miss your post in the forum.
