Thank you so much for these detailed explanations and examples! I am now able to reliably edit Caitsith policy without rebooting.
> Darrell wrote:
>> Thanks for the response. My question stemmed from what is probably just
>> some confusion on my part. I have been attempting to make changes
>> directly to /etc/caitsith/policy/current and then load those changes by
>> issuing command
>>
>> # /usr/sbin/caitsith-loadpolicy < /etc/caitsith/policy/current
>>
>> . What I found is that this seems to append /etc/caitsith/policy/current to
>> /sys/kernel/security/caitsith/policy.
> Yes, TOMOYO / CaitSith's policy interface deletes a line (and lines which
> depend on that line) when that line starts with "delete " keyword, and
> appends that line when that line does not start with "delete " keyword.
>
> But there is an exception. The "delete " keyword is ignored for lines which
> start with "POLICY_VERSION=" or "stat " or "quota " or "audit ".
>
> Lines which start with "POLICY_VERSION=" or "quota " or "audit " can be
> updated by overwriting that line.
>
> # echo 'quota audit[1] allowed=1024' | caitsith-loadpolicy
> # echo 'quota memory audit 16777216' | caitsith-loadpolicy
> # caitsith-savepolicy -
>
> Lines which start with "quota " will not be printed if its quota value is 0.
>
> # echo 'quota audit[1] allowed=0 denied=0 unmatched=0' | caitsith-loadpolicy
> # echo 'quota memory audit 0' | caitsith-loadpolicy
> # caitsith-savepolicy -
>
>> If I had made some deletions to
>> /etc/caitsith/policy/current,
>>
>> # cat /sys/kernel/security/caitsith/policy
>>
>> would still show some of the policy I had deleted.
> You need to replace /sys/kernel/security/caitsith/policy with
> /etc/caitsith/policy/current using commands shown below.
>
>> I tried the command
>>
>> # /usr/sbin/caitsith-loadpolicy << /etc/caitsith/policy/current
>>
>> , but that didn't work. In hindsight, I should have asked if there is
>> a way to completely replace /sys/kernel/security/caitsith/policy with
>> /etc/caitsith/policy/current without rebooting?
> You can use below commands to completely replace in-memory policy configuration
> without rebooting.
>
> # caitsith-savepolicy - | awk ' { print "delete " $0 }' | caitsith-loadpolicy
> # caitsith-loadpolicy < /etc/caitsith/policy/current
>
> But please be aware that there is a moment where all access requests are
> unconditionally granted (and/or domain transition does not occur as expected)
> due to lack of in-memory policy configuration.
>
> If you care about such moment, you can edit in-memory policy configuration
> using caitsith-loadpolicy and then save in-memory policy configuration using
> caitsith-savepolicy .
>
> # edit a_temporary_file_which_contains_changes
> # caitsith-loadpolicy < a_temporary_file_which_contains_changes
> # caitsith-savepolicy
> # rm a_temporary_file_which_contains_changes
>
> Content of a_temporary_file_which_contains_changes would look like below.
>
> Append entries without deletion.
> ----------
> 10 acl execute
> 10 allow path="/path/to/old_executable"
>
> 20 acl read
> audit 0
> 10 allow path="/path/to/old_file"
> ----------
>
> Append entries with some deletion.
> ----------
> 10 acl execute
> 10 allow path="/path/to/new_executable"
> delete 10 allow path="/path/to/old_executable"
>
> 21 acl read
> audit 1
> 10 allow path="/path/to/file"
>
> delete 20 acl read
> ----------
>
>>> Hello.
>>>
>>> Darrell wrote:
>>>> Do you have any plans to create an ncurses caitsith-editpolicy similar
>>>> to ccs-editpolicy? I've been contemplating migrating from CCS to
>>>> Caitsith and miss the ncurses editor for in-memory policy editing.
>>> Since I think that caitsith-loadpolicy and caitsith-queryd are sufficient
>>> for editing in-memory policy configuration ( /proc/caitsith/policy or
>>> /sys/kernel/security/caitsith/policy ), I don't have a plan to create
>>> caitsith-editpolicy .
>>>
>>> Since TOMOYO modifies in-memory policy configuration, we use ccs-editpolicy
>>> or tomoyo-editpolicy for browsing and editing in-memory policy
>>> configuration.
>>> But since CaitSith does not, there is little need for browsing and editing
>>> in-memory policy configuration using a dedicated tool.
>>>
>>> You can run caitsith-savepolicy when you modified in-memory policy configuration
>>> using caitsith-loadpolicy or caitsith-queryd .

_______________________________________________
tomoyo-users-en mailing list
tomoyo-users-en@lists.osdn.me
http://lists.osdn.me/mailman/listinfo/tomoyo-users-en
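The in-place edit the reply describes (new entries plus "delete " lines, instead of deleting everything and reloading) can be generated mechanically from the saved in-memory policy and the desired policy, so the kernel is never left without a policy. This is an added example, not code from the thread or from the CaitSith project: the block layout it assumes, a "<priority> acl <operation>" line owning the audit/allow lines beneath it, is inferred from the reply's snippets, and the two sample policies are constructed to match them.

```python
# "delete " is ignored for these line types; they are changed by overwriting.
NO_DELETE = ("POLICY_VERSION=", "stat ", "quota ", "audit ")

def parse_policy(text):
    """Return (top-level lines, {acl header: [entries]}); a '<prio> acl <op>'
    line is assumed to own the audit/allow/deny lines that follow it."""
    top, blocks, current = [], {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "acl":
            current = line
            blocks.setdefault(current, [])
        elif current is None:
            top.append(line)
        else:
            blocks[current].append(line)
    return top, blocks

def transition(old_text, new_text):
    """Lines to pipe into caitsith-loadpolicy to reach new_text in place."""
    old_top, old_blocks = parse_policy(old_text)
    new_top, new_blocks = parse_policy(new_text)
    # POLICY_VERSION= and quota lines are overwritten, never deleted; to clear
    # a quota the new policy must set its value to 0 explicitly.
    head = [ln for ln in new_top if ln not in old_top]
    head += ["delete " + ln for ln in old_top
             if ln not in new_top and not ln.startswith(NO_DELETE)]
    chunks = [head]
    for header, entries in new_blocks.items():
        old_entries = old_blocks.get(header, [])
        adds = [e for e in entries if e not in old_entries]
        dels = ["delete " + e for e in old_entries
                if e not in entries and not e.startswith(NO_DELETE)]
        if header not in old_blocks or adds or dels:
            chunks.append([header] + adds + dels)  # header sets the context
    # Deleting an acl header also removes the entries that depend on it.
    chunks.append(["delete " + h for h in old_blocks if h not in new_blocks])
    body = "\n\n".join("\n".join(c) for c in chunks if c)
    return body + "\n" if body else ""

# Constructed sample policies, modelled on the two snippets in the reply.
OLD_POLICY = ("POLICY_VERSION=20120401\nquota memory audit 16777216\n\n"
              "10 acl execute\n10 allow path=\"/path/to/old_executable\"\n\n"
              "20 acl read\naudit 0\n10 allow path=\"/path/to/old_file\"\n")
NEW_POLICY = ("POLICY_VERSION=20120401\nquota memory audit 16777216\n\n"
              "10 acl execute\n10 allow path=\"/path/to/new_executable\"\n\n"
              "21 acl read\naudit 1\n10 allow path=\"/path/to/file\"\n")

if __name__ == "__main__":
    print(transition(OLD_POLICY, NEW_POLICY), end="")
```

The printed result is exactly the reply's "Append entries with some deletion" file; run caitsith-savepolicy afterwards, as the reply says, to persist the in-memory result.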