I am playing around with TOMOYO rulesets on a system with a RO squashfs
as the root filesystem.

I noticed all rootfs binaries are prefixed with "squashfs:":

..... squashfs:/bin/cat' not defined

But I can't create a rule with that prefix, as the editor doesn't like
the prefix in its syntax:

"squashfs:/bin/cat is an invalid domainname"

The executed programs don't show up in the editor either.

The only way to get them to show up and create working rules is to
create aggregators like

aggregator squashfs:/bin/cat /bin/cat

With this set in exception_policies.conf, /bin/cat shows up in the
editor and I can create rules for /bin/cat.

Is there another way to get this working, without the need to create an
aggregator for every binary on the system?



