Hello.

On 2020/03/14 1:49, Manuel Bessler wrote:
> 1. The learning-mode generated domain policy has a couple of combinations of
> rules added like
> file getattr <file>
> file read/getattr <file>
> file getattr/truncate <file>
> file read/write/getattr <file>
> file read/write <file>
> file append/getattr <file>
>
> Can I just list these separately, or combine them in different ways to
> make ? For example:
> file getattr <any-file>
> file create/append/write/truncate/rename <write-file>
> file read <readonly-file>
>
> Or even just:
> file
> getattr/read/write/append/truncate/execute/unlink/symlink/rename/create <file>
>

No, for these are grouped based on number/type of arguments each operation takes.
For example, opening a file for read and/or write takes one pathname, creating a
file takes one pathname and one permission, renaming a file takes two pathnames.

> 2. There was a patch to ccs-patch in 2015 adding support for multiple
> use_group <n> per domain.
> Did this ever make it into Tomoyo? From a quick glance, it doesn't look
> like it, but
> I wanted to make sure before I get deep into policy writing.

If you are talking about TOMOYO 2.x, it is available in TOMOYO 2.6 (Linux 5.1 and later).
If you are talking about TOMOYO 1.x, it is available in TOMOYO 1.8 (Linux 2.4.37 / 2.6.27 and later).

>
> 3. Can the various groupings (path_group, number_group, address_group...) be
> used recursively?
> For example
> path_group LIBS /lib/lib\*.so\*
> path_group MYAPP /etc/myapp/\*
> path_group MYAPP @LIBS

No. Please use "multiple use_group <n> per domain" available in TOMOYO 2.6 / 1.8.

>
>
> I was also wondering if there was a place (ie. github repo) where example
> policies for common programs are kept?

No. Since I'm not a member of Linux distributions, I can't afford providing
ready-made policies. Contributions from users are welcomed.

> For example, to run Nginx webserver, there are few things that are common
> across all installs that would make it possible to reuse, and thus one does
> not have to start from scratch...

You can publish them in your repositories.

Regards.
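
Added example (not part of the original message and not TOMOYO project code): a small checker for the grouping rule in the answer to question 1, which splits a combined `file` rule into the sets of operations that take the same kind of arguments. The operation table is an assumption based on TOMOYO 2.x policy syntax and goes beyond the three cases named in the mail; the function names and sample paths are hypothetical.

```python
# Assumed table (TOMOYO 2.x policy syntax, not taken from the mail):
# which argument list each "file" operation takes.
ARG_CLASS = {
    "one pathname": ("execute", "read", "write", "append", "unlink", "getattr",
                     "rmdir", "truncate", "symlink", "chroot", "unmount"),
    "pathname + number": ("create", "mkdir", "mkfifo", "mksock",
                          "ioctl", "chmod", "chown", "chgrp"),
    "two pathnames": ("link", "rename", "pivot_root"),
    "pathname + mode + major + minor": ("mkblock", "mkchar"),
}
OP_TO_CLASS = {op: cls for cls, ops in ARG_CLASS.items() for op in ops}


def split_file_rule(rule):
    """Split 'file op1/op2/... <args>' into one operation list per argument class.

    Returns {class_name: [ops]} with operations in their original order.
    Raises ValueError for non-file rules and unknown operations.
    """
    fields = rule.split()
    if len(fields) < 3 or fields[0] != "file":
        raise ValueError(f"not a 'file <ops> <args>' rule: {rule!r}")
    groups = {}
    for op in fields[1].split("/"):
        if op not in OP_TO_CLASS:
            raise ValueError(f"unknown file operation: {op!r}")
        ops = groups.setdefault(OP_TO_CLASS[op], [])
        if op not in ops:  # ignore duplicates such as read/read
            ops.append(op)
    return groups


def is_combinable(rule):
    """True when every operation in the rule takes the same kind of arguments."""
    return len(split_file_rule(rule)) == 1


if __name__ == "__main__":
    # Constructed sample rules modelled on the ones quoted in the mail.
    for line in ("file read/write/getattr /etc/myapp/conf",
                 "file create/append/write/truncate/rename /var/log/myapp.log"):
        verdict = "ok" if is_combinable(line) else "must be split"
        print(f"{line}\n  -> {verdict}: {split_file_rule(line)}")
```
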