Hello.

Daniel Thau wrote:
> First of all, thank you for TOMOYO Linux! It is absolutely wonderful so far.

Thank you for trying TOMOYO.

> I would like certain programs, for example Firefox, to have certain
> permissions when launched from different situations.
>
> One situation in which I may launch Firefox, for example, would be if Firefox
> is launched directly from my window manager. Another would be if it is
> launched from bash in an xterm in my window manager.
>
> My problem is that my window manager often changes. For example, Firefox
> normally launches in this domain:
>
> <kernel> /sbin/getty /bin/login/ /bin/bash /usr/bin/startx /usr/bin/xinit
> /bin/sh /usr/local/bin/dwm /usr/bin/firefox
>
> After changing my window manager (for example, from dwm to openbox), the
> domain changes:
>
> <kernel> /sbin/getty /bin/login/ /bin/bash /usr/bin/startx /usr/bin/xinit
> /bin/sh /usr/local/bin/dwm /usr/bin/openbox /usr/bin/firefox
>
> After a few more changes, this quickly becomes messy:
>
> <kernel> /sbin/getty /bin/login/ /bin/bash /usr/bin/startx /usr/bin/xinit
> /bin/sh /usr/local/bin/dwm /usr/bin/openbox /usr/bin/compiz /usr/bin/dwm
> /usr/bin/openbox /usr/bin/firefox
>

Oh, no...

> This is a problem when launching Firefox from bash in an xterm as well, since
> the middle of the domain also changes when switching window managers.
>
> One near-solution I've found is to simply use "initialize_domain
> /usr/bin/firefox".
> If I understand correctly, this would force Firefox to launch in the
> "<kernel> /usr/bin/firefox" domain irrelevant of what launches it. However,
> this means that if I launch it from bash in an xterm, it will have the same
> permissions as if it were launched from the window manager directly.

You can cancel the effect of "initialize_domain" using "no_initialize_domain".

  initialize_domain /usr/bin/firefox

causes /usr/bin/firefox to launch in the "<kernel> /usr/bin/firefox" domain
irrelevant of what launches it. However,

  no_initialize_domain /usr/bin/firefox from /bin/bash

causes /usr/bin/firefox to launch in the child domain of the /bin/bash domain.

For example, if /usr/bin/firefox is executed from the
"<kernel> /usr/bin/xterm /bin/bash" domain, /usr/bin/firefox will run in the
"<kernel> /usr/bin/xterm /bin/bash /usr/bin/firefox" domain.

Therefore, you may want to add

  initialize_domain /usr/bin/firefox
  no_initialize_domain /usr/bin/firefox from /bin/bash

etc.

> What I would like to do is to force the section of the domain which has all
> the window managers to all be the same thing. I believe that some
> combination of "aggregate" and "keep_domain" could do this, but after playing
> with it for quite some time I am unable to figure out exactly how to use them
> to accomplish this.
>

You may want to add

  aggregator /usr/local/bin/dwm /./window-managers
  aggregator /usr/bin/openbox /./window-managers
  aggregator /usr/bin/compiz /./window-managers
  initialize_domain /./window-managers

so that all window managers start from the "<kernel> /./window-managers" domain.

You may also want to add

  keep_domain <kernel> /./window-managers

so that all applications executed from window managers stay at the
"<kernel> /./window-managers" domain (unless explicitly specified using
"initialize_domain" or "no_keep_domain").

> Any recommendations or suggestions?
>
> I am running TOMOYO Linux 1.7.2

Regards.

_______________________________________________
tomoyo-users-en mailing list
[email protected]
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
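
The following is an added example, not part of the original message and not TOMOYO's own code: a small model of how the directives suggested in the reply decide the next domain, so a policy can be checked on paper before it is loaded. It assumes exact string matching (no path patterns) and the precedence aggregator, then initialize_domain, then keep_domain, then appending to the current domain; /usr/bin/xterm and the starting domains used with it are constructed sample values.

```python
# Simplified model (assumption): exact matching only, and the precedence
# aggregator -> initialize_domain -> keep_domain -> append to current domain.
BASE = """
aggregator /usr/local/bin/dwm /./window-managers
aggregator /usr/bin/openbox /./window-managers
aggregator /usr/bin/compiz /./window-managers
initialize_domain /./window-managers
initialize_domain /usr/bin/firefox
no_initialize_domain /usr/bin/firefox from /bin/bash
"""
WITH_KEEP = BASE + "keep_domain <kernel> /./window-managers\n"

def parse(text):
    """Return (aggregators, initialize rules, keep rules) from policy lines."""
    agg, init, keep = {}, [], []
    for line in text.strip().splitlines():
        word, _, rest = line.strip().partition(" ")
        negate = word.startswith("no_")
        kind = word[3:] if negate else word
        prog, sep, src = rest.partition(" from ")
        if kind == "aggregator":
            agg.update([rest.split()])       # real path -> aggregated name
        elif kind == "initialize_domain":    # the "from" part is optional
            init.append((negate, prog, src if sep else None))
        elif kind == "keep_domain":          # without "from", rest is the domain
            keep.append((negate, prog if sep else None, src if sep else rest))
    return agg, init, keep

def matches(rules, domain, prog):
    """True if a rule applies; any matching no_* rule cancels the directive."""
    last, hit = domain.split(" ")[-1], False
    for negate, rule_prog, src in rules:
        if src is not None and src not in (domain, last):
            continue                         # "from" names a domain or its last program
        if rule_prog is not None and rule_prog != prog:
            continue
        if negate:
            return False
        hit = True
    return hit

def next_domain(policy, domain, prog):
    agg, init, keep = policy
    prog = agg.get(prog, prog)               # aggregator renames the program first
    if matches(init, domain, prog):
        return "<kernel> " + prog            # restart directly under <kernel>
    if matches(keep, domain, prog):
        return domain                        # stay in the current domain
    return domain + " " + prog               # default: extend the domain name
```

In this model, adding the keep_domain line keeps xterm and bash inside "<kernel> /./window-managers", so Firefox started from that bash no longer matches "from /bin/bash" and lands in "<kernel> /usr/bin/firefox", the same domain as a direct launch from the window manager.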
