Hi Ritesh,
I have added the code to manage domains and rules marked as '(deleted)'. I
also changed the code to check for only 1 package, according to your
mention that Debian has a Tomoyo-enabled kernel by default. Thanks for the
contribution.

I'm not adding wheezy as a supported platform yet; it needs further
investigation on which kernel it will have and with which tomoyo version. I
have to make it compatible with that.

Changelog here: http://log69.com/downloads/changelog_tomld.txt

The new version, v0.16, is out there.

Andras

On Mon, 21 Mar 2011 23:15:14 +0530
Ritesh Raj Sarraf <[email protected]> wrote:

> On 03/21/2011 12:05 AM, Horvath Andras wrote:
> > I'd like to announce my new project that I created recently,
> > building on the Tomoyo module.
> >
> > The goal is a fully automatic MAC configuration solution.
>
> Thanks a ton. This is really going to make tomoyo rock.
>
> Comments:
>
> * No Exception:
>
> 22:21:29 rrs@champaran:~$ sudo ./tomld.py --reset -c
> tomld (tomoyo learning daemon) 0.15
> platform is debian wheezy/sid
> tomoyo kernel mode is active
> * resetting domain configurations on demand
> are you sure? [yes/No] yes
> * exception domains
> /bin/sh /bin/bash /bin/dash /usr/sbin/sshd
> * processes using network
> /usr/sbin/vpnc
> * checking policy and rules
> /usr/sbin/vpnc, no domain, create domain (restart needed), no rule, create rule with learning mode on
> * whole running cycle took 0.24s, sleeping 10s between every cycle
> * new processes using network
> /usr/bin/ktorrent
> ..* new processes using network
> /usr/sbin/exim4
> .* new processes using network
> /usr/sbin/dnsmasq
> /usr/bin/host
> ./usr/bin/host, no domain, create domain, no rule, create rule with learning mode on
> ..............* new processes using network
> /usr/bin/fdm
> Traceback (most recent call last):
>   File "./tomld.py", line 1316, in <module>
>     d5 = os.readlink(d4)
> *OSError: [Errno 2] No such file or directory: '/proc/5113/fd/3'*
>
> * I changed this to make it work with debian wheezy/sid
>   *supp = ["debian 6.", "debian wheezy/sid", "ubuntu 10.10."]*
>
> * There's no need to install the patch package,
>   *linux-patch-tomoyo1.7*. tomoyo is already enabled in the Debian
>   kernel.
>
> 23:01:11 rrs@champaran:/tmp$ diff tomld.py /home/rrs/tomld.py
> 30d29
> < # - show statistics about active domains and rules on exit
> 153c152
> < supp = ["debian 6.", "ubuntu 10.10."]
> ---
> > supp = ["debian 6.", "debian wheezy/sid", "ubuntu 10.10."]
> 612,615d610
> < # stat
> < d = re.findall("^<kernel>.*$\n+use_profile +[1-3] *$", tdomf, re.M)
> < r = re.findall("^allow_", tdomf, re.M)
> < color(str(len(d)) + " active domains, " + str(len(r)) + " rules")
> 1160c1155
> < if not (package_d(tpak1) and package_d(tpak2)):
> ---
> > if not package_d(tpak2):
> 1162c1157
> < color("install packages (" + tpak1 + ", " + tpak2 + ") and reboot the system with " \
> ---
> > color("install packages (" + tpak2 + ") and reboot the system with " \
> 1172c1167
> < os.system(comm + " install " + tpak1 + " " + tpak2)
> ---
> > os.system(comm + " install " + tpak2)
>
>
> * After running step 2, you ask the user to stop and reboot to boot in
>   'enforcing mode'. Many things are breaking here. For me: exim4,
>   dnsmasq, dbus, ktorrent - all broke.
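
Review bot: the two deletions at 30d29 and 612,615d610 remove the "show statistics about active domains and rules on exit" comment and the "# stat" block that implements it, which has nothing to do with the wheezy and package changes the rest of the diff makes; since the diff runs from /tmp/tomld.py to the edited /home/rrs/tomld.py, this looks like the edited copy being based on an older file rather than a deliberate removal. Regenerate the diff against the same base so that only the supp and tpak1 changes remain; otherwise merging it as-is drops the statistics feature.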
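
Review bot: the entry added at 153c152, "debian wheezy/sid", is a rolling label that names no kernel or tomoyo version, so after this change the supp check no longer implies anything about the tomoyo version the script will find on the system; either base the support decision on what is actually installed (the script already detects and prints "tomoyo kernel mode is active") rather than on the distribution string, or flag wheezy as best-effort in the output.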
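
Review bot: the condition at 1160c1155, "if not package_d(tpak2):", skips the tpak1 (kernel patch package) check on every platform in supp, including "ubuntu 10.10.", while the reason given for the change ("tomoyo is already enabled in the Debian kernel") only covers Debian; make the skip conditional on the platform, or better on a runtime check that the running kernel has tomoyo, and either remove the now-unused tpak1 or keep it for the platforms that still need the patch. The message at 1162c1157 should also be adjusted to the singular now that only one package is named.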
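
Review bot: the install line at 1172c1167, "os.system(comm + " install " + tpak2)", discards the exit status on both sides of the hunk, so a failed install (no network, package not found, apt aborted by the user) is indistinguishable from success and the script goes on to the reboot step regardless; use subprocess.call with the command as an argument list and stop on a non-zero return code before telling the user to reboot.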
> These are the errors I got (not complete, there'll be many, many more):
>
> [ 96.910337] ERROR: Access read/write /var/spool/exim4/input/1Q1i7G-00014r-0m-D denied for /usr/sbin/exim4
> [ 121.620620] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
> [ 121.620726] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
> [ 154.144437] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
> [ 154.144477] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
> [ 174.277939] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
> [ 174.278047] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
> [ 186.918465] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
> [ 186.918571] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
> [ 201.839392] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
> [ 201.839501] ERROR: Access read /etc/host.conf denied for /usr/bin/fdm
> [ 201.839626] ERROR: Access read /lib/init/rw/resolvconf/resolv.conf denied for /usr/bin/fdm
> [ 201.839992] ERROR: Access read /lib/init/rw/resolvconf/resolv.conf denied for /usr/bin/fdm
> [ 201.840746] ERROR: Access read /etc/hosts denied for /usr/bin/fdm
> [ 201.840905] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
> [ 201.841417] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
> [ 201.841747] ERROR: Access read /etc/passwd denied for /usr/bin/fdm
> [ 201.841854] ERROR: Access read /etc/passwd denied for /usr/bin/fdm
> [ 207.862719] ERROR: Access ioctl /dev/null 0x5401 denied for /usr/sbin/exim4
> [ 207.862800] ERROR: Access read /var/lib/exim4/config.autogenerated.tmp denied for /usr/sbin/exim4
> [ 207.863908] ERROR: Access create /var/log/exim4/paniclog 0640 denied for /usr/sbin/exim4
> [ 233.684510] ERROR: Access ioctl /dev/null 0x5401 denied for /usr/sbin/exim4
> [ 233.684712] ERROR: Access read /var/lib/exim4/config.autogenerated.tmp denied for /usr/sbin/exim4
> [ 233.688033] ERROR: Access create /var/log/exim4/paniclog 0640 denied for /usr/sbin/exim4
> [ 349.302234] ERROR: Access ioctl /dev/null 0x5401 denied for /usr/sbin/exim4
> [ 349.302341] ERROR: Access read /var/lib/exim4/config.autogenerated.tmp denied for /usr/sbin/exim4
> [ 349.306666] ERROR: Access create /var/log/exim4/paniclog 0640 denied for /usr/sbin/exim4
> [ 501.869845] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
> [ 501.869954] ERROR: Access read /etc/host.conf denied for /usr/bin/fdm
> [ 501.870078] ERROR: Access read /lib/init/rw/resolvconf/resolv.conf denied for /usr/bin/fdm
> [ 501.870432] ERROR: Access read /lib/init/rw/resolvconf/resolv.conf denied for /usr/bin/fdm
> [ 501.871082] ERROR: Access read /etc/hosts denied for /usr/bin/fdm
> [ 501.871236] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
> [ 501.871726] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
> [ 501.872163] ERROR: Access read /etc/passwd denied for /usr/bin/fdm
> [ 501.872274] ERROR: Access read /etc/passwd denied for /usr/bin/fdm
> [ 737.411262] start_kdeinit (5972): /proc/5974/oom_adj is deprecated, please use /proc/5974/oom_score_adj instead.
> [ 744.237066] EXT4-fs (dm-0): re-mounted. Opts: acl,user_xattr,delalloc,errors=remount-ro,commit=0
> [ 760.405858] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/bin/pidgin
> [ 760.405900] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/bin/pidgin
> [ 774.398148] ERROR: Access read /usr/share/davmail/davmail.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
> [ 774.464194] ERROR: Access read /usr/lib/java/swt-gtk-3.5.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
> [ 774.464842] ERROR: Access read /usr/share/davmail/lib/activation-1.1.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
> [ 774.465038] ERROR: Access read /usr/share/davmail/lib/commons-codec-1.3.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
> [ 774.465235] ERROR: Access read /usr/share/davmail/lib/commons-collections-3.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
> [ 774.465432] ERROR: Access read /usr/share/davmail/lib/commons-httpclient-3.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
> [ 774.465631] ERROR: Access read /usr/share/davmail/lib/commons-logging-1.0.4.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
> [ 774.465824] ERROR: Access read /usr/share/davmail/lib/htmlcleaner-2.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
> [ 774.466019] ERROR: Access read /usr/share/davmail/lib/jackrabbit-webdav-1.4.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
> [ 774.466206] ERROR: Access read /usr/share/davmail/lib/jcharset-1.3.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
> [ 774.466395] ERROR: Access read /usr/share/davmail/lib/jcifs-1.3.14.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
> [ 774.466579] ERROR: Access read /usr/share/davmail/lib/jdom-1.0.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
> [ 774.466773] ERROR: Access read /usr/share/davmail/lib/junit-3.8.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
> [ 774.466965] ERROR: Access read /usr/share/davmail/lib/log4j-1.2.15.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
> [ 774.467151] ERROR: Access read /usr/share/davmail/lib/mail-1.4.3.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
> [ 774.467346] ERROR: Access read /usr/share/davmail/lib/slf4j-api-1.3.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
> [ 774.467553] ERROR: Access read /usr/share/davmail/lib/slf4j-log4j12-1.3.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
> [ 774.467744] ERROR: Access read /usr/share/davmail/lib/stax-api-1.0.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
> [ 774.467935] ERROR: Access read /usr/share/davmail/lib/stax2-api-3.0.3.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
> [ 774.468184] ERROR: Access read /usr/share/davmail/lib/woodstox-core-asl-4.0.9.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
> [ 774.468391] ERROR: Access read /usr/share/davmail/lib/xercesImpl-2.8.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
> [ 801.925413] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
> [ 801.925526] ERROR: Access read /etc/host.conf denied for /usr/bin/fdm
> [ 801.925651] ERROR: Access read /lib/init/rw/resolvconf/resolv.conf denied for /usr/bin/fdm
> [ 801.926078] ERROR: Access read /lib/init/rw/resolvconf/resolv.conf denied for /usr/bin/fdm
> [ 801.926791] ERROR: Access read /etc/hosts denied for /usr/bin/fdm
> [ 801.926957] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
> [ 801.927477] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
> [ 801.927836] ERROR: Access read /etc/passwd denied for /usr/bin/fdm
> [ 801.927944] ERROR: Access read /etc/passwd denied for /usr/bin/fdm
> [ 825.935742] ERROR: Access read /usr/lib/libktcore.so.11.0.4 denied for /usr/bin/ktorrent
> [ 825.935899] ERROR: Access read /usr/lib/libktcore.so.11.0.4 denied for /usr/bin/ktorrent
>
> Is there an equivalent of *setenforce*? We should use something like
> that to easily switch it to learning mode until the user feels the
> full and final policy is ready. Another approach could be to run
> tomld right after init on first setup (during system start) in
> learning mode. That'll allow it to learn all services' and other apps'
> behavior and create the correct policy.
>
> * There should also be a '-u' switch which should allow addition of
>   new learnt rules without discarding all the old rules. Or is it
>   already there?
>
> That's all for now. Again, thank you for creating this. Please put up
> a git repo so that no history is lost.

_______________________________________________
tomoyo-users-en mailing list
[email protected]
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
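The traceback in Ritesh's run (os.readlink() raising ENOENT on /proc/5113/fd/3) is the usual /proc race: a descriptor listed a moment earlier is closed, or its process exits, before the link is read. The block below is an added example, not tomld's own code, of a /proc/<pid>/fd scanner that treats those errors as "gone", splits off the " (deleted)" suffix the kernel appends to unlinked targets (the case Andras mentions handling in v0.16), and reports whether the process holds a socket; the function and constant names are mine.

```python
"""Added example (not tomld's own code): scan /proc/<pid>/fd without tripping
over the race shown in the traceback; the names here are mine."""
import errno
import os
import re

# "socket:[12345]" pseudo-links mark socket descriptors; a process holding one
# is what tomld lists under "processes using network".
SOCKET_RE = re.compile(r"^socket:\[\d+\]$")
# The kernel appends this to a link whose target file has been unlinked.
DELETED_SUFFIX = " (deleted)"


def readlink_or_none(path):
    """readlink() returning None if the entry vanished: between listdir() and
    readlink() the fd may be closed (ENOENT) or the process exit (ESRCH)."""
    try:
        return os.readlink(path)
    except OSError as exc:
        if exc.errno in (errno.ENOENT, errno.ESRCH):
            return None
        raise  # anything else (EACCES, ...) is a real problem worth seeing


def scan_fd_dir(fd_dir):
    """Return {fd: (target, was_deleted)}, or {} if the process is gone.
    The ' (deleted)' marker is split off so the path a rule would name comes
    back unchanged, with the flag beside it."""
    try:
        names = os.listdir(fd_dir)
    except OSError as exc:
        if exc.errno in (errno.ENOENT, errno.ESRCH):
            return {}
        raise
    result = {}
    for name in names:
        target = readlink_or_none(os.path.join(fd_dir, name))
        if target is None:
            continue  # closed between listdir() and readlink(): not an error
        deleted = target.endswith(DELETED_SUFFIX)
        if deleted:
            target = target[: -len(DELETED_SUFFIX)]
        result[name] = (target, deleted)
    return result


def uses_network(fd_dir):
    """True if any still-open descriptor of the process is a socket."""
    return any(SOCKET_RE.match(t) for t, _ in scan_fd_dir(fd_dir).values())
```

Passing a real /proc/<pid>/fd path works the same way; the test builds a throwaway directory of symlinks so it does not depend on which processes are running.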
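The dmesg excerpt in Ritesh's mail is the raw material for deciding which rules a domain still lacks after learning mode. As an added example (not part of the thread or of tomld), the block below parses TOMOYO's "ERROR: Access <op> <object> denied for <program>" lines and groups them per program into distinct allow_<op> entries, the prefix the tomld statistics code greps for; SAMPLE_DMESG is a constructed sample copied from lines in the thread, and the function names are mine.

```python
"""Added example (not tomld's own code): summarise TOMOYO denials from the
kernel log into the distinct accesses each program was refused."""
import re
from collections import defaultdict

# TOMOYO logs one line per refused access, as in the excerpt above, e.g.
#   ERROR: Access read /etc/passwd denied for /usr/bin/fdm
#   ERROR: Access create /var/log/exim4/paniclog 0640 denied for /usr/sbin/exim4
# <op> is the word after "Access"; the object plus any extra argument (mode,
# ioctl number) runs up to "denied for"; the program is the final token.
DENIAL_RE = re.compile(
    r"ERROR: Access (?P<op>\S+) (?P<obj>.+?) denied for (?P<prog>\S+)$"
)

# Constructed sample: a handful of lines copied from the dmesg excerpt in the
# thread, plus one unrelated kernel message that must be ignored.
SAMPLE_DMESG = """\
[ 121.620620] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
[ 121.620726] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
[ 201.839392] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
[ 201.841747] ERROR: Access read /etc/passwd denied for /usr/bin/fdm
[ 207.862719] ERROR: Access ioctl /dev/null 0x5401 denied for /usr/sbin/exim4
[ 207.863908] ERROR: Access create /var/log/exim4/paniclog 0640 denied for /usr/sbin/exim4
[ 737.411262] start_kdeinit (5972): /proc/5974/oom_adj is deprecated
"""


def parse_denials(text):
    """Yield (program, operation, object) for every TOMOYO denial line."""
    for line in text.splitlines():
        m = DENIAL_RE.search(line)
        if m:  # other kernel messages fall through silently
            yield m.group("prog"), m.group("op"), m.group("obj")


def missing_rules(text):
    """Group denials per program and de-duplicate the repeats.

    The result is the set of distinct allow_<op> entries (the prefix the tomld
    statistics code greps for) that a domain would need before enforcing mode
    stops breaking the program: the gap between what learning recorded and
    what the program does at run time.
    """
    rules = defaultdict(set)
    for prog, op, obj in parse_denials(text):
        rules[prog].add("allow_%s %s" % (op, obj))
    return {prog: sorted(r) for prog, r in rules.items()}
```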
