Horvath Andras wrote:
> I guess it's on purpose, to prevent other processes from changing system policy.
> Sounds logical.
Right. Only programs or domains registered in
/sys/kernel/security/tomoyo/manager are permitted to modify policy via the
/sys/kernel/security/tomoyo/ interface.
> So is there any other proper way without using the external binaries?
You can do
# echo /path/to/your/program >> /etc/tomoyo/manager.conf
# tomoyo-loadpolicy -m < /etc/tomoyo/manager.conf
Please note that the /sys/kernel/security/tomoyo/ interface interprets input as
an append operation unless a line starts with the "delete " keyword.
To delete a domain from your program, you need to do something like
fprintf(fp, "delete %s\n", domainname);
fflush(fp);
and to delete an entry in a domain, you need to do something like
fprintf(fp, "select %s\n", domainname);
fprintf(fp, "delete %s\n", entry);
fflush(fp);
("select " tells the kernel not to create a domain if not found).
_______________________________________________
tomoyo-users-en mailing list
[email protected]
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
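The sequence described in the reply above, as an added example in C that is not part of the original mail or of the TOMOYO project's own code: small helpers that format the "delete" / "select" commands, write each one with an immediate fflush() so an error (EPERM when the caller is not listed in manager.conf) is attributed to the exact command, and an offline self-test that captures the bytes in a tmpfile() instead of the kernel interface. The interface path, the domain name "<kernel> /usr/sbin/httpd" and the entry "file read /etc/httpd/conf/httpd.conf" are assumptions for illustration (the entry syntax depends on the TOMOYO version in use).

```c
/* Added example, not from the original mail. Names below marked "assumed"
 * are illustrative, not taken from the page. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed securityfs path of the domain policy interface. */
#define TOMOYO_DOMAIN_POLICY "/sys/kernel/security/tomoyo/domain_policy"

/* Format "delete <domain>\n": removes the whole domain.
 * Returns bytes written, or -1 if buf is too small. */
int tomoyo_delete_domain_cmd(char *buf, size_t len, const char *domain)
{
    int n = snprintf(buf, len, "delete %s\n", domain);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Format "select <domain>\ndelete <entry>\n". "select" positions the parser
 * on an existing domain without creating it, so a mistyped domain name
 * cannot silently create an empty domain as a side effect. */
int tomoyo_delete_entry_cmd(char *buf, size_t len, const char *domain,
                            const char *entry)
{
    int n = snprintf(buf, len, "select %s\ndelete %s\n", domain, entry);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Format "<domain>\n<entry>\n": with no keyword the interface appends, and
 * naming the domain without "select" creates it if it does not yet exist. */
int tomoyo_add_entry_cmd(char *buf, size_t len, const char *domain,
                         const char *entry)
{
    int n = snprintf(buf, len, "%s\n%s\n", domain, entry);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Write one command and flush it now, so a failure (EPERM: not a registered
 * manager; EINVAL: malformed line) is reported for this command rather than
 * being deferred to fclose(). Returns 0 on success, -1 with errno set. */
int tomoyo_send(FILE *fp, const char *cmd)
{
    if (fputs(cmd, fp) == EOF || fflush(fp) != 0)
        return -1;
    return 0;
}

/* Open the policy interface for writing; NULL with errno set on failure. */
FILE *tomoyo_open_policy(void)
{
    return fopen(TOMOYO_DOMAIN_POLICY, "w");
}

/* Offline round trip: send a delete-entry and a delete-domain command to a
 * tmpfile() and compare the bytes that would have reached the kernel.
 * Returns 1 on success, 0 otherwise. Domain and entry are assumed values. */
int tomoyo_selftest(void)
{
    const char *domain = "<kernel> /usr/sbin/httpd";
    const char *entry = "file read /etc/httpd/conf/httpd.conf";
    const char *expect =
        "select <kernel> /usr/sbin/httpd\n"
        "delete file read /etc/httpd/conf/httpd.conf\n"
        "delete <kernel> /usr/sbin/httpd\n";
    char cmd[512], got[512];
    FILE *fp = tmpfile();
    size_t n;
    int ok = 0;

    if (!fp)
        return 0;
    if (tomoyo_delete_entry_cmd(cmd, sizeof cmd, domain, entry) < 0 ||
        tomoyo_send(fp, cmd) != 0)
        goto out;
    if (tomoyo_delete_domain_cmd(cmd, sizeof cmd, domain) < 0 ||
        tomoyo_send(fp, cmd) != 0)
        goto out;
    rewind(fp);
    n = fread(got, 1, sizeof got - 1, fp);
    got[n] = '\0';
    ok = strcmp(got, expect) == 0;
out:
    fclose(fp);
    return ok;
}

int main(void)
{
    char cmd[512];
    FILE *fp;

    if (!tomoyo_selftest()) {
        fputs("selftest failed\n", stderr);
        return 1;
    }
    fp = tomoyo_open_policy();
    if (!fp) {
        perror(TOMOYO_DOMAIN_POLICY); /* EPERM: add this binary to manager.conf */
        return 1;
    }
    if (tomoyo_delete_entry_cmd(cmd, sizeof cmd, "<kernel> /usr/sbin/httpd",
                                "file read /etc/httpd/conf/httpd.conf") < 0 ||
        tomoyo_send(fp, cmd) != 0)
        perror("delete entry");
    fclose(fp);
    return 0;
}
```

Run it as the binary you registered with `echo /path/to/program >> /etc/tomoyo/manager.conf` followed by `tomoyo-loadpolicy -m < /etc/tomoyo/manager.conf`; from any other program the fopen() or the first write fails with EPERM, which is the check that the manager restriction is actually in force.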