Horvath Andras wrote:
> > You can do
> > 
> > # echo /path/to/your/program >> /etc/tomoyo/manager.conf
> > # tomoyo-loadpolicy -m < /etc/tomoyo/manager.conf
> > 
> > Please note that /sys/kernel/security/tomoyo/ interface interprets
> > input as append operation unless a line starts with "delete " keyword.
> 
> I would like to replace the whole policy every time. Not only manage a
> domain or a domain's entry. Is that possible too? 
> 

It is possible to delete all domains (except the <kernel> domain) by doing

  awk ' { $1 = "delete"; print $0 }' /sys/kernel/security/tomoyo/.domain_status | tomoyo-loadpolicy -d

but it is not recommended, for deleting a domain and recreating the same domain
does not let processes which are in the deleted domain jump to the recreated
domain. "tomoyo-loadpolicy df" tries to avoid deleting domains when replacing
the whole policy.

Replacing the whole policy by deleting/recreating domains makes processes
remain in the deleted domains, which I think users do not want.

Also, be sure to mount securityfs on /sys/kernel/security/ if it is not yet mounted,
for distributions that do not support AppArmor are unlikely to mount
/sys/kernel/security/ automatically. tomoyo-editpolicy etc. automatically
mount /sys/kernel/security/ as needed.
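The following script is an added example, not part of the post above and not code from the tomoyo-tools project. It illustrates the "replace entries, keep domains" idea the reply attributes to "tomoyo-loadpolicy df": given the domain policy as currently loaded and the policy you want, it emits only "delete ..." lines for entries that should go away and plain lines for entries that should be added, per domain, and never emits "delete <kernel> ..." for a whole domain, so processes already in a domain stay there. The function name tomoyo_policy_diff, the demo() wrapper, and the sample policies (written in the allow_read/allow_write directive syntax of TOMOYO 2.2) are my own constructed assumptions; it reads from ordinary files so it runs anywhere, and the real tool's algorithm may differ.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Computes a minimal update
# for the /sys/kernel/security/tomoyo/domain_policy interface, which appends
# every line unless it starts with "delete ".
#
# tomoyo_policy_diff CURRENT DESIRED
#   CURRENT: a copy of the loaded domain policy (e.g. saved from the interface)
#   DESIRED: the policy you want to end up with
# Output: per domain present in DESIRED, a "<kernel> ..." header followed by
# "delete ENTRY" for entries present only in CURRENT and "ENTRY" for entries
# present only in DESIRED. Domains missing from DESIRED are left untouched.
tomoyo_policy_diff() {
    awk '
        # pass 1 reads CURRENT, pass 2 reads DESIRED (both assumed non-empty)
        FNR == 1 { pass++ }
        # a domain header line selects the domain the following entries belong to
        /^<kernel>/ {
            dom = $0
            if (pass == 2 && !(dom in seen)) { seen[dom] = 1; order[++ndom] = dom }
            next
        }
        NF == 0 { next }
        pass == 1 {
            # use_profile is a setting that is simply re-applied, never deleted,
            # so it is not recorded as a current entry
            if ($1 != "use_profile") {
                cur[dom, $0] = 1
                curlist[dom, ++ncur[dom]] = $0
            }
            next
        }
        pass == 2 {
            want[dom, $0] = 1
            wantlist[dom, ++nwant[dom]] = $0
        }
        END {
            for (i = 1; i <= ndom; i++) {
                dom = order[i]
                changes = ""
                for (j = 1; j <= ncur[dom]; j++) {
                    e = curlist[dom, j]
                    if (!((dom, e) in want)) changes = changes "delete " e "\n"
                }
                for (j = 1; j <= nwant[dom]; j++) {
                    e = wantlist[dom, j]
                    if (!((dom, e) in cur)) changes = changes e "\n"
                }
                # only domains with actual changes are emitted
                if (changes != "") printf "%s\n%s\n", dom, changes
            }
        }
    ' "$1" "$2"
}

# demo: writes two constructed sample policies and prints the computed update.
# The cron domain exists in CURRENT but not in DESIRED; it must not be deleted.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/current" <<'EOF'
<kernel>
use_profile 0

<kernel> /usr/sbin/sshd
use_profile 1
allow_read /etc/ssh/sshd_config
allow_read /etc/passwd
allow_write /var/log/wtmp

<kernel> /usr/sbin/cron
use_profile 1
allow_read /etc/crontab
EOF
    cat > "$dir/desired" <<'EOF'
<kernel>
use_profile 0

<kernel> /usr/sbin/sshd
use_profile 1
allow_read /etc/ssh/sshd_config
allow_read /etc/shadow
EOF
    tomoyo_policy_diff "$dir/current" "$dir/desired"
    rm -rf "$dir"
}

demo
```

On a real system the output would be piped into tomoyo-loadpolicy -d, the same sink the reply's awk one-liner uses, after saving the live policy from the securityfs interface into the CURRENT file; because nothing in the output deletes a domain header, the update does not leave running processes stranded in deleted domains.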

_______________________________________________
tomoyo-users-en mailing list
[email protected]
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en