Tetsuo Handa wrote:
> Thank you for testing.

No problem. I would just like to mention that I will be mostly unavailable over the next 2 months, so my contributions will be scarce, sorry. I will continue to perform minor website maintenance (e.g. new/changelogs etc.).

>> 1) After a fresh initialization of policy, I have all domains set to
>> profile=0 but <kernel> domain keeps having "transition_failed". I
>> can't quite figure out why this is appearing.
>
> When a domain is marked as "transition_failed" (please see
> http://tomoyo.sourceforge.jp/1.8/policy-specification/domain-policy-syntax.html.en#transition_failed
> for meaning, and at the bottom of ccs_find_next_domain() in
> http://tomoyo.sourceforge.jp/cgi-bin/lxr/source/security/ccsecurity/domain.c#L695
> for implementation), TOMOYO will print the
>
>   ERROR: Domain '%s' not defined.
>
> line. Can you find the domainname from dmesg command's output?

The error in dmesg is:

  ERROR: Domain '<kernel> /sbin/modprobe' not defined.

The "<kernel> /sbin/modprobe" does exist however.

>> 4) There is a way to create a new namespace, but no way to delete an
>> existing namespace within ccs-editpolicy.
>
> Maybe the offline editor should support deleting namespaces. But since adding
> namespaces using awk scripts is easy, deleting namespaces using awk scripts
> will be easy.

Yep, I'm happy with awk.

>> 5) I added "reset_domain /usr/bin/firefox from any" to exception
>> policy. When the domain or profile is not yet defined, the error
>> message described on chapter-15.html.en looks like this:
>>
>>   ERROR: Domain '</usr/sbin/httpd>' not ready.
>
> Yes. But recent distributions tend to suppress kernel messages by adding
> "quiet" option upon boot or changing /proc/sys/kernel/printk settings.
> In that case, the
>
>   ERROR: Domain '</usr/bin/firefox>' not ready.
>
> line will not be printed on the console.
> The line should be found from dmesg command's output or /var/log/messages .
>
>> Should tomoyo be intercepting this execution and providing an error
>> message similar to the one in chapter-15.html.en?
>
> Please check dmesg or syslog, and you will find the error message.

I didn't think to look in dmesg.
I'm happy with current implementation, so no need to change :-)
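
The dmesg check discussed in this thread, as an added example that is not part of the original message or of the TOMOYO tools: it pulls the two error lines quoted above out of kernel log text and reports whether each named domain has a header line in a saved domain policy file. The function names, the sample log and the policy file path are assumptions; the sample data is constructed.

```shell
#!/bin/sh
# Read kernel log text on stdin (e.g. `dmesg | tomoyo_domain_errors`) and
# print "<reason><TAB><domainname>" once per distinct domain.
tomoyo_domain_errors() {
    awk -v q="'" '
    BEGIN { pat = "ERROR: Domain " q ".*" q " not (defined|ready)" }
    match($0, pat) {
        msg = substr($0, RSTART, RLENGTH)
        reason = (msg ~ /not ready$/) ? "not ready" : "not defined"
        sub("^ERROR: Domain " q, "", msg)          # strip the prefix
        sub(q " not (defined|ready)$", "", msg)    # strip the suffix
        if (!seen[msg]++) print reason "\t" msg
    }'
}

# For each reported domain, say whether the domain policy file given as $1
# contains a line that is exactly that domainname. "not defined" together
# with "in policy" is the situation described in item 1 of this thread.
check_against_policy() {
    tab=$(printf '\t')
    tomoyo_domain_errors | while IFS="$tab" read -r reason domain; do
        if grep -Fxq -- "$domain" "$1"; then
            state="in policy"
        else
            state="missing"
        fi
        printf '%s\t%s\t%s\n' "$reason" "$state" "$domain"
    done
}

# Constructed sample log lines (timestamps and the USB line are made up).
sample_log() {
    cat <<'EOF'
[   12.345678] ERROR: Domain '<kernel> /sbin/modprobe' not defined.
[   12.400000] ERROR: Domain '<kernel> /sbin/modprobe' not defined.
[   98.765432] ERROR: Domain '</usr/bin/firefox>' not ready.
[   99.000000] usb 1-1: new high-speed USB device number 2
EOF
}

sample_log | tomoyo_domain_errors
```

On a live system, feed it `dmesg` output or /var/log/messages, since the console may not show these lines when "quiet" is set.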
