Hi! Try to add a new profile for these settings with a new number (4 or other).
2014-06-05 10:29 GMT+04:00 Ryan Seu <[email protected]>:
> Hi tomoyo-users,
>
> I'm seeing some quirky behavior that, in retrospect, might make sense but
> isn't really documented anywhere.
>
> I have a domain policy that I've applied an acl group and profile on:
> <kernel> blah/blah/blah
> use_profile 3
> use_group 1
>
> I've also created it so the profile will selectively enforce based on the
> syscall types:
>
> 3-CONFIG::file={ mode=enforcing grant_log=no reject_log=yes }
> 3-CONFIG::file::ioctl={ mode=disabled grant_log=no reject_log=no }
> 3-CONFIG::file::mount={ mode=disabled grant_log=no reject_log=no }
> 3-CONFIG::misc::env={ mode=disabled grant_log=no reject_log=no }
> 3-CONFIG::network={ mode=disabled grant_log=no reject_log=no }
> *3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }*
>
> I've created the profile and domain policy under /etc/tomoyo and restarted
> the system, with the expectation that policy #3 will be applied to that
> particular domain.
>
> Unfortunately, once booted (after tomoyo-init has been invoked), when I
> check the current profile setting I see this:
>
> 10: 3-COMMENT=-----Enforcing Mode -----
> 11: 3-CONFIG::file::ioctl={ mode=disabled grant_log=no reject_log=no }
> 12: 3-CONFIG::file::mount={ mode=disabled grant_log=no reject_log=no }
> 13: 3-CONFIG::file={ mode=enforcing grant_log=no reject_log=yes }
> 14: 3-CONFIG::misc::env={ mode=disabled grant_log=no reject_log=no }
> 15: 3-CONFIG::network={ mode=disabled grant_log=no reject_log=no }
> *16: 3-CONFIG={ mode=disabled grant_log=yes reject_log=yes }*
> *17: 3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }*
>
> Notice that upon restart, it seems like the preference gets overwritten
> and a mode=disabled (16) entry gets created.
>
> So the question is, if according to the man page for tomoyo-init all that's
> done is load /etc/tomoyo/profile (along with the other policy files) into
> kernel memory, where do these extra entries get added? Does tomoyo disable
> enforcement mode by default? Or rather, is it because profile #3 implicitly
> includes the syscall types and does not explicitly declare the parent, so
> it gets automatically added?
>
> I apologize in advance if this is addressed somewhere.
>
> R2
_______________________________________________
tomoyo-users-en mailing list
[email protected]
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
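As an added example that is not part of this thread or of the TOMOYO project, the following Python script parses profile lines in the format quoted above and reports profiles that set per-category CONFIG entries without a profile-wide `N-CONFIG=` line, which is the gap the post shows between the file as written and the profile as loaded. The two sample inputs are the lines from the post; the lookup order used by `effective_mode` (most specific category first, then its parent category, then the profile-wide entry) is an assumption made for this example, not something stated in the thread.

```python
"""Checker for TOMOYO-style profile lines (added example, not from the thread).

Lines handled, in the shape the post shows:
    3-CONFIG::file={ mode=enforcing grant_log=no reject_log=yes }
    3-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
    3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
    16: 3-COMMENT=-----Enforcing Mode -----   (editor line number is ignored)
"""
import re
from collections import defaultdict

# Line shape assumed from the post: "[n: ]<profile>-<KIND>[::<category>]=<rest>"
LINE_RE = re.compile(
    r"^\s*(?:\d+:\s*)?"                       # optional "16: " editor prefix
    r"(?P<profile>\d+)-"
    r"(?P<kind>CONFIG|PREFERENCE|COMMENT)"
    r"(?:::(?P<category>[\w:]+))?"           # e.g. file, file::ioctl
    r"=(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\w+)")            # "mode=enforcing grant_log=no ..."

# Profile text exactly as the poster wrote it under /etc/tomoyo (from the post).
SAMPLE_AS_WRITTEN = """
3-CONFIG::file={ mode=enforcing grant_log=no reject_log=yes }
3-CONFIG::file::ioctl={ mode=disabled grant_log=no reject_log=no }
3-CONFIG::file::mount={ mode=disabled grant_log=no reject_log=no }
3-CONFIG::misc::env={ mode=disabled grant_log=no reject_log=no }
3-CONFIG::network={ mode=disabled grant_log=no reject_log=no }
3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
"""

# The same profile as the poster saw it after boot (from the post, emphasis marks removed).
SAMPLE_AS_LOADED = """
10: 3-COMMENT=-----Enforcing Mode -----
11: 3-CONFIG::file::ioctl={ mode=disabled grant_log=no reject_log=no }
12: 3-CONFIG::file::mount={ mode=disabled grant_log=no reject_log=no }
13: 3-CONFIG::file={ mode=enforcing grant_log=no reject_log=yes }
14: 3-CONFIG::misc::env={ mode=disabled grant_log=no reject_log=no }
15: 3-CONFIG::network={ mode=disabled grant_log=no reject_log=no }
16: 3-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
17: 3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
"""


def parse_profile_text(text):
    """Return {profile: {"config": {category or None: {k: v}}, "preference": {k: v}, "comment": str}}.

    The profile-wide "N-CONFIG=" entry is stored under the key None.
    """
    profiles = defaultdict(lambda: {"config": {}, "preference": {}, "comment": None})
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                           # blank line or not a profile line
        num = int(m.group("profile"))
        kind = m.group("kind")
        rest = m.group("rest").strip()
        if kind == "COMMENT":
            profiles[num]["comment"] = rest
        elif kind == "PREFERENCE":
            profiles[num]["preference"] = dict(KV_RE.findall(rest))
        else:                                  # CONFIG, with or without a category
            profiles[num]["config"][m.group("category")] = dict(KV_RE.findall(rest))
    return dict(profiles)


def find_missing_defaults(profiles):
    """Profiles that set per-category CONFIG lines but have no profile-wide 'N-CONFIG=' line."""
    return sorted(n for n, p in profiles.items() if p["config"] and None not in p["config"])


def effective_mode(profiles, num, category):
    """Mode applying to `category` (e.g. "file::ioctl") under profile `num`.

    Assumed lookup order: the exact category, then each parent prefix
    ("file" for "file::ioctl"), then the profile-wide entry; None if nothing matches.
    """
    p = profiles.get(num)
    if p is None:
        return None
    parts = category.split("::")
    for depth in range(len(parts), 0, -1):
        entry = p["config"].get("::".join(parts[:depth]))
        if entry and "mode" in entry:
            return entry["mode"]
    entry = p["config"].get(None)
    return entry.get("mode") if entry else None


if __name__ == "__main__":
    for label, text in (("as written", SAMPLE_AS_WRITTEN), ("as loaded", SAMPLE_AS_LOADED)):
        profiles = parse_profile_text(text)
        print(f"{label}: profiles without a profile-wide CONFIG line: {find_missing_defaults(profiles)}")
        for cat in ("file::ioctl", "file::open", "ipc::signal"):
            print(f"  profile 3, {cat}: mode={effective_mode(profiles, 3, cat)}")
```

Run against the two samples, the "as written" text is reported as lacking a profile-wide entry for profile 3 while the "as loaded" text is not, and a category the file never mentions (such as `ipc::signal`) resolves to no mode at all in the first and to `disabled` in the second; the script also makes visible that `enforcing_penalty` is present in the written PREFERENCE line but absent from the loaded one. Running the checker over a profile file before loading it is a cheap way to spot categories whose mode you have not actually pinned down.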
