
Last modified: $Date: 2015-08-31 22:19:51 +0900 (Mon, 31 Aug 2015) $

How to use Policy Editor

Common Operations

(0) Before you use this editor

TOMOYO Linux includes a CUI based Policy Editor.

Before you use this editor, you must register either "the domainname that this editor runs in" or "the pathname of this editor (usually /usr/sbin/ccs-editpolicy)" with /proc/ccs/manager; only registered managers are allowed to modify policy.

You can start this editor by typing "/usr/sbin/ccs-editpolicy" at the prompt.

(1) To quit policy editor

Press "Q" key to quit.

(2) To refresh the contents

Press "R" key.

(3) To move cursor in a vertical direction

Press "Up-Arrow"/"Down-Arrow" keys or "PageUp"/"PageDown" keys.

(4) To scroll screen in a horizontal direction

Press "Left-Arrow"/"Right-Arrow" keys or "Home"/"End" keys.

(5) To switch screen

The policy editor has 6 screens. Press "W" key to show the window list.
window-list.png

Screen for editing exception policy will appear if you press "E" key from the window list screen.
exception-policy.png

Screen for editing domain transition tree will appear if you press "D" key from the window list screen.
domain-list.png

Screen for editing specific domain's policy will appear if you press "A" key from the window list screen.
domain-policy.png

Screen for editing profiles will appear if you press "P" key from the window list screen.
profile-list.png

Screen for editing managers will appear if you press "M" key from the window list screen.
manager-list.png

Screen for browsing memory usage will appear if you press "U" key from the window list screen.
memusage.png

(6) To search strings

To start searching, press "F" and enter strings to search and press "Enter" key.
find-first.png

To continue searching in forward direction, press "N" key.

To continue searching in backward direction, press "P" key.

(7) To add an entry

To add an entry, press "A" and enter strings to add and press "Enter" key. The strings you entered are saved in the history buffer and you can see them by pressing "Insert" key. To load strings in the history buffer, press "Up-Arrow"/"Down-Arrow" keys.

An example operation in domain transition tree
add-domain-list.png

An example operation in exception policy
add-exception-policy.png

An example operation in specific domain's policy
add-domain-policy.png

(8) To select an entry

Move the cursor to the entry you want to select and then press "Space" key. When an entry is selected, "&" mark will appear at the top of the line.
select.png

To unselect an entry, press "Space" key again. When an entry is unselected, "&" mark will disappear.

(9) To select entries collectively

The selection state (the "&" mark at the top of the line) of the cursor line will be copied to all entries under the cursor line by pressing "C" key.
copy.png

To select a specific range, mark "&" on the first entry of the range and press "C" key (every entry below it is now selected), then move to the entry just after the last entry of the range, unmark "&" there and press "C" key again.

(10) To delete an entry

Mark "&" for entries you want to delete and press "D" key. Press "Y" key to the confirmation message, and the entries will be deleted.
delete.png

Operations specific to screen for editing domain transition tree

(0) About this screen

This screen shows all domains and their transitions as an indented tree, so you can see which domain transitions are possible.

The "profile number" of the domain is shown to the right of the "line number". The last "pathname of program" in the domainname is shown to the right of the "profile number". The "#", "*" and "!" marks may appear between the "profile number" and the last "pathname of program", depending on the attributes of the domain.

(1) To change "profile number" of a domain

Select domains you want to change "profile number" and press "S" key. Enter "profile number" in the prompt and press "Enter" key.
profile.png

(2) About domains with "!" mark

A domain with "!" mark is unreachable because of either an "initialize_domain" or a "keep_domain" directive. The reason is shown to the right of the last "pathname of program".
unreachable.png

(3) About domains with "*" mark

A domain with "*" mark is one that multiple domains might transition to, because of an "initialize_domain" directive. A domain without "*" mark can be entered only from its parent domain.
initialize_domain-dest.png

(4) About domains with "#" mark

A domain with "#" mark is one that multiple programs might belong to, because a "keep_domain" directive suppresses the domain transition when a program is invoked from it.
keep_domain.png

(5) About domains with "( -> "line number" )" after the last "pathname of program"

This is not a real domain. Because the last "pathname of program" is registered with an "initialize_domain" directive, a process that invokes that program from the parent domain transitions to the domain shown at "line number" instead.
initialize_domain-src.png

(6) About domains with "( -> Not Found )" after the last "pathname of program"

This is not a real domain. Although the last "pathname of program" is registered with "initialize_domain" directive, the destination domain is not created yet.
initialize_domain-nodest.png

(7) About domains with "( the last "pathname of program" )"

This means that this domain no longer exists because it was deleted. It is displayed when the parent domain doesn't exist but descendant domains do, so that the indentation is not broken. To create this domain, move the cursor to it and press "Insert" -> "A" -> "Up-Arrow" -> "Enter" keys (the domainname on the cursor line is placed in the history buffer, so it can be recalled at the prompt).
deleted-domain.png

(8) To initialize domain transition

TOMOYO Linux in principle performs a domain transition whenever a program is invoked, so the next domain differs if the previous domain differs, even when both invoke the same program. For some programs, such as daemons, it is more convenient to run in the same domain regardless of the previous domain. In such cases you can make the program run directly under the "<kernel>" domain, regardless of the previous domain, using the "initialize_domain" and "no_initialize_domain" directives.

For example, the following procedure makes /usr/sbin/sendmail.sendmail always run in the "<kernel> /usr/sbin/sendmail.sendmail" domain.

Before you specify "initialize_domain" directive, the same program is invoked from multiple domains, as shown below.
before-initialize_domain-1.png
before-initialize_domain-2.png

Switch to the screen for editing exception policy. Press "A" key, enter "initialize_domain /usr/sbin/sendmail.sendmail" and press "Enter" key. This entry means "transition to the "<kernel> /usr/sbin/sendmail.sendmail" domain whenever /usr/sbin/sendmail.sendmail is invoked".
adding-initialize_domain.png

Return to the screen for editing domain transition tree. The domains for /usr/sbin/sendmail.sendmail are now marked with "!". Entries with "( -> Not Found )" also appear, because the destination domain ("<kernel> /usr/sbin/sendmail.sendmail") doesn't exist yet.
after-initialize_domain.png

To correct "( -> Not Found )" part, press "A" key and enter "<kernel> /usr/sbin/sendmail.sendmail" and press "Enter" key.
adding-initialize_domain-target.png

And now, "( -> Not Found )" part has changed to "( -> "line number" )".
after-initialize_domain-target.png
added-initialize_domain-target.png

However, when /usr/sbin/sendmail.sendmail is invoked by /bin/mail it is not running as a daemon, so you may not want that invocation to transition to the "<kernel> /usr/sbin/sendmail.sendmail" domain.
before-no_initialize_domain.png

In that case, switch to the screen for editing exception policy. Press "A" key, enter "no_initialize_domain /usr/sbin/sendmail.sendmail from /bin/mail" and press "Enter" key. This entry means "don't transition to the "<kernel> /usr/sbin/sendmail.sendmail" domain if /usr/sbin/sendmail.sendmail is invoked from a domain whose last "pathname of program" is "/bin/mail"".
adding-no_initialize_domain.png

Return to the screen for editing domain transition tree. The domains for /usr/sbin/sendmail.sendmail invoked by /bin/mail are no longer marked with "!".
after-no_initialize_domain.png

(9) To suppress domain transition

TOMOYO Linux in principle performs a domain transition whenever a program is invoked. For some programs it is more convenient to keep running in the same domain. In such cases you can suppress domain transitions using the "keep_domain" and "no_keep_domain" directives.

For example, the following procedure makes the console login domain ( "<kernel> /sbin/mingetty /bin/login /bin/bash" ) suppress domain transitions, so that programs invoked from it stay in that domain.

Before you specify "keep_domain" directive, domain transitions occur, as shown below.
before-keep_domain.png

Switch to the screen for editing exception policy. Press "A" key and enter "keep_domain <kernel> /sbin/mingetty /bin/login /bin/bash" and press "Enter" key.
adding-keep_domain-1.png

Return to the screen for editing domain transition tree. The "<kernel> /sbin/mingetty /bin/login /bin/bash" domain is marked with "#" and its descendant domains are marked with "!".
after-keep_domain-1.png

The "man" command is invoked after login. Because "man" performs fairly complex tasks, it is better to run it in a domain of its own.
before-no_keep_domain.png

Switch to the screen for editing exception policy. Press "A" key, enter "no_keep_domain /usr/bin/man from /bin/bash" (or "no_keep_domain /usr/bin/man from <kernel> /sbin/mingetty /bin/login /bin/bash") and press "Enter" key.
adding-no_keep_domain.png

Return to the screen for editing domain transition tree. Now the "<kernel> /sbin/mingetty /bin/login /bin/bash /usr/bin/man" domain and its descendants are not marked with "!".
after-no_keep_domain.png

Some commands are invoked by the "/usr/bin/man" command, but domain transitions for them are not worth having. So let's make /usr/bin/man not transition domains. Switch to the screen for editing exception policy. Press "A" key, enter "keep_domain /usr/bin/man" (or "keep_domain <kernel> /sbin/mingetty /bin/login /bin/bash /usr/bin/man") and press "Enter" key.
adding-keep_domain-2.png

Return to the screen for editing domain transition tree. The "<kernel> /sbin/mingetty /bin/login /bin/bash /usr/bin/man" domain is marked with "#" and its descendant domains are marked with "!".
after-keep_domain-2.png

There is no point in keeping unreachable domains, so let's delete them. Select the domains marked with "!", press "D" key and then "Y" key.
before-delete.png

The following is the screen for editing domain transition tree after deleting unreachable domains.
after-delete.png

If you are going to apply access restrictions, first run the domains in "learning mode" so that the necessary ACL entries are collected, and only then assign a profile with "enforcing mode" to enforce them.
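The transition rules that sections (8) and (9) configure through the editor, modelled in Python as an added example (this is not TOMOYO's own code): next_domain computes the domain a process enters on execve from its current domainname, the invoked program and the transition directives in the exception policy, and is_unreachable reproduces the condition behind the "!" mark. The two policy texts are constructed from the procedures above. Program names are compared exactly, and group or pattern operands in these directives are not modelled.

```python
"""Added example (not TOMOYO's own code): a model of how initialize_domain,
no_initialize_domain, keep_domain and no_keep_domain decide the domain a
process enters when it executes a program (TOMOYO Linux 1.x semantics).
Assumptions: program names are compared exactly; group and pattern
operands in these directives are not modelled."""

KERNEL = "<kernel>"

# Constructed to match the sendmail procedure in section (8).
SENDMAIL_POLICY = """
initialize_domain /usr/sbin/sendmail.sendmail
no_initialize_domain /usr/sbin/sendmail.sendmail from /bin/mail
"""

# Constructed to match the console-login procedure in section (9).
LOGIN_POLICY = """
keep_domain <kernel> /sbin/mingetty /bin/login /bin/bash
no_keep_domain /usr/bin/man from /bin/bash
keep_domain /usr/bin/man
"""

LOGIN_DOMAIN = "<kernel> /sbin/mingetty /bin/login /bin/bash"


def last_program(domainname):
    """The last "pathname of program" in a domainname (None for "<kernel>")."""
    return domainname.split()[-1] if " " in domainname else None


def domain_matches(spec, domainname):
    """A spec starting with "<kernel>" is a full domainname and must match
    exactly; any other spec names the last program of the domain."""
    if spec.startswith(KERNEL):
        return spec == domainname
    return last_program(domainname) == spec


def parse_exception_policy(text):
    """Return transition-control entries as (kind, negated, program, domain_spec).

    initialize_domain PROGRAM [from DOMAIN_SPEC]    -> ("initialize", False, PROGRAM, spec or None)
    no_initialize_domain PROGRAM [from DOMAIN_SPEC] -> ("initialize", True, PROGRAM, spec or None)
    keep_domain [PROGRAM from] DOMAIN_SPEC          -> ("keep", False, program or None, spec)
    no_keep_domain [PROGRAM from] DOMAIN_SPEC       -> ("keep", True, program or None, spec)
    Other exception policy lines are ignored.
    """
    entries = []
    for line in text.splitlines():
        keyword, _, rest = line.strip().partition(" ")
        if keyword not in ("initialize_domain", "no_initialize_domain",
                           "keep_domain", "no_keep_domain"):
            continue
        kind = "initialize" if keyword.endswith("initialize_domain") else "keep"
        negated = keyword.startswith("no_")
        program, sep, spec = rest.partition(" from ")
        if not sep:
            program, spec = (rest, None) if kind == "initialize" else (None, rest)
        entries.append((kind, negated, program, spec))
    return entries


def controlled(entries, kind, domainname, program):
    """True if a `kind` directive applies to running `program` from `domainname`
    and no matching no_ directive of the same kind overrides it (the no_
    entries win regardless of their position in the policy)."""
    hit = False
    for ekind, negated, eprog, espec in entries:
        if ekind != kind:
            continue
        if eprog is not None and eprog != program:
            continue
        if espec is not None and not domain_matches(espec, domainname):
            continue
        if negated:
            return False
        hit = True
    return hit


def next_domain(entries, domainname, program):
    """Domain a process in `domainname` enters after executing `program`.
    initialize_domain is checked before keep_domain; if neither applies the
    program is appended to the current domainname."""
    if controlled(entries, "initialize", domainname, program):
        return f"{KERNEL} {program}"
    if controlled(entries, "keep", domainname, program):
        return domainname
    return f"{domainname} {program}"


def is_unreachable(entries, domainname):
    """The condition behind the "!" mark: the domain, or one of its ancestors,
    cannot be entered from its parent because a directive redirects or
    suppresses that transition."""
    if " " not in domainname:
        return False
    parent, _, program = domainname.rpartition(" ")
    return (is_unreachable(entries, parent)
            or next_domain(entries, parent, program) != domainname)
```

With SENDMAIL_POLICY, sendmail invoked from "<kernel> /usr/sbin/httpd" lands in "<kernel> /usr/sbin/sendmail.sendmail", while sendmail invoked from a domain ending in /bin/mail gets the ordinary appended domain; with LOGIN_POLICY, everything the login shell runs stays in the login domain except /usr/bin/man, whose own children in turn stay in the man domain. Domains the editor would mark "!" (for instance "... /bin/bash /bin/ls") are reported by is_unreachable.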

Operations specific to screen for editing ACL entries given to the domain

(0) About this screen

This screen shows all ACL entries given to the selected domain. You can confirm and add/delete ACL entries as needed.

(1) To change sort order

You can toggle sort order (by operand or by keyword) by pressing "@" key.
sort-1.png
sort-2.png

(2) To remove redundant ACL entries

You can press "O" key to mark with "&" every entry that is implied by the entry at the cursor line (for example, the non-patterned entries covered by a patterned one), then press "D" key to delete the redundant ACL entries after confirmation.

(A-1) The next picture is a screenshot taken before adding a patterned entry.
optimize-1.png

(A-2) The next picture is a screenshot taken after adding the patterned entry.
optimize-2.png

(A-3) The next picture is a screenshot taken after pressing "O" key on the line of the patterned entry.
optimize-3.png

(A-4) The next picture is a screenshot taken after pressing "D" key.
optimize-4.png

(A-5) The next picture is a screenshot taken after pressing "Y" key.
optimize-5.png

(B-1) The same approach works for network ACL entries. The next picture is a screenshot taken before adding a patterned entry.
optimize-6.png

(B-2) The next picture is a screenshot taken after adding the patterned entry.
optimize-7.png

(B-3) The next picture is a screenshot taken after pressing "O" key on the line of the patterned entry.
optimize-8.png

(B-4) The next picture is a screenshot taken after pressing "D" key.
optimize-9.png

(B-5) The next picture is a screenshot taken after pressing "Y" key.
optimize-10.png

(C-1) The same approach works for entries that refer to a path_group, which must first be defined in the exception policy. The next picture is a screenshot taken after the path_group has been defined.
optimize-11.png

(C-2) The next picture is a screenshot taken before adding an ACL entry that uses the path_group.
optimize-12.png

(C-3) The next picture is a screenshot taken after adding the ACL entry that uses the path_group.
optimize-13.png

(C-4) The next picture is a screenshot taken after pressing "O" key on the line of the path_group entry.
optimize-14.png

(C-5) The next picture is a screenshot taken after pressing "D" key.
optimize-15.png

(C-6) The next picture is a screenshot taken after pressing "Y" key.
optimize-16.png
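What "implied by the entry at the cursor line" means in cases (A) and (C), as an added example in Python (not the editor's own code): a TOMOYO path pattern is translated to a regular expression, and an ACL entry is implied when every token of the cursor entry equals, matches as a pattern, or contains as a path_group member the corresponding token of the candidate. The ACL lines and the path_group are constructed for the example and use the allow_read form of TOMOYO 1.6/1.7; because the comparison is token by token the "file read" form of 1.8 works the same way. Network address and port ranges (case B) and \{dir\}/ recursion are not modelled.

```python
"""Added example (not TOMOYO's own code): which ACL entries a patterned or
path_group entry makes redundant, i.e. what pressing "O" on that line marks.
Assumptions: 1.6/1.7-style ACL lines; pattern escapes per the TOMOYO policy
specification; \{dir\}/ recursion and network ranges are not modelled."""
import re

# TOMOYO pattern escapes and the regular expression each one stands for.
_ESCAPES = {
    "*": r"[^/]*",          # zero or more characters other than '/'
    "@": r"[^/.]*",         # zero or more characters other than '/' and '.'
    "?": r"[^/]",           # one character other than '/'
    "$": r"[0-9]+",         # one or more decimal digits
    "+": r"[0-9]",          # one decimal digit
    "x": r"[0-9A-Fa-f]",    # one hexadecimal digit
    "X": r"[0-9A-Fa-f]+",   # one or more hexadecimal digits
    "a": r"[A-Za-z]",       # one alphabetic character
    "A": r"[A-Za-z]+",      # one or more alphabetic characters
    "\\": r"\\",            # a literal backslash
}

# Constructed sample ACL of one domain (1.6/1.7 syntax).
ACL = [
    "allow_read /var/log/messages",
    "allow_read /var/log/secure",
    "allow_read /var/log/httpd/access_log",
    "allow_read /etc/passwd",
    r"allow_read /var/log/\*",
    "allow_write /var/log/messages",
]

# Constructed sample exception policy defining a path_group.
EXCEPTION_POLICY = """
path_group LOGFILES /var/log/messages
path_group LOGFILES /var/log/httpd/\\*
"""


def pattern_to_regex(pattern):
    """Translate a TOMOYO path pattern into a compiled regular expression."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\":
            i += 1
            if i >= len(pattern) or pattern[i] not in _ESCAPES:
                raise ValueError(f"unsupported escape in {pattern!r}")
            out.append(_ESCAPES[pattern[i]])
        else:
            out.append(re.escape(pattern[i]))
        i += 1
    return re.compile("".join(out))


def path_matches_pattern(pattern, path):
    return pattern_to_regex(pattern).fullmatch(path) is not None


def is_pattern(token):
    return "\\" in token


def parse_path_groups(exception_policy):
    """Map "@NAME" to the member paths declared with "path_group NAME path"."""
    groups = {}
    for line in exception_policy.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "path_group":
            groups.setdefault("@" + parts[1], []).append(parts[2])
    return groups


def token_implies(general, specific, groups):
    """Does operand `general` cover the non-patterned operand `specific`?"""
    if general == specific:
        return True
    if is_pattern(specific):          # a pattern never counts as implied
        return False
    if general.startswith("@"):       # path_group: any member may cover it
        return any(token_implies(m, specific, groups) for m in groups.get(general, []))
    return is_pattern(general) and path_matches_pattern(general, specific)


def entry_implies(general, specific, groups):
    """Same keyword tokens, and every operand of `general` covers `specific`'s."""
    g, s = general.split(), specific.split()
    return len(g) == len(s) and all(token_implies(a, b, groups) for a, b in zip(g, s))


def implied_entries(acl, cursor_entry, groups=None):
    """Entries of `acl` that `cursor_entry` makes redundant (the lines "O" marks)."""
    groups = groups or {}
    return [e for e in acl if e != cursor_entry and entry_implies(cursor_entry, e, groups)]
```

Pressing "O" on the line allow_read /var/log/\* would mark the two direct children of /var/log but not /var/log/httpd/access_log (\* does not cross a '/'), not /etc/passwd, and not the allow_write line with the same operand; with the LOGFILES group the marked lines are the ones whose path is a member or matches a patterned member.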

