
TOMOYO Linux LiveCD Tutorial for CentOS 5

About this page

This document explains how to use the TOMOYO Linux LiveCD. The CD image contains CentOS with a TOMOYO Linux kernel and the userspace tools pre-installed. You can use this CD to try TOMOYO Linux without affecting the existing system.

Getting LiveCD

You can download the ISO image file of the TOMOYO Linux LiveCD from the Download page.

Please burn the ISO image onto a CD-R. You can use VMware Player instead if you don't want to burn the ISO image.

Booting from LiveCD

Please boot your PC from the LiveCD. When the boot sequence has finished, the following screen is shown. This LiveCD is almost the same as the normal CentOS LiveCD, except that several icons have been added by TOMOYO Linux:

desktop.png

By double-clicking the "Keyboard" icon, you can choose the keyboard type you want to use:

kbdselect-en.png

Using LiveCD

Please double-click the icon named "TOMOYO Linux Policy Violation Log". The following window appears:

reject_log.png

This window shows accesses that violate the TOMOYO Linux policy, and new violations appear instantly. Since this LiveCD is configured to boot without a predefined policy, every access is recorded in the policy violation log. Keep the window open and use some functions of the desktop: which process accessed which resource is shown in real time.

Next, please double-click the icon named "TOMOYO Linux Policy Editor". The following window is shown:

editpolicy.png

This window displays all invoked processes in a tree structure. Each line is called a "domain". Every process invoked since the beginning of the boot sequence is monitored by the TOMOYO Linux kernel, and which process accessed which resources is recorded as the TOMOYO Linux policy. By browsing the policy you can easily understand how your Linux system behaves; that is the greatest characteristic of TOMOYO Linux.

The initial view of the policy editor shows the process invocation history, whose origin is <kernel>. Scroll down as you like and confirm which processes were invoked on your system.

Let's try to find the process named "gnome-terminal". Press the 'F' key, and a prompt is shown at the bottom of the window. Input "gnome-terminal" and press the 'Enter' key:

find.png

You can see that gnome-terminal invoked /usr/sbin/sudo, and /usr/sbin/sudo invoked /usr/bin/tail and /usr/sbin/ccs-editpolicy:

domain_gnome-terminal.png

Press the 'Enter' key on /usr/bin/tail:

acl_tail.png

The leftmost number of each line is the line number, and the next words are the access permission: "file execute" means execute, "file write" means open for writing, "file read" means open for reading, and "misc env" means accepting an environment variable with this name. These lines show that the tail command read a locale file and /var/log/tomoyo/reject_000.log, /var/log/tomoyo/reject_001.log, /var/log/tomoyo/reject_002.log and /var/log/tomoyo/reject_003.log. This policy is the result of learning the behavior triggered by double-clicking the "TOMOYO Linux Policy Violation Log" icon.

Press the 'Enter' key again to go back to the previous domain-tree view. Browse several domains and their permissions as you like.

Restricting accesses

Now let's try restricting accesses with TOMOYO Linux. Keep the policy editor in the background, and start "Terminal" from the "Applications" menu at the top of the display (Applications -> Accessories -> Terminal):

menu_terminal.png

After starting the terminal, go back to the policy editor and press the 'R' key to reload the TOMOYO Linux policy. Find the /bin/bash that is the child of gnome-terminal. To find bash, you can use the 'F' key as in the previous operations:

domain_bash.png

This bash is the one running in the "Terminal" window. There are also domains for grep, id and so on, which were executed automatically by the bash startup sequence. Type the following commands in the terminal:

$ head /etc/passwd
$ bash
$ tail /etc/passwd
$ exit

bash_learning.png

Then go back to the policy editor and press the 'R' key; you can see that domains for the executed programs have been appended:

bash_learned.png

Pay attention to the numbers next to the line numbers. All lines currently show '1':

all_learning.png

These numbers show the process's running mode in TOMOYO Linux, which is called the profile number. Profile numbers range from 0 to 3, and all domains in this LiveCD are initially assigned profile number 1 (learning mode):

profile number   meaning
0                disabled mode (TOMOYO Linux does nothing)
1                learning mode (access requests that violate the policy are accepted, and the policy is updated to allow them)
2                permissive mode (access requests that violate the policy are accepted)
3                enforcing mode (access requests that violate the policy are denied)

To enable TOMOYO Linux access restriction, you need to assign profile number 3 to a domain. Let's restrict operations in the bash invoked from gnome-terminal. Press the Space key on the bash just below gnome-terminal, and an '&' mark appears to the left of the line number. This '&' is the 'selected' mark:

select-1.png

Then press the 'C' key, and the '&' mark is copied to all lines below:

select-2.png

Then press the Space key on sudo, and its '&' mark disappears:

select-3.png

Then press the 'C' key again, and the '&' mark is cleared from all lines below:

select-4.png

Then press the 'S' key, and a prompt is shown at the bottom of the window. Input "3" and press the 'Enter' key:

setprofile.png

Profile number 3 is assigned to the selected domains:

bash_enforced.png

The bash invoked from gnome-terminal is now running in enforcing mode. Execute some commands in the terminal. Commands that were not executed while in learning mode are denied. In the following window, "head /etc/passwd" is granted, but executions of "ls" and "ps" are denied:

1st_bash.png

In addition, the first-level bash can't execute "tail /etc/passwd", but the second-level bash can:

2nd_bash.png

This is because TOMOYO Linux distinguishes processes according to their invocation history. In the current policy, two bash domains exist: one for the bash invoked directly from gnome-terminal (the first level) and one for the bash invoked from that bash (the second level).

The head command is only permitted in the first bash domain, and the tail command is only permitted in the second. TOMOYO Linux monitors every process from the system boot sequence onward, and processes are distinguished by this fine-grained method.

The entries below are the ones from /var/log/tomoyo/reject_003.log that contain "mode=enforcing". Not only the requested pathname but also the process credentials, command line arguments, environment variables and so on are recorded. If you want to restrict access more strictly, you can use these values in your policy as needed.

#2012/03/12 15:39:15# profile=3 mode=enforcing granted=no (global-pid=3957) task={ pid=3957 ppid=3904 uid=500 gid=500 euid=500 egid=500 suid=500 sgid=500 fsuid=500 fsgid=500 type!=execute_handler } path1={ uid=0 gid=0 ino=278537 major=253 minor=0 perm=0755 type=file } path1.parent={ uid=0 gid=0 ino=278529 perm=0755 } exec={ realpath="/bin/ls" argc=2 envc=34 argv[]={ "ls" "--color=tty" } envp[]={ "SSH_AGENT_PID=3707" "HOSTNAME=livecd.localdomain" "TERM=xterm" "SHELL=/bin/bash" "HISTSIZE=1000" "GTK_RC_FILES=/etc/gtk/gtkrc:/home/centos/.gtkrc-1.2-gnome2" "WINDOWID=24139895" "USER=centos" "LS_COLORS=no=00:fi=00:di=00;34:ln=00;36:pi=40;33:so=00;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=00;32:*.cmd=00;32:*.exe=00;32:*.com=00;32:*.btm=00;32:*.bat=00;32:*.sh=00;32:*.csh=00;32:*.tar=00;31:*.tgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.gz=00;31:*.bz2=00;31:*.bz=00;31:*.tz=00;31:*.rpm=00;31:*.cpio=00;31:*.jpg=00;35:*.gif=00;35:*.bmp=00;35:*.xbm=00;35:*.xpm=00;35:*.png=00;35:*.tif=00;35:" "GNOME_KEYRING_SOCKET=/tmp/keyring-8oUnTf/socket" "SSH_AUTH_SOCK=/tmp/ssh-tsEoIb3676/agent.3676" "SESSION_MANAGER=local/livecd.localdomain:/tmp/.ICE-unix/3676" "USERNAME=centos" "MAIL=/var/spool/mail/centos" "PATH=/usr/kerberos/bin:/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/home/centos/bin" "DESKTOP_SESSION=default.desktop" "GDM_XSERVER_LOCATION=local" "INPUTRC=/etc/inputrc" "PWD=/home/centos" "XMODIFIERS=@im=none" "LANG=en_US.UTF-8" "GDMSESSION=default.desktop" "SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass" "SHLVL=2" "HOME=/home/centos" "GNOME_DESKTOP_SESSION_ID=Default" "LOGNAME=centos" "DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-WkqSSGbio0,guid=cef7aeb2362c3dddacb141004f5e14b2" "LESSOPEN=|/usr/bin/lesspipe.sh\040%s" "DISPLAY=:0.0" "G_BROKEN_FILENAMES=1" "COLORTERM=gnome-terminal" "XAUTHORITY=/tmp/.gdmDX2ZAW" "_=/bin/ls" } }
<kernel> /sbin/init /etc/X11/prefdm /usr/sbin/gdm /usr/sbin/gdm-binary /etc/X11/xinit/Xsession /usr/bin/ssh-agent /bin/sh /bin/bash /usr/bin/dbus-launch /etc/X11/xinit/Xclients /usr/bin/gnome-session /usr/bin/nautilus /usr/bin/gnome-terminal /bin/bash
file execute /bin/ls

#2012/03/12 15:39:15# profile=3 mode=enforcing granted=no (global-pid=3957) task={ pid=3957 ppid=3904 uid=500 gid=500 euid=500 egid=500 suid=500 sgid=500 fsuid=500 fsgid=500 type!=execute_handler } path1={ uid=0 gid=0 ino=278537 major=253 minor=0 perm=0755 type=file } path1.parent={ uid=0 gid=0 ino=278529 perm=0755 }
<kernel> /sbin/init /etc/X11/prefdm /usr/sbin/gdm /usr/sbin/gdm-binary /etc/X11/xinit/Xsession /usr/bin/ssh-agent /bin/sh /bin/bash /usr/bin/dbus-launch /etc/X11/xinit/Xclients /usr/bin/gnome-session /usr/bin/nautilus /usr/bin/gnome-terminal /bin/bash
file read /bin/ls

#2012/03/12 15:39:17# profile=3 mode=enforcing granted=no (global-pid=3958) task={ pid=3958 ppid=3904 uid=500 gid=500 euid=500 egid=500 suid=500 sgid=500 fsuid=500 fsgid=500 type!=execute_handler } path1={ uid=0 gid=0 ino=278565 major=253 minor=0 perm=0555 type=file } path1.parent={ uid=0 gid=0 ino=278529 perm=0755 } exec={ realpath="/bin/ps" argc=1 envc=34 argv[]={ "ps" } envp[]={ "SSH_AGENT_PID=3707" "HOSTNAME=livecd.localdomain" "TERM=xterm" "SHELL=/bin/bash" "HISTSIZE=1000" "GTK_RC_FILES=/etc/gtk/gtkrc:/home/centos/.gtkrc-1.2-gnome2" "WINDOWID=24139895" "USER=centos" "LS_COLORS=no=00:fi=00:di=00;34:ln=00;36:pi=40;33:so=00;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=00;32:*.cmd=00;32:*.exe=00;32:*.com=00;32:*.btm=00;32:*.bat=00;32:*.sh=00;32:*.csh=00;32:*.tar=00;31:*.tgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.gz=00;31:*.bz2=00;31:*.bz=00;31:*.tz=00;31:*.rpm=00;31:*.cpio=00;31:*.jpg=00;35:*.gif=00;35:*.bmp=00;35:*.xbm=00;35:*.xpm=00;35:*.png=00;35:*.tif=00;35:" "GNOME_KEYRING_SOCKET=/tmp/keyring-8oUnTf/socket" "SSH_AUTH_SOCK=/tmp/ssh-tsEoIb3676/agent.3676" "SESSION_MANAGER=local/livecd.localdomain:/tmp/.ICE-unix/3676" "USERNAME=centos" "MAIL=/var/spool/mail/centos" "PATH=/usr/kerberos/bin:/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/home/centos/bin" "DESKTOP_SESSION=default.desktop" "GDM_XSERVER_LOCATION=local" "INPUTRC=/etc/inputrc" "PWD=/home/centos" "XMODIFIERS=@im=none" "LANG=en_US.UTF-8" "GDMSESSION=default.desktop" "SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass" "SHLVL=2" "HOME=/home/centos" "GNOME_DESKTOP_SESSION_ID=Default" "LOGNAME=centos" "DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-WkqSSGbio0,guid=cef7aeb2362c3dddacb141004f5e14b2" "LESSOPEN=|/usr/bin/lesspipe.sh\040%s" "DISPLAY=:0.0" "G_BROKEN_FILENAMES=1" "COLORTERM=gnome-terminal" "XAUTHORITY=/tmp/.gdmDX2ZAW" "_=/bin/ps" } }
<kernel> /sbin/init /etc/X11/prefdm /usr/sbin/gdm /usr/sbin/gdm-binary /etc/X11/xinit/Xsession /usr/bin/ssh-agent /bin/sh /bin/bash /usr/bin/dbus-launch /etc/X11/xinit/Xclients /usr/bin/gnome-session /usr/bin/nautilus /usr/bin/gnome-terminal /bin/bash
file execute /bin/ps

#2012/03/12 15:39:17# profile=3 mode=enforcing granted=no (global-pid=3958) task={ pid=3958 ppid=3904 uid=500 gid=500 euid=500 egid=500 suid=500 sgid=500 fsuid=500 fsgid=500 type!=execute_handler } path1={ uid=0 gid=0 ino=278565 major=253 minor=0 perm=0555 type=file } path1.parent={ uid=0 gid=0 ino=278529 perm=0755 }
<kernel> /sbin/init /etc/X11/prefdm /usr/sbin/gdm /usr/sbin/gdm-binary /etc/X11/xinit/Xsession /usr/bin/ssh-agent /bin/sh /bin/bash /usr/bin/dbus-launch /etc/X11/xinit/Xclients /usr/bin/gnome-session /usr/bin/nautilus /usr/bin/gnome-terminal /bin/bash
file read /bin/ps

#2012/03/12 15:39:23# profile=3 mode=enforcing granted=no (global-pid=3960) task={ pid=3960 ppid=3904 uid=500 gid=500 euid=500 egid=500 suid=500 sgid=500 fsuid=500 fsgid=500 type!=execute_handler } path1={ uid=0 gid=0 ino=115066 major=253 minor=0 perm=0644 type=file } path1.parent={ uid=0 gid=0 ino=114689 perm=0755 }
<kernel> /sbin/init /etc/X11/prefdm /usr/sbin/gdm /usr/sbin/gdm-binary /etc/X11/xinit/Xsession /usr/bin/ssh-agent /bin/sh /bin/bash /usr/bin/dbus-launch /etc/X11/xinit/Xclients /usr/bin/gnome-session /usr/bin/nautilus /usr/bin/gnome-terminal /bin/bash /usr/bin/head
file read /etc/fstab

#2012/03/12 15:40:13# profile=3 mode=enforcing granted=no (global-pid=3961) task={ pid=3961 ppid=3904 uid=500 gid=500 euid=500 egid=500 suid=500 sgid=500 fsuid=500 fsgid=500 type!=execute_handler } path1={ uid=0 gid=0 ino=295632 major=253 minor=0 perm=0755 type=file } path1.parent={ uid=0 gid=0 ino=295316 perm=0755 } exec={ realpath="/usr/bin/tail" argc=2 envc=34 argv[]={ "tail" "/etc/passwd" } envp[]={ "SSH_AGENT_PID=3707" "HOSTNAME=livecd.localdomain" "TERM=xterm" "SHELL=/bin/bash" "HISTSIZE=1000" "GTK_RC_FILES=/etc/gtk/gtkrc:/home/centos/.gtkrc-1.2-gnome2" "WINDOWID=24139895" "USER=centos" "LS_COLORS=no=00:fi=00:di=00;34:ln=00;36:pi=40;33:so=00;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=00;32:*.cmd=00;32:*.exe=00;32:*.com=00;32:*.btm=00;32:*.bat=00;32:*.sh=00;32:*.csh=00;32:*.tar=00;31:*.tgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.gz=00;31:*.bz2=00;31:*.bz=00;31:*.tz=00;31:*.rpm=00;31:*.cpio=00;31:*.jpg=00;35:*.gif=00;35:*.bmp=00;35:*.xbm=00;35:*.xpm=00;35:*.png=00;35:*.tif=00;35:" "GNOME_KEYRING_SOCKET=/tmp/keyring-8oUnTf/socket" "SSH_AUTH_SOCK=/tmp/ssh-tsEoIb3676/agent.3676" "SESSION_MANAGER=local/livecd.localdomain:/tmp/.ICE-unix/3676" "USERNAME=centos" "MAIL=/var/spool/mail/centos" "PATH=/usr/kerberos/bin:/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/home/centos/bin" "DESKTOP_SESSION=default.desktop" "GDM_XSERVER_LOCATION=local" "INPUTRC=/etc/inputrc" "PWD=/home/centos" "XMODIFIERS=@im=none" "LANG=en_US.UTF-8" "GDMSESSION=default.desktop" "SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass" "SHLVL=2" "HOME=/home/centos" "GNOME_DESKTOP_SESSION_ID=Default" "LOGNAME=centos" "DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-WkqSSGbio0,guid=cef7aeb2362c3dddacb141004f5e14b2" "LESSOPEN=|/usr/bin/lesspipe.sh\040%s" "DISPLAY=:0.0" "G_BROKEN_FILENAMES=1" "COLORTERM=gnome-terminal" "XAUTHORITY=/tmp/.gdmDX2ZAW" "_=/usr/bin/tail" } }
<kernel> /sbin/init /etc/X11/prefdm /usr/sbin/gdm /usr/sbin/gdm-binary /etc/X11/xinit/Xsession /usr/bin/ssh-agent /bin/sh /bin/bash /usr/bin/dbus-launch /etc/X11/xinit/Xclients /usr/bin/gnome-session /usr/bin/nautilus /usr/bin/gnome-terminal /bin/bash
file execute /usr/bin/tail

#2012/03/12 15:40:13# profile=3 mode=enforcing granted=no (global-pid=3961) task={ pid=3961 ppid=3904 uid=500 gid=500 euid=500 egid=500 suid=500 sgid=500 fsuid=500 fsgid=500 type!=execute_handler } path1={ uid=0 gid=0 ino=295632 major=253 minor=0 perm=0755 type=file } path1.parent={ uid=0 gid=0 ino=295316 perm=0755 }
<kernel> /sbin/init /etc/X11/prefdm /usr/sbin/gdm /usr/sbin/gdm-binary /etc/X11/xinit/Xsession /usr/bin/ssh-agent /bin/sh /bin/bash /usr/bin/dbus-launch /etc/X11/xinit/Xclients /usr/bin/gnome-session /usr/bin/nautilus /usr/bin/gnome-terminal /bin/bash
file read /usr/bin/tail
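The reject-log entries above are what an administrator reviews before deciding which denied requests to allow. The following Python script is an added example for this tutorial, not part of TOMOYO Linux or its userspace tools: it parses records of the three-line shape shown above (header, domain, access request, using the same "file execute" / "file read" vocabulary as the policy editor section), keeps only the requests that enforcing mode blocked, and groups them by domain. The embedded sample log is constructed from the entries above, abridged to shorter domain names and two environment variables, plus one made-up permissive-mode record so the enforcing-only filter has something to exclude.

```python
"""Parse TOMOYO Linux 1.x reject-log records of the shape shown above.

Each record is three lines followed by a blank line:
  1. a header: '#YYYY/MM/DD HH:MM:SS#' plus key=value fields, some of which
     (task={...}, path1={...}, exec={...}) are brace groups;
  2. the domain name, i.e. the invocation history rooted at <kernel>;
  3. the access request that was checked, e.g. 'file execute /bin/ls'.
"""
import re
from collections import defaultdict

HEADER_RE = re.compile(r"^#(?P<timestamp>[^#]+)#\s*(?P<rest>.*)$")
# Top-level scalar fields we care about; '(global-pid=N)' is wrapped in parens.
SCALAR_RE = re.compile(r"\b(profile|mode|granted|global-pid)=([^\s})]+)")
REALPATH_RE = re.compile(r'realpath="([^"]*)"')
ARGV_RE = re.compile(r"argv\[\]=\{ (.*?) \}")
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_header(line):
    """Extract timestamp, profile/mode/granted/global-pid, realpath and argv."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a reject-log header: %r" % line)
    fields = {"timestamp": m.group("timestamp").strip()}
    fields.update(SCALAR_RE.findall(m.group("rest")))
    rp = REALPATH_RE.search(m.group("rest"))
    fields["realpath"] = rp.group(1) if rp else None  # only execute requests carry exec={...}
    av = ARGV_RE.search(m.group("rest"))
    fields["argv"] = QUOTED_RE.findall(av.group(1)) if av else []
    return fields


def parse_reject_log(text):
    """Split the log into blank-line-separated records and parse each one."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l for l in block.splitlines() if l.strip()]
        if len(lines) < 3:
            continue  # truncated record: skip it rather than guess
        rec = parse_header(lines[0])
        rec["domain"] = lines[1].strip()
        rec["access"] = lines[2].strip()
        records.append(rec)
    return records


def denied_in_enforcing(records):
    """Only the requests that enforcing mode actually blocked."""
    return [r for r in records
            if r.get("mode") == "enforcing" and r.get("granted") == "no"]


def summarize_by_domain(records):
    """Map each domain to the sorted, de-duplicated requests denied in it."""
    summary = defaultdict(set)
    for r in denied_in_enforcing(records):
        summary[r["domain"]].add(r["access"])
    return {d: sorted(a) for d, a in summary.items()}


# Constructed sample: the tutorial's entries, abridged (shorter domain names,
# two environment variables instead of 34), plus one made-up permissive-mode
# record so the enforcing-only filter has something to exclude.
SAMPLE_LOG = r"""
#2012/03/12 15:39:15# profile=3 mode=enforcing granted=no (global-pid=3957) task={ pid=3957 ppid=3904 uid=500 gid=500 type!=execute_handler } path1={ uid=0 gid=0 ino=278537 major=253 minor=0 perm=0755 type=file } path1.parent={ uid=0 gid=0 ino=278529 perm=0755 } exec={ realpath="/bin/ls" argc=2 envc=2 argv[]={ "ls" "--color=tty" } envp[]={ "TERM=xterm" "LESSOPEN=|/usr/bin/lesspipe.sh\040%s" } }
<kernel> /sbin/init /usr/bin/gnome-terminal /bin/bash
file execute /bin/ls

#2012/03/12 15:39:15# profile=3 mode=enforcing granted=no (global-pid=3957) task={ pid=3957 ppid=3904 uid=500 gid=500 type!=execute_handler } path1={ uid=0 gid=0 ino=278537 major=253 minor=0 perm=0755 type=file } path1.parent={ uid=0 gid=0 ino=278529 perm=0755 }
<kernel> /sbin/init /usr/bin/gnome-terminal /bin/bash
file read /bin/ls

#2012/03/12 15:39:23# profile=3 mode=enforcing granted=no (global-pid=3960) task={ pid=3960 ppid=3904 uid=500 gid=500 type!=execute_handler } path1={ uid=0 gid=0 ino=115066 major=253 minor=0 perm=0644 type=file } path1.parent={ uid=0 gid=0 ino=114689 perm=0755 }
<kernel> /sbin/init /usr/bin/gnome-terminal /bin/bash /usr/bin/head
file read /etc/fstab

#2012/03/12 15:40:13# profile=3 mode=enforcing granted=no (global-pid=3961) task={ pid=3961 ppid=3904 uid=500 gid=500 type!=execute_handler } path1={ uid=0 gid=0 ino=295632 major=253 minor=0 perm=0755 type=file } path1.parent={ uid=0 gid=0 ino=295316 perm=0755 } exec={ realpath="/usr/bin/tail" argc=2 envc=2 argv[]={ "tail" "/etc/passwd" } envp[]={ "TERM=xterm" "SHELL=/bin/bash" } }
<kernel> /sbin/init /usr/bin/gnome-terminal /bin/bash
file execute /usr/bin/tail

#2012/03/12 15:41:00# profile=2 mode=permissive granted=yes (global-pid=3970) task={ pid=3970 ppid=3904 uid=500 gid=500 type!=execute_handler } path1={ uid=0 gid=0 ino=115070 major=253 minor=0 perm=0644 type=file } path1.parent={ uid=0 gid=0 ino=114689 perm=0755 }
<kernel> /sbin/init /usr/bin/gnome-terminal /bin/bash /bin/bash
file read /etc/hostname
"""

if __name__ == "__main__":
    summary = summarize_by_domain(parse_reject_log(SAMPLE_LOG))
    for domain, accesses in sorted(summary.items()):
        print(domain)
        for access in accesses:
            print("    denied:", access)
```

Run it against a real file with `parse_reject_log(open("/var/log/tomoyo/reject_003.log").read())`. Grouping by the full domain string rather than by program name is deliberate: as the tutorial shows, the same /bin/bash binary lives in two different domains, and a request denied in one may be permitted in the other.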

For more information

In this tutorial, you have experienced TOMOYO's basic access control functionality. TOMOYO Linux has many more features. Please follow the links at the top of this page to use TOMOYO Linux more effectively.