This page is for TOMOYO 2.2 (for Linux 2.6.30 - 2.6.35 kernels). Please jump to this page for TOMOYO 2.3 (for Linux 2.6.36 and later kernels).


Last modified: $Date: 2015-08-31 22:19:51 +0900 (Mon, 31 Aug 2015) $

Phase 5: Restricting your system's behavior.

This page describes how to use TOMOYO's enforcing mode.


Step 1: Enabling enforcing mode

Once you are satisfied that the learned policy covers everything the domain legitimately needs, run the policy editor and change the domain's profile number to 3.

Run the policy editor (tomoyo-editpolicy), select the target domains, press the 's' key, enter '3' and press the 'Enter' key.

(Screenshot: editpolicy-httpd-set-profile3.png)

The profile number of /usr/sbin/httpd and its descendant domains has now changed to 3.

(Screenshot: editpolicy-httpd-profile3.png)

Press the 'q' key to quit the policy editor. Then run "tomoyo-pstree" and verify that the /usr/sbin/httpd processes and their descendants are assigned profile number 3.

(Screenshot: pstree-httpd3.png)

From now on the /usr/sbin/httpd processes and their descendants are protected by MAC: profile 3 is configured with file access control in enforcing mode, so a file access that the domain's policy does not permit is rejected instead of being learned (profile 1) or merely logged (profile 2).

(Screenshot: editpolicy-profile-list-enforcing.png)
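Besides tomoyo-pstree, which shows the profile of running processes, you can check the policy itself: every domain in /sys/kernel/security/tomoyo/domain_policy carries a "use_profile" line. The following script is an added example written for this page (it is not part of TOMOYO or tomoyo-tools): it parses a copy of domain_policy and reports any domain under a given prefix whose profile is not the expected one, so a descendant domain left in learning or permissive mode does not go unnoticed. The policy text below is constructed for the example; the function names unenforced_domains and enforcing_ok are this example's own.

```shell
#!/bin/sh
# Added example for this page, not part of TOMOYO or its tools: check from a
# copy of domain_policy that a domain and every descendant domain use the
# expected profile, so nothing under /usr/sbin/httpd is left outside
# enforcing mode. Runs offline on the constructed sample below.

# Constructed sample in the TOMOYO 2.2 domain_policy layout: a domain name
# line, its use_profile line, then its access entries. The last domain was
# deliberately left at profile 1 so the check has something to report.
SAMPLE_POLICY='<kernel>
use_profile 0
allow_read /etc/ld.so.cache

<kernel> /usr/sbin/httpd
use_profile 3
allow_read/write /var/log/httpd/access_log

<kernel> /usr/sbin/httpd /bin/sh
use_profile 3
allow_execute /bin/mail

<kernel> /usr/sbin/httpd /bin/sh /bin/mail
use_profile 1
allow_execute /bin/cat
'

# unenforced_domains PREFIX EXPECTED  (policy text on stdin)
# Prints "<domain><TAB><profile>" for each domain that is PREFIX itself or a
# descendant of it (name starts with "PREFIX ") and whose use_profile differs
# from EXPECTED. Prints nothing when every such domain matches.
unenforced_domains() {
    awk -v prefix="$1" -v expected="$2" '
        # every domain block starts with a line beginning with <kernel>
        /^<kernel>/ { domain = $0; next }
        /^use_profile / {
            if (domain == prefix || index(domain, prefix " ") == 1)
                if ($2 != expected)
                    printf "%s\t%s\n", domain, $2
        }'
}

# enforcing_ok PREFIX EXPECTED  (policy text on stdin)
# Exit status 0 only when no domain under PREFIX deviates from EXPECTED.
enforcing_ok() {
    [ -z "$(unenforced_domains "$1" "$2")" ]
}

# Offline run on the sample; on a live TOMOYO 2.2 system read the real file:
#   unenforced_domains '<kernel> /usr/sbin/httpd' 3 < /sys/kernel/security/tomoyo/domain_policy
printf '%s' "$SAMPLE_POLICY" | unenforced_domains '<kernel> /usr/sbin/httpd' 3
```

Reading domain_policy only needs root, so the check can run from cron or a monitoring job. Writing it (which the policy editor does on your behalf when you press 's') is a different matter: TOMOYO only accepts policy updates from programs registered in /sys/kernel/security/tomoyo/manager, so a plain "echo" from a shell is refused.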

Let's try an operation which is permitted by policy.

(Screenshot: operation-permitted.png)

The operation completed successfully, because sending mail is permitted by policy.

Let's try an operation which is not permitted by policy.

(Screenshot: unix-penguin.png)

The operation was rejected. At first glance it looks as if it completed successfully, but the execution of /bin/cat was actually denied: /bin/mail prints a warning that its input was empty, because /bin/cat never ran to produce it.

(Screenshot: unix-penguin-rejected.png)

If the profile is configured with "TOMOYO_VERBOSE=enabled" (the default), a "TOMOYO-ERROR:" message is printed to the console, and therefore to the kernel log, each time a policy violation occurs in enforcing mode.

(Screenshot: enforcing-error.png)
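Because a rejected operation can look like success to the user, as the /bin/cat case above shows, the kernel log is the place to confirm what enforcing mode actually blocked. The script below is an added example written for this page, not part of TOMOYO or tomoyo-tools: it extracts the access messages from dmesg-style output and counts enforcing-mode rejections per domain. The message layout it assumes, "TOMOYO-ERROR: Access '<operation> <path>' denied for <domain>", is modelled on the printk in TOMOYO 2.2's file.c; the sample log lines are constructed, not captured from a real system, and the function names tomoyo_denials and denial_summary are this example's own.

```shell
#!/bin/sh
# Added example for this page, not part of TOMOYO or its tools: pull the
# access-denied messages TOMOYO 2.2 prints with TOMOYO_VERBOSE=enabled out of
# the kernel log and summarize them per domain. The line layout assumed here,
#   TOMOYO-ERROR: Access '<operation> <path>' denied for <domain>
# follows the printk in TOMOYO 2.2 file.c (an assumption of this example);
# TOMOYO-WARNING lines from non-enforcing profiles share the layout and are
# picked up too, so the same parser serves a domain still in learning mode.

# Constructed sample of dmesg output (not captured from a real system); the
# USB line is there to show that unrelated messages are ignored.
SAMPLE_DMESG='[  312.104512] TOMOYO-ERROR: Access '\''execute /bin/cat'\'' denied for /bin/mail
[  312.104530] usb 1-1: new high speed USB device using ehci_hcd and address 2
[  340.771004] TOMOYO-WARNING: Access '\''write /var/www/html/index.html'\'' denied for /usr/sbin/httpd'

# tomoyo_denials  (kernel log text on stdin)
# Prints "<ERROR|WARNING><TAB><domain><TAB><operation and path>" per message.
tomoyo_denials() {
    awk '
        /TOMOYO-(ERROR|WARNING): Access / {
            s = substr($0, index($0, "TOMOYO-") + 7)        # ERROR: Access ...
            level = substr(s, 1, index(s, ":") - 1)
            rest = substr(s, index(s, "Access ") + 7)        # quoted op, then denied for
            q = index(rest, " denied for ")
            op = substr(rest, 2, q - 3)                      # drop the surrounding quotes
            dom = substr(rest, q + 12)                       # text after " denied for "
            printf "%s\t%s\t%s\n", level, dom, op
        }'
}

# denial_summary  (kernel log text on stdin)
# Counts enforcing-mode rejections (ERROR only) per domain, sorted by domain.
denial_summary() {
    tomoyo_denials | awk 'BEGIN { FS = "\t" }
        $1 == "ERROR" { n[$2]++ }
        END { for (d in n) printf "%s\t%d\n", d, n[d] }' | sort
}

# Offline run on the sample; on a live system use:  dmesg | tomoyo_denials
printf '%s\n' "$SAMPLE_DMESG" | tomoyo_denials
printf '%s\n' "$SAMPLE_DMESG" | denial_summary
```

A non-empty ERROR count for a domain you believed was fully trained means either the policy is missing an entry (return that domain to profile 1 briefly, reproduce, then re-enforce) or the program is being abused; the operation column tells you which.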


