This page is for TOMOYO 2.2 (for Linux 2.6.30 - 2.6.35 kernels). Please jump to this page for TOMOYO 2.3 (for Linux 2.6.36 and later kernels).


Last modified: $Date: 2015-08-31 22:19:51 +0900 (Mon, 31 Aug 2015) $

Phase 2: Initializing TOMOYO Linux.

This page describes basic operations needed for using TOMOYO.


Step 1: Initializing Policy

To initialize policy, run

[root@tomoyo ~]# /usr/lib/tomoyo/tomoyo_init_policy

This will take several minutes.

TOMOYO's policy files will be saved in /etc/tomoyo/ directory.


Step 2: Learning how to use TOMOYO's policy editor

Run TOMOYO's policy editor "tomoyo-editpolicy" with "/etc/tomoyo/" as its argument, and you will see the screen shown below.

[root@tomoyo ~]# /usr/sbin/tomoyo-editpolicy /etc/tomoyo/

[Image: editpolicy-domain-list1.png]

This screen shows the domain tree. At this point only the "<kernel>" domain is defined, but as the system runs, TOMOYO creates domains and adds them to the tree. The example screen shown below has many domains.

[Image: editpolicy-domain-list2.png]

The MAC in TOMOYO Linux is applied in units of domains. Every process belongs to a single domain, and in principle a process transitions to a different domain whenever it executes a program. The name of a domain is the concatenated execution history of the process. For example, the domain the kernel belongs to is named "<kernel>", the domain of /sbin/init invoked by the kernel is named "<kernel> /sbin/init", and the domain of /etc/rc.d/rc invoked by /sbin/init is named "<kernel> /sbin/init /etc/rc.d/rc". The exceptions to this transition rule are described later.

Look at the number in the second column of each line.

[Image: editpolicy-domain-profile-number.png]

This number is called the "profile number". A profile number is an integer value between 0 and 255.

Press the "w" key, and you will see some choices.

[Image: editpolicy-window-list.png]

Press the "p" key, and you will see the list of profiles.

You will see the entries shown in the picture below.

[Image: editpolicy-profile-list-file-only.png]

You can scroll this window using arrow keys and/or Home/End/PageUp/PageDown keys.

Name              Control                                                                                      Default value  Learning mode supported
COMMENT           A line of text that describes the content of the profile.                                                  -
MAC_FOR_FILE      Enable Mandatory Access Control (MAC) for files.                                             disabled       Yes
MAX_ACCEPT_ENTRY  Limits the max number of ACL entries that are automatically appended during learning mode.  2048           -
TOMOYO_VERBOSE    Dump domain policy violation messages to syslog.                                             enabled        -

You can give the following values for MAC_FOR_FILE.

Value       Meaning
disabled    Disabled. Works as if a regular kernel.
learning    Learning mode. The request is not rejected if it violates policy, and is automatically appended to policy.
permissive  Permissive mode. The request is not rejected if it violates policy, and is not appended to policy automatically.
enforcing   Enforcing mode. The request is rejected if it violates policy.

You can give any integer greater than or equal to 0 for MAX_ACCEPT_ENTRY.

You can give the following values for TOMOYO_VERBOSE.

Value     Meaning
disabled  Don't dump domain policy violation messages.
enabled   Dump domain policy violation messages.

Press the "w" key, then the "e" key, and you will see the screen shown below.

[Image: editpolicy-exception-list1.png]

This screen contains the following types of exceptions.

(1) Pathname pattern

Register pathnames containing patterns using the "file_pattern" directive. When a file operation is performed and the requested pathname matches a patterned pathname registered with the "file_pattern" directive, policy is generated using the patterned pathname instead of the literal one.
The following is a guideline.

  • Files under /proc/PID/ directory.
  • Files under /sys/ directory. (Applicable to 2.6 kernels only)
  • Some files under /dev/ directory.
  • Policy files under /etc/tomoyo/ directory.
  • Manual pages.
  • Spool directories.
  • Temporary files used for sending and receiving mails.
  • Temporary files used by man command.
  • Temporary files used by mount command.

TOMOYO Linux needs more patterned pathnames depending on the applications installed and their configurations. You can add missing patterned pathnames after running the system.

(2) Unconditionally readable files

Register files that all programs are allowed to read using the "allow_read" directive. Patterns are allowed. When a file open request for reading is issued and the requested pathname matches a pathname registered with the "allow_read" directive, the open request for read access is granted even if the pathname is not explicitly permitted by the domain policy.
The following is a guideline.

  • Dynamically-linked library files that are registered with ldconfig.
  • Some files under /proc/ directory.
  • Some locale data under /usr/share/locale/ directory.

You may find more files depending on applications in your system or configurations. Add missing files after observing which files are used for read access.

(3) Non-rewritable files

Register files whose existing contents you do not want to allow to be overwritten (such as log files) using the "deny_rewrite" directive. Patterns are allowed. For files registered with the "deny_rewrite" directive, "open for writing in non-append mode" and "truncate" are forbidden unless the domain policy explicitly grants them with the "allow_rewrite" directive.
The following is a guideline.

  • Files under /var/log/ directory.

You may find more files depending on applications in your system or configurations. Add missing files after observing which files are used for append-only access.
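The following is an added model, written for this page and not part of TOMOYO's own code, of how a file request is decided under the MAC_FOR_FILE modes from Step 2 and the "allow_read" and "deny_rewrite" exceptions of (2) and (3). Pathnames are compared literally (TOMOYO's pattern syntax is not modelled), and the allow_write/allow_truncate directive names and the per-domain counting of MAX_ACCEPT_ENTRY are assumptions of the model.

```python
# Added model (not TOMOYO's own code) of how a file request is decided under
# the MAC_FOR_FILE modes above, using the allow_read and deny_rewrite
# exceptions. Pathnames are compared literally; TOMOYO's pattern syntax and
# the allow_write/allow_truncate directive names are assumptions of the model.
MODES = ("disabled", "learning", "permissive", "enforcing")
# access kind -> domain-policy directive that grants it
NEEDS = {"read": "allow_read", "append": "allow_write",
         "write": "allow_write", "truncate": "allow_truncate"}

class Domain:
    def __init__(self, name, mode, max_accept_entry=2048):
        assert mode in MODES
        self.name, self.mode, self.max_accept = name, mode, max_accept_entry
        self.acl = set()   # domain policy entries, e.g. ("allow_read", "/etc/fstab")
        self.log = []      # what TOMOYO_VERBOSE=enabled would send to syslog

class Exceptions:
    def __init__(self, allow_read=(), deny_rewrite=()):
        self.allow_read = set(allow_read)       # (2) readable by every domain
        self.deny_rewrite = set(deny_rewrite)   # (3) append-only unless allow_rewrite

def check(domain, exc, access, path):
    """Return True if the request proceeds, False if TOMOYO rejects it."""
    if domain.mode == "disabled":
        return True                             # works as if a regular kernel
    if access == "read" and path in exc.allow_read:
        return True                             # granted without a domain entry
    needed = [(NEEDS[access], path)]
    if access in ("write", "truncate") and path in exc.deny_rewrite:
        needed.append(("allow_rewrite", path))  # non-append open and truncate
    missing = [n for n in needed if n not in domain.acl]
    if not missing:
        return True
    domain.log.append(f"{domain.name}: {access} {path} lacks {missing}")
    if domain.mode == "learning":  # append, bounded by MAX_ACCEPT_ENTRY (whole ACL here)
        for n in missing:
            if len(domain.acl) < domain.max_accept:
                domain.acl.add(n)
    return domain.mode != "enforcing"           # learning/permissive never reject
```

Constructed sample: an enforcing sshd domain holding only "allow_write /var/log/messages" can append to the log but not rewrite it, while a learning-mode shell domain gains "allow_read" entries until MAX_ACCEPT_ENTRY is reached.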

(4) Programs invocable via symbolic links

Normally, TOMOYO Linux checks execute permission using the dereferenced pathname if the requested program is a symbolic link. But to handle programs that behave differently depending on the name they are invoked by, you may define domains using the name of the symbolic link.
To allow executing programs using the name of a symbolic link, use the "alias" directive followed by the dereferenced pathname and the symbolic link's pathname. No patterns are allowed.
For example, /sbin/pidof is a symbolic link to /sbin/killall5. Normally, if /sbin/pidof is executed, the domain is defined as if /sbin/killall5 were executed. By specifying "alias /sbin/killall5 /sbin/pidof", you can run /sbin/pidof in a domain named for /sbin/pidof.

(5) Programs that cause domain transition initialization

Register programs that initialize the domain transition history using the "initialize_domain" directive. No patterns are allowed. When a program registered with the "initialize_domain" directive is executed, the program runs directly under the <kernel> domain.
The following is a guideline.

  • Scripts that start or terminate daemon programs located under /etc/init.d/ directory.
  • Daemon programs that you want to make domain names shorter (for example, httpd and sshd).

You may find more programs depending on applications in your system or configurations. Add missing programs after observing which programs should initialize their domain transition history. But be careful about the side effects on other domains. For example, when the domain policy already includes

<kernel> ... /bin/bash
use_profile 3
allow_execute /bin/tcsh

<kernel> ... /bin/bash /bin/tcsh
use_profile 3
allow_execute /bin/cat

<kernel> ... /bin/bash /bin/tcsh /bin/cat
use_profile 3
allow_read /etc/fstab

and you add /bin/tcsh as initialize_domain, "<kernel> ... /bin/bash /bin/tcsh" becomes an unreachable domain because /bin/tcsh now runs in the "<kernel> /bin/tcsh" domain. In that case, you will need to replace "<kernel> ... /bin/bash /bin/tcsh" with "<kernel> /bin/tcsh" as shown below.

<kernel> ... /bin/bash
use_profile 3
allow_execute /bin/tcsh

<kernel> /bin/tcsh
use_profile 3
allow_execute /bin/cat

<kernel> /bin/tcsh /bin/cat
use_profile 3
allow_read /etc/fstab

(6) Programs that prevent domain transition initialization

To deny the effect of "initialize_domain" directive under specific conditions, use "no_initialize_domain" directive.

(7) Domains that prevent domain transition

To declare domain keepers, use "keep_domain" directive followed by domain definition.
For example, if "keep_domain <kernel> /usr/sbin/sshd /bin/tcsh" is given, any process that belongs to "<kernel> /usr/sbin/sshd /bin/tcsh" domain stays at that domain unless any program registered with "initialize_domain" directive is executed.

(8) Domains that cause domain transition

To deny the effect of "keep_domain" directive under specific conditions, use "no_keep_domain" directive.
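The following is an added model, written for this page and not part of TOMOYO's own code, of how a domain name grows from the execution history described in Step 2 and how the alias, initialize_domain, no_initialize_domain, keep_domain and no_keep_domain exceptions of (4) to (8) alter it. The "program from domain" form of the no_* directives is this model's reading of "under specific conditions"; a no_* entry without "from" applies in every domain, and the symlink map passed to the functions is a constructed stand-in for the filesystem.

```python
# Added model (not TOMOYO's own code) of how a TOMOYO 2.2 domain name grows
# from the execution history and how the alias, initialize_domain,
# no_initialize_domain, keep_domain and no_keep_domain exceptions alter it.
KERNEL = "<kernel>"

class ExceptionPolicy:
    def __init__(self, text=""):
        self.alias = {}             # dereferenced path -> symlink path
        self.initialize = set()     # programs that restart the history
        self.no_initialize = set()  # (program, source domain or None)
        self.keep = set()           # domain keepers
        self.no_keep = set()        # (program, keeper domain or None)
        for line in filter(None, map(str.strip, text.splitlines())):
            directive, _, arg = line.partition(" ")
            prog, _, frm = arg.partition(" from ")   # "X from Y" form assumed
            if directive == "alias":
                real, link = arg.split()
                self.alias[real] = link
            elif directive == "initialize_domain":
                self.initialize.add(arg)
            elif directive == "no_initialize_domain":
                self.no_initialize.add((prog, frm or None))
            elif directive == "keep_domain":
                self.keep.add(arg)
            elif directive == "no_keep_domain":
                self.no_keep.add((prog, frm or None))
            else:
                raise ValueError("unsupported directive: " + line)

def _matches(entries, prog, domain):
    return any(p == prog and (d is None or d == domain) for p, d in entries)

def next_domain(policy, domain, program, symlinks=None):
    """Domain a process in `domain` lands in after executing `program`."""
    real = (symlinks or {}).get(program, program)   # dereference the symlink
    # (4) the symlink name is kept only when an alias registers it
    name = program if policy.alias.get(real) == program else real
    # (5)/(6) initialize_domain wins over keep_domain unless suppressed
    if name in policy.initialize and not _matches(policy.no_initialize, name, domain):
        return f"{KERNEL} {name}"
    # (7)/(8) a domain keeper holds the process unless no_keep_domain applies
    if domain in policy.keep and not _matches(policy.no_keep, name, domain):
        return domain
    return f"{domain} {name}"

def run_chain(policy, programs, symlinks=None):
    # Domain reached by executing `programs` in order, starting at <kernel>.
    domain = KERNEL
    for prog in programs:
        domain = next_domain(policy, domain, prog, symlinks)
    return domain
```

With "initialize_domain /bin/tcsh" the chain init, bash, tcsh, cat ends in "<kernel> /bin/tcsh /bin/cat", which is the unreachable-domain effect described in (5).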

Press the "q" key to exit the policy editor.

Please see the policy editor's tutorial page How to use Policy Editor as needed.


Step 3: Reboot the system

Now, reboot with TOMOYO Linux kernel.

[root@tomoyo ~]# reboot
