This page is for TOMOYO 2.2 (for Linux 2.6.30 - 2.6.35 kernels). Please jump to this page for TOMOYO 2.3 (for Linux 2.6.36 and later kernels).

Japanese Page

Last modified: $Date: 2015-08-31 22:19:51 +0900 (Mon, 31 Aug 2015) $

Phase 3: Learning your system's behavior.

This page describes how to use TOMOYO's learning mode.


Step 1: Creating domains

After you rebooted the system with TOMOYO Linux kernels, login as root.

Decide what application to analyze/protect.

Below procedure is a case of Apache in CentOS 5 environment.

Start the target application.

[root@tomoyo ~]# service httpd start

Let's start TOMOYO's policy editor. Please note that this time, you don't need to pass /etc/tomoyo/ to the command line, for we directly edits TOMOYO's policy currently used by the kernel.

In the CentOS 5 , Apache's program's location is /usr/sbin/httpd .
Scroll the cursor using arrow-keys and/or Home/End/PageUp/PageDown keys to find the line /usr/sbin/httpd . In this picture, it is line 416.

editpolicy-httpd-profile0.png

If /usr/sbin/httpd is registered with "initialize_domain", a domain named "<kernel> /usr/sbin/httpd" is created by invoking /usr/sbin/httpd . If not registered, a child domain of invoker domain (for example, if you invoked from "<kernel> /usr/sbin/mingetty /bin/login /bin/bash", it is "<kernel> /usr/sbin/mingetty /bin/login /bin/bash /usr/sbin/httpd") is created. This manual assumes that /usr/sbin/httpd is registered with "initialize_domain".

Press 's' key and enter '1' and press 'Enter' key.

editpolicy-httpd-set-profile1.png

Now the profile number of the /usr/sbin/httpd has changed to 1.

editpolicy-httpd-profile1.png

Press 'q' key to quit the policy editor. Then, run "tomoyo-pstree" and verify that /usr/sbin/httpd processes are assigned profile number 1.

pstree-httpd1.png


Step 2: Gathering necessary permissions

Restart the Apache in order to learn necessary permissions for starting/finishing the Apache.

[root@tomoyo ~]# service httpd restart

Run TOMOYO's policy editor again and go to the /usr/sbin/httpd line. (Line number may be changed because new domains are added by programs executed by you and the system.)

Press 'Enter' key to browse the permissions gathered by now.

editpolicy-httpd-acl1.png

Press 'q' key to quit the policy editor. Do whatever you want to allow Apache.

Be sure to sometimes save policy, for necessary permissions are accumulated on only kernel memory. If you reboot the system, all gathered permissions will be lost.

To save the policy currently in the kernel onto the disk, use "tomoyo-savepolicy" command.

[root@tomoyo ~]# /usr/sbin/tomoyo-savepolicy

By executing "tomoyo-savepolicy", two files ("exception_policy.conf", "domain_policy.conf") are created in the /etc/tomoyo/ directory. To be accurate, they are symbolic links to text files whose filenames contain the creation time.

To load the policy currently on the disk into the kernel, use "tomoyo-loadpolicy" command.

[root@tomoyo ~]# /usr/sbin/tomoyo-loadpolicy af

The "a" option means load two files ("exception_policy.conf", "domain_policy.conf"). The "f" option means erase the policy currently in the kernel before loading the policy currently on the disk. If "f" is not given, the policy currently on the disk will be added to the policy currently in the kernel.


Step 3: Reviewing gathered permissions

After you came to think you have done roughly everything you want to allow Apache to do, run the policy editor and change the profile number to 2. Note that Apache may have executed some external programs (e.g. /bin/sh , /usr/bin/perl , /usr/lib/sendmail) and thus has descendant domains. Be sure to change the profile number for descendant domains if any as well as the /usr/sbin/httpd domain.

Choose target domains and press 's' key and enter '2' and press 'Enter' key.

editpolicy-httpd-set-profile2.png

Now the profile number of the /usr/sbin/httpd and descendant has changed to 2.

editpolicy-httpd-profile2.png

Press 'q' key to quit the policy editor. Redo whatever you want to allow Apache to do.

If the profile is configured as "TOMOYO_VERBOSE=enabled" (this is default), the "TOMOYO-WARNING:" messages will be printed to the console when policy violation occurs.

permissive-warning.png

If the "TOMOYO-WARNING:" messages are no longer printed after you have likely done everything you want Apache to allow, proceed to the next step.

If your purpose of using TOMOYO Linux is for just analysis, this point is the goal of this procedure.

If your purpose of using TOMOYO Linux is for protection, proceed to next phase.


Return to index page.

sflogo.php