This page is for TOMOYO 2.2 (for Linux 2.6.30 - 2.6.35 kernels). Please jump to this page for TOMOYO 2.3 (for Linux 2.6.36 and later kernels).


Last modified: 2015-08-31 22:19:51 +0900 (Mon, 31 Aug 2015)

Tools Documentation

<<Tools for system administrators>>

<Policy Editor "tomoyo-editpolicy">

Edits the current policy in the /sys/kernel/security/tomoyo/ directory.

You may give one of 'e', 'd', 'p', 'm' or 'u' on the command line to choose the initial screen. If none is given, the domain listing screen is shown.


Up-arrow      Scroll 1 line up.
Down-arrow    Scroll 1 line down.
PageUp        Scroll 1 page up.
PageDown      Scroll 1 page down.
Right-arrow   Scroll 1 column right.
Left-arrow    Scroll 1 column left.
Home          Move to the top of line.
End           Move to the bottom of line.


f/F           Find First
n/N           Find Next
p/P           Find Previous


a/A           Add an entry.
Enter         Edit ACLs of a domain at the cursor position. (Valid only for screen for domain listing.)
Space         Invert selection state of an entry at the cursor position.
c/C           Copy selection state of an entry at the cursor position to all entries below the cursor position.
d/D           Delete selected entries.
s/S           Set profile number of selected entries. (Valid only for screen for domain listing.)
Insert        Copy an entry at the cursor position to history buffer.


w/W           Switch to window list.

A tutorial is available at How to use Policy Editor.

<Policy Loader "tomoyo-loadpolicy">

Reloads the on-disk policy into memory.

There are the following commandline parameters.

<Control Level Changer "tomoyo-setlevel">

Changes the current control level (i.e. writes to /sys/kernel/security/tomoyo/profile ) and displays the new control level.

You can give the new control level as a command-line parameter.

<Profile Selector "tomoyo-setprofile">

Assigns a profile to domains.

You can give the new profile number and domainnames as command-line parameters. The list of domainnames whose assigned profile number has changed is printed.

<Process Info Viewer "tomoyo-pstree">

Lists the domainnames that currently running processes belong to and the profile numbers currently assigned to those domains.

This program shows the profile number, the process name, the PID and the domainname, like the "pstree" command.

<Policy Saver "tomoyo-savepolicy">

Saves the in-memory policy to disk.

There are the following commandline parameters.

<Temporal Pathnames Detector "tomoyo-findtemp">

Reads domain policy from standard input, checks whether each pathname exists, and prints the nonexistent pathnames.

Nonexistent pathnames are likely to be temporary pathnames. Find the naming rule shared by similar nonexistent pathnames and append the corresponding pattern to /etc/tomoyo/exception_policy.conf and /sys/kernel/security/tomoyo/exception_policy .

You can pass the content of /etc/tomoyo/domain_policy.conf or /sys/kernel/security/tomoyo/domain_policy using redirection or pipes to the standard input of this program.
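The check described above, sketched in Python as an added example (this is not the tomoyo-findtemp source). It assumes TOMOYO 2.2 policy syntax ("allow_<op> <pathname>" lines, \ooo octal escapes, other backslash escapes treated as wildcards); the root parameter is a hypothetical convenience, not a tool option.

```python
import os
import re
import sys

# Assumed TOMOYO 2.2 policy syntax: ACL lines are "allow_<op> <pathname>...",
# pathnames start with "/" and write special bytes as \ooo octal ("\\" is a
# literal backslash); other backslash escapes (\* \$ \? ...) are wildcards.
OCTAL = re.compile(rb"\\([0-3][0-7]{2})")
WILDCARD = re.compile(rb"\\[^0-3]")


def decode_pathname(token):
    """Return the on-disk bytes for a policy pathname, or None if patterned."""
    raw = token.encode("utf-8").replace(b"\\\\", b"\\134")
    if WILDCARD.search(raw):
        return None  # already a pattern, nothing to look up
    return OCTAL.sub(lambda m: bytes([int(m.group(1), 8)]), raw)


def find_nonexistent(policy_text, root="/"):
    """List pathnames in allow_* lines that do not exist under root.

    root is a hypothetical convenience (not a tomoyo-findtemp option) for
    checking a mounted image or a test directory instead of the live system.
    """
    missing = set()
    for line in policy_text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("allow_"):
            continue  # domain headers, use_profile lines, blanks
        for token in fields[1:]:
            if not token.startswith("/"):
                continue
            path = decode_pathname(token)
            if path is None:
                continue
            target = os.path.join(os.fsencode(root), path.lstrip(b"/"))
            if not os.path.lexists(target):
                missing.add(token)
    return sorted(missing)


if __name__ == "__main__":
    # Same calling convention the page describes: policy on standard input.
    for name in find_nonexistent(sys.stdin.read()):
        print(name)
```

Entries such as /tmp/sess_a8f3c1 that show up in the output with a shared prefix are the candidates for a single pattern in the exception policy; review each one before generalizing, since a pattern grants access to every pathname it matches.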

<Library Pathnames Updater "tomoyo-ld-watch">

Automatically appends shared libraries to the exception policy using the "allow_read" directive when the location of shared libraries in /etc/ has changed.

By running this program while updating packages, you can avoid "unable to start applications because shared libraries are unreadable" errors when the pathnames of shared libraries accessed by general programs have changed.

<Policy Syntax Checker "tomoyo-checkpolicy">

Reads policy files from standard input and checks their syntax.

Prints errors with line numbers if any.

<Initial Policy Loader "tomoyo-init">

Loads policy files from the /etc/tomoyo/ directory.

Install this program as /sbin/tomoyo-init , and it will be invoked automatically when execution of /sbin/init is requested by initrd.

<ACL Searcher "tomoyo-domainmatch">

This is a "fgrep" for /sys/kernel/security/tomoyo/domain_policy .

<Pathname Pattern Replacer "tomoyo-patternize">

Reads domain policy from standard input, replaces each pathname that matches one of the patterns given on the command line with that pattern, and writes the result to standard output. Pathnames that carry execute permission and domainnames are not replaced with patterns.

<Policy Template Generator "tomoyo_init_policy">

Generates templates for policy. You need to review the output because automatically generated policy may contain redundant or dangerous entries.
