This page is for TOMOYO 2.2 (for Linux 2.6.30 - 2.6.35 kernels). For TOMOYO 2.3 (for Linux 2.6.36 and later kernels), see the corresponding page for that version.


Last modified: $Date: 2015-08-31 22:19:51 +0900 (Mon, 31 Aug 2015) $

Phase 4: Tuning policy for your system.

This page describes how to tune TOMOYO's policy.


Step 1: Patterning File Access Permissions

Append to /etc/tomoyo/domain_policy.conf the access permissions for files that are not necessarily touched during learning mode, such as the WWW contents served by the WWW service.
The following example allows /usr/sbin/httpd to read files in the /var/www/html/ directory (one line per directory depth, because \* does not match across "/").

<kernel> /usr/sbin/httpd
use_profile 3
allow_read /var/www/html/\*
allow_read /var/www/html/\*/\*
allow_read /var/www/html/\*/\*/\*
allow_read /var/www/html/\*/\*/\*/\*
allow_read /var/www/html/\*/\*/\*/\*/\*

In the same way, use patterns to group the access permissions for files that should be treated alike.
The following example lets /usr/sbin/smbd handle all of its log files equally.

Before:

<kernel> /usr/sbin/smbd
use_profile 3
allow_write /var/log/samba/host1.log
allow_write /var/log/samba/host2.log
allow_write /var/log/samba/host3.log
allow_write /var/log/samba/host4.log
allow_write /var/log/samba/host5.log

After:

<kernel> /usr/sbin/smbd
use_profile 3
allow_write /var/log/samba/\*.log

You can confirm the range of files a pattern covers with the "tomoyo-pathmatch" command, which lists the existing pathnames that match the given pathname patterns.

[root@tomoyo ~]# /usr/sbin/tomoyo-pathmatch '/var/log/samba/\*.log'
/var/log/samba/host1.log
/var/log/samba/host2.log
/var/log/samba/host3.log
/var/log/samba/host4.log
/var/log/samba/host5.log

Operation example

Save the domain policy currently in the kernel onto the disk.

[root@tomoyo ~]# /usr/sbin/tomoyo-savepolicy d

List the pathnames in the domain policy that look like temporary files.

[root@tomoyo ~]# /usr/sbin/tomoyo-findtemp < /etc/tomoyo/domain_policy.conf
/etc/mtab.tmp
/etc/mtab~
/etc/mtab~2302
/etc/mtab~2328
/etc/mtab~2329
/etc/mtab~2330
/etc/mtab~2331
/etc/mtab~2332
/etc/mtab~2339
/etc/mtab~2383
/halt
/selinux/disable
/selinux/enforce
/selinux/policyvers
/tmp/sh-thd-1163110572
/tmp/sh-thd-1163113704
/var/cache/samba/browse.dat.
/var/lib/nfs/etab.tmp
/var/lib/nfs/xtab.tmp
/var/lock/mrtg/mrtg_l

Find domains that access these files.

[root@tomoyo ~]# /usr/sbin/tomoyo-domainmatch /etc/mtab~2302
<kernel> /sbin/init /etc/rc.d/rc.sysinit /sbin/initlog /etc/rc.d/rc.sysinit /sbin/initlog /bin/mount
allow_create /etc/mtab~2302
allow_write /etc/mtab~2302
allow_link /etc/mtab~2302 /etc/mtab~
allow_unlink /etc/mtab~2302
[root@tomoyo ~]# /usr/sbin/tomoyo-domainmatch /tmp/sh-thd-1163113704
<kernel> /etc/rc.d/init.d/smartd /sbin/initlog /usr/sbin/smartd /bin/sh
allow_create /tmp/sh-thd-1163113704
allow_read/write /tmp/sh-thd-1163113704
allow_unlink /tmp/sh-thd-1163113704

Save the exception policy currently in the kernel onto the disk.

[root@tomoyo ~]# /usr/sbin/tomoyo-savepolicy e

Append patterns to the exception policy on the disk if needed.

[root@tomoyo ~]# echo 'file_pattern /etc/mtab~\$' >> /etc/tomoyo/exception_policy.conf
[root@tomoyo ~]# echo 'file_pattern /tmp/sh-thd-\$' >> /etc/tomoyo/exception_policy.conf

Load the exception policy on the disk to the kernel.

[root@tomoyo ~]# /usr/sbin/tomoyo-loadpolicy ef

Patternize pathnames that match '/etc/mtab~\$' and '/tmp/sh-thd-\$'.

[root@tomoyo ~]# /usr/sbin/tomoyo-patternize '/etc/mtab~\$' '/tmp/sh-thd-\$' < /etc/tomoyo/domain_policy.conf > /etc/tomoyo/domain_policy.tmp

Confirm that these files are patternized.

[root@tomoyo ~]# /usr/sbin/tomoyo-findtemp < /etc/tomoyo/domain_policy.tmp
/etc/mtab.tmp
/etc/mtab~
/halt
/selinux/disable
/selinux/enforce
/selinux/policyvers
/var/cache/samba/browse.dat.
/var/lib/nfs/etab.tmp
/var/lib/nfs/xtab.tmp
/var/lock/mrtg/mrtg_l

Verify that the patterning was done as you intended by diffing the domain policy before and after patternizing.

[root@tomoyo ~]# diff /etc/tomoyo/domain_policy.conf /etc/tomoyo/domain_policy.tmp
2326,2331c2326,2331
< allow_read/write /tmp/sh-thd-1163110572
< allow_read/write /tmp/sh-thd-1163113704
< allow_create /tmp/sh-thd-1163110572
< allow_create /tmp/sh-thd-1163113704
< allow_unlink /tmp/sh-thd-1163110572
< allow_unlink /tmp/sh-thd-1163113704
---
> allow_read/write /tmp/sh-thd-\$
> allow_read/write /tmp/sh-thd-\$
> allow_create /tmp/sh-thd-\$
> allow_create /tmp/sh-thd-\$
> allow_unlink /tmp/sh-thd-\$
> allow_unlink /tmp/sh-thd-\$
3331,3336c3331,3336
< allow_write /etc/mtab~2328
< allow_write /etc/mtab~2329
< allow_write /etc/mtab~2330
< allow_write /etc/mtab~2331
< allow_write /etc/mtab~2332
< allow_write /etc/mtab~2383
---
> allow_write /etc/mtab~\$
> allow_write /etc/mtab~\$
> allow_write /etc/mtab~\$
> allow_write /etc/mtab~\$
> allow_write /etc/mtab~\$
> allow_write /etc/mtab~\$
3338,3349c3338,3349
< allow_create /etc/mtab~2328
< allow_create /etc/mtab~2329
< allow_create /etc/mtab~2330
< allow_create /etc/mtab~2331
< allow_create /etc/mtab~2332
< allow_create /etc/mtab~2383
< allow_link /etc/mtab~2328 /etc/mtab~
< allow_link /etc/mtab~2329 /etc/mtab~
< allow_link /etc/mtab~2330 /etc/mtab~
< allow_link /etc/mtab~2331 /etc/mtab~
< allow_link /etc/mtab~2332 /etc/mtab~
< allow_link /etc/mtab~2383 /etc/mtab~
---
> allow_create /etc/mtab~\$
> allow_create /etc/mtab~\$
> allow_create /etc/mtab~\$
> allow_create /etc/mtab~\$
> allow_create /etc/mtab~\$
> allow_create /etc/mtab~\$
> allow_link /etc/mtab~\$ /etc/mtab~
> allow_link /etc/mtab~\$ /etc/mtab~
> allow_link /etc/mtab~\$ /etc/mtab~
> allow_link /etc/mtab~\$ /etc/mtab~
> allow_link /etc/mtab~\$ /etc/mtab~
> allow_link /etc/mtab~\$ /etc/mtab~
3351,3356c3351,3356
< allow_unlink /etc/mtab~2328
< allow_unlink /etc/mtab~2329
< allow_unlink /etc/mtab~2330
< allow_unlink /etc/mtab~2331
< allow_unlink /etc/mtab~2332
< allow_unlink /etc/mtab~2383
---
> allow_unlink /etc/mtab~\$
> allow_unlink /etc/mtab~\$
> allow_unlink /etc/mtab~\$
> allow_unlink /etc/mtab~\$
> allow_unlink /etc/mtab~\$
> allow_unlink /etc/mtab~\$
3439,3440c3439,3440
< allow_write /etc/mtab~2302
< allow_write /etc/mtab~2339
---
> allow_write /etc/mtab~\$
> allow_write /etc/mtab~\$
3443,3446c3443,3446
< allow_create /etc/mtab~2302
< allow_create /etc/mtab~2339
< allow_link /etc/mtab~2302 /etc/mtab~
< allow_link /etc/mtab~2339 /etc/mtab~
---
> allow_create /etc/mtab~\$
> allow_create /etc/mtab~\$
> allow_link /etc/mtab~\$ /etc/mtab~
> allow_link /etc/mtab~\$ /etc/mtab~
3449,3450c3449,3450
< allow_unlink /etc/mtab~2302
< allow_unlink /etc/mtab~2339
---
> allow_unlink /etc/mtab~\$
> allow_unlink /etc/mtab~\$

Update the domain policy on the disk.

[root@tomoyo ~]# cat /etc/tomoyo/domain_policy.tmp > /etc/tomoyo/domain_policy.conf

Load the domain policy on the disk to the kernel.

[root@tomoyo ~]# /usr/sbin/tomoyo-loadpolicy df

Confirm that the domain policy currently in the kernel is updated.

[root@tomoyo ~]# /usr/sbin/tomoyo-savepolicy -d | /usr/sbin/tomoyo-findtemp
/etc/mtab.tmp
/etc/mtab~
/halt
/selinux/disable
/selinux/enforce
/selinux/policyvers
/var/cache/samba/browse.dat.
/var/lib/nfs/etab.tmp
/var/lib/nfs/xtab.tmp
/var/lock/mrtg/mrtg_l
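The two ideas this page relies on, the \* and \$ wildcards of Step 1 and the patternize step of the operation example, can be checked without touching a TOMOYO kernel. The script below is an added example, not code from tomoyo-tools: it re-implements, in POSIX sh and awk, the pattern matching that tomoyo-pathmatch and tomoyo-patternize perform, for the wildcards used on this page (\* is any run of characters except "/", \$ is one or more decimal digits) plus \? and \+. Octal escapes such as \040 are not handled (an assumption about the input), and the domain policy it rewrites is a constructed sample in the shape of /etc/tomoyo/domain_policy.conf. Two behaviours worth noticing: \* does not cross "/", which is why the httpd example needs one allow_read line per directory depth, and \$ needs at least one digit, which is why /etc/mtab~ stays in the tomoyo-findtemp output above after /etc/mtab~\$ has been applied.

```shell
#!/bin/sh
# Added example, not part of TOMOYO or tomoyo-tools: a small re-implementation of
# the matching done by tomoyo-pathmatch / tomoyo-patternize, restricted to the
# wildcards "\*", "\$", "\?" and "\+". Octal escapes such as \040 are not handled
# (assumption: the policy contains none). The sample policy below is constructed.

# tomoyo_to_ere PATTERN: print a POSIX ERE, anchored at both ends, equivalent to
# the TOMOYO pathname pattern PATTERN.
tomoyo_to_ere() {
    printf '%s\n' "$1" | awk '
    {
        out = "^"; n = length($0); i = 1
        while (i <= n) {
            c = substr($0, i, 1)
            if (c == "\\" && i < n) {
                d = substr($0, i + 1, 1)
                if (d == "*") { out = out "[^/]*";  i += 2; continue }  # \* : no "/"
                if (d == "$") { out = out "[0-9]+"; i += 2; continue }  # \$ : 1+ digits
                if (d == "?") { out = out "[^/]";   i += 2; continue }  # \? : one char
                if (d == "+") { out = out "[0-9]";  i += 2; continue }  # \+ : one digit
                c = d; i++   # any other backslash pair: keep the second char literally
            }
            # escape ERE metacharacters so the "." in "host1.log" stays a literal dot
            if (index(".+?()|^$[]*\\", c) > 0) out = out "\\" c
            else out = out c
            i++
        }
        print out "$"
    }'
}

# path_matches PATH PATTERN: succeed if PATH matches the TOMOYO pattern.
path_matches() {
    printf '%s\n' "$1" | grep -Eq "$(tomoyo_to_ere "$2")"
}

# patternize PATTERN... < policy: rewrite every path argument of an allow_* line
# that matches one of the patterns into that pattern (what tomoyo-patternize does).
# Domain headers and use_profile lines are passed through untouched.
patternize() {
    nl='
'
    pairs=
    for pat in "$@"; do
        pairs="$pairs$(tomoyo_to_ere "$pat") $pat$nl"   # one "ERE PATTERN" per line
    done
    TOMOYO_PAIRS=$pairs awk '
    BEGIN {
        n = split(ENVIRON["TOMOYO_PAIRS"], lines, "\n")
        np = 0
        for (i = 1; i <= n; i++) {
            if (lines[i] == "") continue
            split(lines[i], kv, " ")
            np++; ere[np] = kv[1]; pat[np] = kv[2]
        }
    }
    /^<kernel>/ || /^use_profile/ || NF == 0 { print; next }
    {
        for (f = 2; f <= NF; f++)          # $1 is the keyword (allow_write, allow_link, ...)
            for (p = 1; p <= np; p++)
                if ($f ~ ere[p]) { $f = pat[p]; break }
        print
    }'
}

# Constructed sample in the shape of /etc/tomoyo/domain_policy.conf.
SAMPLE_POLICY='<kernel> /etc/rc.d/init.d/smartd /sbin/initlog /usr/sbin/smartd /bin/sh
use_profile 3
allow_create /tmp/sh-thd-1163110572
allow_read/write /tmp/sh-thd-1163110572
allow_unlink /tmp/sh-thd-1163110572

<kernel> /usr/sbin/smbd
use_profile 3
allow_write /var/log/samba/host1.log
allow_write /var/log/samba/host2.log
allow_write /var/log/samba/sub/host3.log
allow_create /etc/mtab~2302
allow_link /etc/mtab~2302 /etc/mtab~'

# patternize_sample: apply the page's two temporary-file patterns plus the samba
# log pattern to the sample, then collapse the adjacent duplicate lines that
# patternizing leaves behind (the diff on this page shows the same duplicates).
patternize_sample() {
    printf '%s\n' "$SAMPLE_POLICY" \
        | patternize '/tmp/sh-thd-\$' '/etc/mtab~\$' '/var/log/samba/\*.log' \
        | uniq
}

patternize_sample
```

In the output, the two samba host logs collapse into one allow_write /var/log/samba/\*.log line while /var/log/samba/sub/host3.log is left alone, and allow_link /etc/mtab~2302 /etc/mtab~ becomes allow_link /etc/mtab~\$ /etc/mtab~ with the second argument untouched. Run the real tomoyo-pathmatch against the filesystem before trusting a pattern: a pattern that is too wide grants access to every present and future file it matches, not only the ones seen during learning.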
