Chapter 8: Interface permissions
In order for a application or domain to modify policy in the /sys/kernel/security/tomoyo/ interface, it must be listed in /sys/kernel/security/tomoyo/manager. To register an application, you can for example run the following command:
# echo "/usr/sbin/tomoyo-editpolicy" | /usr/sbin/tomoyo-loadpolicy -m
By default, only processes with UID=0 and EUID=0 (a.k.a. root user) are allowed to modify policy. In order to allow $USER user to modify policy, run this command:
# echo "manage_by_non_root" | /usr/sbin/tomoyo-loadpolicy -m # chown -R $USER /sys/kernel/security/tomoyo/
This can be reversed by running this command:
# echo "delete manage_by_non_root" | /usr/sbin/tomoyo-loadpolicy -m # chown -R root /sys/kernel/security/tomoyo/
If you want to have a separate user that is able to modify policy, the file "
/etc/tomoyo/tomoyo-post-init" can be used. If this file exists, it is executed by
/sbin/tomoyo-init at boot. To allow 'tomoyo' user to modify policy, create "
/etc/tomoyo/tomoyo-post-init" with the following contents:
#! /bin/sh echo manage_by_non_root > /sys/kernel/security/tomoyo/manager chown -R tomoyo /sys/kernel/security/tomoyo/
Then, make this file executable and make policy directory readable/writable by 'tomoyo' user:
# chmod 755 /etc/tomoyo/tomoyo-post-init # chown -R tomoyo /etc/tomoyo/