Info: Version 1.4.x is available.
Last modified: $Date: 2019-02-04 20:23:38 +0900 (Mon, 04 Feb 2019) $
Since TOMOYO Linux policy is expressed in terms of pathnames, TOMOYO Linux is well suited to tracing file accesses.
You can use TOMOYO Linux to find out how programs access files, or which program is creating files in a specific directory.
To compile the kernel, see TOMOYO Linux kernel compilation.
If you are using a distribution that supports SELinux, you might encounter errors while installing packages if SELinux is not disabled. If you see the error messages shown below while installing packages, disable SELinux and retry. You can disable SELinux either by changing SELINUX=disabled in /etc/selinux/config and rebooting, or by adding selinux=0 to the kernel's boot parameters.
    [root@localhost ~]# rpm -ihv kernel-2.6.9-55.0.2.EL_tomoyo_1.4.1.i586.rpm
    Preparing...                ########################################### [100%]
    Error: %pre(kernel-2.6.9-55.0.2.EL_tomoyo_1.4.1.i586) scriptlet failed, exit status 255
    Error: install: %pre scriptlet failed (2), skipping kernel-2.6.9-55.0.2.EL_tomoyo_1.4.1
TOMOYO Linux itself can coexist with SELinux. You may continue with SELinux enabled if you want.
If you install the rpm package, the following entry is added to /boot/grub/grub.conf upon successful installation.
    title CentOS (2.6.9-55.0.2.EL_tomoyo_1.4.1)
            root (hd0,0)
            kernel /vmlinuz-2.6.9-55.0.2.EL_tomoyo_1.4.1 ro root=/dev/VolGroup00/LogVol00
            initrd /initrd-2.6.9-55.0.2.EL_tomoyo_1.4.1.img
Append "init=/.init" to the "kernel" line.
    title CentOS (2.6.9-55.0.2.EL_tomoyo_1.4.1)
            root (hd0,0)
            kernel /vmlinuz-2.6.9-55.0.2.EL_tomoyo_1.4.1 ro root=/dev/VolGroup00/LogVol00 init=/.init
            initrd /initrd-2.6.9-55.0.2.EL_tomoyo_1.4.1.img
If you install the deb package, the following entry is added to /boot/grub/menu.lst upon successful installation.
    title Debian GNU/Linux, kernel 2.6.8-16sarge7-ccs
            root (hd0,0)
            kernel /boot/vmlinuz-2.6.8-16sarge7-ccs root=/dev/sda1 ro
            initrd /boot/initrd.img-2.6.8-16sarge7-ccs
            savedefault
            boot
Append "init=/.init" to the "kernel" line.
    title Debian GNU/Linux, kernel 2.6.8-16sarge7-ccs
            root (hd0,0)
            kernel /boot/vmlinuz-2.6.8-16sarge7-ccs root=/dev/sda1 ro init=/.init
            initrd /boot/initrd.img-2.6.8-16sarge7-ccs
            savedefault
            boot
"/.init" is a script that loads TOMOYO Linux's policy files; it is executed before "/sbin/init" starts.
"/.init" is included in the TOMOYO Linux tools package.
To compile the tools, run the following commands.
    cd /root/
    # Download source of tools for TOMOYO Linux.
    wget -O ccs-tools-1.4.1-20070605.tar.gz 'https://osdn.jp/frs/redir.php?m=jaist&f=/tomoyo/25543/ccs-tools-1.4.1-20070605.tar.gz'
    # Extract.
    tar -zxf ccs-tools-1.4.1-20070605.tar.gz
    # Compile.
    make -sC ccstools/
    # Move the policy loader to / .
    mv ccstools/.init /
Create /etc/ccs/manager.txt with the following contents.
    /root/ccstools/editpolicy
Create /etc/ccs/status.txt with the following contents.
    MAC_FOR_FILE=1
    MAX_ACCEPT_ENTRY=1048576
    MAX_GRANT_LOG=0
    MAX_REJECT_LOG=0
    TOMOYO_VERBOSE=0
Save the output of the following command as /etc/ccs/exception_policy.txt .
    /root/ccstools/make_exception.sh | grep ^file_pattern | sort | uniq
Reboot with the TOMOYO Linux kernel.
The following message will appear when "/.init" runs successfully; press "Enter".
    Press 'Enter' or wait for 10 seconds to use default status.
    You may input 'disabled' and press 'Enter' to disable MAC in case of emergency.
    >
If the profiles are loaded successfully, /sbin/init will start and the system will boot.
On failure, the following message will appear and the system halts.
    No profiles loaded. Run policy loader using 'init=' option.
If it fails, check the following points.
Run applications you want to analyze.
You can see the list of programs executed so far by running /root/ccstools/editpolicy . Choose a program and press "Enter" to see the list of files that program accessed. See How to use Policy Editor for usage of the policy editor.
You can save the list of all files accessed so far as /etc/ccs/domain_policy.txt by running /root/ccstools/savepolicy .
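As an added example (not part of the TOMOYO Linux tools), the script below reads a saved domain_policy.txt and reports which programs modified files under a given directory, which is the "what program is creating files in a specific directory" question this page sets out to answer. The header/entry layout of domain_policy.txt and the set of modifying keywords are assumed from the 1.x policy format, and the policy excerpt embedded in the script is constructed.

```python
from collections import defaultdict

# Constructed excerpt in the layout of a saved TOMOYO 1.x domain_policy.txt (format assumed):
# a "<kernel>" header names the domain by execution history; the entries below it are the
# file accesses learned for that domain. Spaces inside paths are encoded as \040.
SAMPLE_POLICY = """\
<kernel> /sbin/init /etc/rc.d/rc /etc/rc.d/init.d/httpd /usr/sbin/httpd
use_profile 1
allow_read /etc/httpd/conf/httpd.conf
allow_write /var/log/httpd/access_log
allow_create /var/run/httpd.pid
allow_read/write /var/lib/php/session/sess_\\*

<kernel> /usr/sbin/crond /usr/bin/logrotate
use_profile 1
allow_read /var/log/httpd/access_log
allow_create /var/log/httpd/access_log.1
allow_unlink /var/log/httpd/access_log.1
"""

# Access keywords that modify the filesystem (assumed subset of the 1.x keyword set).
MODIFYING = {"allow_write", "allow_read/write", "allow_create", "allow_unlink",
             "allow_mkdir", "allow_rmdir", "allow_truncate", "allow_rename",
             "allow_symlink", "allow_link"}


def parse_domain_policy(text):
    """Return {domain header: [(keyword, path), ...]}, skipping use_profile lines."""
    domains = defaultdict(list)
    current = None
    for line in text.splitlines():
        if line.startswith("<kernel>"):
            current = line
        elif line and current and not line.startswith("use_profile"):
            keyword, _, rest = line.partition(" ")
            for path in rest.split():  # allow_rename/allow_link carry two paths
                domains[current].append((keyword, path))
    return dict(domains)


def writers_under(text, directory):
    """Map each path under `directory` to the programs (last element of the
    domain header) whose domains modified it."""
    prefix = directory.rstrip("/") + "/"
    hits = defaultdict(set)
    for domain, entries in parse_domain_policy(text).items():
        for keyword, path in entries:
            if keyword in MODIFYING and path.startswith(prefix):
                hits[path].add(domain.split()[-1])
    return {path: sorted(programs) for path, programs in hits.items()}
```

To run it against a real system, read /etc/ccs/domain_policy.txt into `text` instead of using the constructed excerpt.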