Info: Version 1.4.x is available.

Access Analysis using TOMOYO Linux

Last modified: $Date: 2019-02-04 20:23:38 +0900 (Mon, 04 Feb 2019) $

Because TOMOYO Linux policy is expressed in terms of pathnames, TOMOYO Linux can be used to trace file accesses.
You can use it to find out how programs access files, or which program is creating files in specific directories.


Install TOMOYO Linux kernel

To compile the kernel, see TOMOYO Linux kernel compilation.

If you are using a distribution that supports SELinux, you might encounter errors while installing packages unless SELinux is disabled. If you see error messages like those shown below while installing packages, disable SELinux and retry. You can disable SELinux either by setting SELINUX=disabled in /etc/selinux/config and rebooting, or by adding selinux=0 to the kernel's boot parameters.

[root@localhost ~]# rpm -ihv kernel-2.6.9-55.0.2.EL_tomoyo_1.4.1.i586.rpm
Preparing...                ########################################### [100%]
Error: %pre(kernel-2.6.9-55.0.2.EL_tomoyo_1.4.1.i586) scriptlet failed, exit status 255
Error:   install: %pre scriptlet failed (2), skipping kernel-2.6.9-55.0.2.EL_tomoyo_1.4.1

TOMOYO Linux itself can coexist with SELinux. You may continue with SELinux enabled if you want.

If you install the rpm package, the following entry is added to /boot/grub/grub.conf upon successful installation.

title CentOS (2.6.9-55.0.2.EL_tomoyo_1.4.1)
    root (hd0,0)
    kernel /vmlinuz-2.6.9-55.0.2.EL_tomoyo_1.4.1 ro root=/dev/VolGroup00/LogVol00
    initrd /initrd-2.6.9-55.0.2.EL_tomoyo_1.4.1.img

Append "init=/.init" to the "kernel" line.

title CentOS (2.6.9-55.0.2.EL_tomoyo_1.4.1)
    root (hd0,0)
    kernel /vmlinuz-2.6.9-55.0.2.EL_tomoyo_1.4.1 ro root=/dev/VolGroup00/LogVol00 init=/.init
    initrd /initrd-2.6.9-55.0.2.EL_tomoyo_1.4.1.img

If you install the deb package, the following entry is added to /boot/grub/menu.lst upon successful installation.

title Debian GNU/Linux, kernel 2.6.8-16sarge7-ccs
root (hd0,0)
kernel /boot/vmlinuz-2.6.8-16sarge7-ccs root=/dev/sda1 ro
initrd /boot/initrd.img-2.6.8-16sarge7-ccs

Append "init=/.init" to the "kernel" line.

title Debian GNU/Linux, kernel 2.6.8-16sarge7-ccs
root (hd0,0)
kernel /boot/vmlinuz-2.6.8-16sarge7-ccs root=/dev/sda1 ro init=/.init
initrd /boot/initrd.img-2.6.8-16sarge7-ccs

"/.init" is a script that loads TOMOYO Linux's policy files; it is executed before "/sbin/init" starts.
"/.init" is included in the TOMOYO Linux tools package.

Install TOMOYO Linux tools

To compile the tools, run the following commands.

cd /root/
# Download source of tools for TOMOYO Linux.
wget -O ccs-tools-1.4.1-20070605.tar.gz ''
# Extract.
tar -zxf ccs-tools-1.4.1-20070605.tar.gz
# Compile.
make -sC ccstools/
# Move policy loader to / .
mv ccstools/.init /

Create Policy

Create /etc/ccs/manager.txt with the following contents.


Create /etc/ccs/status.txt with the following contents.


Save the output of the following commands as /etc/ccs/exception_policy.txt .

/root/ccstools/ | grep ^file_pattern | sort | uniq


Reboot with the TOMOYO Linux kernel.

The following messages will appear upon successful execution of "/.init", so press "Enter".

Press 'Enter' or wait for 10 seconds to use default status.
You may input 'disabled' and press 'Enter' to disable MAC in case of emergency.

If the profiles are loaded successfully, /sbin/init starts and the system boots.
On failure, the following message appears and the system halts.

No profiles loaded. Run policy loader using 'init=' option.

If it fails, check the following points.

Run the applications you want to analyze.

You can see the list of programs executed so far by running /root/ccstools/editpolicy . Choose a program and press "Enter" to see the list of files accessed by that program. See How to use Policy Editor for usage of the policy editor.

You can save the list of all files accessed so far as /etc/ccs/domain_policy.txt by running /root/ccstools/savepolicy .
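
The saved file can then answer the question "which program is creating files in a specific directory". The following is an added example, not part of the TOMOYO Linux tools. It assumes the 1.4.x domain_policy.txt layout, in which each domain starts with a "<kernel> ..." line and creations are recorded as "allow_create" / "allow_mkdir" entries; the function names and the sample policy are constructed for illustration.

```shell
#!/bin/sh
# who_creates DIR [POLICY]: print "program<TAB>pathname" for every
# allow_create / allow_mkdir entry whose pathname lies under DIR.
# Assumed layout (TOMOYO 1.4.x): a domain begins with a line whose first
# word is "<kernel>"; the last word of that line is the program the domain
# belongs to, and the domain's entries follow until the next such line.
who_creates() {
    dir=${1%/}/        # exactly one trailing slash, so /tmp never matches /tmpfiles
    policy=${2:-/etc/ccs/domain_policy.txt}
    DIR="$dir" awk '
        $1 == "<kernel>" { prog = $NF; next }
        ($1 == "allow_create" || $1 == "allow_mkdir") &&
            index($2, ENVIRON["DIR"]) == 1 { print prog "\t" $2 }
    ' "$policy" | LC_ALL=C sort -u
}

# Constructed sample policy (not taken from a real system).
sample_policy() {
    cat <<'EOF'
<kernel>
use_profile 1

<kernel> /sbin/init /etc/rc.d/rc.sysinit
use_profile 1
1 /bin/mount
4 /etc/fstab

<kernel> /usr/sbin/sshd /bin/bash /usr/bin/vim
use_profile 1
4 /etc/passwd
allow_create /tmp/.vimswap
6 /tmp/.vimswap
allow_create /home/user/notes.txt

<kernel> /usr/sbin/httpd
use_profile 1
allow_mkdir /tmp/sess/
allow_create /tmpfiles/x
EOF
}
```

For example, "who_creates /tmp" reads /etc/ccs/domain_policy.txt and lists each program that created a file or directory under /tmp/ while the system was being observed.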