TOMOYO Linux Kickstarting Manual for Mandriva 2008.1

About this page

This page explains how to introduce TOMOYO Linux 1.6.3 on Mandriva 2008.1 systems. By following this page, you will be able to experience the fundamental functionalities of TOMOYO Linux and to configure and operate it.

Installing TOMOYO Linux tools

You need to install the TOMOYO Linux tools. The TOMOYO Linux tools include programs for managing TOMOYO Linux's policy.

Install the ccs-tools rpm package from the administrator's console.
To start an administrator's console, select "Menu" => "Tools" => "System Tools" => "Configure Your Computer" menu.
Then, select "System" => "Open a console as administrator" menu.

Opening console as root user

Run the urpmi command to install the ccs-tools package.

# urpmi ccs-tools

Initializing policy configuration

A script that performs the configurations in this chapter is included in the tools package. Run the script as follows from a console or terminal.

# /usr/lib/ccs/init_policy.sh --file-only-profile

The execution of init_policy.sh may take a long time (more than 10 minutes in some environments).

You have finished all preparations. Now, reboot the system.

# reboot

About configuration directory

The default directory for storing TOMOYO Linux's configuration is /etc/ccs/ .

About profiles

Since TOMOYO Linux has many functionalities, you can selectively enable or disable them using "profiles". All profiles are stored in a single file, /etc/ccs/profile.conf, and you can switch the profile assigned to each domain.

Since this page explains only MAC for files, /etc/ccs/profile.conf will contain the following entries.

0-COMMENT=-----Disabled Mode-----
0-MAC_FOR_FILE=disabled
0-TOMOYO_VERBOSE=disabled
1-COMMENT=-----Learning Mode-----
1-MAC_FOR_FILE=learning
1-TOMOYO_VERBOSE=disabled
2-COMMENT=-----Permissive Mode-----
2-MAC_FOR_FILE=permissive
2-TOMOYO_VERBOSE=enabled
3-COMMENT=-----Enforcing Mode-----
3-MAC_FOR_FILE=enforcing
3-TOMOYO_VERBOSE=enabled

The syntax of an entry of /etc/ccs/profile.conf is shown below.

$profile_number-$topic_name=$control_mode

The leading integer ($profile_number) is the name of the profile, the word before = ($topic_name) is the name of the functionality, and the word after = ($control_mode) is its control mode.

The $topic_name = COMMENT is just a note for administrators.

The $topic_name = MAC_FOR_FILE means "MAC for file accesses".

The $topic_name = TOMOYO_VERBOSE controls whether policy violation messages are printed to the console: they are printed if $control_mode = enabled and not printed if $control_mode = disabled.

The above example has 4 profiles (0 to 3), whose purposes are shown below.

profile 0: Don't apply MAC for file accesses. Don't print policy violation messages on console.
profile 1: Apply MAC for file accesses using learning mode. Don't print policy violation messages on console.
profile 2: Apply MAC for file accesses using permissive mode. Print policy violation messages on console.
profile 3: Apply MAC for file accesses using enforcing mode. Print policy violation messages on console.

The basic procedure is: generate policy using learning mode (defined in profile 1), confirm the policy using permissive mode (defined in profile 2), and enforce the policy using enforcing mode (defined in profile 3).
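The following is an added example (not part of ccs-tools) that checks /etc/ccs/profile.conf entries against the $profile_number-$topic_name=$control_mode syntax above; it accepts only the three topics this page shows, and the sample is a constructed copy of this page's profile.conf with one topic name deliberately mistyped (MAC_FOF_FILE) to show what the check reports.

```python
"""Validator for TOMOYO Linux 1.6 /etc/ccs/profile.conf entries.

Added example, not ccs-tools code. Entries read $profile_number-$topic_name=$control_mode;
only the three topics this manual shows are accepted (the real file defines more).
"""
import re

# Control modes each topic accepts; COMMENT is free text for administrators.
TOPIC_MODES = {
    "COMMENT": None,
    "MAC_FOR_FILE": {"disabled", "learning", "permissive", "enforcing"},
    "TOMOYO_VERBOSE": {"disabled", "enabled"},
}
ENTRY_RE = re.compile(r"^(\d+)-([A-Z_]+)=(.*)$")

def parse_profile_conf(text):
    """Return ({profile_number: {topic: mode}}, [error messages])."""
    profiles, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            errors.append(f"line {lineno}: not of the form N-TOPIC=value: {line!r}")
            continue
        number, topic, mode = int(m.group(1)), m.group(2), m.group(3)
        if topic not in TOPIC_MODES:
            errors.append(f"line {lineno}: unknown topic {topic!r}")
        elif TOPIC_MODES[topic] is not None and mode not in TOPIC_MODES[topic]:
            errors.append(f"line {lineno}: {topic} cannot be {mode!r}")
        else:
            profiles.setdefault(number, {})[topic] = mode
    # A profile used in the learning/permissive/enforcing cycle must set MAC_FOR_FILE.
    for number in sorted(profiles):
        if "MAC_FOR_FILE" not in profiles[number]:
            errors.append(f"profile {number}: MAC_FOR_FILE not set")
    return profiles, errors

# Constructed sample: this manual's profile.conf with the topic on line 8 mistyped.
SAMPLE_CONF = """\
0-COMMENT=-----Disabled Mode-----
0-MAC_FOR_FILE=disabled
0-TOMOYO_VERBOSE=disabled
1-COMMENT=-----Learning Mode-----
1-MAC_FOR_FILE=learning
1-TOMOYO_VERBOSE=disabled
2-COMMENT=-----Permissive Mode-----
2-MAC_FOF_FILE=permissive
2-TOMOYO_VERBOSE=enabled
3-COMMENT=-----Enforcing Mode-----
3-MAC_FOR_FILE=enforcing
3-TOMOYO_VERBOSE=enabled
"""
```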

About programs that can update policies

Programs that can update policies are listed in /etc/ccs/manager.conf . The following programs are listed.

/usr/lib/ccs/loadpolicy
/usr/lib/ccs/editpolicy
/usr/lib/ccs/setlevel
/usr/lib/ccs/setprofile
/usr/lib/ccs/ld-watch
/usr/lib/ccs/ccs-queryd

About exception policy

/etc/ccs/exception_policy.conf contains the following 12 types of exceptions.

  1. Pathname pattern
  2. Pathname group
  3. Address group
  4. Unconditionally readable files
  5. Unconditionally usable environment variable names
  6. Non-rewritable files
  7. Programs invocable via symbolic links
  8. Program aggregations
  9. Programs that cause domain transition initialization
  10. Programs that prevent domain transition initialization
  11. Domains that prevent domain transition
  12. Domains that cause domain transition

About audit logs

TOMOYO Linux has two types of logs, "access granted logs" (access requests that didn't violate domain policy) and "access rejected logs" (access requests that violated domain policy). By installing the ccs-tools package, the system is automatically configured to save "access rejected logs".

Switching to learning mode

Start TOMOYO Linux's policy editor from the administrator's console.

# /usr/sbin/ccs-editpolicy

You will see the screen shown below. Note that the number of domains may differ depending on the environment.

Policy Editor

For example, let's search for this editor from this screen. Press "f", enter "ccs-editpolicy" and press the "Enter" key.

Policy Editor

You can scroll the screen using the arrow keys. You will find a line containing "/usr/sbin/ccs-editpolicy".

Policy Editor

To do some operations, open a Konsole window.
To start a Konsole window, select "Menu" => "Tools" => "Konsole" menu.

Opening Konsole

Switch to the policy editor's window and let's search for the domain of the Konsole window. Press "r" to refresh. Press "f", enter "start_kdeinit" and press the "Enter" key. You will find a line containing "/usr/bin/kdeinit".

Policy Editor

Move the cursor to the line below the line containing "/usr/bin/kdeinit" by pressing the down arrow key, and press the "Space" key. You will see a "&" mark appear at the beginning of the line.

Policy Editor

Repeat this operation for all lines below the line containing "/bin/bash". In this example, repeat from line 86 to line 99.

Policy Editor

Press the "s" key, enter "1" and press the "Enter" key. The "1" means profile number 1, which was defined for "learning mode" in Initializing policy configuration.

Policy Editor

Now, the Konsole window is in "learning mode".

Policy Editor

Switch to the Konsole's window, and let's do some operations.

Using Konsole

Browsing policies generated by learning mode

Switch to the policy editor's window and search for the Konsole's domain again. Press "r" to refresh. Press "f", enter "start_kdeinit" and press the "Enter" key. You will find that lines containing "/bin/date", "/usr/bin/head", "/bin/sh" and "/usr/bin/tail" have been appended.

Policy Editor

Move the cursor to the line containing "/usr/bin/head" (in this screen, line number 98) and press the "Enter" key. You will see a line containing "allow_read /etc/passwd". This entry was automatically appended by TOMOYO Linux's learning mode.

Policy Editor

Press the "Enter" key to return. Let's see what entries were automatically appended for the lines "/bin/sh" and "/usr/bin/tail".

Policy Editor

Policy Editor

As you might have already guessed, "allow_read" means the pathname following this keyword may be opened for reading, "allow_read/write" means the pathname may be opened for reading and writing, and "allow_execute" means the pathname may be executed.

Switching to enforcing mode

Let's switch to enforcing mode. Profile 3 was defined for "enforcing mode" in Initializing policy configuration. Assign profile 3 to the lines that are currently assigned profile 1 (in this screen, from line 86 to line 102).

Policy Editor

Now, these lines are assigned profile 3.

Policy Editor

Switch to the Konsole's window, and let's do some operations.

Using Konsole

You will find that only the operations you performed in "learning mode" are allowed.

Switch to the policy editor's window and press the "q" key to terminate the editor. Then, let's browse the "access rejected logs".

# less /var/log/tomoyo/reject_log.conf

You will find some entries that have "mode=enforcing".

#2008-08-29 17:05:56# profile=3 mode=enforcing pid=5715 uid=500 gid=500 euid=500 egid=500 suid=500 sgid=500 fsuid=500 fsgid=500 state[0]=0 state[1]=0 state[2]=0
<kernel> /etc/rc.d/init.d/dm /etc/X11/prefdm /usr/bin/kdm /etc/X11/xdm/Xsession /etc/X11/Xsession /bin/sh /usr/bin/startkde /usr/bin/start_kdeinit /usr/bin/kdeinit /bin/bash /usr/bin/head
allow_read /etc/hosts

#2008-08-29 17:06:05# profile=3 mode=enforcing pid=5716 uid=500 gid=500 euid=500 egid=500 suid=500 sgid=500 fsuid=500 fsgid=500 state[0]=0 state[1]=0 state[2]=0 argc=4 envc=71 argv[]={ "tail" "-n" "3" "/etc/passwd" } envp[]={ "LC_PAPER=en_US.UTF-8" "LESSKEY=/etc/.less" "KDE_MULTIHEAD=false" "LC_ADDRESS=en_US.UTF-8" "LC_MONETARY=en_US.UTF-8" "HOSTNAME=localhost" "DM_CONTROL=/var/run/xdmctl" "TERM=xterm" "SHELL=/bin/bash" "XDG_MENU_PREFIX=kde-" "LC_SOURCED=1" "HISTSIZE=1000" "XDG_SESSION_COOKIE=fcf074214a7c98128ebd635e48b7d2e9-1220036528.194469-1695056499" "XDM_MANAGED=/var/run/xdmctl/xdmctl-:0,maysd,mayfn,sched,rsvd,method=classic,auto" "TMPDIR=/home/kumaneko/tmp" "GS_LIB=/home/kumaneko/.fonts" "WINDOWID=58720263" "LC_NUMERIC=en_US.UTF-8" "QTDIR=/usr/lib/qt3" "QTINC=" "KDE_FULL_SESSION=true" "USER=kumaneko" "LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:su=37;41:sg=30;43:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.svgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz2=01;31:*.tz=01;31:*.lzma=01;31:*.tlz=01;31:*.deb=01;31:*.rpm=01;31:*.cpio=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.iso=01;31:*.jpg=01;35:*.jpeg=01;35:*.JPG=01;35:*.JPEG=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.divx=01;35:*.xvid=01;35:*.asf=01;35:*.wmv=01;35:*.mp4=01;35:*.3gp=01;35
:*.flv=01;35:*.ico=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.mp2=00;36:*.mod=00;36:*.xm=00;36:*.s3m=00;36:*.it=00;36:*.wma=00;36:*~=47;30:*.bak=47;30:*.swp=47;30:*.bck=47;30:*.bk=47;30:*.old=47;30:*.tmp=47;30:*.save=47;30:*.rpmsave=47;30:*.rpmnew=47;30:" "QT4DOCDIR=/usr/share/doc/qt4/doc" "LC_TELEPHONE=en_US.UTF-8" "SESSION_MANAGER=local/localhost:/tmp/.ICE-unix/4811" "KONSOLE_DCOP=DCOPRef(konsole-5669,konsole)" "NLSPATH=/usr/share/locale/%l/%N" "MAIL=/var/spool/mail/kumaneko" "DESKTOP_SESSION=01KDE" "PATH=/usr/bin:/bin:/usr/local/bin:/usr/X11R6/bin/:/usr/games:/usr/lib/qt4/bin:/home/kumaneko/bin:/usr/lib/qt4/bin" "LC_MESSAGES=en_US.UTF-8" "SECURE_LEVEL=3" "LC_IDENTIFICATION=en_US.UTF-8" "LC_COLLATE=en_US.UTF-8" "KONSOLE_DCOP_SESSION=DCOPRef(konsole-5669,session-1)" "INPUTRC=/etc/inputrc" "PWD=/home/kumaneko" "XMODIFIERS=@im=none" "LANG=en_US.UTF-8" "KDE_SESSION_UID=500" "PYTHONSTARTUP=/etc/pythonrc.py" "LC_MEASUREMENT=en_US.UTF-8" "SSH_ASKPASS=/usr/lib/ssh/ssh-askpass" "HISTCONTROL=ignoredups" "LESSCHARSET=utf-8" "SHLVL=2" "HOME=/home/kumaneko" "LANGUAGE=en_US.UTF-8:en_US:en" "XCURSOR_THEME=default" "GCONF_TMPDIR=/tmp" "PYTHONPATH=/usr/lib/ooo-2.4/program:/usr/lib/ooo-2.4/program" "G_FILENAME_ENCODING=@locale" "TMP=/home/kumaneko/tmp" "LESS=-MM" "LOGNAME=kumaneko" "QTLIB=" "LC_CTYPE=en_US.UTF-8" "DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-RLijCkFZnX,guid=5b956b604d520884b24906e048b847b1" "PKG_CONFIG_PATH=/usr/lib/qt4/lib/pkgconfig:/usr/lib/qt4/lib/pkgconfig" "LESSOPEN=|/usr/bin/lesspipe.sh\040%s" "BROWSER=/usr/bin/www-browser" "DESKTOP=kde" "META_CLASS=desktop" "DISPLAY=:0.0" "MDV_MENU_STYLE=mandriva" "LC_TIME=en_US.UTF-8" "COLORTERM=" "XAUTHORITY=/home/kumaneko/.Xauthority" "LC_NAME=en_US.UTF-8" "_=/usr/bin/tail" }
<kernel> /etc/rc.d/init.d/dm /etc/X11/prefdm /usr/bin/kdm /etc/X11/xdm/Xsession /etc/X11/Xsession /bin/sh /usr/bin/startkde /usr/bin/start_kdeinit /usr/bin/kdeinit /bin/bash
allow_execute /usr/bin/tail

#2008-08-29 17:06:05# profile=3 mode=enforcing pid=5716 uid=500 gid=500 euid=500 egid=500 suid=500 sgid=500 fsuid=500 fsgid=500 state[0]=0 state[1]=0 state[2]=0
<kernel> /etc/rc.d/init.d/dm /etc/X11/prefdm /usr/bin/kdm /etc/X11/xdm/Xsession /etc/X11/Xsession /bin/sh /usr/bin/startkde /usr/bin/start_kdeinit /usr/bin/kdeinit /bin/bash
allow_read /usr/bin/tail

#2008-08-29 17:06:20# profile=3 mode=enforcing pid=5719 uid=500 gid=500 euid=500 egid=500 suid=500 sgid=500 fsuid=500 fsgid=500 state[0]=0 state[1]=0 state[2]=0 argc=1 envc=71 argv[]={ "date" } envp[]={ "LESSKEY=/etc/.less" "LC_PAPER=en_US.UTF-8" "LC_ADDRESS=en_US.UTF-8" "KDE_MULTIHEAD=false" "DM_CONTROL=/var/run/xdmctl" "HOSTNAME=localhost" "LC_MONETARY=en_US.UTF-8" "XDG_MENU_PREFIX=kde-" "SHELL=/bin/bash" "TERM=xterm" "XDM_MANAGED=/var/run/xdmctl/xdmctl-:0,maysd,mayfn,sched,rsvd,method=classic,auto" "XDG_SESSION_COOKIE=fcf074214a7c98128ebd635e48b7d2e9-1220036528.194469-1695056499" "HISTSIZE=1000" "LC_SOURCED=1" "TMPDIR=/home/kumaneko/tmp" "GS_LIB=/home/kumaneko/.fonts" "LC_NUMERIC=en_US.UTF-8" "WINDOWID=58720263" "QTDIR=/usr/lib/qt3" "QTINC=" "KDE_FULL_SESSION=true" "USER=kumaneko" "LC_TELEPHONE=en_US.UTF-8" "QT4DOCDIR=/usr/share/doc/qt4/doc" "LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:su=37;41:sg=30;43:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.svgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz2=01;31:*.tz=01;31:*.lzma=01;31:*.tlz=01;31:*.deb=01;31:*.rpm=01;31:*.cpio=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.iso=01;31:*.jpg=01;35:*.jpeg=01;35:*.JPG=01;35:*.JPEG=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.divx=01;35:*.xvid=01;35:*.asf=01
;35:*.wmv=01;35:*.mp4=01;35:*.3gp=01;35:*.flv=01;35:*.ico=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.mp2=00;36:*.mod=00;36:*.xm=00;36:*.s3m=00;36:*.it=00;36:*.wma=00;36:*~=47;30:*.bak=47;30:*.swp=47;30:*.bck=47;30:*.bk=47;30:*.old=47;30:*.tmp=47;30:*.save=47;30:*.rpmsave=47;30:*.rpmnew=47;30:" "SESSION_MANAGER=local/localhost:/tmp/.ICE-unix/4811" "NLSPATH=/usr/share/locale/%l/%N" "KONSOLE_DCOP=DCOPRef(konsole-5669,konsole)" "PATH=/usr/bin:/bin:/usr/local/bin:/usr/X11R6/bin/:/usr/games:/usr/lib/qt4/bin:/home/kumaneko/bin:/usr/lib/qt4/bin" "DESKTOP_SESSION=01KDE" "MAIL=/var/spool/mail/kumaneko" "LC_MESSAGES=en_US.UTF-8" "LC_COLLATE=en_US.UTF-8" "LC_IDENTIFICATION=en_US.UTF-8" "SECURE_LEVEL=3" "PWD=/home/kumaneko" "INPUTRC=/etc/inputrc" "KONSOLE_DCOP_SESSION=DCOPRef(konsole-5669,session-1)" "XMODIFIERS=@im=none" "KDE_SESSION_UID=500" "LANG=en_US.UTF-8" "PYTHONSTARTUP=/etc/pythonrc.py" "LC_MEASUREMENT=en_US.UTF-8" "HISTCONTROL=ignoredups" "SSH_ASKPASS=/usr/lib/ssh/ssh-askpass" "HOME=/home/kumaneko" "SHLVL=3" "LESSCHARSET=utf-8" "LANGUAGE=en_US.UTF-8:en_US:en" "GCONF_TMPDIR=/tmp" "XCURSOR_THEME=default" "LOGNAME=kumaneko" "LESS=-MM" "TMP=/home/kumaneko/tmp" "G_FILENAME_ENCODING=@locale" "PYTHONPATH=/usr/lib/ooo-2.4/program:/usr/lib/ooo-2.4/program" "QTLIB=" "DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-RLijCkFZnX,guid=5b956b604d520884b24906e048b847b1" "LC_CTYPE=en_US.UTF-8" "LESSOPEN=|/usr/bin/lesspipe.sh\040%s" "PKG_CONFIG_PATH=/usr/lib/qt4/lib/pkgconfig:/usr/lib/qt4/lib/pkgconfig" "DESKTOP=kde" "BROWSER=/usr/bin/www-browser" "DISPLAY=:0.0" "META_CLASS=desktop" "LC_TIME=en_US.UTF-8" "MDV_MENU_STYLE=mandriva" "LC_NAME=en_US.UTF-8" "XAUTHORITY=/home/kumaneko/.Xauthority" "COLORTERM=" "_=/bin/date" }
<kernel> /etc/rc.d/init.d/dm /etc/X11/prefdm /usr/bin/kdm /etc/X11/xdm/Xsession /etc/X11/Xsession /bin/sh /usr/bin/startkde /usr/bin/start_kdeinit /usr/bin/kdeinit /bin/bash /bin/sh
allow_execute /bin/date

#2008-08-29 17:06:20# profile=3 mode=enforcing pid=5719 uid=500 gid=500 euid=500 egid=500 suid=500 sgid=500 fsuid=500 fsgid=500 state[0]=0 state[1]=0 state[2]=0
<kernel> /etc/rc.d/init.d/dm /etc/X11/prefdm /usr/bin/kdm /etc/X11/xdm/Xsession /etc/X11/Xsession /bin/sh /usr/bin/startkde /usr/bin/start_kdeinit /usr/bin/kdeinit /bin/bash /bin/sh
allow_read /bin/date
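The following is an added example (not part of ccs-tools) that parses records in the reject_log.conf format shown above, splitting the header fields, the domain (the chain of executed programs) and the requested access, and lists the requests that were actually denied. The sample log is constructed from the entries above with envp[] abridged, plus one permissive-mode record to show that the filter excludes it.

```python
"""Parser for TOMOYO Linux 1.6 access rejected logs (/var/log/tomoyo/reject_log.conf).

Added example, not ccs-tools code. A record is a header "#<timestamp># key=value ...",
a domain line starting with "<kernel>", an access line "<keyword> <pathname>" and a
blank line; headers of execute requests also carry argv[]={ "..." } and envp[]={ "..." }.
"""
import re

HEADER_RE = re.compile(r"^#(?P<ts>[^#]+)# (?P<rest>.*)$")
KV_RE = re.compile(r"(\S+?)=(\S+)")
QUOTED_RE = re.compile(r'"([^"]*)"')

def _quoted_list(rest, name):
    """Strings of name[]={ "a" "b" } in a header, or None when absent."""
    m = re.search(re.escape(name) + r"\[\]=\{(.*?)\}", rest)  # values must not contain '}'
    return QUOTED_RE.findall(m.group(1)) if m else None

def parse_reject_log(text):
    """Return one dict per record (header, domain line, access line)."""
    records = []
    for block in text.strip().split("\n\n"):
        header, domain_line, access_line = block.splitlines()[:3]
        m = HEADER_RE.match(header)
        rest = m.group("rest")
        fields = dict(KV_RE.findall(rest.split(" argv[]=")[0]))  # stop before argv[]/envp[]
        domain = domain_line.split()  # ['<kernel>', '/etc/rc.d/init.d/dm', ..., program]
        keyword, _, path = access_line.partition(" ")
        records.append({"timestamp": m.group("ts"), "profile": int(fields["profile"]),
                        "mode": fields["mode"], "pid": int(fields["pid"]),
                        "uid": int(fields["uid"]), "domain": domain, "program": domain[-1],
                        "keyword": keyword, "path": path,
                        "argv": _quoted_list(rest, "argv"), "envp": _quoted_list(rest, "envp")})
    return records

def enforcing_rejections(text):
    """(timestamp, program, keyword, path) of requests actually denied (mode=enforcing)."""
    return [(r["timestamp"], r["program"], r["keyword"], r["path"])
            for r in parse_reject_log(text) if r["mode"] == "enforcing"]

# Constructed sample: two records from this manual with envp[] shortened, plus one
# permissive-mode record (logged but not denied) to show the filter excludes it.
SAMPLE_LOG = """\
#2008-08-29 17:05:56# profile=3 mode=enforcing pid=5715 uid=500 gid=500 euid=500 egid=500 suid=500 sgid=500 fsuid=500 fsgid=500 state[0]=0 state[1]=0 state[2]=0
<kernel> /etc/rc.d/init.d/dm /etc/X11/prefdm /usr/bin/kdm /etc/X11/xdm/Xsession /etc/X11/Xsession /bin/sh /usr/bin/startkde /usr/bin/start_kdeinit /usr/bin/kdeinit /bin/bash /usr/bin/head
allow_read /etc/hosts

#2008-08-29 17:06:05# profile=3 mode=enforcing pid=5716 uid=500 gid=500 euid=500 egid=500 suid=500 sgid=500 fsuid=500 fsgid=500 state[0]=0 state[1]=0 state[2]=0 argc=4 envc=2 argv[]={ "tail" "-n" "3" "/etc/passwd" } envp[]={ "TERM=xterm" "SHELL=/bin/bash" }
<kernel> /etc/rc.d/init.d/dm /etc/X11/prefdm /usr/bin/kdm /etc/X11/xdm/Xsession /etc/X11/Xsession /bin/sh /usr/bin/startkde /usr/bin/start_kdeinit /usr/bin/kdeinit /bin/bash
allow_execute /usr/bin/tail

#2008-08-29 17:10:00# profile=2 mode=permissive pid=5730 uid=500 gid=500 euid=500 egid=500 suid=500 sgid=500 fsuid=500 fsgid=500 state[0]=0 state[1]=0 state[2]=0
<kernel> /etc/rc.d/init.d/dm /etc/X11/prefdm /usr/bin/kdm /etc/X11/xdm/Xsession /etc/X11/Xsession /bin/sh /usr/bin/startkde /usr/bin/start_kdeinit /usr/bin/kdeinit /bin/bash /bin/sh
allow_read /etc/group
"""
```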

Policies which you browsed using "ccs-editpolicy" are kept in memory only, so they will be lost if you shut down the system. To save the policies currently in memory to disk, run the following command.

# /usr/sbin/ccs-savepolicy

As you have seen above, by using TOMOYO Linux, you can monitor

in detail.

Tips and more information

Using TOMOYO Linux without becoming user "root"

If you don't want to become user "root" to use TOMOYO Linux, you can configure TOMOYO Linux to allow policy manipulation by a non-"root" user.

For example, if you want to allow user "demo" to manipulate policy, create /etc/ccs/ccs-post-init with the following contents:

#! /bin/sh
echo manage_by_non_root > /proc/ccs/manager
chown -R demo:demo /proc/ccs/

and /etc/ccs/ccs-post-init will be called by /sbin/ccs-init . Don't forget to run

# chmod 700 /etc/ccs/ccs-post-init

to make it executable. Also, you will need to run

# chown -R demo:demo /etc/ccs/

to allow user "demo" to read and write the policy files in the /etc/ccs/ directory.

Policy editor's manual

A manual for /usr/sbin/ccs-editpolicy is available at How to use Policy Editor.


TOMOYO Linux is supported by NTT DATA CORPORATION
Last modified: $Date: 2019-02-04 23:02:53 +0900 (Mon, 04 Feb 2019) $