On 03/21/2011 12:05 AM, Horvath Andras wrote:
> I'd like to announce my new project that I created recently building
> on Tomoyo module.
>
> The goal is a fully automatic MAC configuration solution.

Thanks a ton. This is really going to make tomoyo rock.
Comments:
* No Exception:
22:21:29 rrs@champaran:~$ sudo ./tomld.py --reset -c
tomld (tomoyo learning daemon) 0.15
platform is debian wheezy/sid
tomoyo kernel mode is active
* resetting domain configurations on demand
are you sure? [yes/No] yes
* exception domains
/bin/sh /bin/bash /bin/dash /usr/sbin/sshd
* processes using network
/usr/sbin/vpnc
* checking policy and rules
/usr/sbin/vpnc, no domain, create domain (restart needed), no rule, create rule with learning mode on
* whole running cycle took 0.24s, sleeping 10s between every cycle
* new processes using network
/usr/bin/ktorrent
..* new processes using network
/usr/sbin/exim4
.* new processes using network
/usr/sbin/dnsmasq
/usr/bin/host
./usr/bin/host, no domain, create domain, no rule, create rule with learning mode on
..............* new processes using network
/usr/bin/fdm
Traceback (most recent call last):
  File "./tomld.py", line 1316, in <module>
    d5 = os.readlink(d4)
OSError: [Errno 2] No such file or directory: '/proc/5113/fd/3'
* I changed this to make it work with debian wheezy/sid:
  supp = ["debian 6.", "debian wheezy/sid", "ubuntu 10.10."]
* There's no need to install the patch package, *linux-patch-tomoyo1.7*.
tomoyo is already enabled in the Debian kernel.
23:01:11 rrs@champaran:/tmp$ diff tomld.py /home/rrs/tomld.py
30d29
< # - show statistics about active domains
and rules on exit
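Review bot: the patch as posted has been re-wrapped by the mail client: this comment line (`# - show statistics about active domains` / `and rules on exit`) and, further down, the `re.findall(...)` and `color(...)` statements are split mid-line, so it will not apply cleanly in either direction; resend with line wrapping disabled or as an attachment, and say which of the two files is the modified one, since `diff tomld.py /home/rrs/tomld.py` leaves that ambiguous.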
153c152
< supp = ["debian 6.", "ubuntu 10.10."]
---
> supp = ["debian 6.", "debian wheezy/sid", "ubuntu 10.10."]
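Review bot: the new `supp` entry `"debian wheezy/sid"` is a release codename, whereas the existing entries (`"debian 6."`, `"ubuntu 10.10."`) are version-number prefixes; it will stop matching as soon as the testing/unstable version string changes. Either document that this entry tracks the current contents of the distribution's version file, or, if the comparison is a prefix match, use a shorter prefix such as `"debian wheezy"`.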
612,615d610
< # stat
< d = re.findall("^<kernel>.*$\n+use_profile +[1-3] *$",
tdomf, re.M)
< r = re.findall("^allow_", tdomf, re.M)
< color(str(len(d)) + " active domains, " + str(len(r)) + "
rules")
1160c1155
< if not (package_d(tpak1) and package_d(tpak2)):
---
> if not package_d(tpak2):
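Review bot: dropping `package_d(tpak1)` from the condition removes the patch-package check for every platform in `supp`, not only for the Debian kernel that already has TOMOYO enabled; make the requirement depend on the detected platform (skip `tpak1` where the kernel ships with it, keep the check elsewhere) rather than removing it unconditionally.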
1162c1157
< color("install packages (" + tpak1 + ", " + tpak2 + ") and
reboot the system with " \
---
> color("install packages (" + tpak2 + ") and reboot the
system with " \
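Review bot: after this change the message still reads `install packages (` with only one package name inside the parentheses; switch the wording to the singular. This string literal is also mail-wrapped across two lines, so it needs the same resend as the rest of the patch.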
1172c1167
< os.system(comm + " install " + tpak1 + " " + tpak2)
---
> os.system(comm + " install " + tpak2)
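Review bot: `os.system(comm + " install " + tpak2)` builds a shell command by string concatenation; `comm` and `tpak2` are internal constants here, but `subprocess.call([comm, "install", tpak2])` with an argument list avoids the shell entirely and cannot misbehave if a name ever contains a space or shell metacharacter.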
* After running step 2, you ask the user to stop and reboot to boot in
'enforcing mode'. Many things are breaking here. For me: exim4, dnsmasq,
dbus, ktorrent - all broke. These are the errors I got (not complete,
there'll be many many more):
[ 96.910337] ERROR: Access read/write /var/spool/exim4/input/1Q1i7G-00014r-0m-D denied for /usr/sbin/exim4
[ 121.620620] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
[ 121.620726] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
[ 154.144437] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
[ 154.144477] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
[ 174.277939] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
[ 174.278047] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
[ 186.918465] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
[ 186.918571] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
[ 201.839392] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
[ 201.839501] ERROR: Access read /etc/host.conf denied for /usr/bin/fdm
[ 201.839626] ERROR: Access read /lib/init/rw/resolvconf/resolv.conf denied for /usr/bin/fdm
[ 201.839992] ERROR: Access read /lib/init/rw/resolvconf/resolv.conf denied for /usr/bin/fdm
[ 201.840746] ERROR: Access read /etc/hosts denied for /usr/bin/fdm
[ 201.840905] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
[ 201.841417] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
[ 201.841747] ERROR: Access read /etc/passwd denied for /usr/bin/fdm
[ 201.841854] ERROR: Access read /etc/passwd denied for /usr/bin/fdm
[ 207.862719] ERROR: Access ioctl /dev/null 0x5401 denied for /usr/sbin/exim4
[ 207.862800] ERROR: Access read /var/lib/exim4/config.autogenerated.tmp denied for /usr/sbin/exim4
[ 207.863908] ERROR: Access create /var/log/exim4/paniclog 0640 denied for /usr/sbin/exim4
[ 233.684510] ERROR: Access ioctl /dev/null 0x5401 denied for /usr/sbin/exim4
[ 233.684712] ERROR: Access read /var/lib/exim4/config.autogenerated.tmp denied for /usr/sbin/exim4
[ 233.688033] ERROR: Access create /var/log/exim4/paniclog 0640 denied for /usr/sbin/exim4
[ 349.302234] ERROR: Access ioctl /dev/null 0x5401 denied for /usr/sbin/exim4
[ 349.302341] ERROR: Access read /var/lib/exim4/config.autogenerated.tmp denied for /usr/sbin/exim4
[ 349.306666] ERROR: Access create /var/log/exim4/paniclog 0640 denied for /usr/sbin/exim4
[ 501.869845] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
[ 501.869954] ERROR: Access read /etc/host.conf denied for /usr/bin/fdm
[ 501.870078] ERROR: Access read /lib/init/rw/resolvconf/resolv.conf denied for /usr/bin/fdm
[ 501.870432] ERROR: Access read /lib/init/rw/resolvconf/resolv.conf denied for /usr/bin/fdm
[ 501.871082] ERROR: Access read /etc/hosts denied for /usr/bin/fdm
[ 501.871236] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
[ 501.871726] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
[ 501.872163] ERROR: Access read /etc/passwd denied for /usr/bin/fdm
[ 501.872274] ERROR: Access read /etc/passwd denied for /usr/bin/fdm
[ 737.411262] start_kdeinit (5972): /proc/5974/oom_adj is deprecated, please use /proc/5974/oom_score_adj instead.
[ 744.237066] EXT4-fs (dm-0): re-mounted. Opts: acl,user_xattr,delalloc,errors=remount-ro,commit=0
[ 760.405858] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/bin/pidgin
[ 760.405900] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/bin/pidgin
[ 774.398148] ERROR: Access read /usr/share/davmail/davmail.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.464194] ERROR: Access read /usr/lib/java/swt-gtk-3.5.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.464842] ERROR: Access read /usr/share/davmail/lib/activation-1.1.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.465038] ERROR: Access read /usr/share/davmail/lib/commons-codec-1.3.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.465235] ERROR: Access read /usr/share/davmail/lib/commons-collections-3.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.465432] ERROR: Access read /usr/share/davmail/lib/commons-httpclient-3.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.465631] ERROR: Access read /usr/share/davmail/lib/commons-logging-1.0.4.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.465824] ERROR: Access read /usr/share/davmail/lib/htmlcleaner-2.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.466019] ERROR: Access read /usr/share/davmail/lib/jackrabbit-webdav-1.4.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.466206] ERROR: Access read /usr/share/davmail/lib/jcharset-1.3.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.466395] ERROR: Access read /usr/share/davmail/lib/jcifs-1.3.14.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.466579] ERROR: Access read /usr/share/davmail/lib/jdom-1.0.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.466773] ERROR: Access read /usr/share/davmail/lib/junit-3.8.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.466965] ERROR: Access read /usr/share/davmail/lib/log4j-1.2.15.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.467151] ERROR: Access read /usr/share/davmail/lib/mail-1.4.3.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.467346] ERROR: Access read /usr/share/davmail/lib/slf4j-api-1.3.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.467553] ERROR: Access read /usr/share/davmail/lib/slf4j-log4j12-1.3.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.467744] ERROR: Access read /usr/share/davmail/lib/stax-api-1.0.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.467935] ERROR: Access read /usr/share/davmail/lib/stax2-api-3.0.3.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.468184] ERROR: Access read /usr/share/davmail/lib/woodstox-core-asl-4.0.9.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.468391] ERROR: Access read /usr/share/davmail/lib/xercesImpl-2.8.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 801.925413] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
[ 801.925526] ERROR: Access read /etc/host.conf denied for /usr/bin/fdm
[ 801.925651] ERROR: Access read /lib/init/rw/resolvconf/resolv.conf denied for /usr/bin/fdm
[ 801.926078] ERROR: Access read /lib/init/rw/resolvconf/resolv.conf denied for /usr/bin/fdm
[ 801.926791] ERROR: Access read /etc/hosts denied for /usr/bin/fdm
[ 801.926957] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
[ 801.927477] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
[ 801.927836] ERROR: Access read /etc/passwd denied for /usr/bin/fdm
[ 801.927944] ERROR: Access read /etc/passwd denied for /usr/bin/fdm
[ 825.935742] ERROR: Access read /usr/lib/libktcore.so.11.0.4 denied for /usr/bin/ktorrent
[ 825.935899] ERROR: Access read /usr/lib/libktcore.so.11.0.4 denied for /usr/bin/ktorrent
Is there an equivalent of *setenforce*? We should use something like
that to easily switch it to learning mode until the user feels the full
and final policy is ready. Another approach could be to run tomld right
after init on first setup (during system start) in learning mode.
That'll allow it to learn all services' and other apps' behavior and
create the correct policy.
* There should also be a '-u' switch which should allow addition of new
learnt rules without discarding all the old rules. Or is it already there?
That's all for now. Again, thank you for creating this. Please put some
git repo so that no history is lost.
--
Ritesh Raj Sarraf
RESEARCHUT - http://www.researchut.com
"Necessity is the mother of invention."
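The traceback quoted above is a readlink on a /proc/<pid>/fd entry that vanished between listing the directory and reading the link. Added example, not tomld's own code: a scan of /proc for processes holding sockets that treats ENOENT, ESRCH or EACCES on one entry as "skip" instead of aborting the whole cycle. The listdir/readlink parameters, the SNAP table and snapshot_lookup are constructed for offline testing; the defaults walk the real /proc.

```python
# Added example, not tomld's own code: list the executables holding network
# sockets by walking /proc/<pid>/fd, tolerating the race behind the traceback
# above (an fd or process vanishes between listdir() and readlink()).
import errno
import os

GONE = (errno.ENOENT, errno.ESRCH, errno.EACCES)  # vanished or not inspectable


def _readlink_or_none(path, readlink):
    try:
        return readlink(path)
    except OSError as e:
        if e.errno in GONE:
            return None
        raise


def network_processes(proc="/proc", listdir=os.listdir, readlink=os.readlink):
    """Map executable path -> set of socket inodes it holds. listdir/readlink
    are injectable so a constructed snapshot can stand in for the live /proc."""
    found = {}
    for pid in filter(str.isdigit, listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = listdir(fd_dir)
        except OSError as e:
            if e.errno in GONE:
                continue           # process exited, or not ours to inspect
            raise
        inodes = set()
        for fd in fds:
            target = _readlink_or_none(os.path.join(fd_dir, fd), readlink)
            if target and target.startswith("socket:[") and target.endswith("]"):
                inodes.add(int(target[8:-1]))
        exe = _readlink_or_none(os.path.join(proc, pid, "exe"), readlink)
        if inodes and exe:
            found.setdefault(exe, set()).update(inodes)
    return found


# Constructed /proc snapshot: fd 3 of pid 5113 is listed but already closed
# (the traceback's ENOENT) and pid 7 has exited entirely; both must be skipped.
SNAP = {"/proc": ["5113", "5200", "7", "self"], "/proc/5113/fd": ["0", "3", "4"],
        "/proc/5200/fd": ["5"], "/proc/5113/fd/0": "/dev/null",
        "/proc/5113/fd/4": "socket:[12345]", "/proc/5113/exe": "/usr/sbin/vpnc",
        "/proc/5200/fd/5": "socket:[999]", "/proc/5200/exe": "/usr/bin/fdm"}


def snapshot_lookup(path):
    # listdir/readlink stand-in that raises ENOENT the way the real /proc does
    if path in SNAP:
        return SNAP[path]
    raise OSError(errno.ENOENT, "No such file or directory", path)
```

Calling `network_processes("/proc", snapshot_lookup, snapshot_lookup)` returns the two live executables and their inodes; the same call with the default arguments scans the running system.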
tomoyo-users-en mailing list
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
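The dmesg denials quoted in the mail are what an enforcing-mode boot produces before each service has been learnt. Added example, not part of the mail or of tomld: a parser that folds such lines into one candidate rule per executable and operation, with a hit count, for review before anything is added to the domain policy. It assumes the 1.7-style rule keyword is "allow_" followed by the operation word of the message; SAMPLE is a constructed subset of the quoted output with the mail wrapping undone.

```python
# Added example, not tomld's own code: fold TOMOYO denial messages into one
# candidate "allow_<op> <args>" rule per executable with a hit count, so an
# enforcing-mode boot's denials can be reviewed before they enter the policy.
# Assumption: the 1.7-style rule keyword is "allow_" + the op word of the message.
import re
from collections import Counter, defaultdict

DENIAL = re.compile(
    r"^\[\s*[\d.]+\]\s+ERROR: Access (?P<op>\S+) (?P<args>.+?) "
    r"denied for (?P<exe>\S+)$")


def parse_denials(lines):
    """Yield (exe, op, args) per denial line; other dmesg lines are ignored."""
    for line in lines:
        m = DENIAL.match(line.strip())
        if m:
            yield m.group("exe"), m.group("op"), m.group("args")


def candidate_rules(lines):
    """Map exe -> Counter of candidate rule strings and how often each was hit."""
    rules = defaultdict(Counter)
    for exe, op, args in parse_denials(lines):
        rules[exe]["allow_%s %s" % (op, args)] += 1
    return rules


# Constructed sample: a subset of the dmesg output quoted in the mail, with the
# mail-wrapped lines rejoined, plus one non-TOMOYO line that must be skipped.
SAMPLE = """\
[   96.910337] ERROR: Access read/write /var/spool/exim4/input/1Q1i7G-00014r-0m-D denied for /usr/sbin/exim4
[  121.620620] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
[  121.620726] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
[  201.839392] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
[  207.862719] ERROR: Access ioctl /dev/null 0x5401 denied for /usr/sbin/exim4
[  207.863908] ERROR: Access create /var/log/exim4/paniclog 0640 denied for /usr/sbin/exim4
[  737.411262] start_kdeinit (5972): /proc/5974/oom_adj is deprecated, please use /proc/5974/oom_score_adj instead.
""".splitlines()


def report(lines=SAMPLE):
    """Render one block per executable, most frequently denied rule first."""
    out = []
    rules = candidate_rules(lines)
    for exe in sorted(rules):
        out.append("# %s" % exe)
        for rule, n in rules[exe].most_common():
            out.append("%s    # seen %d time(s)" % (rule, n))
    return "\n".join(out)


if __name__ == "__main__":
    print(report())
```

The kernel message names only the executable, while the policy domain is the full `<kernel> /...` process chain, so match the summary to domains by their last path component before pasting rules in.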
