Mauras Olivier wrote:
> Oh... So putting an incorrect value doesn't validate it right?
> If so how could I make those /sbin/init appear correctly because for now in
> my domain list they appear under the same /sbin/init as my host one...
> I can see them separated by switching in process mode, but they don't show
> the directory they're executed in and the only way for me to recognize each
> one is to sort them by looking at their subprocesses.

This is because of "initialize_domain /sbin/init from any" in exception policy. Any time and any place that /sbin/init is executed, it will run as the domain "<kernel> /sbin/init". You can either remove that line, or more preferably add "no_initialize_domain /sbin/init from <kernel> /domain/that/executes/sbin/init" to exception policy.

If you add the no_initialize_domain line, then the /sbin/init that is run in your chroot will no longer appear as the same domain as the host /sbin/init. You will of course have to determine all domains you need to execute /sbin/init from and give them all a no_initialize_domain line.

We have some revised documentation in progress at the moment. It is not yet fully completed and proof-read, but you can find it here if you are interested:
http://tomoyo.sourceforge.jp/1.8-tmp/index.html.en

Information on initialize_domain and no_initialize_domain directives:
http://tomoyo.sourceforge.jp/1.8-tmp/chapter-5.html.en#5.2

Information on use of exec.realpath in conditional ACL:
http://tomoyo.sourceforge.jp/1.8-tmp/chapter-10.html.en

Kind regards,
Jamie
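
Added example (not part of the original message and not TOMOYO's own code): a simplified Python model of the domain transition described above, showing which domain /sbin/init lands in before and after the no_initialize_domain line is added. The function names are hypothetical, the launcher domain is the placeholder from the message, and only these two directives are modelled.

```python
# Simplified model (an assumption, not TOMOYO source code) of how
# initialize_domain / no_initialize_domain choose the domain entered on exec.
ROOT = "<kernel>"
# Placeholder domain name taken from the message; substitute the real one.
LAUNCHER = "<kernel> /domain/that/executes/sbin/init"

POLICY_BEFORE = "initialize_domain /sbin/init from any\n"
POLICY_AFTER = POLICY_BEFORE + f"no_initialize_domain /sbin/init from {LAUNCHER}\n"

def parse_policy(text):
    """Return (directive, program, source_domain) tuples for the two directives."""
    rules = []
    for line in text.splitlines():
        directive, _, rest = line.strip().partition(" ")
        if directive in ("initialize_domain", "no_initialize_domain"):
            program, _, source = rest.partition(" from ")
            rules.append((directive, program, source or "any"))
    return rules

def _matches(rule, current_domain, program):
    _, rule_program, source = rule
    if rule_program not in ("any", program):
        return False
    if source == "any":
        return True
    if source.startswith(ROOT):            # full domain name given
        return source == current_domain
    return current_domain.split(" ")[-1] == source   # last component only

def next_domain(rules, current_domain, program):
    """Domain a process in current_domain enters when it executes program."""
    def hit(directive):
        return any(r[0] == directive and _matches(r, current_domain, program)
                   for r in rules)
    # A matching no_initialize_domain suppresses initialize_domain.
    if not hit("no_initialize_domain") and hit("initialize_domain"):
        return f"{ROOT} {program}"
    return f"{current_domain} {program}"    # default: append to current domain

if __name__ == "__main__":
    for label, text in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        rules = parse_policy(text)
        for domain in (ROOT, LAUNCHER):
            print(label, "|", domain, "->", next_domain(rules, domain, "/sbin/init"))
```

Each additional domain that executes /sbin/init needs its own no_initialize_domain line in POLICY_AFTER, otherwise it still collapses into "<kernel> /sbin/init".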
