Hello.
Please describe TOMOYO's version (you can check it by
"cat /proc/ccs/version" for TOMOYO 1.x,
"cat /sys/kernel/security/tomoyo/version" for TOMOYO 2.x).
Guessing from policy syntax, I assume you are using TOMOYO 1.8.x.
Ben Ward wrote:
> This resulted in a domain "/usr/bin/chromium", which I
> put into learning mode and played about surfing on the web for half an
> hour, bookmarking things, using it as a file browser, all the common
> stuff I do usually, and then put it into enforcing mode. But then
> underneath the domain appeared "/usr/lib/chromium/chromium ( -> 266)".
Lines with "( -> number )" do not represent a real domain. This is a note that
tells you that a process in the domain (in this case, /usr/bin/chromium domain)
will transit to "<kernel> /usr/lib/chromium/chromium" domain (rather than a
child of /usr/bin/chromium domain). This line is printed because you added
"initialize_domain /usr/lib/chromium/chromium from any" line.
> If I enter it, I get sent to that domain, marked with a "*" and with, if
266 is the line number for "<kernel> /usr/lib/chromium/chromium" domain.
Lines with "( -> number )" are something like a shortcut icon.
By pressing Enter key on "/usr/lib/chromium/chromium ( -> 266)" line,
you are redirected to line 266.
The "*" mark (which means "a process might transit to this domain from domains
other than the parent of this domain") is printed because you added
"initialize_domain /usr/lib/chromium/chromium from any" line.
> I enter the policy editor 0: transition_failed and 1: use_group 0. The
> "/usr/bin/chromium" domain had a lot more entries to the domain policy
> after I switched from learning mode, including tty and shell related
> things. When I used @ to switch to process view, after putting
> "/usr/bin/chromium" into enforcing mode (3). The chomium process were
> not (0). Additionally chromium stopped going to any address I put in the
> address after this, even when I switched everything back to (0).
> I reason that perhaps the processes would have switched to (3) if
> "/usr/lib/chromium/chromium" was set to (3), and that I should have
> activated learning mode on it.
"<kernel> /usr/lib/chromium/chromium" domain contained only
0: transition_failed
1: use_group 0
and you changed to use profile 3, didn't you?
Then, the process in "<kernel> /usr/lib/chromium/chromium" domain has no ACL
entries except ones given via "acl_group 0" lines in the exception policy.
So, you should have changed to use profile 1 before you changed to use profile 3.
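The situation described above (a domain switched to profile 3 while it carries no ACL entries of its own, so the process only gets what "acl_group" lines grant) can be spotted in a saved domain_policy.conf before it bites. The checker below is an added example, not part of this message or of the TOMOYO tools; it assumes the TOMOYO 1.8 domain policy layout and the profile numbering used in this thread (1 = learning, 3 = enforcing), and the policy text it scans is constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Find enforcing domains (profile 3) in a TOMOYO 1.8 domain_policy.conf
that have no ACL entries of their own (only acl_group-provided ones).
Example code written for this thread, not part of tomoyo-tools."""

# Constructed sample in domain_policy.conf layout; the second domain is the
# "enforcing but never learned" case from the thread.
SAMPLE_POLICY = """\
<kernel> /usr/bin/chromium
use_profile 3
use_group 0
file read /etc/ld.so.cache
file execute /usr/lib/chromium/chromium

<kernel> /usr/lib/chromium/chromium
use_profile 3
use_group 0
transition_failed
"""

# Lines that describe the domain itself rather than grant anything.
DOMAIN_ATTRS = ("use_profile", "use_group", "quota_exceeded", "transition_failed")


def parse_domain_policy(text):
    """Return {domain: {"profile": int|None, "groups": [int], "acls": [str]}}."""
    domains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):          # domain header line
            current = domains.setdefault(line, {"profile": None, "groups": [], "acls": []})
        elif current is None:
            continue                              # text before the first domain
        elif line.startswith("use_profile "):
            current["profile"] = int(line.split()[1])
        elif line.startswith("use_group "):
            current["groups"].append(int(line.split()[1]))
        elif line.startswith(DOMAIN_ATTRS):
            continue                              # flags such as transition_failed
        else:
            current["acls"].append(line)          # a real ACL entry
    return domains


def enforcing_without_acls(domains, enforcing_profile=3):
    """Domains on the enforcing profile whose only permissions come from acl_group."""
    return sorted(name for name, d in domains.items()
                  if d["profile"] == enforcing_profile and not d["acls"])


if __name__ == "__main__":
    for name in enforcing_without_acls(parse_domain_policy(SAMPLE_POLICY)):
        print("enforcing with no ACL entries of its own:", name)
```

On a real system, feed it the output of "cat /proc/ccs/domain_policy" (TOMOYO 1.x) instead of the constructed sample.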
> However that does not explain in my mind
> why "/usr/bin/chromium" acted what seemed to me as odd
I couldn't understand this part.
> and the appearance of "/usr/lib/chromium/chromium ( -> 266)" only after I
> activated learning mode on "/usr/bin/chromium".
This is because default mode for domains is disabled mode (or profile 0). This
means that by default TOMOYO does not record what programs are executed from
each domain. As a result, TOMOYO did not know that /usr/lib/chromium/chromium
was executed from /usr/bin/chromium domain. TOMOYO can know it only after you
changed /usr/bin/chromium domain to use learning mode (or profile 1).
Since TOMOYO did not know it before you activated learning mode on
"/usr/bin/chromium" domain, TOMOYO was not able to print
"/usr/lib/chromium/chromium ( -> 266)" line before you let TOMOYO learn it.
You can add
0-CONFIG::file::execute={ mode=learning }
to your /etc/ccs/profile.conf so that TOMOYO will record by default what
programs are executed from each domain.
> Should I also include
> some option or policy to allow me to visit websites and basically
> anything I type in the address bar in the future - as I can't visit
> every webpage I will ever visit (something like patterning?).
You will need to add ACL entries to
"<kernel> /usr/lib/chromium/chromium" domain.
Regards.
tomoyo-users-en mailing list
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en