Mauras Olivier reported that it is difficult to use TOMOYO in LXC environments, because TOMOYO cannot distinguish between the environment outside the container and the environment inside the container, since LXC environments are created using pivot_root().

To address this problem, policy namespace has been discussed on the tomoyo-dev-en ML, and the specification and implementation are now ready.

http://tomoyo.sourceforge.jp/1.8/chapter-15.html

Although policy namespace was originally designed for using TOMOYO in LXC environments, I'm sure policy namespace is useful without LXC environments. Each policy namespace has its own set of domain policy, exception policy and profiles, which are all independent of other namespaces. This independence allows you (and those who want to develop and distribute policy for specific applications) to develop policy files without worrying about interference among namespaces. I think this will allow you to use TOMOYO like AppArmor.

You can download the TOMOYO 1.8.2-pre patches by running

  wget -O - 'http://sourceforge.jp/projects/tomoyo/svn/view/trunk/1.8.x/ccs-patch.tar.gz?root=tomoyo&view=tar' | tar -zxf - --strip 1

from the kernel source tree, and download the latest tools for TOMOYO 1.8.2-pre by running

  wget -O - 'http://sourceforge.jp/projects/tomoyo/svn/view/trunk/1.8.x/ccs-tools/ccstools.tar.gz?root=tomoyo&view=tar' | tar -zxf -

I'll include policy namespace when I propose TOMOYO 2.4 next time.

Please try and report problems.

Regards.

_______________________________________________
tomoyo-users-en mailing list
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
