Tetsuo Handa wrote:
> If you are experiencing this problem when using policy namespaces,
> I think you are confused by the two things below.
>
> Please check that the domains with "use_group 0" and the exception policy with
> "acl_group 0" belong to the same policy namespace. For example, the "<kernel>
> /usr/sbin/sshd /bin/bash" domain is in the "<kernel>" namespace. Thus, this domain
> will search for "<kernel> acl_group 0 misc env HOME" in the exception
> policy.
> (For compatibility, the "<kernel> " prefix is omissible for the "<kernel> acl_group 0
> misc env HOME" case.) But the "</usr/sbin/sshd> /bin/bash" domain is in the
> "</usr/sbin/sshd>" namespace. Thus, this domain will search for
> "</usr/sbin/sshd> acl_group 0 misc env HOME" in the exception policy.
>
> Also, please note that the permission for receiving environment variables (misc
> env) and the permission for using interpreter/loader programs (file read) are
> checked using the domain the process will belong to upon successful
> program execution. For example,
>
>   <kernel> reset_domain /usr/sbin/sshd from any
>
> will cause processes which belong to domains in the "<kernel>" namespace to
> temporarily transit to the "</usr/sbin/sshd>" domain in the "</usr/sbin/sshd>"
> namespace. ("Temporarily" means that they will return to the old domain if
> program execution has failed, and they will remain in the new domain if program
> execution has succeeded.) Therefore, "misc env HOME" is searched for in the
> "</usr/sbin/sshd>" namespace using the "use_group" settings of the "</usr/sbin/sshd>"
> domain. As you put "acl_group 0 misc env HOME" into the "<kernel>" namespace,
> the process which is temporarily in the "</usr/sbin/sshd>" namespace is unable
> to find "</usr/sbin/sshd> acl_group 0 misc env HOME" in the exception
> policy.
>
> This means that, when you develop a policy for a specific application using a
> policy namespace, you can restrict the environment variables which the application
> is allowed to receive without worrying about interference with other policy
> namespaces.
Actually, I believe I have set it up correctly:

  grep "^<kernel> reset_domain" exception_policy.conf
  <kernel> reset_domain /usr/bin/firefox from any

  grep "^</usr/bin/firefox> acl_group 0 misc env" exception_policy.conf
  </usr/bin/firefox> acl_group 0 misc env HOME
  </usr/bin/firefox> acl_group 0 misc env USERNAME
  ...

  grep -A 3 "^</usr/bin/firefox>" domain_policy.conf
  </usr/bin/firefox>
  use_profile 3
  use_group 0

I confirm that the problem still persists.

_______________________________________________
tomoyo-users-en mailing list
[email protected]
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
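The lookup rules described in the quoted reply (a domain's namespace is its first component, "use_group N" only searches "<ns> acl_group N ..." entries in that same namespace, the "<kernel> " prefix is optional for the "<kernel>" namespace, and "reset_domain X from any" moves the process to "<X>" in namespace "<X>" before the env check runs) can be modelled in a few lines. The following is an added illustration written for this thread; it is not TOMOYO's own code, and the sample policy text, the helper names and the firefox/sshd fragments it contains are constructed for the example. It shows the sshd case from the reply (HOME granted in "<kernel>" is invisible from "</usr/sbin/sshd>") and, using the firefox fragment posted above, that the lookup rule itself is satisfied by that fragment, so whatever causes the persisting failure lies outside the rules this model covers.

```python
"""Toy model of TOMOYO policy-namespace lookup for acl_group / use_group.

Added example for the tomoyo-users-en thread; not TOMOYO's own code.
Only the rules quoted in the thread are modelled: nothing else about
TOMOYO (profiles, other ACL types, learning mode) is represented.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample policy (not copied from any real system). It contains the
# sshd example from the quoted reply plus the firefox lines from the reporter.
EXCEPTION_POLICY = """\
acl_group 0 misc env HOME
<kernel> reset_domain /usr/sbin/sshd from any
</usr/sbin/sshd> acl_group 0 misc env TERM
<kernel> reset_domain /usr/bin/firefox from any
</usr/bin/firefox> acl_group 0 misc env HOME
</usr/bin/firefox> acl_group 0 misc env USERNAME
"""

DOMAIN_POLICY = """\
<kernel> /usr/sbin/sshd /bin/bash
use_profile 3
use_group 0

</usr/sbin/sshd>
use_profile 3
use_group 0

</usr/sbin/sshd> /bin/bash
use_profile 3
use_group 0

</usr/bin/firefox>
use_profile 3
use_group 0
"""


@dataclass
class ExceptionPolicy:
    # (namespace, group number) -> ACL strings such as "misc env HOME"
    acl_groups: dict[tuple[str, int], set[str]] = field(default_factory=dict)
    # namespace -> programs listed in "reset_domain <prog> from any"
    reset_from_any: dict[str, set[str]] = field(default_factory=dict)


def namespace_of(domain: str) -> str:
    """A domain's namespace is its first component: "<kernel>" or "</usr/sbin/sshd>"."""
    return domain.split()[0]


def parse_exception_policy(text: str) -> ExceptionPolicy:
    pol = ExceptionPolicy()
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Compatibility rule: a line without a namespace prefix is in "<kernel>".
        if tokens[0].startswith("<"):
            ns, tokens = tokens[0], tokens[1:]
        else:
            ns = "<kernel>"
        if tokens[0] == "acl_group":
            group = int(tokens[1])
            pol.acl_groups.setdefault((ns, group), set()).add(" ".join(tokens[2:]))
        elif tokens[0] == "reset_domain" and tokens[2:] == ["from", "any"]:
            pol.reset_from_any.setdefault(ns, set()).add(tokens[1])
    return pol


def parse_domain_policy(text: str) -> dict[str, set[int]]:
    """Return domain name -> set of use_group numbers (use_profile is ignored here)."""
    groups: dict[str, set[int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<"):
            current = line
            groups.setdefault(current, set())
        elif line.startswith("use_group ") and current is not None:
            groups[current].add(int(line.split()[1]))
    return groups


def env_allowed(domain: str, var: str, exc: ExceptionPolicy, dom: dict[str, set[int]]) -> bool:
    """Is "misc env VAR" granted to DOMAIN via one of its use_group entries?
    The search never leaves the domain's own namespace."""
    ns = namespace_of(domain)
    return any(f"misc env {var}" in exc.acl_groups.get((ns, g), set())
               for g in dom.get(domain, set()))


def domain_after_exec(current: str, program: str, exc: ExceptionPolicy) -> str:
    """Domain the process is (temporarily) in while PROGRAM is being executed."""
    if program in exc.reset_from_any.get(namespace_of(current), set()):
        return f"<{program}>"        # reset_domain: new namespace named after the program
    return f"{current} {program}"    # ordinary transition: program appended to the path


def exec_env_allowed(current: str, program: str, var: str,
                     exc: ExceptionPolicy, dom: dict[str, set[int]]) -> tuple[str, bool]:
    """The env check at exec time is made against the *target* domain, not the caller."""
    target = domain_after_exec(current, program, exc)
    return target, env_allowed(target, var, exc, dom)


EXC = parse_exception_policy(EXCEPTION_POLICY)
DOM = parse_domain_policy(DOMAIN_POLICY)

if __name__ == "__main__":
    for cur, prog in [("<kernel>", "/usr/sbin/sshd"),
                      ("<kernel> /usr/sbin/sshd", "/bin/bash"),
                      ("<kernel>", "/usr/bin/firefox")]:
        print(cur, "exec", prog, "->", exec_env_allowed(cur, prog, "HOME", EXC, DOM))
```

Running it prints that executing /usr/sbin/sshd from "<kernel>" lands in "</usr/sbin/sshd>" where HOME is not found (only TERM is granted there), that /bin/bash executed from "<kernel> /usr/sbin/sshd" stays in the "<kernel>" namespace and does find the unprefixed "acl_group 0 misc env HOME", and that the firefox fragment as posted does satisfy the lookup. Feed real policy files to the two parsers to check a namespace/group pairing before blaming the ACL line itself.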
