Milton Yates wrote:
> These are some of the domains I have initialized:
> <kernel> /bin/prog /usr/bin/java
> <kernel> /bin/prog /usr/bin/java /opt/icedtea6-bin-\*/bin/java /stuffs
> <kernel> /bin/prog /usr/bin/java /opt/icedtea6-bin-\*/bin/java
>
> This last domain has to execute /usr/bin/java again; this is to make the
> program self-restart (after an update, for example). So the domain
> "<kernel> /bin/prog /usr/bin/java /opt/icedtea6-bin-\*/bin/java
> /usr/bin/java" will be created.
> I need to reset this domain back to the "<kernel> /bin/prog
> /usr/bin/java" domain.
You want /opt/icedtea6-bin-\*/bin/java to go back to the <kernel> /bin/prog /usr/bin/java domain upon execution of /usr/bin/java, don't you?

As TOMOYO 2.4 supports policy namespaces, you can create one for /bin/prog .
http://tomoyo.sourceforge.jp/2.4/chapter-13.html

You can add

  reset_domain /bin/prog from any

to the <kernel> namespace's exception policy. Adding this line causes processes belonging to the <kernel> namespace (e.g. the <kernel> domain, the <kernel> /sbin/init domain, the <kernel> /usr/sbin/sshd /bin/bash domain) to transit to the </bin/prog> domain upon execution of /bin/prog .

Then, you can add

  initialize_domain /usr/bin/java from any

to the </bin/prog> namespace's exception policy. Adding this line causes processes belonging to the </bin/prog> namespace (e.g. the </bin/prog> domain, the </bin/prog> /usr/bin/java domain, the </bin/prog> /usr/bin/java /opt/icedtea6-bin-\*/bin/java domain) to transit to the </bin/prog> /usr/bin/java domain upon execution of /bin/prog .

(Be sure to create the </bin/prog> domain and a profile for that domain manually, because domains are not automatically created upon domain transition across namespaces.)

You may instead want to add

  keep_domain any from any

to the </bin/prog> namespace's exception policy if you want to suppress domain transitions within the </bin/prog> namespace.

A simpler solution, which is also applicable to TOMOYO 2.3 users: you can add

  keep_domain /opt/icedtea6-bin-\*/bin/java from /usr/bin/java
  keep_domain /usr/bin/java from /usr/bin/java

to the exception policy. Adding these lines causes the creation of domains like

  <kernel> /bin/prog /usr/bin/java
  <kernel> /bin/prog /usr/bin/java /stuffs

_______________________________________________
tomoyo-users-en mailing list
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
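A small model of the domain-transition rules discussed above, added here as an example and not code from the mailing-list post or from TOMOYO itself: it applies reset_domain, initialize_domain and keep_domain with the precedence the kernel uses (reset, then initialize, then keep) and traces the exec chain from Milton's message under both policies proposed in the reply, so you can check which domain names a policy will produce before loading it. The path /opt/icedtea6-bin-1.10/bin/java is a constructed value, the model assumes the target domains already exist, and it ignores aggregator and no_* directives.

```python
import re
# Precedence the TOMOYO kernel applies when more than one directive matches.
_ORDER = ("reset_domain", "initialize_domain", "keep_domain")

def _path_match(pattern, path):
    # TOMOYO-style match: a '\*' in the pattern stands for any run of non-'/' characters.
    if pattern == "any":
        return True
    regex = "".join("[^/]*" if tok == r"\*" else re.escape(tok)
                    for tok in re.split(r"(\\\*)", pattern))
    return re.fullmatch(regex, path) is not None

def _rule_matches(rule, domain, program):
    _kind, prog, _from, frm = rule.split()
    if not _path_match(prog, program):
        return False
    # "from" is any, a full domain name, or the last program named in the domain
    return frm in ("any", domain) or domain.split()[-1] == frm

def next_domain(policy, domain, program):
    """Domain a process in `domain` enters on executing `program` (model, not kernel code)."""
    ns = domain.split()[0]                         # "<kernel>" or "</bin/prog>"
    for kind in _ORDER:
        for rule in policy.get(ns, []):
            if rule.startswith(kind + " ") and _rule_matches(rule, domain, program):
                if kind == "reset_domain":         # root domain of the program's own namespace
                    return "<%s>" % program
                if kind == "initialize_domain":    # child of the current namespace's root
                    return "%s %s" % (ns, program)
                return domain                      # keep_domain: stay where we are
    return "%s %s" % (domain, program)             # default: append the program

def run(policy, start, execs):
    """Trace a chain of execve() calls and return the domain after each one."""
    trace, domain = [], start
    for program in execs:
        domain = next_domain(policy, domain, program)
        trace.append(domain)
    return trace
# Constructed exec chain: java starts the icedtea binary, which restarts /usr/bin/java,
# which then runs /stuffs (the icedtea version number is made up).
CHAIN = ["/usr/bin/java", "/opt/icedtea6-bin-1.10/bin/java", "/usr/bin/java", "/stuffs"]
# TOMOYO 2.4 answer: a </bin/prog> namespace plus initialize_domain inside it.
NS_POLICY = {"<kernel>": ["reset_domain /bin/prog from any"],
             "</bin/prog>": ["initialize_domain /usr/bin/java from any"]}
# TOMOYO 2.3-compatible answer: keep_domain rules in the <kernel> namespace.
KEEP_POLICY = {"<kernel>": [r"keep_domain /opt/icedtea6-bin-\*/bin/java from /usr/bin/java",
                            "keep_domain /usr/bin/java from /usr/bin/java"]}
if __name__ == "__main__":
    print("\n".join(run(NS_POLICY, "<kernel>", ["/bin/prog"] + CHAIN)))
    print("\n".join(run(KEEP_POLICY, "<kernel> /bin/prog", CHAIN)))
```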
