Hi Tetsuo,

I have answered my own question from a previous post of yours: http://comments.gmane.org/gmane.linux.tomoyo.user.english/118

I think in summary I had two issues:

1. profile.conf had got deleted somehow.
2. system came back up with no profiles, I unknowingly created profile.conf again but they hadn't got loaded into the kernel.

I tried to load them via:

/sbin/tomoyo-init

but received:

<kernel> /usr/sbin/sshd /bin/bash /bin/su /bin/bash ( /bin/bash ) is not permitted to update policies.

which meant I had to reboot regardless so that: "/sbin/tomoyo-init copies /etc/tomoyo/manager.conf to /sys/kernel/security/tomoyo/manager", in which case I may as well reboot so that /sbin/tomoyo-init loads in profile.conf anyway!

Thank you for your help.

--
Campbell
www.cammckenzie.com

PS: I like tomoyo, I think with better userland tools it could catch on. For example better file / pathname globbing to slim down domain.conf files. (Similar to: http://wiki.apparmor.net/index.php/QuickProfileLanguage#File_Globbing)

Anyway thanks again for your help.

On 11 May 2012 08:25, Cam Mckenzie <[email protected]> wrote:

> Hello,
>
> > Did you execute tomoyo-savepolicy between after changing profile from 1 to 3
> > and before rebooting your system?
>
> No, you are correct that I didn't save the profile after I changed it to
> use_profile 3 but the rest of the profile was saved.
>
> > prompt is because /etc/tomoyo/profile.conf was deleted by some reason.
>
> Hmm not sure how I OR if I deleted but I think I recreated it running:
> /usr/lib/tomoyo/tomoyo_init_policy after it stopped working after the
> reboot.
>
> > According to INFO below, it seems to me that profiles 2 and 3 are defined.
> > You meant "use_profile 2" and "use_profile 3" lines have gone from
> > /etc/tomoyo/domain_policy.conf and /sys/kernel/security/tomoyo/domain_policy ?
>
> The problem I have is that the Kernel does not know about profiles 2 or 3.
>
> Please double check the below output: The reason there is even a profile
> "2" is because I created one within tomoyo-editpolicy's Profile Editor, Yes
> the correct profiles are defined in the profile.conf, but it doesn't match
> what is in the kernel.
>
> root@www:~# cat /sys/kernel/security/tomoyo/profile
> 0-COMMENT=disabled
> 0-MAC_FOR_FILE=disabled
> 0-MAX_ACCEPT_ENTRY=0
> 0-TOMOYO_VERBOSE=disabled
> 1-COMMENT=disabled
> 1-MAC_FOR_FILE=disabled
> 1-MAX_ACCEPT_ENTRY=0
> 1-TOMOYO_VERBOSE=disabled
> 2-COMMENT=
> 2-MAC_FOR_FILE=disabled
> 2-MAX_ACCEPT_ENTRY=2048
> 2-TOMOYO_VERBOSE=enabled
>
> ^^ Note: Profile 2 isn't the same, and there is no profile 3 in the kernel.
>
> root@www:~# cat /etc/tomoyo/profile.conf
> 0-COMMENT=-----Disabled Mode-----
> 0-MAC_FOR_FILE=disabled
> 0-TOMOYO_VERBOSE=disabled
> 1-COMMENT=-----Learning Mode-----
> 1-MAC_FOR_FILE=learning
> 1-TOMOYO_VERBOSE=disabled
> 2-COMMENT=-----Permissive Mode-----
> 2-MAC_FOR_FILE=permissive
> 2-TOMOYO_VERBOSE=enabled
> 3-COMMENT=-----Enforcing Mode-----
> 3-MAC_FOR_FILE=enforcing
> 3-TOMOYO_VERBOSE=enabled
>
> I think my main question is now, how do I load the profiles from disk into
> the kernel?
>
> Thanks for your help so far.
>
> --Cam
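
The mismatch between the two `cat` outputs quoted above can be checked mechanically. This is an added example, not part of the original thread or of the TOMOYO tools: `parse_profiles` and `profile_drift` are hypothetical helper names, and the sample data is an excerpt of the thread's output with the COMMENT lines omitted.

```python
import re

# Excerpt of the two `cat` outputs quoted in the thread (COMMENT lines omitted).
KERNEL_SAMPLE = """\
0-MAC_FOR_FILE=disabled
0-MAX_ACCEPT_ENTRY=0
0-TOMOYO_VERBOSE=disabled
1-MAC_FOR_FILE=disabled
1-MAX_ACCEPT_ENTRY=0
1-TOMOYO_VERBOSE=disabled
2-MAC_FOR_FILE=disabled
2-MAX_ACCEPT_ENTRY=2048
2-TOMOYO_VERBOSE=enabled
"""
DISK_SAMPLE = """\
0-MAC_FOR_FILE=disabled
0-TOMOYO_VERBOSE=disabled
1-MAC_FOR_FILE=learning
1-TOMOYO_VERBOSE=disabled
2-MAC_FOR_FILE=permissive
2-TOMOYO_VERBOSE=enabled
3-MAC_FOR_FILE=enforcing
3-TOMOYO_VERBOSE=enabled
"""
LINE_RE = re.compile(r"^(\d+)-([A-Z_]+)=(.*)$")

def parse_profiles(text):
    """Map profile number -> {key: value} from 'N-KEY=VALUE' lines."""
    profiles = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            profiles.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return profiles

def profile_drift(kernel_text, disk_text):
    """Return (profile, key, loaded, on_disk) for each on-disk setting that differs."""
    kernel, disk = parse_profiles(kernel_text), parse_profiles(disk_text)
    drift = []
    for num in sorted(disk):
        for key, want in sorted(disk[num].items()):
            have = kernel.get(num, {}).get(key)  # None: not loaded in the kernel
            if have != want:
                drift.append((num, key, have, want))
    return drift

if __name__ == "__main__":
    for num, key, have, want in profile_drift(KERNEL_SAMPLE, DISK_SAMPLE):
        print(f"profile {num}: {key} kernel={have!r} disk={want!r}")
```

On a live system, pass the contents of /sys/kernel/security/tomoyo/profile and /etc/tomoyo/profile.conf instead of the samples; an empty result means every setting in profile.conf is what the kernel has loaded.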
