Dear list, I am using linux 3.8.4, tomoyo tools 2.5.0, and I want to sandbox the skype process.
I installed tomoyo, added the kernel line and followed the instructions from the Archlinux wiki (0). The wiki presents a domain_policy.conf file and an exception_policy.conf. The two files seem reasonable to me, and seem a good starting point to eventually fine tune.

(0) https://wiki.archlinux.org/index.php/Skype#TOMOYO

Unfortunately with those settings Skype does not start at all, and I cannot understand the reason. I started tomoyo-auditd, and checked /var/log/tomoyo/reject_003.log to understand what is wrong. I copied a part of the reject_003.log at the bottom of the email. The first line is expected, as the original configuration file did not mention infinality, and I fixed it with two new lines in domain_policy.conf:

  file read /etc/fonts/infinality/styles.conf.avail/infinality/\*.conf
  file read /etc/fonts/infinality/\*.conf

After updating the configuration and restarting skype, those lines disappear. But the next lines completely puzzled me: the path_group in exception_policy.conf contains all the files and directories under ~/.Skype, and in the configuration file domain_policy.conf the lines

  file create @SKYPE_FILES 0666
  file read/write/unlink/truncate @SKYPE_FILES

should ensure that Skype can do whatever it needs in the directory. Why is tomoyo stopping the request?
Thanks for any insight,
Paolo

#2013/03/26 15:33:04# profile=3 mode=enforcing granted=no (global-pid=12304) task={ pid=12304 ppid=8058 uid=1000 gid=1000 euid=1000 egid=1000 suid=1000 sgid=1000 fsuid=1000 fsgid=1000 } path1={ uid=0 gid=0 ino=192620 major=0 minor=17 perm=0644 type=file } path1.parent={ uid=0 gid=0 ino=192609 perm=0755 }
<kernel> /usr/lib32/skype/skype
file read /etc/fonts/infinality/styles.conf.avail/infinality/52-infinality.conf
#2013/03/26 15:33:04# profile=3 mode=enforcing granted=no (global-pid=12314) task={ pid=12304 ppid=8058 uid=1000 gid=1000 euid=1000 egid=1000 suid=1000 sgid=1000 fsuid=1000 fsgid=1000 } path1.parent={ uid=1000 gid=1000 ino=53455 perm=0700 }
<kernel> /usr/lib32/skype/skype
file create /home/paolo/.Skype/shared_dynco/dc.lock 0600
#2013/03/26 15:33:04# profile=3 mode=enforcing granted=no (global-pid=12314) task={ pid=12304 ppid=8058 uid=1000 gid=1000 euid=1000 egid=1000 suid=1000 sgid=1000 fsuid=1000 fsgid=1000 } path1.parent={ uid=1000 gid=1000 ino=53455 perm=0700 }
<kernel> /usr/lib32/skype/skype
file create /home/paolo/.Skype/shared_dynco/dc.lock 0600
[...]
#2013/03/26 15:33:05# profile=3 mode=enforcing granted=no (global-pid=12314) task={ pid=12304 ppid=8058 uid=1000 gid=1000 euid=1000 egid=1000 suid=1000 sgid=1000 fsuid=1000 fsgid=1000 } path1.parent={ uid=1000 gid=1000 ino=53475 perm=0700 }
<kernel> /usr/lib32/skype/skype
file create /home/paolo/.Skype/paolo_bolzoni/config.tmp 0600
#2013/03/26 15:33:05# profile=3 mode=enforcing granted=no (global-pid=12318) task={ pid=12304 ppid=8058 uid=1000 gid=1000 euid=1000 egid=1000 suid=1000 sgid=1000 fsuid=1000 fsgid=1000 } path1={ uid=0 gid=0 ino=93211 major=0 minor=17 perm=0755 type=file } path1.parent={ uid=0 gid=0 ino=93206 perm=0755 }
<kernel> /usr/lib32/skype/skype
file read /usr/lib32/libv4l/plugins/libv4l-mplane.so
[...]

tomoyo-users-en mailing list
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
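An added diagnostic script, not from the thread above and not part of tomoyo-tools: it parses reject-log entries of the three-line shape quoted in the email (header, domain, access line) and checks each denied request against a constructed path_group and domain_policy, reporting which policy lines cover the path and whether the requested create mode is accepted. The sample log lines and the policy fragments are constructed, not the Arch wiki's files; it assumes that \* matches one path component, that \{\*\}/ matches any depth of nested directories, and that a create mode must equal the policy value or fall inside a written min-max range.

```python
import re

# Constructed sample entries shaped like the denials quoted in the email
# (header line, domain line, access line); the task= block is shortened.
REJECT_LOG = """\
#2013/03/26 15:33:04# profile=3 mode=enforcing granted=no (global-pid=12314) task={ pid=12304 uid=1000 } path1.parent={ uid=1000 gid=1000 ino=53455 perm=0700 }
<kernel> /usr/lib32/skype/skype
file create /home/paolo/.Skype/shared_dynco/dc.lock 0600
#2013/03/26 15:33:05# profile=3 mode=enforcing granted=no (global-pid=12318) task={ pid=12304 uid=1000 } path1={ uid=0 gid=0 ino=93211 perm=0755 type=file }
<kernel> /usr/lib32/skype/skype
file read /usr/lib32/libv4l/plugins/libv4l-mplane.so"""

# Constructed policy fragments (not the Arch wiki's): the group is assumed
# to cover ~/.Skype and everything nested below it, as the email describes.
PATH_GROUPS = {"SKYPE_FILES": [r"/home/\*/.Skype/\*", r"/home/\*/.Skype/\{\*\}/\*"]}
DOMAIN_POLICY = ["file create @SKYPE_FILES 0666",
                 "file read/write/unlink/truncate @SKYPE_FILES"]

def parse_reject_log(text):
    """Yield (domain, operation, path, mode or None) per three-line entry."""
    lines = [l for l in text.splitlines() if l.strip()]
    for domain, access in zip(lines[1::3], lines[2::3]):
        p = access.split()
        yield domain, p[1], p[2], (p[3] if len(p) > 3 else None)

def tomoyo_to_regex(pattern):
    """\\* = one path component; \\{\\*\\}/ = nested dirs (assumed: zero or more)."""
    parts = re.split(r"(\\\{\\\*\\\}/|\\\*)", pattern)
    trans = {r"\{\*\}/": "(?:[^/]+/)*", r"\*": "[^/]*"}
    return re.compile("^" + "".join(trans.get(s, re.escape(s)) for s in parts) + "$")

def mode_allowed(policy_mode, requested):
    """Assumed: create mode must equal the policy value or lie in a min-max range."""
    lo, _, hi = policy_mode.partition("-")
    return int(lo, 8) <= int(requested, 8) <= int(hi or lo, 8)

def match_policy(op, path, mode):
    """(policy line, verdict) for each line whose path pattern covers the request."""
    hits = []
    for line in DOMAIN_POLICY:
        kind, ops, target, *rest = line.split()
        pats = PATH_GROUPS[target[1:]] if target.startswith("@") else [target]
        if kind != "file" or op not in ops.split("/") \
                or not any(tomoyo_to_regex(p).match(path) for p in pats):
            continue
        ok = op != "create" or mode_allowed(rest[0], mode)
        hits.append((line, "would permit" if ok else
                     "path matches but create mode %s does not match %s" % (mode, rest[0])))
    return hits

if __name__ == "__main__":
    for domain, op, path, mode in parse_reject_log(REJECT_LOG):
        print(domain, op, path, mode, match_policy(op, path, mode))
```

Running it over the real reject_003.log only needs the three lines of each entry kept together, as tomoyo-auditd writes them.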
