Hi, Mark,

On Sun, Aug 25, 2013 at 12:46 AM, Mark <[email protected]> wrote:

> Hi all,
>
> I've been reading about, and playing with Tomoyo 2.5 on a Funtoo
> hardened system that has kernel 3.2.50 with grsec. Funtoo is a Gentoo
> derivative.
>
> I have enabled a default policy with "emerge --config tomoyo-tools".
> Then rebooted and now I see, for example, domains of the form:
>
> <kernel> /etc/init.d/SCRIPTNAME
>
> Obviously there are a lot of these so now my question is about the
> learning policy (#1).
>
> Should I, for example, set them all to 1 (learning mode), save the
> policy, reboot the system, and then after a while I can update the
> policy to Enforce? Should I only set this domain to 1, or should I do
> this for the children as well?
>

It depends on your concern and the purpose of using TOMOYO,
so there's no ready-made answer for the above question.


> I assume that this would create sane defaults that can be enforced if
> the programs/daemons are called from the init scripts (which, on my
> system, is how the programs should always start).
>

From the viewpoint of TOMOYO (if it makes sense :-), there are no
concepts of, nor differences between, daemons and init scripts.
Everything appears to be just a process.


> The documentation does name how to build policies for daemons, but with
> the domains I mentioned I'm unsure about what is a good practice.
> Comments appreciated, thank you :)
>
> Mark
>

If you say you're unsure, why don't you start playing with daemons first?
Once you master how to limit/enforce daemons, you'll be able to
do the same for init scripts (if you want, of course).

Or, you can put everything (every process) under learning mode, and
then decide what to restrict.
(like TOMOYO Live CD
http://tomoyo.sourceforge.jp/1.8/ubuntu10.04-live.html.en)

Cheers,
Toshiharu Harada
[email protected]
_______________________________________________
tomoyo-users-en mailing list
[email protected]
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
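An added example, not part of this thread or of the TOMOYO tools: a small Python script that previews, on a saved copy of domain_policy, the effect of the choice Mark asks about (profile 1 for one init-script domain only, or for its whole subtree of child domains), mirroring offline what `tomoyo-setprofile -r` does on a live system. The policy text is a constructed sample in the TOMOYO 2.x domain_policy layout (domain name line, `use_profile`, `use_group`, then ACL lines); the function names are mine. It also lists domains in the subtree that have learned no ACLs yet, which is the check worth making before moving a subtree from learning (1) to enforcing (3), since an unexercised domain put into enforcing mode would have nothing permitted.

```python
"""Preview profile assignment over a TOMOYO 2.x domain_policy subtree.

Added example (not from the thread or the TOMOYO project). Profile numbers
follow TOMOYO's default profile.conf: 0 disabled, 1 learning, 2 permissive,
3 enforcing. A child domain's name is its parent's name plus ' <program>',
so a subtree is simply a name-prefix match.
"""
from __future__ import annotations

DISABLED, LEARNING, PERMISSIVE, ENFORCING = 0, 1, 2, 3

# Constructed sample policy (assumed layout of TOMOYO 2.x domain_policy).
SAMPLE_POLICY = """\
<kernel>
use_profile 0
use_group 0

<kernel> /etc/init.d/sshd
use_profile 0
use_group 0
file read /etc/conf.d/sshd

<kernel> /etc/init.d/sshd /usr/sbin/sshd
use_profile 0
use_group 0
file read /etc/ssh/sshd_config

<kernel> /etc/init.d/sshd /usr/sbin/sshd /bin/bash
use_profile 0
use_group 0

<kernel> /etc/init.d/cron
use_profile 0
use_group 0
"""


def parse_policy(text: str) -> list[dict]:
    """Split domain_policy text into ordered domain records."""
    domains: list[dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):          # a new domain block starts
            current = {"name": line, "profile": 0, "group": 0, "acls": []}
            domains.append(current)
        elif current is None:
            continue                              # tolerate junk before the first domain
        elif line.startswith("use_profile "):
            current["profile"] = int(line.split()[1])
        elif line.startswith("use_group "):
            current["group"] = int(line.split()[1])
        else:
            current["acls"].append(line)          # learned/granted ACL line
    return domains


def is_in_subtree(domain: str, root: str) -> bool:
    """True for the root domain itself and every domain spawned beneath it."""
    return domain == root or domain.startswith(root + " ")


def set_profile(domains: list[dict], root: str, profile: int,
                recursive: bool = True) -> list[str]:
    """Mirror `tomoyo-setprofile [-r] PROFILE DOMAIN`; return names changed."""
    changed = []
    for d in domains:
        hit = is_in_subtree(d["name"], root) if recursive else d["name"] == root
        if hit and d["profile"] != profile:
            d["profile"] = profile
            changed.append(d["name"])
    return changed


def unexercised_domains(domains: list[dict], root: str) -> list[str]:
    """Domains under root that learned nothing: enforcing them would permit nothing."""
    return [d["name"] for d in domains
            if is_in_subtree(d["name"], root) and not d["acls"]]


def render_policy(domains: list[dict]) -> str:
    """Serialise records back into domain_policy text."""
    blocks = []
    for d in domains:
        lines = [d["name"], f"use_profile {d['profile']}",
                 f"use_group {d['group']}", *d["acls"]]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    doms = parse_policy(SAMPLE_POLICY)
    root = "<kernel> /etc/init.d/sshd"
    print("learning for subtree:", set_profile(doms, root, LEARNING))
    print("not yet exercised:", unexercised_domains(doms, root))
    print(render_policy(doms))
```

Run it against a real export by replacing `SAMPLE_POLICY` with the contents of a saved domain_policy; the rendered text is what you would feed back with the tomoyo-loadpolicy tool after reviewing it.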