[tomoyo-users-en 402] Re: 2.3 / 2.4 compatibility

Jamie Nguyen jamie****@tomoy*****
Thu Aug 25 07:26:21 JST 2011


Jamie Nguyen wrote:
> If you are asking about entries being added during Learning Mode
> (profile=2), then you could for example set file read/write to
> enforcing by adding this to your profile:
>
>  4-COMMENT=-----Learning mode with read/write in enforcing mode -----
>  4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
>  4-CONFIG::file={ mode=learning grant_log=no reject_log=yes }
>  4-CONFIG::file::open={ mode=enforcing grant_log=no reject_log=yes }
>
> Setting that domain to profile=4 will then stop new "file read" and
> "file write" entries from being automatically added, though it will
> also deny all read/write requests that are not already in the policy
> for that domain.
>
>
> If you are talking about log files generated by the tomoyo-auditd
> daemon, then you could add something like this to
> /etc/tomoyo/tools/auditd.conf and then restart the daemon:
>
>  domain.contains /usr/bin/application
>  acl.equals          file read /etc/shadow
>  destination         /dev/null
>
> This will mean that all "file read /etc/shadow" requests for that
> domain will not be logged. The /etc/tomoyo/tools/auditd.conf file has
> some useful instructions inside about the syntax to use.

Oh and the appropriate chapters for the above mentioned topics are here:

http://tomoyo.sourceforge.jp/2.4/chapter-9.html.en#9.2.2
http://tomoyo.sourceforge.jp/2.4/chapter-4.html.en#4.6
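As an added illustration (not code from this post or from tomoyo-tools), a small Python model of how a rule group like the one above is applied: the daemon reads three lines per event (header, domain, ACL), the conditions within a group are ANDed, and the first group whose conditions all hold selects the destination. The first-match semantics, the trailing catch-all rule and every sample record below are assumptions constructed for this example.

```python
# Constructed auditd.conf: the post's /etc/shadow rule plus an assumed catch-all.
AUDITD_CONF = """\
domain.contains /usr/bin/application
acl.equals          file read /etc/shadow
destination         /dev/null
header.contains     granted=no
destination         /var/log/tomoyo/reject_log
"""

# Constructed records, one (header, domain, acl) tuple per audited event.
RECORDS = [
    ("#2011/08/25 07:26:21# profile=4 mode=enforcing granted=no",
     "<kernel> /usr/bin/application", "file read /etc/shadow"),
    ("#2011/08/25 07:26:22# profile=4 mode=enforcing granted=no",
     "<kernel> /usr/bin/application", "file read /etc/passwd"),
    ("#2011/08/25 07:26:23# profile=4 mode=enforcing granted=no",
     "<kernel> /usr/sbin/sshd", "file read /etc/shadow"),
]


def parse_conf(text):
    """Return [(conditions, destination)]; a 'destination' line closes a group."""
    groups, pending = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "destination":
            groups.append((pending, value))
            pending = []
            continue
        field, _, op = key.partition(".")
        if field not in ("header", "domain", "acl") or op not in ("contains", "equals"):
            raise ValueError("unsupported rule: " + line)
        pending.append((field, op, value))
    return groups


def route(record, groups):
    """First group whose every condition holds wins; None if nothing matches."""
    fields = dict(zip(("header", "domain", "acl"), record))
    for conds, dest in groups:
        if all(fields[f] == v if op == "equals" else v in fields[f]
               for f, op, v in conds):
            return dest
    return None
```

Running `route(r, parse_conf(AUDITD_CONF))` over the sample records sends only the application's /etc/shadow read to /dev/null; its /etc/passwd read and sshd's /etc/shadow read still reach the reject log.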

