JD wrote:
> I've just started with Tomoyo 2.4 on a fresh install on Arch Linux,
> but I can't set a policy.

I've just installed Arch Linux and confirmed that everything works fine.
/bin/dmesg shows that TOMOYO 2.4 is activated.

  sr 2:0:0:0: Attached scsi CD-ROM sr0
  kjournald starting.  Commit interval 5 seconds
  EXT3-fs (sda1): mounted filesystem with ordered data mode
  Calling /sbin/tomoyo-init to load policy. Please wait.
  TOMOYO: 2.4.0 Mandatory Access Control activated.
  udevd[249]: starting version 173

I assume you installed the Linux 3.1 kernel (by doing "pacman -S linux") and
tomoyo-tools-2.4.0.20111025-1 (by doing "pacman -S tomoyo-tools") after the
fresh installation.

> I've followed the instructions on the wiki: setting the grub command
> line, executing /usr/lib/tomoyo/init_policy, and running
> tomoyo-editpolicy; however, if I try to set a policy on any process
> ("s" and entering "1" where it asks for the new profile number), it
> does not change, the profile number remains at 0.

Well, I think you have skipped something. Please follow the checklist below.

(Q1) Did you correctly append security=tomoyo to the kernel lines
     (e.g. kernel /boot/vmlinuz-linux root=/dev/sda1 ro security=tomoyo)
     in /boot/grub/menu.lst?

(Q2) Did you run /usr/lib/tomoyo/init_policy *before* you rebooted?

(Q3) Did you find the "TOMOYO: 2.4.0" line in the output of the /bin/dmesg
     command *after* you rebooted?

(Q4) Did you run /usr/sbin/tomoyo-editpolicy without command line arguments?

(Q5) Did you find that (at least) some dozens of domains are displayed in
     the policy editor?

----- screenshot start -----
<<< Domain Transition Editor >>> 99 domains '?' for help
<kernel>
  0: 1 <kernel>
       => <kernel> /sbin/init ( -> 1 )
       => <kernel> /sbin/modprobe ( -> 84 )
  1: 1 * /sbin/init
  2: 1 /etc/rc.multi
  3: 1 /bin/rm
  4: 1 /bin/sed
  5: 1 /bin/stty
  6: 1 /bin/touch
  7: 1 /bin/tput
  8: 1 /etc/rc.d/crond
       => <kernel> /usr/sbin/crond ( -> 94 )
  9: 1 /bin/pidof
 10: 1 /bin/stty
 11: 1 /bin/tput
 12: 1 /etc/rc.d/hwclock
 13: 1 /bin/stty
 14: 1 /bin/tput
 15: 1 /etc/rc.d/netfs
 16: 1 /bin/mount
 17: 1 /bin/stty
 18: 1 /bin/tput
 19: 1 /etc/rc.d/network
 20: 1 /bin/stty
 21: 1 /bin/tput
 22: 1 /usr/sbin/ip
 23: 1 /etc/rc.d/syslog-ng
 24: 1 /bin/pidof
 25: 1 /bin/stty
 26: 1 /bin/tput
 27: 1 /usr/sbin/syslog-ng
 28: 1 /etc/rc.local
 29: 1 /sbin/sysctl
 30: 1 /etc/rc.sysinit
       => <kernel> /sbin/modprobe ( -> 84 )
       => <kernel> /sbin/udevd ( -> 85 )
 31: 1 /bin/chmod
 32: 1 /bin/cp
 33: 1 /bin/dmesg
 34: 1 /bin/findmnt
 35: 1 /bin/grep
 36: 1 /bin/install
 37: 1 /bin/ln
 38: 1 /bin/mkdir
 39: 1 /bin/mount
 40: 1 /bin/mountpoint
 41: 1 /bin/rm
 42: 1 /bin/stty
 43: 1 /bin/tput
 44: 1 /sbin/bootlogd
 45: 1 /sbin/fsck
 46: 1 /sbin/fsck.ext3
 47: 1 /sbin/hwclock
 48: 1 /sbin/minilogd
 49: 1 /sbin/swapon
 50: 1 /sbin/udevadm
 51: 1 /usr/bin/find
 52: 1 /usr/bin/kbd_mode
 53: 1 /usr/bin/loadkeys
 54: 1 /bin/sh
 55: 1 /bin/gzip
 56: 1 /usr/lib/initscripts/arch-tmpfiles
 57: 1 /bin/install
 58: 1 /usr/bin/find
 59: 1 /usr/bin/getent
 60: 1 /usr/bin/sort
 61: 1 /usr/bin/xargs
 62: 1 /usr/sbin/ip
 63: 1 /sbin/agetty
 64: 1 /bin/login
 65: 1 /bin/bash
 66: 1 /etc/rc.d/sshd
       => <kernel> /usr/sbin/sshd ( -> 95 )
 67: 1 /bin/cat
 68: 1 /bin/grep
 69: 1 /bin/readlinkcy
 70: 1 /bin/rm
 71: 1 /bin/stty
 72: 1 /bin/tput
 73: 1 /sbin/ifconfig
 74: 1 /usr/bin/pgrep
 75: 1 /usr/bin/tty
 76: 1 /usr/sbin/dhcpcd
 77: 1 /usr/lib/dhcpcd/dhcpcd-run-hooks
 78: 1 /bin/cat
 79: 1 /bin/chmod
 80: 1 /bin/hostname
 81: 1 /bin/rm
 82: 1 /bin/sed
 83: 1 /usr/sbin/tomoyo-editpolicy
 84: 1 * /sbin/modprobe
 85: 1 * /sbin/udevd
       => <kernel> /sbin/modprobe ( -> 84 )
 86: 1 /lib/udev/ata_id
 87: 1 /lib/udev/cdrom_id
 88: 1 /lib/udev/input_id
 89: 1 /lib/udev/path_id
 90: 1 /lib/udev/pci-db
 91: 1 /lib/udev/scsi_id
 92: 1 /lib/udev/usb_id
 93: 1 /sbin/blkid
 94: 1 * /usr/sbin/crond
 95: 1 * /usr/sbin/sshd
       => <kernel> /usr/sbin/sshd ( -> 95 )
 96: 1 /bin/bash
 97: 1 /usr/bin/tty
 98: 1 /usr/sbin/tomoyo-editpolicy
----- screenshot end -----

(Q6) Did you find that there are 13 entries on the screen that is displayed
     by pressing the "w" -> "p" keys?

----- screenshot start -----
<<< Profile Editor >>> 13 entries '?' for help
<kernel>
  0: PROFILE_VERSION=20100903
  1: 0-COMMENT=-----Disabled Mode-----
  2: 0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
  3: 0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
  4: 1-COMMENT=-----Learning Mode-----
  5: 1-CONFIG={ mode=learning grant_log=no reject_log=yes }
  6: 1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
  7: 2-COMMENT=-----Permissive Mode-----
  8: 2-CONFIG={ mode=permissive grant_log=no reject_log=yes }
  9: 2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
 10: 3-COMMENT=-----Enforcing Mode-----
 11: 3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
 12: 3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
----- screenshot end -----
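An added pre-flight script for checklist items Q1, Q2, Q3 and Q6 (example code written for this page, not from the mail above or from the tomoyo-tools project). Each check takes its input as text so it can be tried offline against the samples quoted in the mail, and main() runs the same checks against the live system. It assumes that tomoyo-tools 2.4 keeps the on-disk profiles in /etc/tomoyo/profile.conf and that an active TOMOYO kernel exposes /sys/kernel/security/tomoyo/ through securityfs.

```shell
#!/bin/sh
# Added example, not from the original mail or tomoyo-tools: a pre-flight
# script for checklist items Q1, Q2, Q3 and Q6. The checks take their input
# as text so they can be tried offline; main() feeds them the live system.
# Assumption: tomoyo-tools 2.4 keeps on-disk profiles in
# /etc/tomoyo/profile.conf and an active TOMOYO kernel exposes
# /sys/kernel/security/tomoyo/ through securityfs.

# Q1: security=tomoyo must be a whole word on the kernel command line
# (a stray "security=tomoyo2" or "nosecurity=tomoyo" does not count).
cmdline_has_tomoyo() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx 'security=tomoyo'
}

# Q3: the kernel log must carry the activation line quoted in the mail.
dmesg_has_tomoyo() {
    printf '%s\n' "$1" | grep -q 'TOMOYO: 2\.4\.0 Mandatory Access Control activated\.'
}

# Q6: list the profile numbers that have a CONFIG line. A stock init_policy
# run defines 0 (disabled), 1 (learning), 2 (permissive) and 3 (enforcing);
# the number typed after "s" in the domain editor must be one of them.
profile_numbers() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\)-CONFIG=.*/\1/p' |
        sort -un | tr '\n' ' ' | sed 's/ $//'
}

main() {
    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    log=$(dmesg 2>/dev/null || true)
    profiles=$(cat /etc/tomoyo/profile.conf 2>/dev/null || true)
    if cmdline_has_tomoyo "$cmdline"; then echo "Q1 ok: security=tomoyo is on the kernel command line"
    else echo "Q1 FAIL: security=tomoyo missing; fix the kernel line and reboot"; fi
    if [ -f /etc/tomoyo/profile.conf ]; then echo "Q2 ok: /etc/tomoyo/profile.conf exists"
    else echo "Q2 FAIL: no /etc/tomoyo/profile.conf; run /usr/lib/tomoyo/init_policy"; fi
    if dmesg_has_tomoyo "$log"; then echo "Q3 ok: kernel reports TOMOYO 2.4.0 activated"
    else echo "Q3 FAIL: no activation line in dmesg"; fi
    if [ -d /sys/kernel/security/tomoyo ]; then echo "ok: /sys/kernel/security/tomoyo is present"
    else echo "FAIL: /sys/kernel/security/tomoyo missing (securityfs not mounted or TOMOYO inactive)"; fi
    echo "Q6: profiles defined on disk: $(profile_numbers "$profiles")"
}
main
```

Run it as root after the reboot; a "FAIL" line points at the checklist item that was skipped, and a Q6 list without the number you type after "s" means that profile is not defined.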