[tomoyo-users-en 401] Re: 2.3 / 2.4 compatibility

Jamie Nguyen jamie****@tomoy*****
Thu Aug 25 07:23:29 JST 2011


Hi,

By the way, which version of tomoyo are you asking about here? I'm guessing 2.4.

Milton Yates wrote:
> Actually, I am not asking for any kind of blacklist really, as I am
> fully against it. I understand my choice of /etc/shadow did not serve my
> point well here :) but I was more asking of a "don't audit" rule. Like
> you know this access will get denied by your policy, it is just you
> don't want to get notified about it, because you know it is going to happen.
> It is a way to reduce false positives and improve log relevance,
> otherwise you may find that you often get notified for stuff you did not
> allow _on purpose_ in your policy, still you will get notified about these.

Sorry, I'm not entirely sure what exactly you are asking.


If you are asking about entries being added during Learning Mode
(profile=2), then you could for example set file read/write to
enforcing by adding this to your profile:

  4-COMMENT=-----Learning mode with read/write in enforcing mode -----
  4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
  4-CONFIG::file={ mode=learning grant_log=no reject_log=yes }
  4-CONFIG::file::open={ mode=enforcing grant_log=no reject_log=yes }

Setting that domain to profile=4 will then stop new "file read" and
"file write" entries from being automatically added, though it will
also deny all read/write requests that are not already in the policy
for that domain.


If you are talking about log files generated by the tomoyo-auditd
daemon, then you could add something like this to
/etc/tomoyo/tools/auditd.conf and then restart the daemon:

  domain.contains /usr/bin/application
  acl.equals          file read /etc/shadow
  destination         /dev/null

This will mean that all "file read /etc/shadow" requests for that
domain will not be logged. The /etc/tomoyo/tools/auditd.conf file has
some useful instructions inside about the syntax to use.


Kind regards,
Jamie
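To show how the auditd.conf rule in the message above behaves, here is an added example that is not from the thread or the TOMOYO project: a small Python matcher that applies a constructed auditd.conf, using the `domain.contains` / `acl.equals` / `destination` rule shape from the message plus an assumed catch-all second rule, to constructed (domain, acl) audit records. The real tomoyo-auditd reads the kernel's log format and supports more keywords; this only illustrates the matching logic and the point that the rule silences one exact ACL for one domain, not other denials.

```python
# Constructed auditd.conf: rule 1 is the one from the message, rule 2 is an
# assumed catch-all so that every other denial still reaches the reject log.
AUDITD_CONF = """\
domain.contains /usr/bin/application
acl.equals          file read /etc/shadow
destination         /dev/null
destination         /var/log/tomoyo/reject_003.log
"""

# Constructed audit records as (domain, acl) pairs; the domain string is the
# process's domain name, the acl is the denied request.
RECORDS = [
    ("<kernel> /usr/sbin/sshd /usr/bin/application", "file read /etc/shadow"),
    ("<kernel> /usr/sbin/sshd /usr/bin/application", "file write /etc/passwd"),
    ("<kernel> /usr/sbin/cron", "file read /etc/shadow"),
]


def parse_conf(text):
    """Return a list of rules; each rule is a dict of optional
    'domain.contains' / 'acl.equals' conditions plus a 'destination'.
    A 'destination' line closes the rule being built (assumption)."""
    rules, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        current[key] = value.strip()
        if key == "destination":
            rules.append(current)
            current = {}
    return rules


def route(domain, acl, rules):
    """First rule whose conditions all match decides where the record goes."""
    for rule in rules:
        if "domain.contains" in rule and rule["domain.contains"] not in domain:
            continue
        if "acl.equals" in rule and rule["acl.equals"] != acl:
            continue
        return rule["destination"]
    return None  # no rule matched


def route_all(records=RECORDS, conf=AUDITD_CONF):
    """Route every constructed record; only the expected /etc/shadow read
    from the application's domain is discarded, the rest are still logged."""
    rules = parse_conf(conf)
    return [(domain, acl, route(domain, acl, rules)) for domain, acl in records]
```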



