On Wed, Mar 23, 2011 at 10:12 AM, Jamie Nguyen <jamie****@tomoy*****> wrote:

> Mauras Olivier wrote:
> > Oh... So putting an incorrect value doesn't validate it, right?
> > If so, how could I make those /sbin/init appear correctly? Because for now in
> > my domain list they appear under the same /sbin/init as my host one...
> > I can see them separated by switching to process mode, but they don't show
> > the directory they're executed in, and the only way for me to recognize each
> > one is to sort them by looking at their subprocesses.
>
> This is because of "initialize_domain /sbin/init from any" in
> exception policy. Any time and any place that /sbin/init is executed,
> it will run as the domain "<kernel> /sbin/init". You can either remove
> that line, or more preferably add "no_initialize_domain /sbin/init
> from <kernel> /domain/that/executes/sbin/init" to exception policy. If
> you add the no_initialize_domain line, then the /sbin/init that is run
> in your chroot will no longer appear as the same domain as the host
> /sbin/init. You will of course have to determine all domains you need
> to execute /sbin/init from and give them all a no_initialize_domain
> line.
>
> We have some revised documentation in progress at the moment. It is
> not yet fully completed and proof-read, but you can find it here if
> you are interested:
>
> http://tomoyo.sourceforge.jp/1.8-tmp/index.html.en
>
> Information on initialize_domain and no_initialize_domain directives:
> http://tomoyo.sourceforge.jp/1.8-tmp/chapter-5.html.en#5.2
>
> Information on use of exec.realpath in conditional ACL:
> http://tomoyo.sourceforge.jp/1.8-tmp/chapter-10.html.en
>
> Kind regards,
> Jamie
>
> _______________________________________________
> tomoyo-users-en mailing list
> tomoy****@lists*****
> http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en

Thanks Jamie, I now better understand how to manage these containers.
So I added an exception like you said, then added a new domain "<kernel> /path/to/container/sbin/init" and set it to learning mode. I made the container reboot and generate activity, but the domain doesn't list anything, and in the process view init is still listed as <kernel> /sbin/init.

Do I have to do something else? Reload anything?

Thanks,
Olivier
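The domain-transition rule Jamie describes (initialize_domain sends every exec of /sbin/init to "<kernel> /sbin/init" unless a no_initialize_domain line names the executing domain) is easy to get wrong when the container is launched from a different domain than the one named in the exception. The following is an added illustration written for this thread, not code from the TOMOYO project: it models only these two directives in a simplified resolver, ignores keep_domain, wildcards and conditional ACLs, and uses a constructed exception policy whose launcher domain "<kernel> /usr/bin/lxc-start" is a placeholder.

```python
"""Simplified model of TOMOYO 1.8 domain transitions for the
initialize_domain / no_initialize_domain exception-policy directives.

Added example for this thread; not TOMOYO project code. The matching
rules below are a simplification (assumption): a "from" source is either
"any", a full domain name beginning with "<kernel>", or a bare program
path that matches the last component of the executing domain.
"""

# Constructed exception policy. The lxc-start domain is a placeholder
# standing in for whichever domain actually executes the container's init.
EXCEPTION_POLICY = """\
initialize_domain /sbin/init from any
no_initialize_domain /sbin/init from <kernel> /usr/bin/lxc-start
"""


def parse_exception_policy(text):
    """Return (initialize_rules, no_initialize_rules) as lists of
    (program, source) tuples; blank lines and '#' comments are skipped."""
    inits, no_inits = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, rest = line.split(None, 1)
        program, _, source = rest.partition(" from ")
        if directive == "initialize_domain":
            inits.append((program, source))
        elif directive == "no_initialize_domain":
            no_inits.append((program, source))
    return inits, no_inits


def source_matches(source, domain):
    """Does the 'from' part of a rule apply to the executing domain?"""
    if source == "any":
        return True
    if source.startswith("<kernel>"):
        # A full domain name must match exactly, which is why every
        # launcher domain needs its own no_initialize_domain line.
        return source == domain
    # A bare program path matches the last component of the domain.
    return domain.split()[-1] == source


def child_domain(parent, program, policy):
    """Domain that `program` runs in when executed from `parent`."""
    inits, no_inits = policy
    default = f"{parent} {program}"  # ordinary transition: append program
    for prog, src in no_inits:
        if prog == program and source_matches(src, parent):
            return default  # exception cancels the initialize_domain rule
    for prog, src in inits:
        if prog == program and source_matches(src, parent):
            return f"<kernel> {program}"  # restart as a top-level domain
    return default


def domains_still_merged(parents, program, policy):
    """List the executing domains whose exec of `program` still lands in
    '<kernel> program', i.e. those that are missing an exception line."""
    return [p for p in parents
            if child_domain(p, program, policy) == f"<kernel> {program}"]


if __name__ == "__main__":
    policy = parse_exception_policy(EXCEPTION_POLICY)
    launchers = ["<kernel>", "<kernel> /usr/bin/lxc-start",
                 "<kernel> /usr/bin/lxc-start /bin/sh"]
    for p in launchers:
        print(f"{p!r:45} -> {child_domain(p, '/sbin/init', policy)}")
    print("still merged:", domains_still_merged(launchers, "/sbin/init", policy))
```

Run stand-alone, the script shows that init executed from the named launcher domain gets its own domain, while init executed from "<kernel> /usr/bin/lxc-start /bin/sh" (a shell one level deeper) still collapses into "<kernel> /sbin/init" because that domain has no exception of its own; domains_still_merged is the check to run against the real list of executing domains before expecting a new container init domain to appear.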