[tomoyo-users-en 513] Re: Tomoyo in a production system

Tetsuo Handa from-****@I-lov*****
Fri Aug 31 11:17:40 JST 2012


Hello from San Diego.

I'm attending LinuxCon North America 2012 / Linux Security Summit 2012
and yesterday / today I had a presentation about CaitSith.

florian.lissandres wrote:
> I have some questions about how to use Tomoyo in a production environment.

Guessing from your past posts, I assume you are talking about TOMOYO 2.5.

> If I have 2 systems:
> - A development system on which I can define my policy;
> - A production system on which I want to set up the policy defined on the
> development environment. I just want to protect some processes. For example
> I only want to protect a web server and a web browser.
>
> I would like to know:
> 
> 1- Which files do I have to put in the production system? I don't need any
> tools, I only need the minimum files to protect the production system.

The /etc/tomoyo/*.conf files, which are loaded by /sbin/tomoyo-init, are needed.
/sbin/tomoyo-init itself is also needed, to load /etc/tomoyo/*.conf
when /sbin/init starts.

If you are building your kernel for the production system, you can embed
the policy files under the /etc/tomoyo/ directory into the kernel by copying
/etc/tomoyo/*.conf to the security/tomoyo/policy/ directory under your kernel
source tree. Also, using CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER=y
eliminates the need to have /sbin/tomoyo-init in place (but you might need to
adjust the policy configuration a bit if you are using
CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER=n on the development system).

> 2- Whether I can disable Tomoyo learning domains in the Domain
> Transition Editor (I do not need this on the production system)?

You don't need to copy /usr/sbin/tomoyo-* or /usr/lib/tomoyo/* to the
production system if you don't use these programs.

> 
> One last question, how can I comment lines in the domain_policy.conf file?

Well, comment lines are not supported.
But since unparsable lines are simply ignored, you can embed lines like

#some comment

into your policy files. (Such lines are dropped upon load and therefore
do not appear when reading /sys/kernel/security/tomoyo/ interface.)

Regards.
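The deployment the reply describes, as an added shell example that is not part of this thread and not a TOMOYO project tool: it stages the development host's /etc/tomoyo/*.conf into a production root and, optionally, into a kernel tree's security/tomoyo/policy/ directory for a built-in policy, dropping the "#..." comment lines that the kernel would discard on load anyway. The policy lines in the sample are constructed for illustration in TOMOYO 2.x syntax, the directory names dev/prod/linux are assumptions, and the function names strip_comments and stage_policy are mine.

```shell
#!/bin/sh
# Added example, not from the thread or from TOMOYO's own tools.
# Stage the minimum policy set for a production host: only /etc/tomoyo/*.conf
# (plus, optionally, a copy in a kernel tree for a built-in policy).
set -eu

# strip_comments FILE
#   Print FILE without "#..." lines. The kernel ignores unparsable lines on
#   load anyway, so removing them changes nothing about the loaded policy.
strip_comments() {
    grep -v '^#' "$1" || true   # grep exits 1 when nothing is left; not an error
}

# stage_policy SRC_DIR DST_DIR [KERNEL_TREE]
#   Copy SRC_DIR/*.conf to DST_DIR (the production /etc/tomoyo), comments
#   stripped. With KERNEL_TREE, also place them in
#   KERNEL_TREE/security/tomoyo/policy/ so they can be built into the kernel
#   (CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER=y). Prints the file count.
stage_policy() {
    src=$1; dst=$2; ktree=${3:-}
    mkdir -p "$dst"
    if [ -n "$ktree" ]; then mkdir -p "$ktree/security/tomoyo/policy"; fi
    n=0
    for f in "$src"/*.conf; do
        if [ ! -e "$f" ]; then echo "stage_policy: no *.conf in $src" >&2; return 1; fi
        base=$(basename "$f")
        strip_comments "$f" > "$dst/$base"
        if [ -n "$ktree" ]; then cp "$dst/$base" "$ktree/security/tomoyo/policy/$base"; fi
        n=$((n + 1))
    done
    echo "$n"
}

# --- constructed sample input (illustrative TOMOYO 2.x policy lines) ---
work=$(mktemp -d)
mkdir -p "$work/dev"
cat > "$work/dev/domain_policy.conf" <<'EOF'
# Comment lines like this are unparsable and are dropped on load.
<kernel> /usr/sbin/httpd
use_profile 3
file read /etc/httpd/\*.conf
EOF
cat > "$work/dev/exception_policy.conf" <<'EOF'
# Make the web server its own domain regardless of who starts it.
initialize_domain /usr/sbin/httpd from any
EOF

staged=$(stage_policy "$work/dev" "$work/prod/etc/tomoyo" "$work/linux")
echo "staged $staged policy file(s) under $work/prod/etc/tomoyo and $work/linux/security/tomoyo/policy"
```

On a real target built with CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER=n you still need /sbin/tomoyo-init on the production root, which this script does not copy; with =y, rebuild the kernel after populating security/tomoyo/policy/ and the staged /etc/tomoyo copy becomes optional.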
