Hello.

Matthias Lay wrote:
> Hi,
>
> I am playing around with tomoyo rulesets on a system with a RO squashfs
> as root filesystem.
>
> I noticed all rootfs binaries are prefixed with "squashfs:"
>
> ..... squashfs:/bin/cat' not defined
>
> but I can't create a rule with that prefix, as the editor doesn't like
> the prefix in its syntax.
>
> "squashfs:/bin/cat is an invalid domainname"
>
> The executed programs don't show up in the editor either.
>
> The only way to get them to show up and create working rules is to
> create aggregators like
>
> aggregator squashfs:/bin/cat /bin/cat
>
> With this set in exception_policies.conf, /bin/cat shows up in the
> editor and I can create rules for /bin/cat.

Yes, that will be the easiest approach when using learning mode (i.e.
recording possible domain transition patterns).

> Is there another way to get this working, without the need to create an
> aggregator for every binary on the system?

Not applicable to learning mode, but I think that you can explicitly specify
to which domain the current thread should transit at a "file execute" entry (

  file execute [candidate] [domainname]
  file execute [candidate] [pathname]

in http://tomoyo.osdn.jp/2.5/policy-specification/domain-transition-procedure.html#transition_by_execute ).

If you specify

  keep_domain any from any

in exception policy, domain transition will be suppressed by default (i.e. no
need to enumerate all binaries in squashfs using an "aggregator" entry). You
can specify [domainname] or [pathname] as needed in order to force domain
transition.

> Greetz
> Matze

Regards.
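As an added illustration (not part of the mail thread above), the two approaches the reply contrasts written out as TOMOYO 2.5 policy fragments: the per-binary "aggregator" enumeration, and the "keep_domain any from any" default with explicit "file execute" transitions for selected programs only. The sshd domain, the "use_profile" number and the /bin/ls path are assumed for this example; the "squashfs:" prefix on pathnames is the one reported in the question, and the reading of the [pathname] form follows the specification linked in the reply.

```conf
# --- exception_policy.conf, approach 1 (what the question already does) ---
# Learning mode records transitions per executed pathname, so each
# "squashfs:"-prefixed program is mapped back to a plain pathname to make it
# usable in domain names and visible in the editor. One line per binary.
aggregator squashfs:/bin/cat /bin/cat
aggregator squashfs:/bin/ls  /bin/ls
# ... and so on for every binary on the squashfs root

# --- exception_policy.conf, approach 2 (what the reply suggests) ---
# Suppress domain transition on execute by default. Programs keep running in
# the caller's domain, so nothing on the squashfs root needs an aggregator.
keep_domain any from any

# --- domain_policy.conf: force a transition only where one is wanted ---
# Domain name, profile number and paths below are assumed for this example.
<kernel> /usr/sbin/sshd
use_profile 3
# [domainname] form: executing squashfs:/bin/cat moves the thread into the
# named domain "<kernel> /bin/cat" (a domain name without the "squashfs:"
# prefix, which the editor rejects in domain names).
file execute squashfs:/bin/cat <kernel> /bin/cat
# [pathname] form: the new domain is named after /bin/ls rather than after
# the "squashfs:"-prefixed path (assumed reading of the linked spec).
file execute squashfs:/bin/ls /bin/ls
```

With approach 2 the unlisted binaries (everything without a "file execute ... [domainname|pathname]" entry) never leave the sshd domain, so their accesses are checked against that domain's rules; only the programs given an explicit transition get a domain of their own.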