[tomoyo-users-en 726] Re: domain_policy output from learning mode

Tetsuo Handa pengu****@i-lov*****
Sat Mar 14 19:22:37 JST 2020


Hello.

On 2020/03/14 1:49, Manuel Bessler wrote:
> 1. The learning-mode generated domain policy has a couple of combinations of rules added like
>    file getattr <file>
>    file read/getattr <file>
>    file getattr/truncate <file>
>    file read/write/getattr <file>
>    file read/write <file>
>    file append/getattr <file>
> 
>    Can I just list these separately, or combine them in different ways? For example:
>    file getattr <any-file>
>    file create/append/write/truncate/rename <write-file>
>    file read <readonly-file>
> 
>    Or even just:
>    file getattr/read/write/append/truncate/execute/unlink/symlink/rename/create <file>
> 

No, because these are grouped based on the number/type of arguments each operation takes.
For example, opening a file for read and/or write takes one pathname, creating a file
takes one pathname and one permission, renaming a file takes two pathnames.

> 2. There was a patch to ccs-patch in 2015 adding support for multiple use_group <n> per domain.
>     Did this ever make it into Tomoyo? From a quick glance, it doesn't look like it, but
>     I wanted to make sure before I get deep into policy writing.

If you are talking about TOMOYO 2.x, it is available in TOMOYO 2.6 (Linux 5.1 and later).
If you are talking about TOMOYO 1.x, it is available in TOMOYO 1.8 (Linux 2.4.37 / 2.6.27 and later).

> 
> 3. Can the various groupings (path_group, number_group, address_group...) be used recursively?
>     For example
>     path_group LIBS /lib/lib\*.so\*
>     path_group MYAPP /etc/myapp/\*
>     path_group MYAPP @LIBS

No. Please use "multiple use_group <n> per domain" available in TOMOYO 2.6 / 1.8.

> 
> 
> I was also wondering if there was a place (ie. github repo) where example
> policies for common programs are kept?

No. Since I'm not a member of Linux distributions, I can't afford to provide
ready-made policies. Contributions from users are welcome.

> For example, to run Nginx webserver, there are few things that are common
> across all installs that would make it possible to reuse, and thus one does
> not have to start from scratch...

You can publish them in your repositories.

Regards.
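
The grouping rule explained above (operations can only share one "file" rule when they take the same arguments) can be applied mechanically to learning-mode output. The script below is an added example written for this archive page; it is not part of the mailing-list thread and not one of TOMOYO's own tools. It merges "file" rules with identical arguments into the combined form learning mode itself prints, and refuses to combine operations from different argument classes (one path, two paths, path plus number, path plus device numbers). The operation-to-class tables are taken from the keyword tables of TOMOYO 2.x as I remember them; the domain, paths and policy lines in SAMPLE are constructed for illustration.

```python
"""Merge TOMOYO learning-mode "file" rules only where the syntax allows it.

Added example for the archive page, not TOMOYO code. Operation classes are
assumed to match the TOMOYO 2.x keyword tables (single path, two paths,
path+number, path+device numbers). SAMPLE is a constructed domain_policy
fragment for a hypothetical daemon.
"""

# Operation keyword -> argument class (assumed from the TOMOYO 2.x tables).
PATH1 = ("execute", "read", "write", "append", "unlink", "getattr",
         "rmdir", "truncate", "symlink", "chroot", "unmount")
PATH2 = ("link", "rename", "pivot_root")
PATH_NUMBER = ("create", "mkdir", "mkfifo", "mksock", "ioctl",
               "chmod", "chown", "chgrp")
MKDEV = ("mkblock", "mkchar")

OP_CLASS = {}
for _cls, _ops in (("path", PATH1), ("path2", PATH2),
                   ("path_number", PATH_NUMBER), ("mkdev", MKDEV)):
    for _op in _ops:
        OP_CLASS[_op] = _cls

# Number of arguments each class carries after the operation list:
# one path; two paths; path + number; path + mode + major + minor.
ARGC = {"path": 1, "path2": 2, "path_number": 2, "mkdev": 4}

# Keyword order used when printing a combined rule (read/write/getattr ...).
ORDER = {op: i for i, op in enumerate(PATH1 + PATH2 + PATH_NUMBER + MKDEV)}


def parse_file_rule(line):
    """Split 'file <op[/op...]> <args...>' into (class, ops, args).

    Raises ValueError for unknown operations, for an operation list that
    mixes argument classes (which one rule cannot express), and for a
    wrong argument count.
    """
    parts = line.split()
    if len(parts) < 3 or parts[0] != "file":
        raise ValueError("not a file rule: %r" % line)
    ops = parts[1].split("/")
    classes = {OP_CLASS.get(op) for op in ops}
    if None in classes:
        raise ValueError("unknown operation in %r" % line)
    if len(classes) != 1:
        raise ValueError("mixed argument classes in %r" % line)
    cls = classes.pop()
    args = tuple(parts[2:])
    if len(args) != ARGC[cls]:
        raise ValueError("expected %d argument(s) in %r" % (ARGC[cls], line))
    return cls, ops, args


def merge_file_rules(lines):
    """Collapse 'file' rules with identical class and arguments into one rule."""
    merged = {}  # (class, args) -> set of operations; insertion order kept
    for line in lines:
        line = line.strip()
        if not line.startswith("file "):
            continue
        cls, ops, args = parse_file_rule(line)
        merged.setdefault((cls, args), set()).update(ops)
    out = []
    for (cls, args), ops in merged.items():
        ops_sorted = sorted(ops, key=ORDER.__getitem__)
        out.append("file %s %s" % ("/".join(ops_sorted), " ".join(args)))
    return out


def normalize_domain_policy(text):
    """Return the policy with 'file' rules merged; header lines stay as-is."""
    lines = text.splitlines()
    header = [l for l in lines if not l.startswith("file ")]
    return header + merge_file_rules(lines)


# Constructed sample of learning-mode output for a hypothetical domain.
SAMPLE = """\
<kernel> /usr/sbin/example-daemon
use_profile 1
use_group 0
file getattr /etc/example/app.conf
file read /etc/example/app.conf
file read/getattr /var/lib/example/state.db
file write /var/lib/example/state.db
file append/getattr /var/log/example/app.log
file create /var/run/example.pid 0644
file rename /var/run/example.pid.tmp /var/run/example.pid
"""

if __name__ == "__main__":
    print("\n".join(normalize_domain_policy(SAMPLE)))
```

Running it prints the two rules for app.conf as one "file read/getattr" line and the three for state.db as "file read/write/getattr", while the create rule (path plus mode) and the rename rule (two paths) stay separate. Feeding it a hand-written line such as "file read/create /tmp/x 0644" raises ValueError, which is the check to run before handing an edited policy to the loader.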


