Discussion:
[tomoyo-users-en 654] caitsith-editpolicy?
(too old to reply)
0***@cox.net
2016-10-22 17:19:13 UTC
Permalink
Raw Message
Do you have any plans to create an ncurses caitsith-editpolicy similar
to ccs-editpolicy? I've been contemplating migrating from CCS to
Caitsith and miss the ncurses editor for in-memory policy editing.
Tetsuo Handa
2016-10-23 00:07:35 UTC
Permalink
Raw Message
Hello.
Post by 0***@cox.net
Do you have any plans to create an ncurses caitsith-editpolicy similar
to ccs-editpolicy? I've been contemplating migrating from CCS to
Caitsith and miss the ncurses editor for in-memory policy editing.
Since I think that caitsith-loadpolicy and caitsith-queryd are sufficient
for editing in-memory policy configuration ( /proc/caitsith/policy or
/sys/kernel/security/caitsith/policy ), I don't have a plan to create
caitsith-editpolicy .

Since TOMOYO modifies in-memory policy configuration, we use ccs-editpolicy
or tomoyo-editpolicy for browsing and editing in-memory policy configuration.
But since CaitSith does not, there is little need for browsing and editing
in-memory policy configuration using a dedicated tool.

You can run caitsith-savepolicy when you modified in-memory policy configuration
using caitsith-loadpolicy or caitsith-queryd .
0***@cox.net
2016-10-23 01:20:58 UTC
Permalink
Raw Message
Thanks for the response. My question stemmed from what is probably just
some confusion on my part. I have been attempting to make changes
directly to /etc/caitsith/policy/current
and then load those changes by issuing command #
/usr/sbin/caitsith-loadpolicy < /etc/caitsith/policy/current. What I
found is that this seems to append /etc/caitsith/policy/current to
/sys/kernel/security/caitsith/policy. If I had made some deletions to
/etc/caitsith/policy/current, # cat /sys/kernel/security/caitsith/policy
would still show some of the policy I had deleted. I tried the command #
/usr/sbin/caitsith-loadpolicy << /etc/caitsith/policy/current, but that
didn't work. In hindsight, I should have asked if there is a way to
completely replace /sys/kernel/security/caitsith/policy with
/etc/caitsith/policy/current without rebooting?
Post by Tetsuo Handa
Hello.
Post by 0***@cox.net
Do you have any plans to create an ncurses caitsith-editpolicy similar
to ccs-editpolicy? I've been contemplating migrating from CCS to
Caitsith and miss the ncurses editor for in-memory policy editing.
Since I think that caitsith-loadpolicy and caitsith-queryd are sufficient
for editing in-memory policy configuration ( /proc/caitsith/policy or
/sys/kernel/security/caitsith/policy ), I don't have a plan to create
caitsith-editpolicy .
Since TOMOYO modifies in-memory policy configuration, we use ccs-editpolicy
or tomoyo-editpolicy for browsing and editing in-memory policy configuration.
But since CaitSith does not, there is little need for browsing and editing
in-memory policy configuration using a dedicated tool.
You can run caitsith-savepolicy when you modified in-memory policy configuration
using caitsith-loadpolicy or caitsith-queryd .
Tetsuo Handa
2016-10-23 04:52:56 UTC
Permalink
Raw Message
Post by 0***@cox.net
Thanks for the response. My question stemmed from what is probably just
some confusion on my part. I have been attempting to make changes
directly to /etc/caitsith/policy/current and then load those changes by
issuing command
# /usr/sbin/caitsith-loadpolicy < /etc/caitsith/policy/current
. What I found is that this seems to append /etc/caitsith/policy/current to
/sys/kernel/security/caitsith/policy.
Yes, TOMOYO / CaitSith's policy interface deletes a line (and lines which
depend on that line) when that line starts with "delete " keyword, and
appends that line when that line does not start with "delete " keyword.

But there is an exception. The "delete " keyword is ignored for lines which
start with "POLICY_VERSION=" or "stat " or "quota " or "audit ".

Lines which start with "POLICY_VERSION=" or "quota " or "audit " can be
updated by overwriting that line.

# echo 'quota audit[1] allowed=1024' | caitsith-loadpolicy
# echo 'quota memory audit 16777216' | caitsith-loadpolicy
# caitsith-savepolicy -

Lines which start with "quota " will not be printed if its quota value is 0.

# echo 'quota audit[1] allowed=0 denied=0 unmatched=0' | caitsith-loadpolicy
# echo 'quota memory audit 0' | caitsith-loadpolicy
# caitsith-savepolicy -
Post by 0***@cox.net
If I had made some deletions to
/etc/caitsith/policy/current,
# cat /sys/kernel/security/caitsith/policy
would still show some of the policy I had deleted.
You need to replace /sys/kernel/security/caitsith/policy with
/etc/caitsith/policy/current using commands shown below.
Post by 0***@cox.net
I tried the command
# /usr/sbin/caitsith-loadpolicy << /etc/caitsith/policy/current
, but that didn't work. In hindsight, I should have asked if there is
a way to completely replace /sys/kernel/security/caitsith/policy with
/etc/caitsith/policy/current without rebooting?
You can use below commands to completely replace in-memory policy configuration
without rebooting.

# caitsith-savepolicy - | awk ' { print "delete " $0 }' | caitsith-loadpolicy
# caitsith-loadpolicy < /etc/caitsith/policy/current

But please be aware that there is a moment where all access requests are
unconditionally granted (and/or domain transition does not occur as expected)
due to lack of in-memory policy configuration.

If you care about such moment, you can edit in-memory policy configuration
using caitsith-loadpolicy and then save in-memory policy configuration using
caitsith-savepolicy .

# edit a_temporary_file_which_contains_changes
# caitsith-loadpolicy < a_temporary_file_which_contains_changes
# caitsith-savepolicy
# rm a_temporary_file_which_contains_changes

Content of a_temporary_file_which_contains_changes would look like below.

Append entries without deletion.
----------
10 acl execute
10 allow path="/path/to/old_executable"

20 acl read
audit 0
10 allow path="/path/to/old_file"
----------

Append entries with some deletion.
----------
10 acl execute
10 allow path="/path/to/new_executable"
delete 10 allow path="/path/to/old_executable"

21 acl read
audit 1
10 allow path="/path/to/file"

delete 20 acl read
----------
Post by 0***@cox.net
Post by Tetsuo Handa
Hello.
Post by 0***@cox.net
Do you have any plans to create an ncurses caitsith-editpolicy similar
to ccs-editpolicy? I've been contemplating migrating from CCS to
Caitsith and miss the ncurses editor for in-memory policy editing.
Since I think that caitsith-loadpolicy and caitsith-queryd are sufficient
for editing in-memory policy configuration ( /proc/caitsith/policy or
/sys/kernel/security/caitsith/policy ), I don't have a plan to create
caitsith-editpolicy .
Since TOMOYO modifies in-memory policy configuration, we use ccs-editpolicy
or tomoyo-editpolicy for browsing and editing in-memory policy configuration.
But since CaitSith does not, there is little need for browsing and editing
in-memory policy configuration using a dedicated tool.
You can run caitsith-savepolicy when you modified in-memory policy configuration
using caitsith-loadpolicy or caitsith-queryd .
0***@cox.net
2016-10-23 22:44:41 UTC
Permalink
Raw Message
Thank you so much for these detailed explanations and examples! I am now
able to reliably edit Caitsith policy without rebooting.
Post by Tetsuo Handa
Post by 0***@cox.net
Thanks for the response. My question stemmed from what is probably just
some confusion on my part. I have been attempting to make changes
directly to /etc/caitsith/policy/current and then load those changes by
issuing command
# /usr/sbin/caitsith-loadpolicy < /etc/caitsith/policy/current
. What I found is that this seems to append /etc/caitsith/policy/current to
/sys/kernel/security/caitsith/policy.
Yes, TOMOYO / CaitSith's policy interface deletes a line (and lines which
depend on that line) when that line starts with "delete " keyword, and
appends that line when that line does not start with "delete " keyword.
But there is an exception. The "delete " keyword is ignored for lines which
start with "POLICY_VERSION=" or "stat " or "quota " or "audit ".
Lines which start with "POLICY_VERSION=" or "quota " or "audit " can be
updated by overwriting that line.
# echo 'quota audit[1] allowed=1024' | caitsith-loadpolicy
# echo 'quota memory audit 16777216' | caitsith-loadpolicy
# caitsith-savepolicy -
Lines which start with "quota " will not be printed if its quota value is 0.
# echo 'quota audit[1] allowed=0 denied=0 unmatched=0' | caitsith-loadpolicy
# echo 'quota memory audit 0' | caitsith-loadpolicy
# caitsith-savepolicy -
Post by 0***@cox.net
If I had made some deletions to
/etc/caitsith/policy/current,
# cat /sys/kernel/security/caitsith/policy
would still show some of the policy I had deleted.
You need to replace /sys/kernel/security/caitsith/policy with
/etc/caitsith/policy/current using commands shown below.
Post by 0***@cox.net
I tried the command
# /usr/sbin/caitsith-loadpolicy << /etc/caitsith/policy/current
, but that didn't work. In hindsight, I should have asked if there is
a way to completely replace /sys/kernel/security/caitsith/policy with
/etc/caitsith/policy/current without rebooting?
You can use below commands to completely replace in-memory policy configuration
without rebooting.
# caitsith-savepolicy - | awk ' { print "delete " $0 }' | caitsith-loadpolicy
# caitsith-loadpolicy < /etc/caitsith/policy/current
But please be aware that there is a moment where all access requests are
unconditionally granted (and/or domain transition does not occur as expected)
due to lack of in-memory policy configuration.
If you care about such moment, you can edit in-memory policy configuration
using caitsith-loadpolicy and then save in-memory policy configuration using
caitsith-savepolicy .
# edit a_temporary_file_which_contains_changes
# caitsith-loadpolicy < a_temporary_file_which_contains_changes
# caitsith-savepolicy
# rm a_temporary_file_which_contains_changes
Content of a_temporary_file_which_contains_changes would look like below.
Append entries without deletion.
----------
10 acl execute
10 allow path="/path/to/old_executable"
20 acl read
audit 0
10 allow path="/path/to/old_file"
----------
Append entries with some deletion.
----------
10 acl execute
10 allow path="/path/to/new_executable"
delete 10 allow path="/path/to/old_executable"
21 acl read
audit 1
10 allow path="/path/to/file"
delete 20 acl read
----------
Post by 0***@cox.net
Post by Tetsuo Handa
Hello.
Post by 0***@cox.net
Do you have any plans to create an ncurses caitsith-editpolicy similar
to ccs-editpolicy? I've been contemplating migrating from CCS to
Caitsith and miss the ncurses editor for in-memory policy editing.
Since I think that caitsith-loadpolicy and caitsith-queryd are sufficient
for editing in-memory policy configuration ( /proc/caitsith/policy or
/sys/kernel/security/caitsith/policy ), I don't have a plan to create
caitsith-editpolicy .
Since TOMOYO modifies in-memory policy configuration, we use ccs-editpolicy
or tomoyo-editpolicy for browsing and editing in-memory policy configuration.
But since CaitSith does not, there is little need for browsing and editing
in-memory policy configuration using a dedicated tool.
You can run caitsith-savepolicy when you modified in-memory policy configuration
using caitsith-loadpolicy or caitsith-queryd .
Loading...