Discussion:
[tomoyo-users-en 512] Tomoyo in a prodution system
(too old to reply)
florian.lissandres
2012-08-29 14:39:43 UTC
Permalink
Raw Message
Hello,

I have some questions about how use Tomoyo in a production environment.

If I have 2 systems :
- A development system on which I can define my policy ;
- A production system on which I want to set up the policy defined on the
development environment. I just want to protect some processes. For example
I only want to protect a web server and a web browser.

I would like to know :

1- Which files I have to set in the production system ? I don't need any
tools, I only need minimum files to protect the production system.

2- If I could disable the fact that Tomoyo learns domains in the Domain
Transition Editor (I do not need this on the production system) ?


One last question, how can I comment lines in the domain_policy.conf file?

Thank you.

Florian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.sourceforge.jp/mailman/archives/tomoyo-users-en/attachments/20120829/e00fe629/attachment.htm
Tetsuo Handa
2012-08-31 02:17:40 UTC
Permalink
Raw Message
Hello from San Diego.

I'm attending LinuxCon North America 2012 / Linux Security Summit 2012
and yesterday / today I had a presentation about CaitSith.
Post by florian.lissandres
I have some questions about how use Tomoyo in a production environment.
Guessing from your past posts, I assume you are talking about TOMOYO 2.5.
Post by florian.lissandres
- A development system on which I can define my policy ;
- A production system on which I want to set up the policy defined on the
development environment. I just want to protect some processes. For example
I only want to protect a web server and a web browser.
1- Which files I have to set in the production system ? I don't need any
tools, I only need minimum files to protect the production system.
/etc/tomoyo/*.conf which will be loaded by /sbin/tomoyo-init are needed.
Also, /sbin/tomoyo-init is needed for loading /etc/tomoyo/*.conf
when /sbin/init starts.

If you are building your kernel for the production system, you can embed
policy files under /etc/tomoyo/ directory into the kernel by copying
/etc/tomoyo/*.conf to security/tomoyo/policy/ directory under your kernel
source tree. Also, using CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER=y
eliminates the need for locating /sbin/tomoyo-init (but you might need to
adjust policy configuration a bit if you are using
CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER=n in the development system).
Post by florian.lissandres
2- If I could disable the fact that Tomoyo learns domains in the Domain
Transition Editor (I do not need this on the production system) ?
You don't need to copy /usr/sbin/tomoyo-* nor /usr/lib/tomoyo/* to the
production system if you don't use these programs.
Post by florian.lissandres
One last question, how can I comment lines in the domain_policy.conf file?
Well, comment lines are not supported.
But since unparsable lines are simply ignored, you can embed lines like

#some comment

into your policy files. (Such lines are dropped upon load and therefore
do not appear when reading /sys/kernel/security/tomoyo/ interface.)

Regards.

Loading...