Discussion:
[tomoyo-users-en 544] Kernel Not Tracking New Domains
Abby Ricart
2013-03-12 01:01:06 UTC
Okay, I configured my kernel as such:

CONFIG_SECURITY_TOMOYO=y
CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=2048
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
# CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is not set
CONFIG_SECURITY_TOMOYO_POLICY_LOADER="/sbin/tomoyo-init"
CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/usr/lib/systemd/systemd"

And installed the latest tomoyo-tools (2.5) for my kernel (3.8.2). I then
initialized the policy (/usr/lib/tomoyo/init_policy).

Upon reboot, the Domain Transition Editor is still listing <kernel> as the
only domain. In dmesg the only tomoyo related message I get is this:

[ 0.000103] Security Framework initialized
[ 0.000126] TOMOYO Linux initialized

What am I doing wrong? The kernel doesn't seem to want to track new domains.
Tetsuo Handa
2013-03-12 14:01:59 UTC
Hello.
Post by Abby Ricart
CONFIG_SECURITY_TOMOYO=y
CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=2048
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
# CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is not set
CONFIG_SECURITY_TOMOYO_POLICY_LOADER="/sbin/tomoyo-init"
CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/usr/lib/systemd/systemd"
And installed the latest tomoyo-tools (2.5) for my kernel (3.8.2). I then
initialized the policy (/usr/lib/tomoyo/init_policy).
Upon reboot, the Domain Transition Editor is still listing <kernel> as the
[ 0.000103] Security Framework initialized
[ 0.000126] TOMOYO Linux initialized
What am I doing wrong? The kernel doesn't seem to want to track new domains.
This is because the pathname specified via
CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER (/usr/lib/systemd/systemd in your
case) has not yet been passed to an execve() request after the pathname specified via
CONFIG_SECURITY_TOMOYO_POLICY_LOADER (/sbin/tomoyo-init in your case) became
visible.

If the pathname specified via CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER is
passed to an execve() request after the pathname specified via
CONFIG_SECURITY_TOMOYO_POLICY_LOADER became visible, the pathname specified via
CONFIG_SECURITY_TOMOYO_POLICY_LOADER is executed and messages like

Calling /sbin/tomoyo-init to load policy. Please wait.
TOMOYO: 2.5.0

should be printed in dmesg.

For example, we need to specify /usr/lib/systemd/systemd to
CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER when using TOMOYO in Fedora 18,
because /init in Fedora 18's initramfs passes /usr/lib/systemd/systemd to the
execve() request.

Even if /sbin/init is a symlink to /lib/systemd/systemd or
/usr/lib/systemd/systemd, you need to specify /sbin/init to
CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER if your /init tries to pass
/sbin/init to the execve() request.

You can try appending TOMOYO_trigger=/sbin/init to the kernel boot command line
in order to temporarily override CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER.

After you have found the correct pathname to specify, you can update
CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER and rebuild your kernel.

If you still have problems, please tell me your distribution/version so that
I can try reproducing your problem.

Regards.

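The activation rule Tetsuo describes, as an added model that is not code from the kernel or from tomoyo-tools: it replays the execve() pathnames seen during early boot and reports whether the trigger would fire. The boot sequence, the file sets and the TOMOYO_trigger= command line are constructed for the example, and the policy-loader/trigger semantics are assumed to be exactly as stated in the reply (literal pathname comparison, loader must already be reachable, symlinks not resolved).

```python
from dataclasses import dataclass, field

@dataclass
class TomoyoBoot:
    policy_loader: str   # CONFIG_SECURITY_TOMOYO_POLICY_LOADER
    trigger: str         # CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER
    cmdline: str = ""    # kernel boot command line, may carry TOMOYO_trigger=
    loader_visible: bool = False
    policy_loaded: bool = False
    dmesg: list = field(default_factory=list)

    def __post_init__(self):
        # TOMOYO_trigger=<path> on the boot command line overrides the built-in trigger.
        for word in self.cmdline.split():
            if word.startswith("TOMOYO_trigger="):
                self.trigger = word.split("=", 1)[1]

    def mount(self, files):
        # The loader "becomes visible" once a filesystem containing it is mounted
        # (with an initramfs, typically only after switch_root to the real root).
        if self.policy_loader in files:
            self.loader_visible = True

    def execve(self, pathname):
        # The comparison is on the literal pathname handed to execve(); a symlink
        # such as /sbin/init -> /usr/lib/systemd/systemd is not resolved first.
        if self.policy_loaded or not self.loader_visible or pathname != self.trigger:
            return False
        self.dmesg.append(f"Calling {self.policy_loader} to load policy. Please wait.")
        self.dmesg.append("TOMOYO: 2.5.0")
        self.policy_loaded = True
        return True

def simulate(boot, events):
    """Replay ("mount", files) / ("exec", pathname) events; return
    (policy_loaded, pathnames that were actually compared against the trigger)."""
    compared = []
    for kind, arg in events:
        if kind == "mount":
            boot.mount(arg)
            continue
        if boot.loader_visible:
            compared.append(arg)
        boot.execve(arg)
    return boot.policy_loaded, compared

# Constructed sequence: the initramfs /init execs /sbin/init, a symlink to systemd.
EVENTS = [("exec", "/init"),
          ("mount", {"/sbin/tomoyo-init", "/sbin/init", "/usr/lib/systemd/systemd"}),
          ("exec", "/sbin/init")]
```

Running `simulate` with the original's trigger of /usr/lib/systemd/systemd shows the only pathname ever compared is /sbin/init, so nothing fires; the same sequence with TOMOYO_trigger=/sbin/init on the command line produces the two dmesg lines from the reply.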