[tomoyo-users-en 496] How to stop auto-adding policy use_profile 0 on Tomoyo 2.5
karl156
2012-07-11 15:30:01 UTC
How can I stop Tomoyo from auto adding such entries to my policy file?

<kernel> /usr/sbin/cron /bin/sh
use_profile 0
use_group 0


I tried this, but it still adds hundreds of those entries.

<kernel>
use_profile 4
use_group 0

<kernel> 4-COMMENT=-----ReallyDisabled Mode-----
<kernel> 4-PREFERENCE={ max_audit_log=0 max_learning_entry=0 }
<kernel> 4-CONFIG={ mode=disabled grant_log=no reject_log=no }

What am I doing wrong? How can I stop it?
I am using Tomoyo 2.5 on Linux 3.2.
Tetsuo Handa
2012-07-11 15:57:46 UTC
Hello.
Post by karl156
How can I stop Tomoyo from auto adding such entries to my policy file?
<kernel> /usr/sbin/cron /bin/sh
use_profile 0
use_group 0
What am I doing wrong? How can I stop it?
Sorry but you can't.

use_profile and use_group lines are automatically added and are overwritable
but are not deletable. These lines are essential attributes of the domain.
Post by karl156
I am using Tomoyo 2.5 on Linux 3.2.
use_profile line takes a profile number defined in /sys/kernel/security/tomoyo/profile .

use_group line takes an acl_group number defined in /sys/kernel/security/tomoyo/exception_policy .

Regards.
karl156
2012-07-11 16:42:06 UTC
Thanks for your fast reply. Just to be sure we are talking about the
same thing:

I have hundreds of these empty domains in my policy. They only consist of
"use_profile 0" and "use_group 0". No real ACL entries. I know that I
need use_profile and use_group for domains I really have a policy for.

But for the empty domains these 3 lines are somewhat useless to me. So
there is no simple way to stop this auto adding?

I am just thinking if something like this would do the job:
"file execute /\{\*\}/\* keep"
This would stop domain transitions, which means that there will be no
more empty domains. But I am not yet sure where I should place the entry.



Off-topic: How do I set a placeholder for any number?
"file chmod /path/to/file 0644" works
"file chmod /path/to/file 0-99999" works but is range limited
"file chmod /path/to/file \*" does not work
"file chmod /path/to/file *" does not work
Tetsuo Handa
2012-07-11 17:14:16 UTC
Post by karl156
But for the empty domains these 3 lines are somewhat useless to me. So
there is no simple way to stop this auto adding?
You can define keep_domain in the exception policy.
( http://tomoyo.sourceforge.jp/2.5/chapter-5.html#5.2 )
Post by karl156
"file execute /\{\*\}/\* keep"
You may want to specify

keep_domain any from any

in the exception policy, which by default suppresses domain transition.
Post by karl156
Off-topic: How do I set a placeholder for any number?
"file chmod /path/to/file 0644" works
"file chmod /path/to/file 0-99999" works but is range limited
"file chmod /path/to/file \*" does not work
"file chmod /path/to/file *" does not work
You can define number_group like

number_group ANY_NUMBER 0-0xFFFFFFFF

in the exception policy and refer to it using @groupname like

file chmod /path/to/file @ANY_NUMBER

. ( http://tomoyo.sourceforge.jp/2.5/chapter-6.html#6.3 )


This is past 2 AM. Next response will be after morning.
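To measure how many transition-only domains a learning run has left behind before deciding on keep_domain, here is an added example (not from the thread or from the TOMOYO project) that parses a domain_policy dump in the format shown in the posts; the policy text inside it is a constructed sample.

```python
# Constructed sample (not a real policy dump) in the format the thread shows:
# a "<kernel> ..." header names the domain, then use_profile / use_group and
# whatever ACL entries belong to it follow.
SAMPLE_DOMAIN_POLICY = """\
<kernel>
use_profile 4
use_group 0

<kernel> /usr/sbin/cron
use_profile 3
use_group 0
file read /etc/crontab
file execute /bin/sh

<kernel> /usr/sbin/cron /bin/sh
use_profile 0
use_group 0

<kernel> /usr/sbin/cron /bin/sh /usr/bin/find
use_profile 0
use_group 0
"""


def parse_domain_policy(text):
    """Return {domain_name: {"profile": int, "group": int, "acl": [str]}}."""
    domains = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):
            # The whole header line is the domain name (its execution history).
            current = domains.setdefault(line, {"profile": None, "group": None, "acl": []})
        elif current is None:
            raise ValueError("entry before any domain header: %r" % line)
        elif line.startswith("use_profile "):
            current["profile"] = int(line.split()[1])
        elif line.startswith("use_group "):
            current["group"] = int(line.split()[1])
        else:
            current["acl"].append(line)
    return domains


def empty_domains(domains):
    """Domains with only the mandatory attribute lines (root "<kernel>" skipped)."""
    return sorted(name for name, d in domains.items()
                  if name != "<kernel>" and not d["acl"])
```

The names it returns are exactly the domains that exist only because a domain transition happened, which is what `keep_domain any from any` stops being created.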