[tomoyo-users-en 518] Why ERROR: Domain '</bin/id>' not ready.
do1
2012-12-25 09:30:26 UTC
Hello,

I want to have two domains, so I added this to domain_policy:

# cat /sys/kernel/security/tomoyo/domain_policy
<kernel>
use_profile 0
use_group 0

</bin/id>
use_profile 0
use_group 0

And two rules in exception policy:

# grep domain /sys/kernel/security/tomoyo/exception_policy
<kernel> keep_domain any from any
<kernel> reset_domain /bin/id from any

Now when I run /bin/id I get an error:

# /bin/id
-bash: /bin/id: Cannot allocate memory

and an error in dmesg:

ERROR: Domain '</bin/id>' not ready.

What is the cause of this? As I guess this should be only if "profile for the domain is not defined", but it's defined in domain_policy.

When I use initialize_domain all works OK, but I want to understand what's wrong with reset_domain.

# uname -r
3.4.22

Best regards,
Don.

Tetsuo Handa
2012-12-25 10:30:23 UTC
Hello.
Post by do1
> ERROR: Domain '</bin/id>' not ready.
> What is the cause of this? As I guess this should be only if "profile for the domain is not defined", but it's defined in domain_policy.

You need to append profiles for </bin/id> namespace like

<kernel> PROFILE_VERSION=20100903
<kernel> 0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
</bin/id> PROFILE_VERSION=20100903
</bin/id> 0-CONFIG={ mode=disabled grant_log=no reject_log=yes }

because "use_profile 0" for "</bin/id>" namespace needs a line like

"</bin/id> 0-CONFIG={ mode=disabled grant_log=no reject_log=yes }".

Please see http://tomoyo.sourceforge.jp/2.5/chapter-14.html for examples.
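
The check described in the reply above, as an added example that is not part of the original thread or the TOMOYO tools: it cross-references `use_profile N` lines in domain_policy text against `N-CONFIG` lines in profile text, per namespace. The function names and sample strings are constructed for illustration, and treating unprefixed profile lines as belonging to `<kernel>` is an assumption.

```python
import re

# Constructed sample input mirroring the policy quoted in the thread.
DOMAIN_POLICY = """\
<kernel>
use_profile 0
use_group 0

</bin/id>
use_profile 0
use_group 0
"""
PROFILE_BEFORE = """\
<kernel> PROFILE_VERSION=20100903
<kernel> 0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
"""
PROFILE_AFTER = PROFILE_BEFORE + """\
</bin/id> PROFILE_VERSION=20100903
</bin/id> 0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
"""

def profiles_used(domain_policy):
    """Return {(namespace, N)} referenced by use_profile lines."""
    used, ns = set(), None
    for line in domain_policy.splitlines():
        line = line.strip()
        if line.startswith("<"):
            # The first token of a domain name is its namespace.
            ns = line.split(" ", 1)[0]
        elif ns and (m := re.fullmatch(r"use_profile (\d+)", line)):
            used.add((ns, int(m.group(1))))
    return used

def profiles_defined(profile_text):
    """Return {(namespace, N)} that have an N-CONFIG line."""
    defined = set()
    for line in profile_text.splitlines():
        line = line.strip()
        ns, rest = "<kernel>", line  # assumption: no prefix means <kernel>
        if line.startswith("<") and " " in line:
            ns, rest = line.split(" ", 1)
        if m := re.match(r"(\d+)-CONFIG(::[a-z_:]+)?=", rest):
            defined.add((ns, int(m.group(1))))
    return defined

def missing_profiles(domain_policy, profile_text):
    """Sorted (namespace, N) pairs used by a domain but not defined."""
    return sorted(profiles_used(domain_policy) - profiles_defined(profile_text))

if __name__ == "__main__":
    for ns, n in missing_profiles(DOMAIN_POLICY, PROFILE_BEFORE):
        print(f"{ns}: use_profile {n} has no '{ns} {n}-CONFIG=' line")
```

Run against saved copies of the two policy files before loading them, so that a namespace without its own profile is caught before a domain transition fails.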