Post by 0***@cox.net
Thanks for the response. My question stemmed from what is probably just
some confusion on my part. I have been attempting to make changes
directly to /etc/caitsith/policy/current and then load those changes by
issuing the command
# /usr/sbin/caitsith-loadpolicy < /etc/caitsith/policy/current
What I found is that this seems to append /etc/caitsith/policy/current to
/sys/kernel/security/caitsith/policy.
Yes, TOMOYO / CaitSith's policy interface deletes a line (and the lines which
depend on that line) when the line starts with the "delete " keyword, and
appends the line when it does not start with the "delete " keyword.
But there is an exception. The "delete " keyword is ignored for lines which
start with "POLICY_VERSION=", "stat ", "quota " or "audit ".
Lines which start with "POLICY_VERSION=", "quota " or "audit " can be
updated by overwriting that line.
# echo 'quota audit[1] allowed=1024' | caitsith-loadpolicy
# echo 'quota memory audit 16777216' | caitsith-loadpolicy
# caitsith-savepolicy -
Lines which start with "quota " will not be printed if their quota value is 0.
# echo 'quota audit[1] allowed=0 denied=0 unmatched=0' | caitsith-loadpolicy
# echo 'quota memory audit 0' | caitsith-loadpolicy
# caitsith-savepolicy -
Post by 0***@cox.net
If I had made some deletions to
/etc/caitsith/policy/current,
# cat /sys/kernel/security/caitsith/policy
would still show some of the policy I had deleted.
You need to replace /sys/kernel/security/caitsith/policy with
/etc/caitsith/policy/current using the commands shown below.
Post by 0***@cox.net
I tried the command
# /usr/sbin/caitsith-loadpolicy << /etc/caitsith/policy/current
but that didn't work. In hindsight, I should have asked if there is
a way to completely replace /sys/kernel/security/caitsith/policy with
/etc/caitsith/policy/current without rebooting?
You can use the commands below to completely replace the in-memory policy
configuration without rebooting.
# caitsith-savepolicy - | awk ' { print "delete " $0 }' | caitsith-loadpolicy
# caitsith-loadpolicy < /etc/caitsith/policy/current
But please be aware that there is a moment when all access requests are
unconditionally granted (and/or domain transitions do not occur as expected)
due to the lack of an in-memory policy configuration.
If you care about such a moment, you can edit the in-memory policy configuration
using caitsith-loadpolicy and then save the in-memory policy configuration using
caitsith-savepolicy .
# edit a_temporary_file_which_contains_changes
# caitsith-loadpolicy < a_temporary_file_which_contains_changes
# caitsith-savepolicy
# rm a_temporary_file_which_contains_changes
The content of a_temporary_file_which_contains_changes would look like the examples below.
Append entries without deletion:
----------
10 acl execute
10 allow path="/path/to/old_executable"
20 acl read
audit 0
10 allow path="/path/to/old_file"
----------
Append entries with some deletions:
----------
10 acl execute
10 allow path="/path/to/new_executable"
delete 10 allow path="/path/to/old_executable"
21 acl read
audit 1
10 allow path="/path/to/file"
delete 20 acl read
----------
Post by 0***@cox.net
Post by Tetsuo Handa
Hello.
Post by 0***@cox.net
Do you have any plans to create an ncurses caitsith-editpolicy similar
to ccs-editpolicy? I've been contemplating migrating from CCS to
Caitsith and miss the ncurses editor for in-memory policy editing.
Since I think that caitsith-loadpolicy and caitsith-queryd are sufficient
for editing the in-memory policy configuration ( /proc/caitsith/policy or
/sys/kernel/security/caitsith/policy ), I don't have a plan to create
caitsith-editpolicy .
Since TOMOYO modifies the in-memory policy configuration, we use ccs-editpolicy
or tomoyo-editpolicy for browsing and editing the in-memory policy configuration.
But since CaitSith does not, there is little need for browsing and editing
the in-memory policy configuration using a dedicated tool.
You can run caitsith-savepolicy when you have modified the in-memory policy
configuration using caitsith-loadpolicy or caitsith-queryd .