[tomoyo-users-en 625] Editor not launching; setting trigger with systemd; USRLIBDIR; etc.
Jose Jurado
2015-05-24 03:51:04 UTC
Tomoyo 1.8.4 was installed on an Arch distro (Antergos) with the download of the Linux kernel 4.0.4 and tomoyo-tools following Tomoyo 1.8's documentation. There were eight passages during the installation that I may have misunderstood, and I hope that this list is not overwhelming, but I would be very grateful for your suggestions or for clarifications in the documentation:-

(1) During the first session after rebooting, I could access the graphical interface with the command "/usr/bin/ccs-editpolicy /etc/ccs/". Running "/usr/bin/ccs-editpolicy" however generated an error message. I can't remember what the error message was, but it sounded similar or identical to the one I get for that command today:
"You can't use this editor for this kernel."

On rebooting today, I get error messages as well for:

$ /usr/bin/ccs-editpolicy /etc/ccs/
Directory /etc/ccs//policy/current/ doesn't exist.

$ /usr/bin/ccs-editpolicy /etc/ccs
Directory /etc/ccs/policy/current/ doesn't exist.

I note the documentation for the previous version (Tomoyo 1.7), which advises that "You need to register either "the domainname that this editor belongs to" or "the pathname of this editor (usually /usr/sbin/ccs-editpolicy)" with /proc/ccs/manager before you use this editor." Would this be required for Tomoyo 1.8? If that is why the above error messages are appearing, could you kindly list what command(s) would register this?

(2) My Arch installation already had packages installed for: wget patch gcc make; but neither ncurses-devel nor libncurses-dev was available on Arch/AUR repositories. If they are required for Arch, where can they be downloaded from please?

(3) The linux 4.0.4 kernel was downloaded from the offered location, but I'm afraid I couldn't work out from the documentation or from certain other websites where to "Extract the kernel source and go to the extracted directory", so the following was executed at the home folder:

tar -zxf linux-4.0.4.tar.gz
cd linux-4.0.4/

The remainder of the operations in Section "3.3.2. Download and patch the kernel" were performed within the /linux-4.0.4 folder:

wget -O ccs-patch-1.8.4-20150505.tar.gz [etc]
wget -O ccs-patch-1.8.4-20150505.tar.gz.asc [etc]
gpg ccs-patch-1.8.4-20150505.tar.gz.asc #Note: no public key was available
tar -zxf ccs-patch-1.8.4-20150505.tar.gz
patch -sp1 [etc]

Was that ok?

(4) The "Security Options" for the 4.0.4 kernel include an option to select "Tools for Tomoyo users" or something like that, but maybe the Tomoyo installation documentation does not mention this. Should this option be selected?

(5) When configuring the kernel, the documentation's recommended settings for "Security Options" were already set by default by the kernel, including "(/sbin/init) Trigger for calling userspace policy loader". Should the documentation here recommend systemd users (Arch, RHEL 7, etc) to replace this with (/usr/lib/systemd/systemd) as the Trigger? I haven't tried changing this yet.

(6) I understand that "CCS_trigger=/usr/lib/systemd/systemd" should be stated in the bootloader for systemd users if kernel entry "(/sbin/init) Trigger for calling userspace policy loader" is not modified and if "Activate without calling userspace policy loader" is not selected. However, when using the Grub Customizer tool as someone who isn't used to modifying GRUB, I assumed that "ccsecurity=on" (without quotes) should be added at the end of the GRUB_CMDLINE_LINUX line. Perhaps following this on that line should be "CCS_trigger=/usr/lib/systemd/systemd" in my case (also without quotes), is that correct? "CCS_trigger=/usr/lib/systemd/systemd" has not been entered in GRUB, even since error (1) above occurred (i.e. since first run).

(7) Were the warnings obtained when compiling and installing the kernel relevant: http://pastebin.com/nCN27zUq ?

(8) During the installation of userspace tools several warnings appeared, beginning as follows:-

make -s USRLIBDIR=/usr/lib

[Warnings appeared here, starting by:]
ccs-init.c:93:9: warning: variable ‘ret_ignored’ set but not used [-Wunused-but-set-variable]
char *ret_ignored;
^
ccs-init.c: In function ‘copy_files’:
ccs-init.c:173:8: warning: variable ‘ret_ignored’ set but not used [-Wunused-but-set-variable]
int ret_ignored;
^
[...]

There were more warnings, but they weren't recorded, unfortunately. I note the following instruction: "Please change USRLIBDIR=/usr/lib to USRLIBDIR=/usr/lib64 (for 64bits userspace) or USRLIBDIR=/usr/lib32 (for 32bits userspace) if needed". However, I didn't know whether this was required on my 64-bit machine so those lines were not modified. Was that ok, or is there an explanation or a webpage that could be looked at which might address when USRLIBDIR needs to be set as 32 or 64-bit please?

I hope that this list is not off-putting, but I hope also that the list of error and warning messages may be of interest to keep improving your helpful documentation and your excellent application.