[tomoyo-users-en 687] Policy changes are quickly reverted
s***@xoxy.net
2017-08-12 21:50:48 UTC
Hello, all.
I'm using Arch Linux 32-bit. I compiled my own kernel to include Tomoyo
and installed tomoyo-tools. My goal for now is to restrict Skype and
ignore everything else. When I try to add things to the policies by
editing domain_policy.conf / exception_policy.conf and loading them, the
changes are removed from these files. When I try to add a line with
tomoyo-editpolicy, nothing happens (ex: go to Exception Policy Editor
and press a, type "initialize_domain /usr/bin/skypeforlinux from any"
and press enter. The line is not added to the list.)
Did I fail to enable/disable something that protects these files? Or
what is the problem?
Tetsuo Handa
2017-08-13 01:24:11 UTC
Hello.
Post by s***@xoxy.net
Hello, all.
I'm using Arch Linux 32-bit. I compiled my own kernel to include Tomoyo
and installed tomoyo-tools. My goal for now is to restrict Skype and
ignore everything else.
OK. You are trying to use TOMOYO 2.5.
Post by s***@xoxy.net
When I try to add things to the policies by
editing domain_policy.conf / exception_policy.conf and loading them, the
changes are removed from these files.
Will you explain what "the changes are removed from domain_policy.conf / exception_policy.conf" means?

domain_policy.conf / exception_policy.conf are updated by executing tomoyo-savepolicy (or
tomoyo-editpolicy as offline mode) which means that changes in domain_policy.conf / exception_policy.conf
should not be reverted unless explicitly updated.
Post by s***@xoxy.net
When I try to add a line with
tomoyo-editpolicy, nothing happens (ex: go to Exception Policy Editor
and press a, type "initialize_domain /usr/bin/skypeforlinux from any"
and press enter. The line is not added to the list.)
You are running tomoyo-editpolicy as online mode (i.e. starting tomoyo-editpolicy
without /etc/tomoyo/ command line argument), aren't you?

You are running tomoyo-editpolicy as root user, aren't you?

Are there messages like

<kernel> /usr/sbin/sshd /usr/bin/bash /usr/sbin/tomoyo-editpolicy ( /usr/sbin/tomoyo-editpolicy ) is not permitted to update policies.

in output of dmesg command? If yes, programs for updating on-memory policies are not listed in
/sys/kernel/security/tomoyo/manager . Please make sure that you executed /usr/lib/tomoyo/init_policy .
Post by s***@xoxy.net
Did I fail to enable/disable something that protects these files? Or
what is the problem?
Tetsuo Handa
2017-08-13 21:41:07 UTC
Post by Tetsuo Handa
Are there messages like
<kernel> /usr/sbin/sshd /usr/bin/bash /usr/sbin/tomoyo-editpolicy ( /usr/sbin/tomoyo-editpolicy ) is not permitted to update policies.
in output of dmesg command? If yes, programs for updating on-memory policies are not listed in
/sys/kernel/security/tomoyo/manager . Please make sure that you executed /usr/lib/tomoyo/init_policy .
Yes, I see "<kernel> /usr/bin/agetty /usr/bin/login /usr/bin/bash
/usr/bin/tomoyo-editpolicy ( /usr/bin/tomoyo-editpolicy ) is not
permitted to update policies." I thought I had run
/usr/lib/tomoyo/init_policy , but I may have forgotten this second time.
I had to remove tomoyo and its files and reinstall because something I
did (I don't know what; I wasn't able to edit the policies the first
time, either), caused a kernel panic when starting X with tomoyo running.
I ran # /usr/lib/tomoyo/init_policy and still am not able to edit the
policies (same output in dmesg).
OK. So, /etc/tomoyo/manager.conf is expected to be loaded into
/sys/kernel/security/tomoyo/manager when /sbin/init starts upon boot, but
for some reason it is not loaded yet. Well, for Arch Linux, it might be
systemd rather than init .

Did you reboot the system after you executed /usr/lib/tomoyo/init_policy
so that /sbin/tomoyo-init will load /etc/tomoyo/manager.conf into
/sys/kernel/security/tomoyo/manager when /sbin/init starts upon boot?

After rebooting, is /sys/kernel/security/tomoyo/manager still empty?
s***@xoxy.net
2017-08-14 15:29:13 UTC
On 08/13/2017 05:41 PM, Tetsuo Handa -
Post by Tetsuo Handa
Post by Tetsuo Handa
Are there messages like
<kernel> /usr/sbin/sshd /usr/bin/bash /usr/sbin/tomoyo-editpolicy ( /usr/sbin/tomoyo-editpolicy ) is not permitted to update policies.
in output of dmesg command? If yes, programs for updating on-memory policies are not listed in
/sys/kernel/security/tomoyo/manager . Please make sure that you executed /usr/lib/tomoyo/init_policy .
Post by Tetsuo Handa
Yes, I see "<kernel> /usr/bin/agetty /usr/bin/login /usr/bin/bash
/usr/bin/tomoyo-editpolicy ( /usr/bin/tomoyo-editpolicy ) is not
permitted to update policies." I thought I had run
/usr/lib/tomoyo/init_policy , but I may have forgotten this second time.
I had to remove tomoyo and its files and reinstall because something I
did (I don't know what; I wasn't able to edit the policies the first
time, either), caused a kernel panic when starting X with tomoyo running.
I ran # /usr/lib/tomoyo/init_policy and still am not able to edit the
policies (same output in dmesg).
OK. So, /etc/tomoyo/manager.conf is expected to be loaded into
/sys/kernel/security/tomoyo/manager when /sbin/init starts upon boot, but
for some reason it is not loaded yet. Well, for Arch Linux, it might be
systemd rather than init .
Did you reboot the system after you executed /usr/lib/tomoyo/init_policy
so that /sbin/tomoyo-init will load /etc/tomoyo/manager.conf into
/sys/kernel/security/tomoyo/manager when /sbin/init starts upon boot?
After rebooting, is /sys/kernel/security/tomoyo/manager still empty?
Both /sys/kernel/security/tomoyo/manager and /etc/tomoyo/manager.conf
are empty after running /usr/lib/tomoyo/init_policy and rebooting.
(/etc/tomoyo/manager.conf is empty immediately after running
init_policy. No relevant output is in dmesg.)
Tetsuo Handa
2017-08-14 23:05:10 UTC
Post by s***@xoxy.net
On 08/13/2017 05:41 PM, Tetsuo Handa -
Post by Tetsuo Handa
After rebooting, is /sys/kernel/security/tomoyo/manager still empty?
Both /sys/kernel/security/tomoyo/manager and /etc/tomoyo/manager.conf
are empty after running /usr/lib/tomoyo/init_policy and rebooting.
(/etc/tomoyo/manager.conf is empty immediately after running
init_policy. No relevant output is in dmesg.)
OK. So, for some reason /etc/tomoyo/manager.conf is empty. I'm surprised that
init_policy failed to write to /etc/tomoyo/manager.conf . Anyway, you can try
manually creating /etc/tomoyo/manager.conf with content shown below.

[***@localhost ~]# /usr/lib/tomoyo/init_policy
Creating policy directory... OK
Creating configuration directory... OK
Creating exception policy... OK.
Creating domain policy... OK.
Creating manager policy... OK.
Creating default profile... OK.
Creating stat policy... OK.
Creating configuration file for tomoyo-editpolicy ... OK.
Creating configuration file for tomoyo-auditd ... OK.
Creating configuration file for tomoyo-patternize ... OK.
Creating configuration file for tomoyo-notifyd ... OK.
[***@localhost ~]# cat /etc/tomoyo/manager.conf
/usr/sbin/tomoyo-loadpolicy
/usr/sbin/tomoyo-editpolicy
/usr/sbin/tomoyo-setlevel
/usr/sbin/tomoyo-setprofile
/usr/sbin/tomoyo-queryd
[***@localhost ~]#
s***@xoxy.net
2017-08-19 21:30:16 UTC
On 08/14/2017 07:05 PM, Tetsuo Handa -
Post by Tetsuo Handa
Post by s***@xoxy.net
On 08/13/2017 05:41 PM, Tetsuo Handa -
Post by Tetsuo Handa
After rebooting, is /sys/kernel/security/tomoyo/manager still empty?
Both /sys/kernel/security/tomoyo/manager and /etc/tomoyo/manager.conf
are empty after running /usr/lib/tomoyo/init_policy and rebooting.
(/etc/tomoyo/manager.conf is empty immediately after running
init_policy. No relevant output is in dmesg.)
OK. So, for some reason /etc/tomoyo/manager.conf is empty. I'm surprised that
init_policy failed to write to /etc/tomoyo/manager.conf . Anyway, you can try
manually creating /etc/tomoyo/manager.conf with content shown below.
Creating policy directory... OK
Creating configuration directory... OK
Creating exception policy... OK.
Creating domain policy... OK.
Creating manager policy... OK.
Creating default profile... OK.
Creating stat policy... OK.
Creating configuration file for tomoyo-editpolicy ... OK.
Creating configuration file for tomoyo-auditd ... OK.
Creating configuration file for tomoyo-patternize ... OK.
Creating configuration file for tomoyo-notifyd ... OK.
/usr/sbin/tomoyo-loadpolicy
/usr/sbin/tomoyo-editpolicy
/usr/sbin/tomoyo-setlevel
/usr/sbin/tomoyo-setprofile
/usr/sbin/tomoyo-queryd
Great! After putting those lines (with the correct paths) in
/etc/tomoyo/manager.conf and rebooting, I can finally edit tomoyo's
policies. Thanks a lot for your help.

Tetsuo Handa
2017-08-14 23:56:28 UTC
Post by s***@xoxy.net
On 08/13/2017 05:41 PM, Tetsuo Handa -
Post by Tetsuo Handa
After rebooting, is /sys/kernel/security/tomoyo/manager still empty?
Both /sys/kernel/security/tomoyo/manager and /etc/tomoyo/manager.conf
are empty after running /usr/lib/tomoyo/init_policy and rebooting.
(/etc/tomoyo/manager.conf is empty immediately after running
init_policy. No relevant output is in dmesg.)
OK. So, for some reason /etc/tomoyo/manager.conf is empty. I'm surprised that
init_policy failed to write to /etc/tomoyo/manager.conf . Anyway, you can try
manually creating /etc/tomoyo/manager.conf with content shown below.
Creating policy directory... OK
Creating configuration directory... OK
Creating exception policy... OK.
Creating domain policy... OK.
Creating manager policy... OK.
Creating default profile... OK.
Creating stat policy... OK.
Creating configuration file for tomoyo-editpolicy ... OK.
Creating configuration file for tomoyo-auditd ... OK.
Creating configuration file for tomoyo-patternize ... OK.
Creating configuration file for tomoyo-notifyd ... OK.
/usr/sbin/tomoyo-loadpolicy
/usr/sbin/tomoyo-editpolicy
/usr/sbin/tomoyo-setlevel
/usr/sbin/tomoyo-setprofile
/usr/sbin/tomoyo-queryd
Yes, I see "<kernel> /usr/bin/agetty /usr/bin/login /usr/bin/bash /usr/bin/tomoyo-editpolicy ( /usr/bin/tomoyo-editpolicy ) is not permitted to update policies."
Oops, in your environment, they are installed in /usr/bin rather than /usr/sbin .
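The checks Tetsuo Handa walks through in this thread (is the refusal message in dmesg, is /etc/tomoyo/manager.conf populated, has the kernel actually loaded it into /sys/kernel/security/tomoyo/manager, and are the paths right for a /usr/bin rather than /usr/sbin install) can be scripted. The script below is an added illustration, not part of the thread and not part of tomoyo-tools. The function names, the TOMOYO_MANAGER_CONF / TOMOYO_MANAGER_SYS variables and the --check flag are my own; the list of manager programs is taken from the init_policy output quoted above.

```shell
#!/bin/sh
# Added diagnostic helper (not from tomoyo-tools or this thread).
# Builds the manager list from wherever the TOMOYO tools are installed,
# compares the on-disk manager.conf with what the kernel has loaded, and
# pulls refused program paths out of a dmesg capture.
# File locations are parameters so the functions can run on constructed input.

# Defaults for a real system; overridable via the environment (my own variable names).
TOMOYO_MANAGER_CONF="${TOMOYO_MANAGER_CONF:-/etc/tomoyo/manager.conf}"
TOMOYO_MANAGER_SYS="${TOMOYO_MANAGER_SYS:-/sys/kernel/security/tomoyo/manager}"

# Programs that must be allowed to update on-memory policy (the five entries
# init_policy writes to manager.conf, as quoted in the thread).
TOMOYO_MANAGER_TOOLS="tomoyo-loadpolicy tomoyo-editpolicy tomoyo-setlevel tomoyo-setprofile tomoyo-queryd"

# resolve_manager_entries SEARCH_PATH
# Prints one absolute path per tool found in the colon-separated SEARCH_PATH,
# in manager.conf format, so a /usr/bin install and a /usr/sbin install both
# get correct lines. Returns 1 if any tool is missing.
resolve_manager_entries() {
    search_path="$1"
    missing=0
    for tool in $TOMOYO_MANAGER_TOOLS; do
        found=""
        old_ifs="$IFS"; IFS=:
        for dir in $search_path; do
            if [ -x "$dir/$tool" ]; then found="$dir/$tool"; break; fi
        done
        IFS="$old_ifs"
        if [ -n "$found" ]; then
            printf '%s\n' "$found"
        else
            echo "missing: $tool" >&2
            missing=1
        fi
    done
    return $missing
}

# check_manager_loaded CONF_FILE SYS_FILE
# Compares manager.conf against the kernel's loaded manager list, ignoring
# blank lines and order, and prints each configured entry that is not loaded.
# Returns 0 when every entry is loaded, 1 otherwise (including when CONF_FILE
# is empty or missing, which is the situation reported in this thread).
check_manager_loaded() {
    conf="$1"; sys="$2"
    if [ ! -s "$conf" ]; then
        echo "manager.conf is empty or missing: $conf" >&2
        return 1
    fi
    status=0
    while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        # -x: whole-line match, -F: literal string; a missing SYS_FILE counts as not loaded.
        if ! grep -qxF -- "$entry" "$sys" 2>/dev/null; then
            echo "not loaded: $entry"
            status=1
        fi
    done < "$conf"
    return $status
}

# dmesg_denied_managers [LOGFILE]
# Scans a dmesg capture (file argument, or stdin) for the
# "... ( /path/to/program ) is not permitted to update policies." message and
# prints each refused program path once.
dmesg_denied_managers() {
    sed -n 's/.*( \(.*\) ) is not permitted to update policies.*/\1/p' "$@" | sort -u
}

# Run the three checks against the live system when invoked as: sh this_script.sh --check
if [ "${1:-}" = "--check" ]; then
    echo "Manager entries resolved from PATH:"
    resolve_manager_entries "$PATH"
    echo "Comparing $TOMOYO_MANAGER_CONF with $TOMOYO_MANAGER_SYS:"
    check_manager_loaded "$TOMOYO_MANAGER_CONF" "$TOMOYO_MANAGER_SYS" && echo "all configured managers are loaded"
    if command -v dmesg >/dev/null 2>&1; then
        echo "Programs refused by TOMOYO according to dmesg:"
        dmesg 2>/dev/null | dmesg_denied_managers
    fi
fi
```

On the system from this thread, resolve_manager_entries would print /usr/bin/... lines rather than the /usr/sbin/... lines init_policy assumed, and check_manager_loaded would report manager.conf as empty until it was written by hand; after the reboot it would report every entry loaded. Output from the --check run goes to stdout, while the "missing:" and "empty" diagnostics go to stderr, so the script can be used from a boot-time health check without mixing the two.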