Jamie Nguyen
dysco****@gmail*****
Sat Nov 27 21:21:37 JST 2010
Tetsuo Handa wrote:
> Sorry, I didn't mean this line for copy&paste purposes.
> I wrote this line for showing "input"/"processing"/"output".
> When we implement this line, we will use a standalone program (maybe named
> /usr/sbin/ccs-learningd).

So this program would be run alongside ccs-editpolicy? If both can be run
simultaneously then this will basically have the same effect as Learning Mode,
but with the ability to control processing.

>> This sounds good. I assume you are planning to add options to
>> convert-audit-log that allow you to manage which conditions are
>> checked?
>
> Yes.
>
> I removed the file_pattern directive from TOMOYO 1.8 because userland programs can
> do more conditional/flexible processing than the kernel. We can avoid patternizing
> pathnames using /usr/sbin/ccs-editpolicy or /usr/sbin/ccs-patternize because
> /usr/sbin/ccs-learningd can do it before appending to /proc/ccs/domain_policy.
>
> We can define up to 256 profiles. Therefore, we can define
>
>   0-CONFIG={ mode=disabled }
>   1-CONFIG={ mode=permissive }
>   2-CONFIG={ mode=permissive }
>   3-CONFIG={ mode=enforcing }
>
> and let ccs-learningd process only audit logs from /proc/ccs/reject_log
> with "profile=1 mode=permissive".
>
> When we add ccs-learningd, the learning mode will no longer be useful.
> I think that the learning mode will be removed eventually.

I like the sound of this. :-)

Learning Mode is very simple, but also not very flexible. In the context of
security, flexibility/control is much more important than simplicity (only to
an extent of course; SELinux being the main example of aggressively trading
simplicity for control). Having /usr/sbin/ccs-learningd does not make things
too much more complex, while also adding much more control.
So in this case, would you agree that the workflow is something along the
lines of this?

 (1) Identify domain (automatic)
 (2) Switch domain to profile=1 Permissive Mode
 (3) Run /usr/sbin/ccs-learningd with desired processing options, with output
     either to standard output or directly to domain_policy
 (4) Adjust domain policy to allow desired access requests
 (5) Switch domain to profile=2 Permissive Mode
 (6) View logs
 (7) Switch domain to profile=3 Enforcing Mode

Would the default profiles look something like this?

  0-COMMENT=-----Disabled Mode-----
  0-PREFERENCE={ max_grant_log=0 max_reject_log=0 max_learning_entry=0 enforcing_penalty=0 }
  0-CONFIG={ mode=disabled grant_log=no reject_log=no }

  1-COMMENT=-----Permissive Mode-----
  1-PREFERENCE={ max_grant_log=1024 max_reject_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
  1-CONFIG={ mode=permissive grant_log=no reject_log=no }

  2-COMMENT=-----Permissive Mode-----
  2-PREFERENCE={ max_grant_log=1024 max_reject_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
  2-CONFIG={ mode=permissive grant_log=no reject_log=yes }

  3-COMMENT=-----Enforcing Mode-----
  3-PREFERENCE={ max_grant_log=1024 max_reject_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
  3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }

Kind regards
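The "processing" step in the workflow above (step 3: filter the reject log down to "profile=1 mode=permissive" records, patternize, then emit domain_policy text) can be sketched in userland. The following is an added example written for this page; it is not TOMOYO code and not the proposed /usr/sbin/ccs-learningd. The audit record layout it parses (a header line carrying profile=/mode=, a domain line, an access-request line, blank-line separated) is a simplified approximation and an assumption of the example, as are the patternizing rules it applies (an all-digit path component becomes \$, a run of six or more hex digits becomes \X) and the drop_prefixes filter that stands in for "conditional processing". The sample log is constructed.

```python
"""Prototype of the filtering a userland learning daemon could do on TOMOYO
audit records before appending to /proc/ccs/domain_policy.

Added example for this thread, not TOMOYO's own code and not
/usr/sbin/ccs-learningd. Record layout and pattern rules are assumptions.
"""
import re
from collections import OrderedDict

# Constructed sample: header / domain / access request, blank-line separated.
# The layout is a simplified approximation of the kernel's audit log.
SAMPLE_LOG = """\
#2010/11/27 21:20:01# profile=1 mode=permissive granted=no (global-pid=1201) task={ pid=1201 uid=0 gid=0 }
<kernel> /usr/sbin/sshd
file read /proc/1201/status

#2010/11/27 21:20:02# profile=1 mode=permissive granted=no (global-pid=1201) task={ pid=1201 uid=0 gid=0 }
<kernel> /usr/sbin/sshd
file read /etc/ssh/sshd_config

#2010/11/27 21:20:03# profile=2 mode=permissive granted=no (global-pid=1302) task={ pid=1302 uid=0 gid=0 }
<kernel> /usr/sbin/httpd
file read /var/www/html/index.html

#2010/11/27 21:20:04# profile=1 mode=permissive granted=no (global-pid=1201) task={ pid=1201 uid=0 gid=0 }
<kernel> /usr/sbin/sshd
file read /proc/1205/status

#2010/11/27 21:20:05# profile=1 mode=permissive granted=no (global-pid=1201) task={ pid=1201 uid=0 gid=0 }
<kernel> /usr/sbin/sshd
file write /tmp/sess_4f3a9c.tmp
"""

HEADER = re.compile(r'^#.*# profile=(\d+) mode=(\w+)')
DIGITS = re.compile(r'^\d+$')          # whole component is decimal digits
HEXRUN = re.compile(r'[0-9a-f]{6,}')   # long hex run inside a component


def parse_audit_log(text):
    """Split the log into records: profile, mode, domain, access request."""
    records = []
    for block in text.strip().split('\n\n'):
        lines = block.strip().split('\n')
        if len(lines) < 3:
            continue
        m = HEADER.match(lines[0])
        if not m:
            continue
        records.append({'profile': int(m.group(1)), 'mode': m.group(2),
                        'domain': lines[1], 'request': lines[2]})
    return records


def patternize(path):
    """Replace volatile path components with TOMOYO-style wildcards.

    Assumed rules for this example: an all-digit component (e.g. a pid under
    /proc) becomes \\$, a run of 6+ hex digits (session ids) becomes \\X.
    """
    out = []
    for comp in path.split('/'):
        if DIGITS.match(comp):
            out.append(r'\$')
        else:
            out.append(HEXRUN.sub(r'\\X', comp))
    return '/'.join(out)


def learn(text, profile=1, mode='permissive', drop_prefixes=()):
    """Return {domain: [policy lines]} for records matching profile/mode.

    drop_prefixes lets the operator discard requests for paths that should
    never be granted just because they were observed (conditional filtering
    the kernel-side learning mode cannot do).
    """
    policy = OrderedDict()
    for rec in parse_audit_log(text):
        if rec['profile'] != profile or rec['mode'] != mode:
            continue
        words = rec['request'].split()
        if words[0] == 'file' and len(words) == 3:
            if any(words[2].startswith(p) for p in drop_prefixes):
                continue
            line = ' '.join(words[:2] + [patternize(words[2])])
        else:
            line = rec['request']
        entries = policy.setdefault(rec['domain'], [])
        if line not in entries:       # de-duplicate after patternizing
            entries.append(line)
    return policy


def render_domain_policy(policy):
    """Render in domain_policy layout: domain line followed by its entries."""
    chunks = ['\n'.join([domain] + lines) for domain, lines in policy.items()]
    return '\n\n'.join(chunks) + '\n'


if __name__ == '__main__':
    # Output to standard output; redirect to append to domain_policy instead.
    print(render_domain_policy(learn(SAMPLE_LOG, profile=1)))
```

Run stand-alone it prints one sshd domain with three entries: the two /proc/<pid>/status reads collapse into a single `file read /proc/\$/status`, and the profile=2 httpd record is left for the later review stage rather than learned.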