Tetsuo Handa
from-****@I-lov*****
Sun Nov 28 11:52:09 JST 2010
Jamie Nguyen wrote:
> Is my understanding accurate?

Yes. But we can start /usr/sbin/ccs-learningd as a "late" daemon because we can spool audit logs inside the kernel memory until /usr/sbin/ccs-learningd gets started. Those who prefer "Learning Mode" by default can set an arbitrary value (which is large enough to spool all audit logs until /usr/sbin/ccs-learningd gets started) to the max_reject_log= parameter.

By the way, both ccs-auditd and ccs-learningd want /proc/ccs/reject_log . But audit logs are removed from the kernel memory as soon as they are read. Therefore, one has to receive audit logs from the other. I think that ccs-auditd is likely running even if ccs-learningd is not running. Therefore, ccs-auditd should read audit logs from /proc/ccs/reject_log and sort and pass them to ccs-learningd.

The sorting rule for ccs-auditd would look something like

  if (header_line.contains("# profile=1 "))
    write to /var/log/tomoyo/reject_log.learning.conf
  else if (header_line.contains("# profile=2 "))
    write to /var/log/tomoyo/reject_log.permissive.conf
  else if (header_line.contains("# profile=3 "))
    write to /var/log/tomoyo/reject_log.enforcing.conf
  else
    write to /dev/null

and ccs-learningd will read from /var/log/tomoyo/reject_log.learning.conf and do some processing like

  if (directive.equals("file")) {
    if (path1.matches("/tmp/file\?\?\?\?\?\?")) {
      path1 = "/tmp/file\?\?\?\?\?\?"
    } else if (path1.matches("/var/www/html/\{\*\}/\*.html")) {
      path1 = "@www_documents"
    }
  }

and write to /proc/ccs/domain_policy .

ccs-learningd can unlink("/var/log/tomoyo/reject_log.learning.conf") immediately after open("/var/log/tomoyo/reject_log.learning.conf", O_RDONLY) in order to save disk space consumption by "Learning Mode".

What do you think of this approach?

Regards.
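The two-stage pipeline sketched in the message above (ccs-auditd demultiplexing /proc/ccs/reject_log entries by the "profile=N" token on the header line, then ccs-learningd generalizing paths before they become domain_policy lines) as an added, self-contained Python example. This is not code from the TOMOYO project or from the post's author. It assumes the reject_log entry layout (a "#"-prefixed header line, a domain line, a request line, entries separated by a blank line) and the sample entries below are constructed for illustration; the two pattern rules mirror the ones in the post, with "\{\*\}" read as one or more directory components.

```python
import re

# Constructed sample standing in for /proc/ccs/reject_log output (assumption:
# header line, domain line, request line, blank-line separator per entry).
SAMPLE_LOG = """\
#2010/11/28 11:52:09# profile=1 mode=learning granted=no (global-pid=1001) task={ pid=1001 uid=0 }
<kernel> /usr/sbin/httpd
file read /var/www/html/blog/index.html

#2010/11/28 11:52:10# profile=1 mode=learning granted=no (global-pid=1002) task={ pid=1002 uid=48 }
<kernel> /usr/sbin/httpd
file create /tmp/fileA1b2C3 0600

#2010/11/28 11:52:11# profile=2 mode=permissive granted=no (global-pid=1003) task={ pid=1003 uid=0 }
<kernel> /usr/sbin/sshd
file read /etc/shadow

#2010/11/28 11:52:12# profile=3 mode=enforcing granted=no (global-pid=1004) task={ pid=1004 uid=0 }
<kernel> /usr/sbin/cron
file execute /usr/local/bin/backup.sh

#2010/11/28 11:52:13# profile=0 mode=disabled granted=yes (global-pid=1005) task={ pid=1005 uid=0 }
<kernel> /bin/sh
file read /etc/passwd
"""

# Output files named in the post; anything else goes to the /dev/null branch.
PROFILE_FILES = {
    "1": "/var/log/tomoyo/reject_log.learning.conf",
    "2": "/var/log/tomoyo/reject_log.permissive.conf",
    "3": "/var/log/tomoyo/reject_log.enforcing.conf",
}

HEADER_PROFILE_RE = re.compile(r"# profile=(\d+) ")


def split_entries(text):
    """Group lines into entries; a blank line terminates an entry."""
    entries, current = [], []
    for line in text.splitlines():
        if line.strip():
            current.append(line)
        elif current:
            entries.append(current)
            current = []
    if current:
        entries.append(current)
    return entries


def sort_by_profile(text):
    """ccs-auditd side: route each entry by the profile number on its header line.

    Returns (buckets, dropped) where buckets maps output file -> list of entries
    and dropped counts entries that matched no known profile (the /dev/null case).
    """
    buckets = {path: [] for path in PROFILE_FILES.values()}
    dropped = 0
    for entry in split_entries(text):
        m = HEADER_PROFILE_RE.search(entry[0])
        target = PROFILE_FILES.get(m.group(1)) if m else None
        if target is None:
            dropped += 1
            continue
        buckets[target].append(entry)
    return buckets, dropped


# Hypothetical concrete matchers for the two pattern rules quoted in the post.
TMPFILE_RE = re.compile(r"^/tmp/file[A-Za-z0-9]{6}$")          # six mkstemp-style chars
WWW_RE = re.compile(r"^/var/www/html/(?:[^/]+/)+[^/]+\.html$")  # \{\*\}/\*.html


def generalize_path(path):
    """ccs-learningd side: replace a concrete path with the pattern or group from the post."""
    if TMPFILE_RE.match(path):
        return r"/tmp/file\?\?\?\?\?\?"
    if WWW_RE.match(path):
        return "@www_documents"
    return path


def to_domain_policy(entries):
    """Turn learning-mode entries into (domain, rule) pairs ready for /proc/ccs/domain_policy."""
    rules = []
    for entry in entries:
        domain, request = entry[1], entry[2]
        parts = request.split()
        # Only "file" directives carry a path1 to generalize; others pass through unchanged.
        if parts[0] == "file" and len(parts) >= 3:
            parts[2] = generalize_path(parts[2])
        rules.append((domain, " ".join(parts)))
    return rules


if __name__ == "__main__":
    buckets, dropped = sort_by_profile(SAMPLE_LOG)
    for path, entries in buckets.items():
        print(f"{path}: {len(entries)} entries")
    print(f"discarded: {dropped}")
    for domain, rule in to_domain_policy(buckets[PROFILE_FILES["1"]]):
        print(f"{domain}\n{rule}\n")
```

The demultiplexer keys only on the header line, so a misrouted entry can be traced back to that one token; the generalizer is deliberately strict (anchored regexes, fixed-length tmpfile suffix) so that a learning-mode request never widens a rule beyond the pattern the operator wrote. The unlink-after-open trick from the post is an operating-system property rather than policy logic, so it is left out here.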