On 22/08/2011 23:38, Jamie Nguyen wrote:
> Hi Milton, thanks for your interest in TOMOYO Linux.
>
> Although IRC channels are conducive to informal discussions, there is
> one shortcoming. On a mailing list, the questions and discussions are
> archived and are helpful for other users to browse at a later date. On
> IRC, the discussions are only available to those present at the time.

Yes, I agree on that.

>> While I'm at it, quick question: I can't find a way to create deny rules
>> for the domain, for example "deny file read /etc/shadow" so that Tomoyo
>> does not try to add "file read /etc/shadow" every time the program
>> requests it. There was a similar functionality in AppArmor, it is quite
>> handy for applications known to do stuff that is not necessary.
>> Is this currently possible?
>
> Sorry, blacklists are not implemented in TOMOYO Linux. For associated
> discussion, see the thread titled "Blacklisting" in the May 2011
> mailing list archive [1]. Toshiharu and Tetsuo both give a good
> summary of their opinions.

Ah yes, I have read that and some other related threads. Actually, I am not asking for any kind of blacklist really, as I am fully against it. I understand my choice of /etc/shadow did not serve my point well here :) but I was more asking for a "don't audit" rule. Like, you know this access will get denied by your policy, it is just that you don't want to get notified about it, because you know it is going to happen. It is a way to reduce false positives and improve log relevance; otherwise you may find that you often get notified for stuff you did not allow _on purpose_ in your policy, and still you will get notified about these.

I don't know if implementing that could affect performance. I still need to find some time to read Tomoyo's code.

What do you think?

Regards,
Milton.
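To make the "don't audit" idea concrete, here is an added toy policy evaluator (not TOMOYO Linux code, not TOMOYO policy syntax, and not part of this thread). The rule shape, the effect names `allow` / `deny` / `deny-quiet`, the domain name and the access sequence are all constructed for illustration. It shows the behaviour Milton describes: a quiet deny still refuses the access but produces no audit entry, so the log only contains denials the administrator has not already accounted for.

```python
"""Toy model of a "don't audit" (quiet deny) rule.

Constructed illustration only: the rule format and effect names are
hypothetical and do not correspond to TOMOYO Linux syntax.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    # effect is one of "allow", "deny", "deny-quiet" (hypothetical names)
    effect: str
    perm: str   # e.g. "file read"
    path: str   # exact path match, to keep the example small


@dataclass
class Domain:
    name: str
    rules: List[Rule] = field(default_factory=list)
    log: List[str] = field(default_factory=list)  # audit entries produced


def check(domain: Domain, perm: str, path: str) -> bool:
    """Decide an access request and record an audit entry where appropriate.

    Deny rules win over allow rules. A "deny-quiet" rule refuses the access
    without logging it; a plain "deny" refuses and logs; an access matched by
    no rule at all is refused and logged as UNMATCHED, which is the noise the
    quiet rule removes for denials the administrator already expects.
    """
    matched = [r for r in domain.rules if r.perm == perm and r.path == path]
    if any(r.effect == "deny-quiet" for r in matched):
        return False  # denied, nothing logged
    if any(r.effect == "deny" for r in matched):
        domain.log.append(f"DENIED {domain.name}: {perm} {path}")
        return False
    if any(r.effect == "allow" for r in matched):
        return True
    domain.log.append(f"UNMATCHED {domain.name}: {perm} {path}")
    return False


def demo() -> Tuple[List[bool], List[str]]:
    """Run a constructed access sequence and return (decisions, audit log)."""
    d = Domain("example-daemon", [
        Rule("allow", "file read", "/etc/example.conf"),
        Rule("deny-quiet", "file read", "/etc/shadow"),  # expected, intentional
        Rule("deny", "file write", "/etc/passwd"),       # unexpected, keep loud
    ])
    requests = [
        ("file read", "/etc/example.conf"),
        ("file read", "/etc/shadow"),
        ("file read", "/etc/shadow"),  # repeated attempt stays silent
        ("file write", "/etc/passwd"),
        ("file read", "/etc/example-other.conf"),  # no rule: logged as UNMATCHED
    ]
    decisions = [check(d, perm, path) for perm, path in requests]
    return decisions, d.log


if __name__ == "__main__":
    decisions, log = demo()
    print(decisions)
    print("\n".join(log))
```

With this ordering, the two `/etc/shadow` reads are refused but leave no trace, while the write to `/etc/passwd` and the unmatched read each produce one entry. The performance question raised in the message is not modelled here; the point is only that a quiet deny is a decision-time rule, not a log post-processing step.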