[tomoyo-users-en 419] TOMOYO Policy simplification

Back to archive index
Milton Yates milto****@loule*****
Wed Nov 23 06:50:18 JST 2011


As I have been writing policies for Tomoyo 2.4, I have searched for any
way available to factor and simplify Tomoyo policies to make them as
generic and reusable as possible.
Most of the policies I write, currently for desktop applications, have
common sets of rules based on the services of the system they use: dbus,
X, gnome, alsa, pulse, etc.
So it is desirable to have reusable policies, and not just copy/paste
lines which is not efficient nor easy to maintain.

I find this currently difficult to implement completely with Tomoyo.

The best I could find is to create path_groups in exception policy, then
add these grouped Paths to grant permissions in the different domain
policies. But this only groups Paths! I would like to be able to group
{file read file1, file write file2}, not just file1 and file2 in the
same path_group.

I can do that by using the "use_group N" (acl_group) directive in domain
policy, but then I can only use ONE group for each domain :(
The best thing would be if we could name these policy groups (but
numbers could do at first) and more importantly be able to assign *more
than one group* to each domain.
That would be great and would simplify existing policies by being able
to group policies and make them easier to create/read/change/recertify,
by making policies closer to a kind of role based approach.

Or did I miss once again something in the documentation ? :)

Thank you!

Milton Yates

More information about the tomoyo-users-en mailing list
Back to archive index