Hi,

As I have been writing policies for Tomoyo 2.4, I have searched for any way available to factor and simplify Tomoyo policies to make them as generic and reusable as possible.

Most of the policies I write, currently for desktop applications, have common sets of rules based on the services of the system they use: dbus, X, gnome, alsa, pulse, etc. So it is desirable to have reusable policies, and not just copy/paste lines, which is neither efficient nor easy to maintain.

I find this currently difficult to implement completely with Tomoyo. The best I could find is to create path_groups in the exception policy, then add these grouped paths to grant permissions in the different domain policies. But this only groups paths! I would like to be able to group {file read file1, file write file2}, not just file1 and file2 in the same path_group.

I can do that by using the "use_group N" (acl_group) directive in the domain policy, but then I can only use ONE group for each domain :(

The best thing would be if we could name these policy groups (but numbers could do at first) and, more importantly, be able to assign *more than one group* to each domain. That would be great and would simplify existing policies by being able to group policies and make them easier to create/read/change/recertify, by making policies closer to a kind of role-based approach.

Or did I miss once again something in the documentation? :)

Thank you!

Regards,
Milton Yates
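The two mechanisms the message compares, sketched as an added example that is not part of the original post: a path_group bundles only pathnames, while an acl_group bundles whole rules but is attached to a domain through a single use_group line. The domain name, profile number, group names and paths are constructed for illustration, and the "#" lines are reader annotations, not policy syntax.

```text
# --- exception policy (constructed sample) ---
# path_group: groups pathnames only; the operation is still
# chosen per domain where the group is referenced.
path_group ALSA_FILES /usr/share/alsa/alsa.conf
path_group ALSA_FILES /etc/asound.conf
path_group SOUND_DEVICES /dev/snd/\*

# acl_group: groups complete rules (operation + target).
# Group 1 = "sound" rules, group 2 = "fonts" rules.
acl_group 1 file read @ALSA_FILES
acl_group 1 file read @SOUND_DEVICES
acl_group 1 file write @SOUND_DEVICES
acl_group 2 file read /etc/fonts/fonts.conf
acl_group 2 file read /usr/share/fonts/\*

# --- domain policy (constructed sample) ---
<kernel> /usr/bin/player
use_profile 3
# Only one acl_group can be attached here, so the "sound"
# rules are inherited from group 1 ...
use_group 1
# ... and the "fonts" rules from group 2 have to be repeated
# by hand in every domain that also needs them.
file read /etc/fonts/fonts.conf
file read /usr/share/fonts/\*
```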