[tomoyo-users-en 421] Re: TOMOYO Policy simplification

Back to archive index
Jamie Nguyen jamie****@tomoy*****
Wed Nov 23 17:40:36 JST 2011

Milton Yates wrote:
> As I have been writing policies for Tomoyo 2.4, I have searched for any
> way available to factor and simplify Tomoyo policies to make them as
> generic and reusable as possible.
> Most of the policies I write, currently for desktop applications, have
> common sets of rules based on the services of the system they use: dbus,
> X, gnome, alsa, pulse, etc.
> So it is desirable to have reusable policies, and not just copy/paste
> lines which is not efficient nor easy to maintain.
> I find this currently difficult to implement completely with Tomoyo.
> The best thing would be if we could name these policy groups (but
> numbers could do at first) and more importantly be able to assign *more
> than one group* to each domain.
> That would be great and would simplify existing policies by being able
> to group policies and make them easier to create/read/change/recertify,
> by making policies closer to a kind of role based approach.

A great proposal :)

Actually, I have thought the same idea before, since there are often
many repeats in each acl_group.

If this idea is implemented, it is important to change to named groups
rather than numbers. Otherwise it gets confusing when you see in a

  acl_group 0
  acl_group 3
  acl_group 6
  acl_group 10
  acl_group 11

Much more usable to see something like:

  acl_group DEFAULT
  acl_group SOUND
  acl_group VIDEO
  acl_group WWW
  acl_group X11

I think it is up to the policy writer to ensure that there are no
redundant permissions. If the groups are created thoughtfully for only
common access requests then there should not be many redundant

Kind regards,

More information about the tomoyo-users-en mailing list
Back to archive index