On 6 June 2016 at 15:52, Tetsuo Handa <pengu****@i-lov*****> wrote: >> >> >> >> As I understand from domain transition logic described here >> >> http://tomoyo.osdn.jp/2.5/policy-specification/domain-transition-procedure.html.en#transition_by_execute >> >> it should work >> >> But neither dd no the-tool don't have even read access to /dev/mtdX >> >> >> >> Any pointers on what am I doing wrong? >> >> Thanks in advance! >> >> >> > >> > I guess that /bin/dd and /sbin/fw-tool are running in the <kernel> domain. >> >> It seems you are right. >> tomoyo-queryd showed that the-tool runs with profile 4 while >> </sbin/the-tool> domain is configured as profile 0. >> But then I don't understand how domain transition (exception policy) rules work. >> Will they always match the most "hungry"/vague rule? not the first one? > > It should match as described in the link above. OK, it seems I've resolved my problems. Thank you for your examples! >> Like in my config it looks like any /sbin/the-tool instance will match >> "keep_domain any from <kernel>" not "reset_domain /sbin/the-tool from >> any" as I was expecting. >> And adding "no_keep_domain /sbin/the-tool from any" also doesn't help. >> So I'm confused here. >> > > I think you can try how domain transition tree would look like, by > removing reset_domain / keep_domain entries and generating via usual > learning steps. You might find that the pathnames you assumed /bin/dd and > /sbin/fw-tool might be recognized as different names (e.g. if /sbin is > a symlink to /usr/sbin , /sbin/fw-tool will be recognized as > /usr/sbin/fw-tool ). After TOMOYO generated domains as detail as possible, > you can design which domains should be compressed. > > Also, as far as I saw, you don't need to use policy namespace. > If you don't have reason to use policy namespace, you will be able to > replace reset_domain with initialize_domain . > Yes, I'm now using only one namespace, initialize_domain and keep_domain for few things. Regards, Roman
TOMOYO
Fork