Thanks! The wrapper programs work well. I was thinking about doing that too, but I think I made a mistake in that I didn't use "exec", so I didn't get a different domain for each java execution and just got the domains for the shell scripts.

I am not really clear about the second option that uses self_domain interface. Do you mean in Test.java and Test2.java I need to make a section of code that writes into /sys/kernel/security/tomoyo/self_domain? Do we have a program that allows this writing, e.g. tomoyo-loadpolicy? Or do we simply have to make edits directly to that file? The TOMOYO webpage says:

*This can be used to split permissions without requiring an execution, but the application must be modified to write to the interface at the appropriate time.*
https://tomoyo.osdn.jp/2.5/policy-specification/domain-policy-syntax.html.en#task_manual_domain_transition

When is this appropriate time? Then am I going to be able to see the 2 domains using tomoyo-editpolicy and do the training for both domains so that I don't have to generate the policies from scratch?

Apologies for having too many questions. :) The documentation on self_domain seems to be very little.

Regards,
Rahmadi

On Tue, Apr 4, 2017 at 2:40 PM, Tetsuo Handa <pengu****@i-lov*****> wrote:

> Rahmadi Trimananda wrote:
> > Thank you! I managed to install Tomoyo on my system and it's working well. :)
>
> Good.
>
> > I have another question that I hope is do-able to do on Tomoyo.
> >
> > So, I am experimenting with a folder (shown below):
> >
> > iotuser at raspberrypi:~/tomoyo/test $ ls
> > a.out save Test2.class test2.txt Test.class test.txt
> > edit stat Test2.java test.c Test.java
> >
> > Basically, I wish to create separate domains for different java executions.
> > So, as I have 2 class files, I would like to create separate domains for
> > "java Test" and "java Test2". I've been trying to use initialize_domain and
> > no_initialize_domain in Exception Policy Editor but no success yet. It
> > seems that no_initialize_domain only works if the application is run from
> > different paths? Need your insights/advice to make this work. Thank you!
>
> Please use wrapper programs
>
> ---------- run_Test1 start ----------
> #!/bin/sh
> exec /usr/bin/java Test
> ---------- run_Test1 end ----------
>
> ---------- run_Test2 start ----------
> #!/bin/sh
> exec /usr/bin/java Test2
> ---------- run_Test2 end ----------
>
> and specify path to these wrapper programs instead of /usr/bin/java .
>
> If Test.java and Test2.java can be updated to write to
> /sys/kernel/security/tomoyo/self_domain interface, you can specify
> for example
>
> <kernel> /usr/bin/java
> task manual_domain_transition <kernel> //Test
> task manual_domain_transition <kernel> //Test2
>
> <kernel> //Test
>
> <kernel> //Test2
>
> instead.
>
> http://tomoyo.osdn.jp/2.5/policy-specification/domain-transition-procedure.html.en#transition_by_non_execute
>
> > Regards,
> > Rahmadi

--
Kind regards,
Rahmadi Trimananda
Ph.D. student @ University of California, Irvine
"Stay hungry, stay foolish!" - Steve Jobs -
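
Added example, not part of the original message and not TOMOYO project code: a Java helper of the kind the quoted reply describes, which writes a domain name to the self_domain interface and then reads the interface back to confirm the task really left the `/usr/bin/java` domain. The class and method names are hypothetical, and it assumes the value to write is the full domain name from the quoted policy (`<kernel> //Test`) and that the policy contains the matching `task manual_domain_transition` line.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;

// Hypothetical helper (added example); only the interface path and the
// domain names come from the thread above.
public final class TomoyoSelfDomain {
    static final Path SELF_DOMAIN =
            Paths.get("/sys/kernel/security/tomoyo/self_domain");

    /**
     * Asks the kernel to move the calling task into `domain` and returns
     * the domain name the interface reports afterwards.
     */
    static String transitionTo(Path iface, String domain) throws IOException {
        if (!Files.exists(iface)) {
            // securityfs not mounted or TOMOYO not enabled: fail closed
            // instead of silently running on in the old domain.
            throw new IOException("TOMOYO interface not found: " + iface);
        }
        // Open write-only (no create/truncate) and send the name in one go.
        // If the policy does not permit the transition, the write fails and
        // the IOException propagates to the caller.
        byte[] request = (domain + "\n").getBytes(StandardCharsets.UTF_8);
        Files.write(iface, request, StandardOpenOption.WRITE);

        // Reading the same file reports the task's current domain.
        String now = new String(Files.readAllBytes(iface),
                StandardCharsets.UTF_8).trim();
        if (!now.equals(domain)) {
            throw new IOException("still in '" + now + "', wanted '" + domain + "'");
        }
        return now;
    }

    public static void main(String[] args) throws IOException {
        // Constructed default: the domain the quoted policy defines for Test.java.
        String target = args.length > 0 ? args[0] : "<kernel> //Test";
        System.out.println("now running in: " + transitionTo(SELF_DOMAIN, target));
    }
}
```

Because `transitionTo` takes the interface path as a parameter, it can be exercised against an ordinary temporary file on a machine without TOMOYO before being pointed at the real interface.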