Thanks for replying.

On 08/12/2017 09:24 PM, Tetsuo Handa - pengu****@I-lov***** wrote:
> Hello.
>
> stank****@xoxy***** wrote:
>> Hello, all.
>> I'm using Arch Linux 32-bit. I compiled my own kernel to include Tomoyo
>> and installed tomoyo-tools. My goal for now is to restrict Skype and
>> ignore everything else.
>
> OK. You are trying to use TOMOYO 2.5.

Correct. I forgot to mention the version (tomoyo, as in vanilla kernel 4.4.79, tomoyo-tools 2.5.0.20170102).

>
>> When I try to add things to the policies by
>> editing domain_policy.conf / exception_policy.conf and loading them, the
>> changes are removed from these files.
>
> Will you explain what "the changes are removed from domain_policy.conf / exception_policy.conf" means?

By this, I mean that I add something to one of these files, attempt to load it (# $(tomoyo-loadpolicy -ef < /etc/tomoyo/exception_policy.conf)), then look at it again. The file is changed back to its state before I edited it. I also don't see any change if I look in $(tomoyo-editpolicy).

> domain_policy.conf / exception_policy.conf are updated by executing tomoyo-savepolicy (or
> tomoyo-editpolicy as offline mode) which means that changes in domain_policy.conf / exception_policy.conf
> should not be reverted unless explicitly updated.
>
>> When I try to add a line with
>> tomoyo-editpolicy, nothing happens (ex: go to Exception Policy Editor
>> and press a, type "initialize_domain /usr/bin/skypeforlinux from any"
>> and press enter. The line is not added to the list.)
>
> You are running tomoyo-editpolicy as online mode (i.e. starting tomoyo-editpolicy
> without /etc/tomoyo/ command line argument), aren't you?

Yes.

>
> You are running tomoyo-editpolicy as root user, aren't you?

Yes.

> Are there messages like
>
> <kernel> /usr/sbin/sshd /usr/bin/bash /usr/sbin/tomoyo-editpolicy ( /usr/sbin/tomoyo-editpolicy ) is not permitted to update policies.
>
> in output of dmesg command?
> If yes, programs for updating on-memory policies are not listed in
> /sys/kernel/security/tomoyo/manager . Please make sure that you executed /usr/lib/tomoyo/init_policy .

Yes, I see "<kernel> /usr/bin/agetty /usr/bin/login /usr/bin/bash /usr/bin/tomoyo-editpolicy ( /usr/bin/tomoyo-editpolicy ) is not permitted to update policies."

I thought I had run /usr/lib/tomoyo/init_policy , but I may have forgotten this second time. I had to remove tomoyo and its files and reinstall because something I did (I don't know what; I wasn't able to edit the policies the first time, either) caused a kernel panic when starting X with tomoyo running. I ran # /usr/lib/tomoyo/init_policy and still am not able to edit the policies (same output in dmesg).

>> Did I fail to enable/disable something that protects these files? Or
>> what is the problem?
>
>
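As an added diagnostic (not part of this thread or of tomoyo-tools), a small POSIX shell script that ties the dmesg hint to the manager list: it pulls the program path out of the refusal line and checks whether that exact path is registered. It assumes the manager file holds one program path per line; the sample manager list is constructed, and the sample refusal line is the one quoted in the message above.

```sh
#!/bin/sh
# Added diagnostic (not from the thread): relate a TOMOYO
# "is not permitted to update policies" line to the manager list.
# Assumption: /sys/kernel/security/tomoyo/manager (and /etc/tomoyo/manager.conf)
# hold one registered program path per line.

# Pull the checked program path out of a refusal line. The path inside the
# parentheses is the one the kernel compared against the manager list; prints
# nothing if the line is not such a refusal.
denied_program() {
    printf '%s\n' "$1" |
        sed -n 's/.*( \([^ ]*\) ) is not permitted to update policies.*/\1/p'
}

# Succeed if program path $1 appears verbatim in manager list $2 (a string).
is_manager() {
    printf '%s\n' "$2" | grep -Fxq -- "$1"
}

# Explain one refusal line ($1) against a manager list ($2).
# Exit status: 0 listed, 1 not listed, 2 not a refusal line.
diagnose() {
    prog=$(denied_program "$1")
    [ -n "$prog" ] || { echo "not a manager refusal line"; return 2; }
    if is_manager "$prog" "$2"; then
        echo "$prog is a registered manager; the refusal has another cause"
        return 0
    fi
    echo "$prog is not in the manager list: run /usr/lib/tomoyo/init_policy (or add the path) and retry"
    return 1
}

# Constructed sample data, not from the thread: a manager list registering the
# tools under /usr/sbin, and the refusal line quoted by the reporter, whose
# tomoyo-editpolicy lives under /usr/bin. The kernel compares the executed
# pathname verbatim, so such a mismatch yields the refusal even after init_policy.
SAMPLE_MANAGER_LIST='/usr/sbin/tomoyo-loadpolicy
/usr/sbin/tomoyo-editpolicy
/usr/sbin/tomoyo-queryd'
SAMPLE_DMESG_LINE='<kernel> /usr/bin/agetty /usr/bin/login /usr/bin/bash /usr/bin/tomoyo-editpolicy ( /usr/bin/tomoyo-editpolicy ) is not permitted to update policies.'

# On a live system, replace the samples with:
#   dmesg | grep 'is not permitted to update policies' | tail -n 1
#   cat /sys/kernel/security/tomoyo/manager
diagnose "$SAMPLE_DMESG_LINE" "$SAMPLE_MANAGER_LIST" || echo "exit status $?"
```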