Tetsuo Handa
from-****@i-lov*****
Fri, 6 Jun 2008 11:18:00 JST
Kumaneko here.

Regarding the feature added in TOMOYO 1.1.1 that asks the system administrator when an access request that violates the policy occurs in enforcing mode, I am thinking of increasing the amount of information passed through the /proc/ccs/query interface.

---------- Operations that caused the policy violations ----------

# who am i
# sh -c "id -a"
# mount -t tmpfs none /mnt/

---------- Conventional /proc/ccs/query log ----------

----------------------------------------
<kernel> /sbin/getty /bin/login /bin/bash
allow_capability SYS_IOCTL
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_capability SYS_IOCTL
Added 'allow_capability SYS_IOCTL'.
<kernel> /sbin/getty /bin/login /bin/bash
allow_execute /usr/bin/who
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_execute /usr/bin/who
Added 'allow_execute /usr/bin/who'.
----------------------------------------
#Need to create domain
<kernel> /sbin/getty /bin/login /bin/bash /usr/bin/who
Allow? ('Y'es/'N'o):y
----------------------------------------
<kernel> /sbin/getty /bin/login /bin/bash /usr/bin/who
allow_read/write /var/run/utmp
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_read/write /var/run/utmp
Added 'allow_read/write /var/run/utmp'.
<kernel> /sbin/getty /bin/login /bin/bash /usr/bin/who
allow_capability SYS_IOCTL
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_capability SYS_IOCTL
Added 'allow_capability SYS_IOCTL'.
----------------------------------------
<kernel> /sbin/getty /bin/login /bin/bash
allow_execute /bin/sh
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_execute /bin/sh
Added 'allow_execute /bin/sh'.
----------------------------------------
#Need to create domain
<kernel> /sbin/getty /bin/login /bin/bash /bin/sh
Allow? ('Y'es/'N'o):y
----------------------------------------
<kernel> /sbin/getty /bin/login /bin/bash /bin/sh
allow_read/write /dev/tty
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_read/write /dev/tty
Added 'allow_read/write /dev/tty'.
<kernel> /sbin/getty /bin/login /bin/bash /bin/sh
allow_read /etc/mtab
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_read /etc/mtab
Added 'allow_read /etc/mtab'.
<kernel> /sbin/getty /bin/login /bin/bash /bin/sh
allow_execute /usr/bin/id
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_execute /usr/bin/id
Added 'allow_execute /usr/bin/id'.
----------------------------------------
#Need to create domain
<kernel> /sbin/getty /bin/login /bin/bash /bin/sh /usr/bin/id
Allow? ('Y'es/'N'o):y
----------------------------------------
<kernel> /sbin/getty /bin/login /bin/bash /bin/sh /usr/bin/id
allow_capability SYS_IOCTL
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_capability SYS_IOCTL
Added 'allow_capability SYS_IOCTL'.
<kernel> /sbin/getty /bin/login /bin/bash /bin/sh /usr/bin/id
allow_read /etc/nsswitch.conf
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_read /etc/nsswitch.conf
Added 'allow_read /etc/nsswitch.conf'.
<kernel> /sbin/getty /bin/login /bin/bash /bin/sh /usr/bin/id
allow_read /etc/passwd
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_read /etc/passwd
Added 'allow_read /etc/passwd'.
<kernel> /sbin/getty /bin/login /bin/bash /bin/sh /usr/bin/id
allow_read /etc/group
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_read /etc/group
Added 'allow_read /etc/group'.
----------------------------------------
<kernel> /sbin/getty /bin/login /bin/bash
allow_execute /bin/mount
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_execute /bin/mount
Added 'allow_execute /bin/mount'.
----------------------------------------
#Need to create domain
<kernel> /sbin/getty /bin/login /bin/bash /bin/mount
Allow? ('Y'es/'N'o):y
----------------------------------------
<kernel> /sbin/getty /bin/login /bin/bash /bin/mount
allow_read/write /dev/null
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_read/write /dev/null
Added 'allow_read/write /dev/null'.
<kernel> /sbin/getty /bin/login /bin/bash /bin/mount
allow_read /etc/blkid.tab
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_read /etc/blkid.tab
Added 'allow_read /etc/blkid.tab'.
<kernel> /sbin/getty /bin/login /bin/bash /bin/mount
allow_capability SYS_MOUNT
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_capability SYS_MOUNT
Added 'allow_capability SYS_MOUNT'.
----------------------------------------
# /bin/mount is requesting mount -t tmpfs none /mnt/ 0x0
Allow? ('Y'es/'N'o):y
----------------------------------------
<kernel> /sbin/getty /bin/login /bin/bash /bin/mount
allow_read/write /etc/mtab
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_read/write /etc/mtab
Added 'allow_read/write /etc/mtab'.
<kernel> /sbin/getty /bin/login /bin/bash /bin/mount
allow_create /etc/mtab~1860
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_create /etc/mtab~\$
Added 'allow_create /etc/mtab~\$'.
<kernel> /sbin/getty /bin/login /bin/bash /bin/mount
allow_write /etc/mtab~1860
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_write /etc/mtab~\$
Added 'allow_write /etc/mtab~\$'.
<kernel> /sbin/getty /bin/login /bin/bash /bin/mount
allow_capability SYS_LINK
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_capability SYS_LINK
Added 'allow_capability SYS_LINK'.
<kernel> /sbin/getty /bin/login /bin/bash /bin/mount
allow_link /etc/mtab~1860 /etc/mtab~
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_link /etc/mtab~\$
Added 'allow_link /etc/mtab~\$ /etc/mtab~'.
<kernel> /sbin/getty /bin/login /bin/bash /bin/mount
allow_capability SYS_UNLINK
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_capability SYS_UNLINK
Added 'allow_capability SYS_UNLINK'.
<kernel> /sbin/getty /bin/login /bin/bash /bin/mount
allow_unlink /etc/mtab~1860
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_unlink /etc/mtab~\$
Added 'allow_unlink /etc/mtab~\$'.
<kernel> /sbin/getty /bin/login /bin/bash /bin/mount
allow_write /etc/mtab~
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_write /etc/mtab~
Added 'allow_write /etc/mtab~'.
<kernel> /sbin/getty /bin/login /bin/bash /bin/mount
allow_unlink /etc/mtab~
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_unlink /etc/mtab~
Added 'allow_unlink /etc/mtab~'.

---------- New /proc/ccs/query log ----------

#2008-06-06 10:49:25# profile=3 mode=enforcing pid=2391 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/getty /bin/login /bin/bash
allow_capability SYS_IOCTL
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_capability SYS_IOCTL
Added 'allow_capability SYS_IOCTL'.
----------------------------------------
#2008-06-06 10:49:31# profile=3 mode=enforcing pid=2436 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0 argc=3 envc=15 argv[]={ "who" "am" "i" } envp[]={ "HZ=100" "SHELL=/bin/bash" "TERM=linux" "HUSHLOGIN=FALSE" "USER=root" "MAIL=/var/mail/root" "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/lib/ccs" "PWD=/root" "LANG=C" "PS1=\\h:\\w\\$\040" "SHLVL=1" "HOME=/root" "LANGUAGE=en_JP:en_US:en_GB:en" "LOGNAME=root" "_=/usr/bin/who" }
<kernel> /sbin/getty /bin/login /bin/bash
allow_execute /usr/bin/who
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_execute /usr/bin/who
Added 'allow_execute /usr/bin/who'.
#2008-06-06 10:49:35# profile=3 mode=enforcing pid=2436 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/getty /bin/login /bin/bash
# wants to create domain
<kernel> /sbin/getty /bin/login /bin/bash /usr/bin/who
Allow? ('Y'es/'N'o):y
#2008-06-06 10:49:38# profile=3 mode=enforcing pid=2436 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/getty /bin/login /bin/bash /usr/bin/who
allow_read/write /var/run/utmp
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_read/write /var/run/utmp
Added 'allow_read/write /var/run/utmp'.
#2008-06-06 10:49:44# profile=3 mode=enforcing pid=2436 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/getty /bin/login /bin/bash /usr/bin/who
allow_capability SYS_IOCTL
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_capability SYS_IOCTL
Added 'allow_capability SYS_IOCTL'.
----------------------------------------
#2008-06-06 10:50:38# profile=3 mode=enforcing pid=2443 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0 argc=3 envc=15 argv[]={ "sh" "-c" "id\040-a" } envp[]={ "HZ=100" "SHELL=/bin/bash" "TERM=linux" "HUSHLOGIN=FALSE" "USER=root" "MAIL=/var/mail/root" "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/lib/ccs" "PWD=/root" "LANG=C" "PS1=\\h:\\w\\$\040" "SHLVL=1" "HOME=/root" "LANGUAGE=en_JP:en_US:en_GB:en" "LOGNAME=root" "_=/bin/sh" }
<kernel> /sbin/getty /bin/login /bin/bash
allow_execute /bin/sh
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_execute /bin/sh if exec.argc=3 exec.argv[1]="-c" exec.argv[2]="id\040-a"
Added 'allow_execute /bin/sh if exec.argc=3 exec.argv[1]="-c" exec.argv[2]="id\040-a"'.
#2008-06-06 10:51:22# profile=3 mode=enforcing pid=2443 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/getty /bin/login /bin/bash
# wants to create domain
<kernel> /sbin/getty /bin/login /bin/bash /bin/sh
Allow? ('Y'es/'N'o):y
#2008-06-06 10:51:24# profile=3 mode=enforcing pid=2443 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/getty /bin/login /bin/bash /bin/sh
allow_read/write /dev/tty
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_read/write /dev/tty
Added 'allow_read/write /dev/tty'.
#2008-06-06 10:51:28# profile=3 mode=enforcing pid=2443 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/getty /bin/login /bin/bash /bin/sh
allow_read /etc/mtab
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_read /etc/mtab
Added 'allow_read /etc/mtab'.
#2008-06-06 10:51:31# profile=3 mode=enforcing pid=2443 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0 argc=2 envc=14 argv[]={ "id" "-a" } envp[]={ "HZ=100" "TERM=linux" "SHELL=/bin/bash" "HUSHLOGIN=FALSE" "USER=root" "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/lib/ccs" "MAIL=/var/mail/root" "_=/usr/bin/id" "PWD=/root" "LANG=C" "HOME=/root" "SHLVL=2" "LANGUAGE=en_JP:en_US:en_GB:en" "LOGNAME=root" }
<kernel> /sbin/getty /bin/login /bin/bash /bin/sh
allow_execute /usr/bin/id
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_execute /usr/bin/id
Added 'allow_execute /usr/bin/id'.
#2008-06-06 10:51:45# profile=3 mode=enforcing pid=2443 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/getty /bin/login /bin/bash /bin/sh
# wants to create domain
<kernel> /sbin/getty /bin/login /bin/bash /bin/sh /usr/bin/id
Allow? ('Y'es/'N'o):y
#2008-06-06 10:51:48# profile=3 mode=enforcing pid=2443 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/getty /bin/login /bin/bash /bin/sh /usr/bin/id
allow_capability SYS_IOCTL
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_capability SYS_IOCTL
Added 'allow_capability SYS_IOCTL'.
#2008-06-06 10:51:52# profile=3 mode=enforcing pid=2443 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/getty /bin/login /bin/bash /bin/sh /usr/bin/id
allow_read /etc/nsswitch.conf
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_read /etc/nsswitch.conf
Added 'allow_read /etc/nsswitch.conf'.
#2008-06-06 10:51:56# profile=3 mode=enforcing pid=2443 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/getty /bin/login /bin/bash /bin/sh /usr/bin/id
allow_read /etc/passwd
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_read /etc/passwd
Added 'allow_read /etc/passwd'.
#2008-06-06 10:51:59# profile=3 mode=enforcing pid=2443 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/getty /bin/login /bin/bash /bin/sh /usr/bin/id
allow_read /etc/group
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_read /etc/group
Added 'allow_read /etc/group'.
----------------------------------------
#2008-06-06 10:52:17# profile=3 mode=enforcing pid=2450 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0 argc=5 envc=15 argv[]={ "mount" "-t" "tmpfs" "none" "/mnt/" } envp[]={ "HZ=100" "SHELL=/bin/bash" "TERM=linux" "HUSHLOGIN=FALSE" "USER=root" "MAIL=/var/mail/root" "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/lib/ccs" "PWD=/root" "LANG=C" "PS1=\\h:\\w\\$\040" "SHLVL=1" "HOME=/root" "LANGUAGE=en_JP:en_US:en_GB:en" "LOGNAME=root" "_=/bin/mount" }
<kernel> /sbin/getty /bin/login /bin/bash
allow_execute /bin/mount
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_execute /bin/mount if exec.argc=5 exec.argv[1]="-t" exec.argv[2]="tmpfs" exec.argv[3]="none" exec.argv[4]="/mnt/"
Added 'allow_execute /bin/mount if exec.argc=5 exec.argv[1]="-t" exec.argv[2]="tmpfs" exec.argv[3]="none" exec.argv[4]="/mnt/"'.
#2008-06-06 10:53:19# profile=3 mode=enforcing pid=2450 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/getty /bin/login /bin/bash
# wants to create domain
<kernel> /sbin/getty /bin/login /bin/bash /bin/mount
Allow? ('Y'es/'N'o):y
#2008-06-06 10:53:22# profile=3 mode=enforcing pid=2450 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/getty /bin/login /bin/bash /bin/mount
allow_read/write /dev/null
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_read/write /dev/null
Added 'allow_read/write /dev/null'.
#2008-06-06 10:53:26# profile=3 mode=enforcing pid=2450 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/getty /bin/login /bin/bash /bin/mount
allow_read /etc/blkid.tab
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_read /etc/blkid.tab
Added 'allow_read /etc/blkid.tab'.
#2008-06-06 10:53:28# profile=3 mode=enforcing pid=2450 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/getty /bin/login /bin/bash /bin/mount
allow_capability SYS_MOUNT
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_capability SYS_MOUNT
Added 'allow_capability SYS_MOUNT'.
#2008-06-06 10:53:31# profile=3 mode=enforcing pid=2450 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/getty /bin/login /bin/bash /bin/mount
# /bin/mount is requesting mount -t tmpfs none /mnt/ 0x0
Allow? ('Y'es/'N'o):y
#2008-06-06 10:53:35# profile=3 mode=enforcing pid=2450 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/getty /bin/login /bin/bash /bin/mount
allow_read/write /etc/mtab
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_read/write /etc/mtab
Added 'allow_read/write /etc/mtab'.
#2008-06-06 10:53:40# profile=3 mode=enforcing pid=2450 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/getty /bin/login /bin/bash /bin/mount
allow_create /etc/mtab~2450
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_create /etc/mtab~\$
Added 'allow_create /etc/mtab~\$'.
#2008-06-06 10:53:48# profile=3 mode=enforcing pid=2450 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/getty /bin/login /bin/bash /bin/mount
allow_write /etc/mtab~2450
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_write /etc/mtab~\$
Added 'allow_write /etc/mtab~\$'.
#2008-06-06 10:53:56# profile=3 mode=enforcing pid=2450 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/getty /bin/login /bin/bash /bin/mount
allow_capability SYS_LINK
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_capability SYS_LINK
Added 'allow_capability SYS_LINK'.
#2008-06-06 10:54:01# profile=3 mode=enforcing pid=2450 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/getty /bin/login /bin/bash /bin/mount
allow_link /etc/mtab~2450 /etc/mtab~
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_link /etc/mtab~\$
Added 'allow_link /etc/mtab~\$ /etc/mtab~'.
#2008-06-06 10:54:11# profile=3 mode=enforcing pid=2450 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/getty /bin/login /bin/bash /bin/mount
allow_capability SYS_UNLINK
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_capability SYS_UNLINK
Added 'allow_capability SYS_UNLINK'.
#2008-06-06 10:54:14# profile=3 mode=enforcing pid=2450 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/getty /bin/login /bin/bash /bin/mount
allow_unlink /etc/mtab~2450
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_unlink /etc/mtab~\$
Added 'allow_unlink /etc/mtab~\$'.
#2008-06-06 10:54:22# profile=3 mode=enforcing pid=2450 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/getty /bin/login /bin/bash /bin/mount
allow_write /etc/mtab~
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_write /etc/mtab~
Added 'allow_write /etc/mtab~'.
#2008-06-06 10:54:26# profile=3 mode=enforcing pid=2450 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/getty /bin/login /bin/bash /bin/mount
allow_unlink /etc/mtab~
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):a
Enter new entry> allow_unlink /etc/mtab~
Added 'allow_unlink /etc/mtab~'.
The conventional log uses the same format as up to TOMOYO 1.1.3 (only the domain name and the content of the requested access permission), whereas the new log uses the access log format of TOMOYO 1.6.0 and later (which also includes the process ID, the parameters at program execution, and so on).

Because the conventional log did not include the process ID or the program's execution parameters, separators (the ----- lines) were inserted keyed on the domain name. Also, for a request to execute a shell, there was no information to help decide whether it should be allowed.

In contrast, the new log inserts separators keyed on the process ID. And since the parameters passed when a shell is executed are also displayed, they can be used as a reference for deciding whether to allow it.

Since ccs-notifyd, added in 1.5.3/1.6.0, also uses /proc/ccs/query as its information source, it will become able to obtain information equivalent to /var/log/tomoyo/reject_log.txt. As a result, reports can be made earlier than by periodically checking, via cron, the /var/log/tomoyo/reject_log.txt saved by ccs-auditd.

This change only affects ccs-queryd and ccs-notifyd, so it can be handled by extending ccs-queryd and ccs-notifyd to recognize both log formats. It can be tried from revision 1261 onward.

If the increased amount of information feels cluttering, I think a command-line option could also be added to make ccs-queryd display in the conventional log format.

What do you think?
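The following is an added example, not part of the post above and not code from ccs-tools. It parses the new-style /proc/ccs/query entries (header line, domain line, request line), groups them by pid the way the post describes, decodes TOMOYO's \ooo and \\ string escapes in argv[]/envp[], and builds the argv-conditioned allow_execute line that was typed at the "Enter new entry>" prompt in the log. The sample input is constructed from the log in the post with envp[] trimmed; the function names are this example's own.

```python
"""Parse TOMOYO 1.6-style /proc/ccs/query entries and group them by pid.

Added example; not part of the ccs-tools sources.  SAMPLE is constructed
from the query log shown in the post, with envp[] shortened.
"""
import re

# Constructed sample: three query entries, two from pid 2443 and one from pid 2450.
SAMPLE = r'''#2008-06-06 10:50:38# profile=3 mode=enforcing pid=2443 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0 argc=3 envc=2 argv[]={ "sh" "-c" "id\040-a" } envp[]={ "PATH=/usr/bin:/bin" "PS1=\\h:\\w\\$\040" }
<kernel> /sbin/getty /bin/login /bin/bash
allow_execute /bin/sh
#2008-06-06 10:51:24# profile=3 mode=enforcing pid=2443 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/getty /bin/login /bin/bash /bin/sh
allow_read/write /dev/tty
#2008-06-06 10:52:17# profile=3 mode=enforcing pid=2450 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0 argc=5 envc=1 argv[]={ "mount" "-t" "tmpfs" "none" "/mnt/" } envp[]={ "HOME=/root" }
<kernel> /sbin/getty /bin/login /bin/bash
allow_execute /bin/mount
'''

HEADER_RE = re.compile(r'^#(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)# (.*)$')
QUOTED_RE = re.compile(r'"([^"]*)"')          # argv/envp items never contain raw " or space
ESC_RE = re.compile(r'\\(\\|[0-7]{3})')       # TOMOYO encoding: \\ or \ooo (octal byte)


def unescape(s):
    """Decode a TOMOYO-encoded string: '\\\\' is a backslash, '\\ooo' an octal byte."""
    return ESC_RE.sub(lambda m: '\\' if m.group(1) == '\\' else chr(int(m.group(1), 8)), s)


def parse_header(line):
    """Split a '#date# key=value ... argv[]={...} envp[]={...}' header line.

    Returns (fields, argv, envp); argv/envp stay encoded because policy
    syntax wants the encoded form (e.g. exec.argv[2]="id\\040-a").
    """
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not a query header: %r' % line)
    ts, rest = m.groups()
    argv = envp = None
    if ' argv[]=' in rest:
        rest, arrays = rest.split(' argv[]=', 1)
        argv_part, envp_part = arrays.split(' envp[]=', 1)
        argv = QUOTED_RE.findall(argv_part)
        envp = QUOTED_RE.findall(envp_part)
    fields = dict(kv.split('=', 1) for kv in rest.split())
    fields['timestamp'] = ts
    return fields, argv, envp


def parse_query_log(text):
    """Return one dict per header/domain/request triple in the log."""
    lines = [l for l in text.splitlines() if l.strip()]
    if len(lines) % 3:
        raise ValueError('query log entries are header/domain/request triples')
    entries = []
    for i in range(0, len(lines), 3):
        fields, argv, envp = parse_header(lines[i])
        entries.append({'fields': fields, 'argv': argv, 'envp': envp,
                        'domain': lines[i + 1], 'request': lines[i + 2]})
    return entries


def exec_condition(request, argc, argv):
    """Turn 'allow_execute /path' plus the logged argv into the conditional
    form typed in the post: exec.argc plus exec.argv[1..] (argv[0] omitted)."""
    if not request.startswith('allow_execute ') or not argv:
        return request
    conds = ['exec.argc=%s' % argc]
    conds += ['exec.argv[%d]="%s"' % (n, a) for n, a in enumerate(argv) if n]
    return request + ' if ' + ' '.join(conds)


def render(entries):
    """Re-emit entries with a separator whenever the pid changes (the new
    ccs-queryd behaviour), decoded argv for the human, and the conditional
    allow_execute suggestion."""
    out, last_pid = [], None
    for e in entries:
        pid = e['fields']['pid']
        if last_pid is not None and pid != last_pid:
            out.append('-' * 40)
        last_pid = pid
        out.append('#%s# pid=%s uid=%s mode=%s' % (
            e['fields']['timestamp'], pid, e['fields']['uid'], e['fields']['mode']))
        if e['argv']:
            out.append('argv: ' + ' '.join(unescape(a) for a in e['argv']))
        out.append(e['domain'])
        out.append(exec_condition(e['request'], e['fields'].get('argc'), e['argv']))
    return out


if __name__ == '__main__':
    print('\n'.join(render(parse_query_log(SAMPLE))))
```

The conditions are built from the still-encoded argv strings on purpose: that is what the kernel compares against, and it is why the log and the accepted entry both show "id\040-a" rather than "id -a". Decoding is only done for display.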