> Iustin Pop wrote:
> > Note that I didn't actually install the tools on my machine, just compiled and
> > testing from the build directory. Do the tools need installation to fix the
> > below problem?
>
> I think /sbin/tomoyo-init (which is installed by "make install") is missing and
> therefore TOMOYO is not yet activated. Please create /sbin/tomoyo-init by
> "cp -p tomoyo-init /sbin/" from the build directory.

Additional info:

TOMOYO is activated when "/sbin/init is executed" && "/sbin/tomoyo-init exists".
Thus, you need to reboot the system (or at least, execute /sbin/init) after
creating /sbin/tomoyo-init in order to activate TOMOYO.

/sbin/tomoyo-init loads policy from /etc/tomoyo/ directory when /sbin/init is
executed.

Before TOMOYO is activated, all programs can modify policy via
/sys/kernel/security/tomoyo/ interface. But after TOMOYO is activated, only
programs or domainnames listed in /sys/kernel/security/tomoyo/manager can.
Therefore, you will see error messages like
"$domainname ( $programname ) is not permitted to update policies."
from /bin/dmesg output.

Please append $domainname or $programname to /etc/tomoyo/manager.conf and
reboot the system so that /sbin/tomoyo-init copies /etc/tomoyo/manager.conf to
/sys/kernel/security/tomoyo/manager .
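
The manager.conf step described above, as an added example that is not part of the original mail or of the TOMOYO tools: it extracts the $programname field from the rejection messages and lists the ones not yet in a manager.conf file. The function names, the sample log lines and the paths in them are constructed for illustration; only the message format and /etc/tomoyo/manager.conf come from the mail.

```shell
#!/bin/sh
# Added example: find programs that TOMOYO refused as policy managers.
# Message format assumed, as quoted in the mail:
#   $domainname ( $programname ) is not permitted to update policies.

# Constructed sample of dmesg output (not taken from a real system).
sample_dmesg() {
    cat <<'EOF'
[   41.120001] <kernel> /usr/sbin/sshd /bin/bash ( /home/user/build/tool-a ) is not permitted to update policies.
[   41.900314] eth0: link up
[   57.002210] <kernel> /usr/sbin/sshd /bin/bash ( /home/user/build/tool-b ) is not permitted to update policies.
[   63.771002] <kernel> /usr/sbin/sshd /bin/bash ( /home/user/build/tool-a ) is not permitted to update policies.
EOF
}

# Read log lines on stdin and print each rejected $programname once.
# Domain names contain spaces, so match on the literal " ( " and " ) "
# markers; the greedy leading .* also swallows any timestamp prefix.
rejected_programs() {
    sed -n 's/^.* ( \(.*\) ) is not permitted to update policies\.$/\1/p' |
        sort -u
}

# Read log lines on stdin and print the rejected programs that are not
# already present as a whole line in the manager.conf file given as $1.
missing_managers() {
    conf=$1
    rejected_programs | while IFS= read -r prog; do
        # -F fixed string, -x whole line: avoids partial-path matches.
        if grep -Fxq -- "$prog" "$conf" 2>/dev/null; then
            continue
        fi
        printf '%s\n' "$prog"
    done
}

# Demo on the constructed sample with an empty configuration file.
# On a real system the equivalent call would be:
#   dmesg | missing_managers /etc/tomoyo/manager.conf
sample_dmesg | missing_managers /dev/null
```

Review each printed path before appending it to /etc/tomoyo/manager.conf, since every entry there is allowed to rewrite policy after activation.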