Hello.

Abby Ricart wrote:
> Okay, I configured my kernel as such:
>
> CONFIG_SECURITY_TOMOYO=y
> CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=2048
> CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
> # CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is not set
> CONFIG_SECURITY_TOMOYO_POLICY_LOADER="/sbin/tomoyo-init"
> CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/usr/lib/systemd/systemd"
>
> And installed the latest tomoyo-tools (2.5) for my kernel (3.8.2). I then
> initialized the policy (/usr/lib/tomoyo/init_policy).
>
> Upon reboot, the Domain Transition Editor is still listing <kernel> as the
> only domain. In dmesg the only tomoyo related message I get is this:
>
> [ 0.000103] Security Framework initialized
> [ 0.000126] TOMOYO Linux initialized
>
> What am I doing wrong? The kernel doesn't seem to want to track new domains.

This is because the pathname specified via CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER (/usr/lib/systemd/systemd in your case) is not yet passed to execve() request after the pathname specified via CONFIG_SECURITY_TOMOYO_POLICY_LOADER (/sbin/tomoyo-init in your case) became visible.

If the pathname specified via CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER is passed to execve() request after the pathname specified via CONFIG_SECURITY_TOMOYO_POLICY_LOADER became visible, the pathname specified via CONFIG_SECURITY_TOMOYO_POLICY_LOADER is executed and messages like

  Calling /sbin/tomoyo-init to load policy. Please wait.
  TOMOYO: 2.5.0

should be printed in dmesg.

For example, we need to specify /usr/lib/systemd/systemd to CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER when using TOMOYO in Fedora 18, for /init in Fedora 18's initramfs passes /usr/lib/systemd/systemd to the execve() request. Even if /sbin/init is a symlink to /lib/systemd/systemd or /usr/lib/systemd/systemd, you need to specify /sbin/init to CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER if your /init tries to pass /sbin/init to the execve() request.

You can try appending TOMOYO_trigger=/sbin/init to the kernel boot command line in order to temporarily override CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER. After you have found the correct pathname to specify, you can update CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER and rebuild your kernel.

If you still have a problem, please tell me your distribution/version so that I can try reproducing your problem.

Regards.
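
Added example, not part of the original message: a small shell check that reports which activation trigger is in effect (the built-in config value, or a TOMOYO_trigger= override on the boot command line) and whether dmesg shows the policy loader being called. The function names and sample strings are constructed for illustration; reading /proc/config.gz on a live system assumes the kernel was built with CONFIG_IKCONFIG_PROC.

```sh
#!/bin/sh
# Added example: report which TOMOYO activation trigger is in effect and
# whether the policy loader ran. Function names are hypothetical.

# Constructed samples modelled on the values quoted in the thread.
SAMPLE_CONFIG='CONFIG_SECURITY_TOMOYO_POLICY_LOADER="/sbin/tomoyo-init"
CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/usr/lib/systemd/systemd"'
SAMPLE_DMESG_STUCK='[ 0.000103] Security Framework initialized
[ 0.000126] TOMOYO Linux initialized'
SAMPLE_DMESG_OK="$SAMPLE_DMESG_STUCK
Calling /sbin/tomoyo-init to load policy. Please wait.
TOMOYO: 2.5.0"

# effective_trigger CONFIG_TEXT CMDLINE
# A TOMOYO_trigger= boot parameter overrides the built-in config value.
# If it is repeated, this sketch takes the last one (assumption).
effective_trigger() {
    t=$(printf '%s\n' "$2" | tr ' ' '\n' | sed -n 's/^TOMOYO_trigger=//p' | tail -n 1)
    if [ -z "$t" ]; then
        t=$(printf '%s\n' "$1" |
            sed -n 's/^CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="\(.*\)"$/\1/p')
    fi
    printf '%s\n' "$t"
}

# policy_loaded DMESG_TEXT: true if the loader announcement is present.
policy_loaded() {
    case $1 in
        *"Calling "*" to load policy"*) return 0 ;;
        *) return 1 ;;
    esac
}

# diagnose CONFIG_TEXT CMDLINE DMESG_TEXT
diagnose() {
    trigger=$(effective_trigger "$1" "$2")
    if policy_loaded "$3"; then
        echo "loaded (trigger: $trigger)"
    else
        echo "not loaded (trigger: $trigger)"
    fi
}

# On a live system (needs CONFIG_IKCONFIG_PROC for /proc/config.gz):
#   diagnose "$(zcat /proc/config.gz)" "$(cat /proc/cmdline)" "$(dmesg)"
diagnose "$SAMPLE_CONFIG" "root=/dev/sda1 ro" "$SAMPLE_DMESG_STUCK"
diagnose "$SAMPLE_CONFIG" "ro TOMOYO_trigger=/sbin/init" "$SAMPLE_DMESG_OK"
```

A "not loaded" result means the reported trigger pathname is the one to compare against what /init in the initramfs actually passes to execve().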