[tomoyo-users 918] tomoyo-tools-2.4
早間義博
2011-10-10 04:57:16 UTC
早間です。
tomoyo-tools-2.3 から
tomoyo-tools-2.4.0_p20110929 に変更しました。
下記のことでとまどっています。
(1) file getattr
learning mode で "file getattr" という policy が多量に作成されます。
ドキュメントのどこ(1.7 1.8 2.3 2.4 2.5)を見ても説明が見あたりません。
/etc/tomoyo/tools/editpolicy.conf に
keyword_alias file getattr = file getattr
$B$H$"$k$@$1$G$9!#(B
$BCf$G$b(B
file getattr pipe:[1433947]
というタイプが大量に作成されます。

file getattr の大量発生が quota の発動の原因となります。

日課として domain_policy.conf の patternize を実行していますが、
まだ続きそうです。
(2) tomoyo-editpolicy -1
作業用に /var/tmp/policy/current/ を作成し、domain_policy.conf
を作成し、tomoyo-editpolicy を実行したのですが
use_profile
の値が 0 としての表示がされます。
/etc/tomoyo/policy/current/profile.conf を
/var/tmp/policy/current/ にコピーすると
/var/tmp/policy/current/domain_policy.conf
の use_profile が生きて来ます。
(3) tomoyo-editpolicy -2
上記(2)で tomoyo-editpolicy を q で終了させたとき
Failed to save policy.
と表示され、
変更前の policy が削除され変更後が追加されません。
結果として意に沿わない domain_policy.conf となります。
/var/tmp/policy/ に /etc/tomoyo/policy と同じように
ディレクトリ 11-10-10.12:14:06 を作成し、
ln -s 11-10-10.12:14:06 previous
ln -s 11-10-10.12:14:06 current
とすると働くようです。
current は作られて行きますが、
previous が symlink でないと駄目なようです。
(4) symlink
file symlink /etc/tomoyo/policy/current symlink.target="11-10-10.07:31:22/"
と言うのが増殖しています。
file symlink /etc/tomoyo/policy/\+\+-\+\+-\+\+.\+\+:\+\+:\+\+/
file symlink /etc/tomoyo/policy/current symlink.target="\+\+-\+\+-\+\+.\+\+:\+\+:\+\+/"
では o で同じパターンとは見なされません。
「変数との比較の対象となる数値は１個の数値、数値の範囲、あるいは別の変数です」
この定義に沿ってどのような値を指定すれば良いのでしょう。

-- 早間
Tetsuo Handa
2011-10-10 05:39:14 UTC
早間義博さんは書きました：
Post by 早間義博
(1) file getattr
$B$"$?$j$^$;$s!#(B
$BCf$G$b(B
file getattr pipe:[1433947]
/etc/tomoyo/exception_policy.conf に

acl_group 0 file getattr @ANY_PATHNAME
path_group ANY_PATHNAME /
path_group ANY_PATHNAME /\*
path_group ANY_PATHNAME /\{\*\}/
path_group ANY_PATHNAME /\{\*\}/\*
path_group ANY_PATHNAME \*:/
path_group ANY_PATHNAME \*:/\*
path_group ANY_PATHNAME \*:/\{\*\}/
path_group ANY_PATHNAME \*:/\{\*\}/\*
path_group ANY_PATHNAME \*:[\$]

という指定は含まれていますでしょうか？ tomoyo-tools-2.4 のインストール後に
/usr/lib/tomoyo/init_policy を実行することで上記の指定を含んだ
exception_policy.conf が作成されるため、 use_group 0 が指定されたドメインに
file getattr の指定が学習されることは無い筈です。（ TOMOYO 2.3 のポリシーと（本文はここで途切れています）
Post by 早間義博
(2) tomoyo-editpolicy -1
use_profile
の値が 0 としての表示がされます。
/etc/tomoyo/policy/current/profile.conf を
/var/tmp/policy/current/ にコピーすると
/var/tmp/policy/current/domain_policy.conf
ポリシーディレクトリには常に domain_policy.conf exception_policy.conf
manager.conf profile.conf をセットで配置するようにしてください。
domain_policy.conf の use_profile の値は profile.conf を参照するため、
domain_policy.conf が存在して profile.conf が存在しない場合には
期待通りに動作しないと思います。
Post by 早間義博
(3) tomoyo-editpolicy -2
上記(2)で tomoyo-editpolicy を q で終了させたとき
Failed to save policy.
と表示され、
変更前の policy が削除され変更後が追加されません。
結果として意に沿わない domain_policy.conf となります。
/var/tmp/policy/ に /etc/tomoyo/policy と同じように
ln -s 11-10-10.12:14:06 previous
ln -s 11-10-10.12:14:06 current
とすると働くようです。
current は作られて行きますが、
previous が symlink でないと駄目なようです。
はい。 current と previous はシンボリックリンクである必要があります。
これは、 domain_policy.conf exception_policy.conf manager.conf profile.conf を（本文はここで途切れています）
Post by 早間義博
(4) symlink
file symlink /etc/tomoyo/policy/current symlink.target="11-10-10.07:31:22/"
file symlink /etc/tomoyo/policy/\+\+-\+\+-\+\+.\+\+:\+\+:\+\+/
file symlink /etc/tomoyo/policy/current symlink.target="\+\+-\+\+-\+\+.\+\+:\+\+:\+\+/"
では o で同じパターンとは見なされません。
条件式（ symlink.target など）の部分は o キーでの最適化に対応していません。
ゴメンナサイ。

file symlink /etc/tomoyo/policy/current

または

file symlink /etc/tomoyo/policy/current symlink.target="\+\+-\+\+-\+\+.\+\+:\+\+:\+\+/"

を追加後、 o キーを使わずに

file symlink /etc/tomoyo/policy/current symlink.target="11-10-10.07:31:22/"

を選択して削除してください。
早間義博
2011-10-10 12:49:46 UTC
早間です。
お願いします。
Post by Tetsuo Handa
/etc/tomoyo/exception_policy.conf に
path_group ANY_PATHNAME /
path_group ANY_PATHNAME /\*
path_group ANY_PATHNAME /\{\*\}/
path_group ANY_PATHNAME /\{\*\}/\*
path_group ANY_PATHNAME \*:/
path_group ANY_PATHNAME \*:/\*
path_group ANY_PATHNAME \*:/\{\*\}/
path_group ANY_PATHNAME \*:/\{\*\}/\*
path_group ANY_PATHNAME \*:[\$]
という指定は含まれていますでしょうか？ tomoyo-tools-2.4 のインストール後に
file getattr の指定が学習されることは無い筈です。（ TOMOYO 2.3 のポリシーと
tomoyo-tools-2.4 のインストール後に /usr/lib/tomoyo/init_policy は実行しました。
/etc/tomoyo の構成、あるいは内容とカーネルが合わないと panic になるので
びっくりしました。しかし、2.3 の時の conf を可能な限り使用しました。
exception_policy.conf は 2.3 の状態でエラーも出なかったので
(無視されたものはありましたが) 2.3 の conf を上書きしました。

ご指摘をいただきましたので、再度 /usr/lib/tomoyo/init_policy を実行し、
作成された exception_policy.conf に 2.3 の時の conf を追加しました。
Post by Tetsuo Handa
Post by 早間義博
(2) tomoyo-editpolicy -1
use_profile
の値が 0 としての表示がされます。
/etc/tomoyo/policy/current/profile.conf を
/var/tmp/policy/current/ にコピーすると
/var/tmp/policy/current/domain_policy.conf
ポリシーディレクトリには常に domain_policy.conf exception_policy.conf
domain_policy.conf の use_profile の値は profile.conf を参照するため、
domain_policy.conf が存在して profile.conf が存在しない場合には
期待通りに動作しないと思います。
tomoyo-editpolicy.8.bz2 に何か書いてあった方がありがたいです。
Post by Tetsuo Handa
Post by 早間義博
(3) tomoyo-editpolicy -2
上記(2)で tomoyo-editpolicy を q で終了させたとき
Failed to save policy.
と表示され、
変更前の policy が削除され変更後が追加されません。
結果として意に沿わない domain_policy.conf となります。
/var/tmp/policy/ に /etc/tomoyo/policy と同じように
ln -s 11-10-10.12:14:06 previous
ln -s 11-10-10.12:14:06 current
とすると働くようです。
current は作られて行きますが、
previous が symlink でないと駄目なようです。
はい。 current と previous はシンボリックリンクである必要があります。
これは、 domain_policy.conf exception_policy.conf manager.conf profile.conf を
current はディレクトリ(symlink でない)時でも、強引？に symlink に
変更していくのに比べて、previous はシャイですね。
Post by Tetsuo Handa
Post by 早間義博
(4) symlink
file symlink /etc/tomoyo/policy/current symlink.target="11-10-10.07:31:22/"
file symlink /etc/tomoyo/policy/\+\+-\+\+-\+\+.\+\+:\+\+:\+\+/
file symlink /etc/tomoyo/policy/current symlink.target="\+\+-\+\+-\+\+.\+\+:\+\+:\+\+/"
では o で同じパターンとは見なされません。
条件式（ symlink.target など）の部分は o キーでの最適化に対応していません。
ゴメンナサイ。
file symlink /etc/tomoyo/policy/current
または
file symlink /etc/tomoyo/policy/current symlink.target="\+\+-\+\+-\+\+.\+\+:\+\+:\+\+/"
を追加後、 o キーを使わずに
file symlink /etc/tomoyo/policy/current symlink.target="11-10-10.07:31:22/"
削除しました。

-- 早間
早間義博
2011-10-14 07:00:14 UTC
早間です。
Post by Tetsuo Handa
/etc/tomoyo/exception_policy.conf に
path_group ANY_PATHNAME /
path_group ANY_PATHNAME /\*
path_group ANY_PATHNAME /\{\*\}/
path_group ANY_PATHNAME /\{\*\}/\*
path_group ANY_PATHNAME \*:/
path_group ANY_PATHNAME \*:/\*
path_group ANY_PATHNAME \*:/\{\*\}/
path_group ANY_PATHNAME \*:/\{\*\}/\*
path_group ANY_PATHNAME \*:[\$]
という指定は含まれていますでしょうか？ tomoyo-tools-2.4 のインストール後に
file getattr の指定が学習されることは無い筈です。（ TOMOYO 2.3 のポリシーと
2.3 では働いていた cgi が
#2011/10/14 02:03:16# profile=3 mode=enforcing granted=no (global-pid=5882) task={ pid=5882 ppid=5881 uid=xxx gid=xxx euid=xxx egid=xxx suid=xxx sgid=xxx
fsuid=xxx fsgid=xxx } path1={ uid=xxx gid=xxx ino=703055 major=0 minor=5 perm=0777 type=socket } path1.parent={ uid=xxx gid=xxx ino=703055 perm=0777 }
<kernel> ...... /bin/cat
file getattr socket:[family=1:type=1:protocol=0]

と実行してもらえませんでした。
reject_002.log を見たところ
# grep getattr reject_002.log| sort -u
file getattr socket:[family=10:type=1:protocol=6]
file getattr socket:[family=10:type=2:protocol=17]
file getattr socket:[family=16:type=2:protocol=15]
file getattr socket:[family=17:type=10:protocol=0]
file getattr socket:[family=1:type=1:protocol=0]
file getattr socket:[family=1:type=2:protocol=0]
file getattr socket:[family=2:type=1:protocol=6]
file getattr socket:[family=2:type=2:protocol=17]
file getattr socket:[family=2:type=3:protocol=1]

と言うログが大量にありました。

acl_group 0 file getattr socket:[family=\$:type=\$:protocol=\$]
$B$"$k$$$O(B
acl_group 0 file getattr \*:[\*]
または
path_group ANY_PATHNAME \*:[\$] -->
path_group ANY_PATHNAME \*:[\*]
とする。
と言う修正でどれが良いでしょうか

-- 早間 義博
Tetsuo Handa
2011-10-14 07:11:24 UTC
早間義博 さんは書きました：
Post by 早間義博
file getattr socket:[family=10:type=1:protocol=6]
おっと、 socket は別扱いなので ANY_PATHNAME に一致していませんでしたね。
Post by 早間義博
acl_group 0 file getattr socket:[family=\$:type=\$:protocol=\$]
$B$"$k$$$O(B
acl_group 0 file getattr \*:[\*]
または
path_group ANY_PATHNAME \*:[\$] -->
path_group ANY_PATHNAME \*:[\*]
とする。
path_group ANY_PATHNAME socket:[family=\$:type=\$:protocol=\$]

を追加するのが良いと思います。（socket 以外の `pipe:[…]` などにも一致してしまう `\*:[\*]` よりも、許可範囲を socket に限定できます。）
