Discussion:
[tomoyo-users 860] no_keep_domain
早間義博
2011-06-04 02:46:45 UTC
早間です。
環境
kernel linux-2.6.38-gentoo-r1 と linux-2.6.38-gentoo-r6
なお、いずれも[tomoyo-users 813] のパッチ無し
tomoyo tomoyo-tools-2.3.0_p20110511

(1) ワイルドカートドメインの影響
keep_domain <kernel> /usr/bin/xterm
no_keep_domain <kernel> /usr/bin/kterm /usr/bin/emerge

指定しても
<kernel> /usr/bin/xterm
..
allow_execute /usr/bin/\*
allow_execute /usr/bin/emerge
..

と <kernel> /usr/bin/xterm に当該コマンドを包含するワイルドカート
があるとワイルドカートが優先され
no_keep_domain <kernel> /usr/bin/kterm /usr/bin/emerge
が機能しません。
現在は対策として
・ allow_execute /usr/bin/\* を削除する
・ aggregator /usr/bin/emerge /usr/bin/portage/emerge のように
aggregator によってワイルドカートから逃げる。
方法を思いつきましたが、他に方法はあるのでしょうか。
ワイルドカートがあっても個別の allow_execute がある場合個別の
allow_execute を優先して個別のドメイン対策
・ 下位ドメインの作成
・ no_keep_domain
を実施すると言うことは出来ないのでしょうか。

(2) initialize_domain が無いとkeep_domain から脱出(?)出来ない。
上記(1)と同じ条件ですが、
domain_policy.conf に
initialize_domain /usr/bin/emerge
が無い場合、keep_domain で指定されたドメインから抜けて新しいド
メイン <kernel> /usr/bin/kterm /usr/bin/emerge
が作成されません。

-- 早間
早間義博
2011-06-04 04:14:57 UTC
早間です。
Post by 早間義博
(2) initialize_domain が無いとkeep_domain から脱出(?)出来ない。
上記(1)と同じ条件ですが、
domain_policy.conf に
exception_policy.conf

の間違いです。
Post by 早間義博
initialize_domain /usr/bin/emerge
が無い場合、keep_domain で指定されたドメインから抜けて新しいド
メイン <kernel> /usr/bin/kterm /usr/bin/emerge
-- 早間
Tetsuo Handa
2011-06-04 04:51:10 UTC
早間義博 さんは書きました:
aggregator /usr/bin/perl5.12.3 /usr/bin/perl
現状では問題は無いようですが、
/usr/bin/perl は /usr/bin/perl5.12.3 に symlink されています。
このループは問題ないでしょうか。
ありません。

aggregator は /usr/bin/perl5.\$.\$ のようなパターンを //PERL5 のような
(実在しなくてもよい)パス名にマッピングするためのものです。テンポラリな名前を
持つプログラムに対してもドメイン遷移ができるようにするために追加されました。
環境
kernel linux-2.6.38-gentoo-r1 と linux-2.6.38-gentoo-r6
なお、いずれも[tomoyo-users 813] のパッチ無し
tomoyo tomoyo-tools-2.3.0_p20110511
(1) ワイルドカートドメインの影響
keep_domain <kernel> /usr/bin/xterm
no_keep_domain <kernel> /usr/bin/kterm /usr/bin/emerge
指定しても
<kernel> /usr/bin/xterm
..
allow_execute /usr/bin/\*
allow_execute /usr/bin/emerge
..
と <kernel> /usr/bin/xterm に当該コマンドを包含するワイルドカート
no_keep_domain <kernel> /usr/bin/kterm /usr/bin/emerge
が機能しません。
え〜っと、

keep_domain <kernel> /usr/bin/xterm
no_keep_domain <kernel> /usr/bin/kterm /usr/bin/emerge

の中に xterm と kterm が混在していますが、これは

keep_domain <kernel> /usr/bin/xterm
no_keep_domain <kernel> /usr/bin/xterm /usr/bin/emerge

(あるいは

keep_domain <kernel> /usr/bin/kterm
no_keep_domain <kernel> /usr/bin/kterm /usr/bin/emerge

)と言いたかったのでしょうか?そうだとしたら、 no_keep_domain の使い方を
間違えています。

no_keep_domain は keep_domain の効果を打ち消すためのものなので、
keep_domain 指定と組み合わせないと無意味です。(同様に、
no_initialize_domain は initialize_domain の効果を打ち消すものなので、
initialize_domain 指定と組み合わせないと無意味です。)

no_keep_domain は以下のように使うことに注意してください。

keep_domain ドメイン名
no_keep_domain プログラム名 from ドメイン名

このように指定すると、「ドメイン名」で指定されたドメインから「プログラム名」で
指定されたプログラムが実行された場合には、(「ドメイン名」で指定された
ドメインが keep_domain に指定されていたとしても)「ドメイン名」に
「プログラム名」を結合したドメイン名を持つドメインへと遷移するという意味に
なります。つまり、「 <kernel> /usr/bin/xterm ドメインでは原則としてその
子ドメインへは遷移させないけれど、 /usr/bin/emerge が実行された場合には
その子ドメインへ遷移させたい」という場合には、

keep_domain <kernel> /usr/bin/xterm
no_keep_domain /usr/bin/emerge from <kernel> /usr/bin/xterm

のように指定する必要があります。
現在は対策として
・ allow_execute /usr/bin/\* を削除する
・ aggregator /usr/bin/emerge /usr/bin/portage/emerge のように
aggregator によってワイルドカートから逃げる。
方法を思いつきましたが、他に方法はあるのでしょうか。
/usr/bin/\*\-emerge

という指定により、 /usr/bin/emerge 以外の /usr/bin/\* というマッチングが
できます。
ワイルドカートがあっても個別の allow_execute がある場合個別の
・ no_keep_domain
そのような曖昧な指定は避けるようにするのが賢明です。
たとえば /tmp/test というプログラムに対する実行許可を与える場合、

allow_execute /tmp/test
allow_execute /tmp/\*
allow_execute /tmp/\?\?\?\?
allow_execute /tmp/\@
allow_execute /tmp/t\*
allow_execute /tmp/\*est

などたくさんの方法が考えられます。ワイルドカードを含まないエントリを
ワイルドカードを含むエントリよりも優先するというロジックは実現できますが、
ワイルドカードを含むエントリの中からどれを使用するかというロジックは実現
できないので、最初に一致したエントリを利用するという仕様になっています。
(2) initialize_domain が無いとkeep_domain から脱出(?)出来ない。
上記(1)と同じ条件ですが、
domain_policy.conf に
initialize_domain /usr/bin/emerge
が無い場合、keep_domain で指定されたドメインから抜けて新しいド
メイン <kernel> /usr/bin/kterm /usr/bin/emerge
これも、前述した no_keep_domain の使い方を間違えているのが原因だと思います。
http://tomoyo.sourceforge.jp/2.3/policy-specification/domain-transition-procedure.html
を参照してください。



ところで、仕様の変更について要望する場合には、 TOMOYO 2.x に対してではなく
TOMOYO 1.x の最新版に対して行うようにしてください。 TOMOYO 2.3 は TOMOYO 1.7 の
サブセットであり、機能的にも使い勝手的にも中途半端な状態にあります。 TOMOYO 2.4
のベースとなる TOMOYO 1.8 に対して提案する方が生産的です。

TOMOYO 1.8.2 で追加されるポリシー名前空間の仕様についてのページを追加しました。
http://tomoyo.sourceforge.jp/1.8/chapter-15.html
早間義博
2011-06-04 09:23:34 UTC
早間です。
Post by Tetsuo Handa
え〜っと、
keep_domain <kernel> /usr/bin/xterm
no_keep_domain <kernel> /usr/bin/kterm /usr/bin/emerge
の中に xterm と kterm が混在していますが、これは
keep_domain <kernel> /usr/bin/xterm
no_keep_domain <kernel> /usr/bin/xterm /usr/bin/emerge
(あるいは
keep_domain <kernel> /usr/bin/kterm
no_keep_domain <kernel> /usr/bin/kterm /usr/bin/emerge
間違えています。
書き間違えです。
keep_domain <kernel> /usr/bin/xterm
no_keep_domain <kernel> /usr/bin/xterm /usr/bin/emerge
です。

しかし、利用方法が間違っているのが判りました。
ありがとうございます。
Post by Tetsuo Handa
Post by 早間義博
現在は対策として
・ allow_execute /usr/bin/\* を削除する
・ aggregator /usr/bin/emerge /usr/bin/portage/emerge のように
aggregator によってワイルドカートから逃げる。
方法を思いつきましたが、他に方法はあるのでしょうか。
/usr/bin/\*\-emerge
という指定により、 /usr/bin/emerge 以外の /usr/bin/\* というマッチングが
できます。
allow_execute /usr/bin/\*\-emerge\-ebuild\-genkernel\-revdep-rebuild

としてみます。

aggregator による指定は
allow_read など他の構文にも有効ですか。

-- 早間
Tetsuo Handa
2011-06-04 09:29:03 UTC
早間義博 さんは書きました:
Post by 早間義博
aggregator による指定は
allow_read など他の構文にも有効ですか。
いいえ。 aggregator は allow_execute に対してのみ有効です。