Last modified: $Date: 2007-02-05 20:56:25 +0900 (Mon, 05 Feb 2007) $
TOMOYO Linux provides pre-built binary kernel packages. If you want to use one, download and install the package for your distribution.
RedHat Linux 9 (80386 and later) | http://osdn.dl.sourceforge.jp/tomoyo/22799/kernel-2.4.20-46.9.legacy_tomoyo_1.3.1.i386.rpm |
Fedora Core 3 (80586 and later) | http://osdn.dl.sourceforge.jp/tomoyo/22799/kernel-2.6.12-2.3.legacy_FC3_tomoyo_1.3.1.i586.rpm |
Fedora Core 4 (80586 and later) | http://osdn.dl.sourceforge.jp/tomoyo/22799/kernel-2.6.17-1.2142_FC4_tomoyo_1.3.1.i586.rpm |
Fedora Core 5 (80586 and later) | http://osdn.dl.sourceforge.jp/tomoyo/22799/kernel-2.6.18-1.2257.fc5_tomoyo_1.3.1.i586.rpm |
Fedora Core 6 (80586 and later) | http://osdn.dl.sourceforge.jp/tomoyo/22799/kernel-2.6.19-1.2895.fc6_tomoyo_1.3.1.i586.rpm |
CentOS 4.4 (80586 and later) | http://osdn.dl.sourceforge.jp/tomoyo/22799/kernel-2.6.9-42.0.8.EL_tomoyo_1.3.1.i586.rpm |
Debian Sarge (80586 and later) | http://osdn.dl.sourceforge.jp/tomoyo/22799/kernel-image-2.4.27-10sarge5-ccs_1.3.1_i586.deb http://osdn.dl.sourceforge.jp/tomoyo/22799/kernel-image-2.6.8-16sarge6-ccs_1.3.1_i586.deb |
Debian Etch (80586 and later) | http://osdn.dl.sourceforge.jp/tomoyo/22799/linux-image-2.6.18-7-ccs_1.3.1_i586.deb |
OpenSUSE 10.1 (80586 and later) | http://osdn.dl.sourceforge.jp/tomoyo/22799/kernel-default-2.6.16.27-0.6_tomoyo_1.3.1.i586.rpm |
OpenSUSE 10.2 (80586 and later) | http://osdn.dl.sourceforge.jp/tomoyo/22799/kernel-default-2.6.18.2-34_tomoyo_1.3.1.i586.rpm |
Asianux 2.0 (80686 and later) | http://osdn.dl.sourceforge.jp/tomoyo/22799/kernel-2.6.9-34.28AX_tomoyo_1.3.1.i686.rpm |
Ubuntu 6.10 (80586 and later) | http://osdn.dl.sourceforge.jp/tomoyo/22799/linux-image-2.6.17.14-ubuntu1-ccs_1.3.1_i586.deb |
If your CPU architecture differs or you want to customize the kernel configuration, you need to compile the kernel yourself. To do so, see TOMOYO Linux kernel compilation.
If you are using a distribution that supports SELinux, you might encounter errors while installing the packages if SELinux is not disabled. If you see the error messages shown below while installing the packages, retry after disabling SELinux. You can disable SELinux either by setting SELINUX=disabled in /etc/selinux/config and rebooting, or by adding selinux=0 to the kernel's boot parameters.
[root@localhost ~]# rpm -ihv kernel-2.6.9-42.0.8.EL_tomoyo_1.3.1.i586.rpm
Preparing...                ########################################### [100%]
Error: %pre(kernel-2.6.9-42.0.8.EL_tomoyo_1.3.1.i586) scriptlet failed, exit status 255
Error: install: %pre scriptlet failed (2), skipping kernel-2.6.9-42.0.8.EL_tomoyo_1.3.1
TOMOYO Linux itself can coexist with SELinux. You may continue with SELinux enabled if you want.
If you install the rpm package, the following entry is added to /boot/grub/grub.conf upon successful installation.
title CentOS (2.6.9-42.0.8.EL_tomoyo_1.3.1)
        root (hd0,0)
        kernel /vmlinuz-2.6.9-42.0.8.EL_tomoyo_1.3.1 ro root=/dev/VolGroup00/LogVol00
        initrd /initrd-2.6.9-42.0.8.EL_tomoyo_1.3.1.img
Append "init=/.init" to the "kernel" line.
title CentOS (2.6.9-42.0.8.EL_tomoyo_1.3.1)
        root (hd0,0)
        kernel /vmlinuz-2.6.9-42.0.8.EL_tomoyo_1.3.1 ro root=/dev/VolGroup00/LogVol00 init=/.init
        initrd /initrd-2.6.9-42.0.8.EL_tomoyo_1.3.1.img
If you install the deb package, the following entry is added to /boot/grub/menu.lst upon successful installation.
title Debian GNU/Linux, kernel 2.6.8-16sarge6-ccs
root (hd0,0)
kernel /boot/vmlinuz-2.6.8-16sarge6-ccs root=/dev/sda1 ro
initrd /boot/initrd.img-2.6.8-16sarge6-ccs
savedefault
boot
Append "init=/.init" to the "kernel" line.
title Debian GNU/Linux, kernel 2.6.8-16sarge6-ccs
root (hd0,0)
kernel /boot/vmlinuz-2.6.8-16sarge6-ccs root=/dev/sda1 ro init=/.init
initrd /boot/initrd.img-2.6.8-16sarge6-ccs
savedefault
boot
The "/.init" is a script that loads TOMOYO Linux's policy files; it is executed before /sbin/init starts.
The "/.init" is included in the TOMOYO Linux tools package.
TOMOYO Linux provides pre-compiled tools. If you want to use them, download the archive for your distribution and extract it under the /root/ directory.
RedHat Linux 9 (80386 and later) | http://osdn.dl.sourceforge.jp/tomoyo/22799/ccs-tools-1.3.1-i386-RHL9.tar.gz |
Fedora Core 3 (80386 and later) | http://osdn.dl.sourceforge.jp/tomoyo/22799/ccs-tools-1.3.1-i386-FC3.tar.gz |
Fedora Core 4 (80386 and later) | http://osdn.dl.sourceforge.jp/tomoyo/22799/ccs-tools-1.3.1-i386-FC4.tar.gz |
Fedora Core 5 (80386 and later) | http://osdn.dl.sourceforge.jp/tomoyo/22799/ccs-tools-1.3.1-i386-FC5.tar.gz |
Fedora Core 6 (80386 and later) | http://osdn.dl.sourceforge.jp/tomoyo/22799/ccs-tools-1.3.1-i386-FC6.tar.gz |
CentOS 4.4 (80386 and later) | http://osdn.dl.sourceforge.jp/tomoyo/22799/ccs-tools-1.3.1-i386-CentOS4.4.tar.gz |
Debian Sarge (80386 and later) | http://osdn.dl.sourceforge.jp/tomoyo/22799/ccs-tools-1.3.1-i386-Sarge.tar.gz |
Debian Etch (80386 and later) | http://osdn.dl.sourceforge.jp/tomoyo/22799/ccs-tools-1.3.1-i386-Etch.tar.gz |
OpenSUSE 10.1 (80386 and later) | http://osdn.dl.sourceforge.jp/tomoyo/22799/ccs-tools-1.3.1-i386-SUSE10.1.tar.gz |
OpenSUSE 10.2 (80386 and later) | http://osdn.dl.sourceforge.jp/tomoyo/22799/ccs-tools-1.3.1-i386-SUSE10.2.tar.gz |
Asianux 2.0 (80386 and later) | http://osdn.dl.sourceforge.jp/tomoyo/22799/ccs-tools-1.3.1-i386-AX2.tar.gz |
Ubuntu 6.10 (80386 and later) | http://osdn.dl.sourceforge.jp/tomoyo/22799/ccs-tools-1.3.1-i386-Ubuntu6.10.tar.gz |
Move the extracted ".init" (the policy loader) to / .
mv ccstools/.init /
If your CPU architecture differs, you need to compile the tools yourself. To compile them, run the following commands.
cd /root/
# Download the source of the tools for TOMOYO Linux.
wget http://osdn.dl.sourceforge.jp/tomoyo/22798/ccs-tools-1.3.1-20070107.tar.gz
# Extract.
tar -zxf ccs-tools-1.3.1-20070107.tar.gz
# Compile.
make -sC ccstools/
# Move the policy loader to / .
mv ccstools/.init /
Add the location of the TOMOYO Linux tools to the PATH environment variable.
Add the following line to ~/.bashrc if you are using bash.
export PATH=$PATH:/root/ccstools
Add the following line to ~/.tcshrc if you are using tcsh.
setenv PATH "$PATH:/root/ccstools"
Check whether your box can boot with the TOMOYO Linux kernel.
Create the /etc/ccs/ directory, in which TOMOYO Linux stores its policy files.
Set the owner and group to root and the permission to 700, since only root needs to access the directory.
mkdir -m 700 /etc/ccs
Create /etc/ccs/manager.txt and list the programs that are allowed to update policies via the /proc/ccs/ interface.
Specifically: "loadpolicy", which reloads policy; "editpolicy", which edits policy; "setlevel", which changes control levels; "setprofile", which changes the profile number of domains; "ld-watch", which updates the list of globally readable files; and "ccs-queryd", which grants access requests interactively.
cat > /etc/ccs/manager.txt << EOF
/root/ccstools/loadpolicy
/root/ccstools/editpolicy
/root/ccstools/setlevel
/root/ccstools/setprofile
/root/ccstools/ld-watch
/root/ccstools/ccs-queryd
EOF
Reboot with TOMOYO Linux kernel.
reboot
The following messages will appear upon successful execution of "/.init".
Press 'Enter' or wait for 10 seconds to use default status.
You may input 'disabled' and press 'Enter' to disable MAC in case of emergency.
>
Enter "boottest" and press Enter here, since no profiles have been created yet.
boottest
/sbin/init will start and the system will boot if the profiles are loaded successfully.
On failure, the following message will appear and the system halts.
No profiles loaded. Run policy loader using 'init=' option.
If it fails, check the following points.
After the system boots, login as root.
Save the profile by executing the following command.
cat /proc/ccs/status > /etc/ccs/status.txt
The MAC in TOMOYO Linux is applied in units of domains. Every process belongs to a single domain, and basically a process transits to a different domain whenever it executes a program. The name of a domain is the concatenated string of the process execution history. For example, the domain the kernel belongs to is named "<kernel>"; the domain of /sbin/init invoked by the kernel is "<kernel> /sbin/init"; and the domain of /etc/rc.d/rc invoked by /sbin/init is "<kernel> /sbin/init /etc/rc.d/rc". The exceptions to this transition rule are described later.
TOMOYO Linux can perform several MACs besides the MAC for files, but to reduce the policy management load you can disable the MACs you consider unnecessary. The configurable parameters are determined at kernel compilation time; only the items listed in /proc/ccs/status are configurable.
Name | Control | Default value | Accept mode supported |
COMMENT | A line of text that describes the content of the profile. | - | |
MAC_FOR_FILE | Enable Mandatory Access Control(MAC) for files. | 0 | Yes |
MAC_FOR_ARGV0 | Enable MAC for argv[0] checks. | 0 | Yes |
MAC_FOR_CAPABILITY:: | Enable MAC for capabilities. There are 29 types of capabilities and you can enable/disable selectively. | 0 | Yes |
MAC_FOR_NETWORK | Enable MAC for network addresses and ports. | 0 | Yes |
MAC_FOR_BINDPORT | Enable MAC for local ports. This is a subset of MAC_FOR_NETWORK. | 0 | Yes |
MAC_FOR_CONNECTPORT | Enable MAC for remote ports. This is a subset of MAC_FOR_NETWORK. | 0 | Yes |
MAC_FOR_SIGNAL | Enable MAC for signal. | 0 | Yes |
DENY_CONCEAL_MOUNT | Forbid mount requests that hide an existing mount. | 0 | No |
RESTRICT_CHROOT | Enable restrictions for chroot directories. | 0 | Yes |
RESTRICT_MOUNT | Enable restrictions for mount parameters. | 0 | Yes |
RESTRICT_UNMOUNT | Forbid unmount requests for specified directories. | 0 | No |
DENY_PIVOT_ROOT | Forbid pivot_root requests. | 0 | No |
RESTRICT_AUTOBIND | Forbid selecting specific local port number when automatic local port binding happens. | 0 | No |
TRACE_READONLY | Dump the canonicalized pathname of write requests that failed because the filesystem is read-only. | 0 | - |
MAX_ACCEPT_FILES | Limits the maximum number of file read/write/execute ACL entries that are automatically appended in accept mode. | 2048 | - |
MAX_GRANT_LOG | Limits the maximum number of logged access requests that didn't violate policy. | 1024 | - |
MAX_REJECT_LOG | Limits the maximum number of logged access requests that violated policy. | 1024 | - |
TOMOYO_VERBOSE | Dump domain policy violation messages to syslog. | 1 | - |
ALLOW_ENFORCE_GRACE | Allow interactively permitting access requests that violated policy according to the administrator's decision. | 0 | - |
You can give the following values for TRACE_READONLY and RESTRICT_AUTOBIND.
Value | Meaning |
0 | Off. Works like a regular kernel. |
1 | On |
You can give any integer greater than or equal to 0 for MAX_ACCEPT_FILES, MAX_GRANT_LOG and MAX_REJECT_LOG.
You can give the following values for TOMOYO_VERBOSE.
Value | Meaning |
0 | Don't dump domain policy violation messages. |
1 | Dump domain policy violation messages. |
You can give the following values for ALLOW_ENFORCE_GRACE.
Value | Meaning |
0 | Reject immediately if a policy violation occurs in enforcing mode. |
1 | Allow interactively permitting access requests that violated policy in enforcing mode. |
You can give the following values for all parameters not listed above.
Value | Meaning |
0 | Disabled. Works like a regular kernel. |
1 | Accept mode. The request is not rejected if it violates policy, and the missing ACL is automatically appended to policy. |
2 | Permissive mode. The request is not rejected if it violates policy, and nothing is appended to policy automatically. |
3 | Enforce mode. The request is rejected if it violates policy. |
Write profiles for "disabled", "accept mode", "permissive mode" and "enforce mode" in /etc/ccs/status.txt . The following example defines profiles that apply MAC for files and networks. The leading number is the profile number, which is used when assigning profiles to domains. The valid profile number range is 0 to 255.
0-COMMENT=----- All Disabled -----
1-COMMENT=----- FILE and NETWORK with Accept Mode -----
1-MAC_FOR_FILE=1
1-MAC_FOR_NETWORK=1
2-COMMENT=----- FILE and NETWORK with Permissive Mode -----
2-MAC_FOR_FILE=2
2-MAC_FOR_NETWORK=2
3-COMMENT=----- FILE and NETWORK with Enforce Mode -----
3-MAC_FOR_FILE=3
3-MAC_FOR_NETWORK=3
3-MAX_GRANT_LOG=0
3-ALLOW_ENFORCE_GRACE=0
4-COMMENT=----- FILE and NETWORK with Delayed Enforce Mode -----
4-MAC_FOR_FILE=3
4-MAC_FOR_NETWORK=3
4-MAX_GRANT_LOG=0
4-MAX_REJECT_LOG=0
4-ALLOW_ENFORCE_GRACE=1
In this manual, we assume that
profile number 0 is for "disabled",
profile number 1 is for "accept mode",
profile number 2 is for "permissive mode",
profile number 3 is for "enforce mode",
profile number 4 is for "delayed enforce mode" (the same as "enforce mode" except that it allows administrators to handle access requests that violated policy manually).
You won't need to edit the profiles once you have created them, because you can control how MAC is applied on a per-domain basis by changing the profile numbers of domains. But if you edit /etc/ccs/status.txt for some reason (for example, to add profiles), run the following command.
xargs -0 setlevel < /etc/ccs/status.txt
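Since setlevel feeds every line of status.txt straight into the kernel, it helps to check the file first. The following Python script is an added example (it is not part of the TOMOYO Linux tools): it parses the N-NAME=VALUE lines and checks each value against the ranges given in the parameter table above. The parameter names, the 0 to 255 profile range and the per-parameter value ranges are taken from this manual; the extra check that ALLOW_ENFORCE_GRACE=1 is pointless without a parameter in enforce mode, and the BAD_STATUS sample, are this example's own.

```python
import re

# Value ranges from the profile table in this manual.
MODE_PARAMS = {  # take 0 (disabled), 1 (accept), 2 (permissive) or 3 (enforce)
    "MAC_FOR_FILE", "MAC_FOR_ARGV0", "MAC_FOR_CAPABILITY", "MAC_FOR_NETWORK",
    "MAC_FOR_BINDPORT", "MAC_FOR_CONNECTPORT", "MAC_FOR_SIGNAL", "DENY_CONCEAL_MOUNT",
    "RESTRICT_CHROOT", "RESTRICT_MOUNT", "RESTRICT_UNMOUNT", "DENY_PIVOT_ROOT",
}
NO_ACCEPT_MODE = {"DENY_CONCEAL_MOUNT", "RESTRICT_UNMOUNT", "DENY_PIVOT_ROOT"}  # no value 1
FLAG_PARAMS = {"TRACE_READONLY", "RESTRICT_AUTOBIND", "TOMOYO_VERBOSE", "ALLOW_ENFORCE_GRACE"}  # 0/1
COUNT_PARAMS = {"MAX_ACCEPT_FILES", "MAX_GRANT_LOG", "MAX_REJECT_LOG"}  # any integer >= 0
LINE_RE = re.compile(r"^(\d+)-([A-Za-z0-9_:]+)=(.*)$")


def parse_status(text):
    """Parse status.txt into {profile_number: {parameter: value}}; ValueError on a bad line."""
    profiles = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected N-NAME=VALUE, got {line!r}")
        profiles.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return profiles


def _base_name(name):
    # "MAC_FOR_CAPABILITY::<capability>" entries share one rule set.
    return "MAC_FOR_CAPABILITY" if name.startswith("MAC_FOR_CAPABILITY::") else name


def check_parameter(number, name, value):
    """Return the problems (empty list if none) with one N-NAME=VALUE assignment."""
    where, base = f"profile {number}: {name}={value}", _base_name(name)
    if base == "COMMENT":
        return []
    try:
        n = int(value)
    except ValueError:
        return [f"{where}: value must be an integer"]
    if base in MODE_PARAMS:
        if not 0 <= n <= 3:
            return [f"{where}: mode must be 0, 1, 2 or 3"]
        if n == 1 and base in NO_ACCEPT_MODE:
            return [f"{where}: accept mode is not supported for this parameter"]
        return []
    if base in FLAG_PARAMS:
        return [] if n in (0, 1) else [f"{where}: value must be 0 or 1"]
    if base in COUNT_PARAMS:
        return [] if n >= 0 else [f"{where}: value must be 0 or greater"]
    return [f"{where}: unknown parameter (not listed in /proc/ccs/status)"]


def validate_status(text):
    """Return every problem found in a status.txt; an empty list means it looks sane."""
    try:
        profiles = parse_status(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for number, params in sorted(profiles.items()):
        if not 0 <= number <= 255:
            problems.append(f"profile {number}: profile number must be between 0 and 255")
        for name, value in params.items():
            problems.extend(check_parameter(number, name, value))
        # ALLOW_ENFORCE_GRACE only acts on violations in enforce mode, so flag it when
        # nothing in the profile is set to 3 (a consistency check added by this example).
        enforcing = any(v == "3" for k, v in params.items() if _base_name(k) in MODE_PARAMS)
        if params.get("ALLOW_ENFORCE_GRACE") == "1" and not enforcing:
            problems.append(f"profile {number}: ALLOW_ENFORCE_GRACE=1 has no effect "
                            "because no parameter is in enforce mode")
    return problems


# Profiles 0, 1, 3 and 4 from this manual's example, reproduced as sample input.
GOOD_STATUS = """\
0-COMMENT=----- All Disabled -----
1-MAC_FOR_FILE=1
3-COMMENT=----- FILE and NETWORK with Enforce Mode -----
3-MAC_FOR_FILE=3
3-MAC_FOR_NETWORK=3
3-MAX_GRANT_LOG=0
3-ALLOW_ENFORCE_GRACE=0
4-COMMENT=----- FILE and NETWORK with Delayed Enforce Mode -----
4-MAC_FOR_FILE=3
4-MAC_FOR_NETWORK=3
4-MAX_GRANT_LOG=0
4-MAX_REJECT_LOG=0
4-ALLOW_ENFORCE_GRACE=1
"""

# Constructed input carrying one mistake of each kind the checker knows about.
BAD_STATUS = """\
5-MAC_FOR_FILE=5
5-TOMOYO_VERBOSE=2
5-DENY_PIVOT_ROOT=1
6-MAC_FOR_FILE=2
6-ALLOW_ENFORCE_GRACE=1
7-MAC_FOR_FILES=3
300-MAC_FOR_FILE=3
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_STATUS), ("bad", BAD_STATUS)):
        print(label + ":", "\n  ".join(validate_status(text)) or "no problems")
```

Run it as `python3 check_status.py /etc/ccs/status.txt` after replacing the sample strings with the file's contents, or import validate_status from a wrapper script; an empty result means every line is in range for the table above.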
To see the profiles currently configured, run the following command.
cat /proc/ccs/status
To assign profiles to domains, use the "setprofile" command. For example,
setprofile -r 0 '<kernel>'
will assign profile number 0 to all domains. Also,
setprofile -r 1 '<kernel> /sbin/init'
will assign profile number 1 to all domains whose domain name starts with "<kernel> /sbin/init". Also,
setprofile 2 '<kernel> /sbin/init'
will assign profile number 2 only to the domain whose domain name is exactly "<kernel> /sbin/init".
To see the profiles currently assigned to domains, run the following command. A list of profile numbers and domain names is shown.
cat /proc/ccs/policy/.domain_status
Basically, you don't need to switch the profiles of all domains at boot, because you can assign profiles on a per-domain basis and the profile number last assigned is kept in the domain policy file (/etc/ccs/domain_policy.txt) via the "use_profile" directive. But if you can't boot for some reason (for example, you assigned "enforce mode" profiles before giving the domains enough permissions), you can enter "disabled" and press Enter at the /.init prompt to boot the system with MAC disabled.
To see the profiles of the currently running processes and their domain names, use the ccstree command.
ccstree
The ccstree command shows a list of profile number, process name, PID and the domain the process belongs to, like the pstree command, as shown below.
0 init (1) <kernel> /sbin/init
0 +- mingetty (743) <kernel> /sbin/mingetty
0 +- mingetty (744) <kernel> /sbin/mingetty
0 +- mingetty (745) <kernel> /sbin/mingetty
0 +- mingetty (746) <kernel> /sbin/mingetty
0 +- mingetty (747) <kernel> /sbin/mingetty
0 +- rc (748) <kernel> /sbin/init /etc/rc.d/rc
0 +- S91smb (3468) <kernel> /etc/rc.d/init.d/smb
0 +- initlog (3475) <kernel> /etc/rc.d/init.d/smb /sbin/initlog
0 +- nmbd (3476) <kernel> /etc/rc.d/init.d/smb /sbin/initlog /usr/sbin/nmbd
0 +- syslogd (3158) <kernel> /etc/rc.d/init.d/syslog /sbin/initlog /sbin/syslogd
0 +- klogd (3162) <kernel> /etc/rc.d/init.d/syslog /sbin/initlog /sbin/klogd
0 +- portmap (3172) <kernel> /etc/rc.d/init.d/portmap /sbin/initlog /sbin/portmap
0 +- rpc.statd (3191) <kernel> /etc/rc.d/init.d/nfslock /sbin/initlog /sbin/rpc.statd
0 +- cardmgr (3245) <kernel> /etc/rc.d/init.d/pcmcia /sbin/cardmgr
0 +- apmd (3270) <kernel> /etc/rc.d/init.d/apmd /sbin/initlog /usr/sbin/apmd
0 +- sshd (3307) <kernel> /usr/sbin/sshd
0 +- sshd (3393) <kernel> /usr/sbin/sshd
0 +- tcsh (3434) <kernel> /usr/sbin/sshd /bin/tcsh
0 +- ccstree (3477) <kernel> /usr/sbin/sshd /bin/tcsh /root/ccstools/ccstree
0 +- xinetd (3321) <kernel> /usr/sbin/xinetd
0 +- rpc.rquotad (3342) <kernel> /etc/rc.d/init.d/nfs /sbin/initlog /usr/sbin/rpc.rquotad
0 +- rpc.mountd (3361) <kernel> /etc/rc.d/init.d/nfs /sbin/initlog /usr/sbin/rpc.mountd
0 +- vsftpd (3371) <kernel> /usr/sbin/vsftpd
0 +- sendmail (3395) <kernel> /etc/rc.d/init.d/sendmail /sbin/initlog /usr/sbin/sendmail.sendmail
0 +- sendmail (3404) <kernel> /etc/rc.d/init.d/sendmail /sbin/initlog /usr/sbin/sendmail.sendmail
0 +- spamd (3414) <kernel> /etc/rc.d/init.d/spamassassin /sbin/initlog /usr/bin/spamd
0 +- gpm (3423) <kernel> /etc/rc.d/init.d/gpm /sbin/initlog /usr/sbin/gpm
0 +- httpd (3455) <kernel> /usr/sbin/httpd
0 +- crond (3464) <kernel> /usr/sbin/crond
0 +- smbd (3473) <kernel> /usr/sbin/smbd
If you give the -a option to ccstree, you can also see kernel processes, which are outside the scope of TOMOYO Linux's MAC.
TOMOYO Linux can record "access granted logs" (access requests that didn't violate domain policy) and "access rejected logs" (access requests that violated domain policy).
The logs are in the form of domain policy, so they can be appended directly to domain policy. Add the "access rejected logs" to domain policy if you decide the access should be allowed. You can use a daemon program that reads from /proc/ccs/info/grant_log and /proc/ccs/info/reject_log and writes to files. Run it in the following way from (for example) /etc/rc.local .
/root/ccstools/ccs-auditd $location_to_store_access_granted_logs $location_to_store_access_rejected_logs
You may give MAX_GRANT_LOG=0 to the profiles and /dev/null for $location_to_store_access_granted_logs if you don't want "access granted logs". Since "ccs-auditd" has no filtering functions, keep an eye on the disk's free space if you save "access granted logs".
You may give MAX_REJECT_LOG=0 to the profiles and /dev/null for $location_to_store_access_rejected_logs if you don't want "access rejected logs". But I recommend saving "access rejected logs". This manual assumes that "access rejected logs" are saved in /var/log/tomoyo/reject_log.txt .
/root/ccstools/ccs-auditd /dev/null /var/log/tomoyo/reject_log.txt
Create the directory for storing access logs manually.
mkdir -p /var/log/tomoyo
If you want to rotate the logs using "logrotate", create /etc/logrotate.d/tomoyo with the following content. Be sure to give the "nocreate" option, or logs after the first rotation will not be saved.
/var/log/tomoyo/reject_log.txt {
    weekly
    rotate 9
    missingok
    notifempty
    nocreate
}
If you want neither "access granted logs" nor "access rejected logs", you needn't run "ccs-auditd", and you can give MAX_GRANT_LOG=0 and MAX_REJECT_LOG=0 to the profiles to save memory and improve performance.
Create /etc/ccs/exception_policy.txt and define the following types of exceptions.
The TOMOYO Linux tools package contains two scripts, make_exception.sh and make_alias.sh, that automatically generate these exceptions. Run the following commands. The execution of make_alias.sh takes a long time (possibly more than 10 minutes in some environments).
make_exception.sh | sort | uniq > /etc/ccs/exception_policy.txt
make_alias.sh >> /etc/ccs/exception_policy.txt
Be sure to review the content of the automatically generated exceptions, because there may be redundant or dangerous entries.
Register pathnames with patterns using the "file_pattern" directive. When a file operation is performed and the requested pathname matches a patterned pathname registered with the "file_pattern" directive, policy is generated using the patterned pathname instead of the concrete one.
The following is the guideline.
TOMOYO Linux needs more patterned pathnames depending on the installed applications and their configurations. You can add missing patterned pathnames after running the system.
Register files that all programs are allowed to read using the "allow_read" directive. No patterns are allowed. When a read access is requested and the requested pathname matches a pathname registered with the "allow_read" directive, the read access is granted without checking domain policy.
The following is the guideline.
You may find more files depending on the applications or configurations on your system. Add missing files after observing which files are opened for read access.
Register files whose existing contents you don't want overwritten (such as log files) using the "deny_rewrite" directive. Patterns are allowed. Files registered with the "deny_rewrite" directive may not be "opened for writing in non-append mode" or "truncated", unless this is explicitly allowed by an "allow_rewrite" directive in domain policy.
The following is the guideline.
You may find more files depending on the applications or configurations on your system. Add missing files after observing which files are used for append-only access.
Register programs that initialize the domain transition history using the "initializer" directive. No patterns are allowed. When a program registered with the "initializer" directive is executed, it runs directly under the <kernel> domain.
The following is the guideline.
You may find more programs depending on the applications or configurations on your system. Add missing programs after observing which programs should initialize their domain transition history. But be careful about side effects on other domains. For example, when the domain policy already includes
<kernel> ... /bin/bash
use_profile 3
1 /bin/tcsh

<kernel> ... /bin/bash /bin/tcsh
use_profile 3
1 /bin/cat

<kernel> ... /bin/bash /bin/tcsh /bin/cat
use_profile 3
4 /etc/fstab
and you add /bin/tcsh as an initializer, "<kernel> ... /bin/bash /bin/tcsh" becomes an unreachable domain, because /bin/tcsh now runs in the "<kernel> /bin/tcsh" domain. In that case, you will need to replace "<kernel> ... /bin/bash /bin/tcsh" with "<kernel> /bin/tcsh" as shown below.
<kernel> ... /bin/bash
use_profile 3
1 /bin/tcsh

<kernel> /bin/tcsh
use_profile 3
1 /bin/cat

<kernel> /bin/tcsh /bin/cat
use_profile 3
4 /etc/fstab
Basically, TOMOYO Linux checks execute permission using the dereferenced pathname if the requested program is a symbolic link. But to handle programs that behave differently depending on the name they are invoked by, you may define domains using the names of symbolic links.
To allow executing programs using the name of a symbolic link, use the "alias" directive followed by the dereferenced pathname and the symbolic link's pathname. No patterns are allowed.
For example, /sbin/pidof is a symbolic link to /sbin/killall5 . Normally, if /sbin/pidof is executed, the domain is defined as if /sbin/killall5 were executed. By specifying "alias /sbin/killall5 /sbin/pidof", you can run /sbin/pidof in the domain for /sbin/pidof .
To treat multiple programs as a single program, use the "aggregator" directive followed by the name of the original program and the name of the aggregated program. Patterns are allowed for the name of the original program.
For example, /usr/bin/tac and /bin/cat are similar. By specifying "aggregator /usr/bin/tac /bin/cat", you can run /usr/bin/tac in the domain for /bin/cat .
To declare domain keepers, use the "keep_domain" directive followed by a domain definition.
For example, if "keep_domain <kernel> /usr/sbin/sshd /bin/tcsh" is given, any process belonging to the "<kernel> /usr/sbin/sshd /bin/tcsh" domain stays in that domain unless a program registered with the "initializer" directive is executed.
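The four directives above ("initializer", "keep_domain", "alias" and "aggregator") all change how the domain name of a process is formed on exec. The following Python class is an added example, not code from TOMOYO Linux: it reads the transition-relevant lines of an exception policy and predicts the domain a process lands in, so you can check what adding an entry does before loading it. The sample policy is constructed from the entries discussed in this manual. Two things are assumptions of this example rather than statements of the manual: the order in which the rules are applied (alias, then aggregator, then initializer, then keep_domain, with initializer taking priority over keep_domain as described above), and the fact that aggregator entries are matched by exact name only (the pattern form is not handled here). The is_reachable check reproduces the "unreachable domain" reasoning from the /bin/tcsh example above.

```python
class ExceptionPolicy:
    """The transition-relevant part of /etc/ccs/exception_policy.txt."""

    def __init__(self, text):
        self.initializers = set()   # programs that start a fresh "<kernel> prog" domain
        self.keep_domains = set()   # domains whose processes do not transit on exec
        self.aliases = set()        # (dereferenced pathname, symlink pathname) pairs
        self.aggregators = {}       # original program -> program it is treated as
        for raw in text.splitlines():
            parts = raw.split()
            if not parts:
                continue
            directive, args = parts[0], parts[1:]
            if directive == "initializer":
                self.initializers.add(args[0])
            elif directive == "keep_domain":
                self.keep_domains.add(" ".join(args))
            elif directive == "alias":
                self.aliases.add((args[0], args[1]))
            elif directive == "aggregator":
                # Exact names only; the pattern form is not handled by this example.
                self.aggregators[args[0]] = args[1]
            # file_pattern, allow_read and deny_rewrite do not affect transitions.

    def next_domain(self, current, requested, realpath=None):
        """Domain a process in `current` enters after executing `requested`.

        `realpath` is the dereferenced pathname when `requested` is a symbolic
        link. Rule order (alias, aggregator, initializer, keep_domain) is an
        assumption of this example.
        """
        real = realpath or requested
        # Domains are named after the dereferenced program unless an alias
        # entry says the symlink name should be used instead.
        program = requested if (real, requested) in self.aliases else real
        program = self.aggregators.get(program, program)
        if program in self.initializers:
            return "<kernel> " + program
        if current in self.keep_domains:
            return current
        return current + " " + program

    def is_reachable(self, domain):
        """Can a process ever end up in `domain` under this exception policy?"""
        if domain == "<kernel>":
            return True
        parts = domain.split()
        parent, program = " ".join(parts[:-1]), parts[-1]
        if program in self.aggregators:
            return False            # executing `program` is recorded under another name
        if program in self.initializers:
            return parent == "<kernel>"
        if parent in self.keep_domains:
            return False            # a domain keeper never spawns child domains
        return self.is_reachable(parent)


# Constructed exception policy using the entries discussed in this manual.
SAMPLE_EXCEPTION_POLICY = """\
initializer /usr/sbin/sshd
initializer /usr/sbin/httpd
alias /sbin/killall5 /sbin/pidof
aggregator /usr/bin/tac /bin/cat
keep_domain <kernel> /usr/sbin/sshd /bin/tcsh
"""

if __name__ == "__main__":
    policy = ExceptionPolicy(SAMPLE_EXCEPTION_POLICY)
    for current, prog, real in [
        ("<kernel> /sbin/init", "/etc/rc.d/rc", None),
        ("<kernel> /sbin/init /etc/rc.d/rc", "/usr/sbin/sshd", None),
        ("<kernel> /usr/sbin/sshd /bin/tcsh", "/bin/cat", None),
        ("<kernel> /usr/sbin/sshd /bin/tcsh", "/usr/sbin/httpd", None),
        ("<kernel> /sbin/init", "/sbin/pidof", "/sbin/killall5"),
        ("<kernel> /sbin/init /etc/rc.d/rc", "/usr/bin/tac", None),
    ]:
        print(f"{current}  exec {prog}  ->  {policy.next_domain(current, prog, real)}")
    # What adding "initializer /bin/tcsh" does to an existing domain:
    stale = "<kernel> /usr/sbin/sshd /bin/bash /bin/tcsh"
    after = ExceptionPolicy(SAMPLE_EXCEPTION_POLICY + "initializer /bin/tcsh\n")
    print(stale, "reachable:", policy.is_reachable(stale), "->", after.is_reachable(stale))
```

Running is_reachable over every domain name in /etc/ccs/domain_policy.txt before loading a changed exception policy lists exactly the domains whose ACLs would silently stop applying.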
The following is the basic procedure for creating domain policy.
You don't need to create the whole policy for all applications at one time.
Assign a profile that doesn't perform MAC (in this manual, profile 0) and invoke the applications. The purpose of this step is to create domains for the applications.
For example, if you want to protect /usr/sbin/httpd , first create the domains for /usr/sbin/httpd . If /usr/sbin/httpd is registered as an "initializer", a domain named "<kernel> /usr/sbin/httpd" is created by invoking /usr/sbin/httpd . If it is not registered, a child domain of the invoker's domain is created (for example, if you invoked it from "<kernel> /usr/sbin/mingetty /bin/login /bin/bash", the child is "<kernel> /usr/sbin/mingetty /bin/login /bin/bash /usr/sbin/httpd"). This manual assumes that /usr/sbin/httpd is registered as an "initializer".
Assign a profile that doesn't perform MAC (in this manual, profile 0) to the domain the current process (normally a shell) belongs to, using the "setprofile" command.
xargs -0 setprofile 0 < /proc/ccs/info/self_domain
This is needed to avoid assigning a profile that performs MAC in "enforce mode" to the newly created domain, because a newly created domain inherits its creator's profile.
Start /usr/sbin/httpd .
service httpd start
You can use the following command to confirm that the domain has been created. Make sure the domain for the application you want to protect is present.
less /proc/ccs/policy/.domain_status
After you confirmed that the domain is created, proceed to the next step.
After you have confirmed that the domain is created, assign a profile that performs MAC in "accept mode" (in this manual, profile 1) to the domain using the "setprofile" command.
setprofile -r 1 '<kernel> /usr/sbin/httpd'
Start /usr/sbin/httpd and let the system append the ACLs needed by /usr/sbin/httpd .
service httpd restart
If the profile is configured with "1-TOMOYO_VERBOSE=1" (the default), "TOMOYO-WARNING:" messages are printed to the console when a policy violation occurs. But in "accept mode", each "TOMOYO-WARNING:" message is printed only once, because the necessary ACL is appended automatically and the same operation no longer violates policy when you repeat it.
Once the "TOMOYO-WARNING:" messages are no longer printed when you perform the operations you want to allow, proceed to the next step.
After you have judged that the necessary ACLs have been appended, assign a profile that performs MAC in "permissive mode" (in this manual, profile 2) to the domain using the "setprofile" command.
setprofile -r 2 '<kernel> /usr/sbin/httpd'
Start /usr/sbin/httpd and confirm that all necessary ACLs have been appended.
If the profile is configured with "2-TOMOYO_VERBOSE=1" (the default), "TOMOYO-WARNING:" messages are printed to the console when a policy violation occurs. In "permissive mode", the "TOMOYO-WARNING:" messages are printed again when you repeat the same operation, because the necessary ACLs are not appended automatically.
Once the "TOMOYO-WARNING:" messages are no longer printed when you perform the operations you want to allow, proceed to the next step.
After you have judged that the necessary ACLs are in place, assign a profile that performs MAC in "enforce mode" (in this manual, profile 3) to the domain using the "setprofile" command.
setprofile -r 3 '<kernel> /usr/sbin/httpd'
Now /usr/sbin/httpd is protected by MAC.
If the profile is configured with "3-TOMOYO_VERBOSE=1" (the default), "TOMOYO-ERROR:" messages are printed to the console and the requests are rejected when a policy violation occurs. Also, the history of policy violations is accumulated in /proc/ccs/info/reject_log .
TOMOYO Linux allows administrators to generate domain policy from policy violation logs. To do so, assign a profile that performs MAC in "permissive mode" (in this manual, profile 2) to the domain.
setprofile -r 2 '<kernel> /usr/sbin/httpd'
The log file /var/log/tomoyo/reject_log.txt created by "ccs-auditd" contains the list of ACLs that violated domain policy, in chronological order. Select the appropriate range and pass it to the filter as shown below. This filter program sorts the entries by domain and removes duplicates (in other words, "sort" by domain and "uniq").
sortpolicy < /var/log/tomoyo/reject_log.txt
Check the output and judge whether these ACLs should be added. If so, add them to /etc/ccs/domain_policy.txt and run "loadpolicy" to reload the domain policy.
loadpolicy d
If you run "loadpolicy" with the "f" option (that is, "loadpolicy df"), the domain policy currently in the kernel is erased before the domain policy on disk is loaded.
Rename the current reject log file. "ccs-auditd" detects the disappearance of the current reject log file and recreates it.
[root@sakura tomoyo]# mv /var/log/tomoyo/reject_log.txt /var/log/tomoyo/reject_log.tmp
Check the logs. Select the ranges you want to use with a text editor if necessary.
[root@sakura tomoyo]# cat /var/log/tomoyo/reject_log.tmp
#2006-11-10 10:17:29# pid=4498 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0
<kernel> /usr/sbin/sshd /bin/tcsh /bin/cat
4 /etc/inittab
#2006-11-10 10:17:41# pid=4501 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0
<kernel> /usr/sbin/sshd /bin/tcsh /bin/cat
4 /etc/resolv.conf
#2006-11-10 10:18:00# pid=4502 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0
<kernel> /usr/sbin/sshd /bin/tcsh
1 /usr/bin/whoami
#2006-11-10 10:18:00# pid=4502 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0
<kernel> /usr/sbin/sshd /bin/tcsh /usr/bin/whoami
4 /etc/nsswitch.conf
#2006-11-10 10:18:00# pid=4502 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0
<kernel> /usr/sbin/sshd /bin/tcsh /usr/bin/whoami
4 /etc/passwd
Sort the log by domains.
[root@sakura tomoyo]# sortpolicy < /var/log/tomoyo/reject_log.tmp
<kernel> /usr/sbin/sshd /bin/tcsh
1 /usr/bin/whoami
#2006-11-10 10:18:00# pid=4502 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0

<kernel> /usr/sbin/sshd /bin/tcsh /bin/cat
4 /etc/inittab
4 /etc/resolv.conf
#2006-11-10 10:17:41# pid=4501 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0
#2006-11-10 10:18:00# pid=4502 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0

<kernel> /usr/sbin/sshd /bin/tcsh /usr/bin/whoami
4 /etc/nsswitch.conf
4 /etc/passwd
#2006-11-10 10:18:00# pid=4502 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0
Since the timestamp lines get in the way, remove the lines starting with # before sorting.
[root@sakura tomoyo]# grep -v '^#' /var/log/tomoyo/reject_log.tmp | sortpolicy > /var/log/tomoyo/diff.tmp
Check the output. It is in the form of domain policy.
[root@sakura tomoyo]# cat /var/log/tomoyo/diff.tmp
<kernel> /usr/sbin/sshd /bin/tcsh
1 /usr/bin/whoami

<kernel> /usr/sbin/sshd /bin/tcsh /bin/cat
4 /etc/inittab
4 /etc/resolv.conf

<kernel> /usr/sbin/sshd /bin/tcsh /usr/bin/whoami
4 /etc/nsswitch.conf
4 /etc/passwd
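The grep and sortpolicy pipeline above can be reproduced in a few lines once the reject log's record layout is understood: every record is three lines (the "#timestamp# pid=... fsgid=0" header, the domain name, the rejected ACL). The following Python script is an added example, not the sortpolicy tool; it parses those records, lets you select a time range (the "select appropriate range" step), then groups ACLs per domain, drops duplicates and renders the result in domain policy form. The sample log is constructed from the five records shown above plus one deliberately duplicated whoami record, so that the de-duplication is visible.

```python
# Constructed from the reject_log.tmp records shown in this manual; the last
# record is an added duplicate so that de-duplication has something to do.
SAMPLE_REJECT_LOG = """\
#2006-11-10 10:17:29# pid=4498 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0
<kernel> /usr/sbin/sshd /bin/tcsh /bin/cat
4 /etc/inittab
#2006-11-10 10:17:41# pid=4501 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0
<kernel> /usr/sbin/sshd /bin/tcsh /bin/cat
4 /etc/resolv.conf
#2006-11-10 10:18:00# pid=4502 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0
<kernel> /usr/sbin/sshd /bin/tcsh
1 /usr/bin/whoami
#2006-11-10 10:18:00# pid=4502 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0
<kernel> /usr/sbin/sshd /bin/tcsh /usr/bin/whoami
4 /etc/nsswitch.conf
#2006-11-10 10:18:00# pid=4502 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0
<kernel> /usr/sbin/sshd /bin/tcsh /usr/bin/whoami
4 /etc/passwd
#2006-11-10 10:19:12# pid=4510 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0
<kernel> /usr/sbin/sshd /bin/tcsh
1 /usr/bin/whoami
"""


def parse_header(line):
    """Split '#<timestamp># k=v k=v ...' into (timestamp, {k: v})."""
    timestamp, rest = line[1:].split("#", 1)
    creds = dict(item.split("=", 1) for item in rest.split())
    return timestamp, creds


def parse_reject_log(text):
    """Return a list of (timestamp, creds, domain, acl) tuples, one per record.

    A record is three lines: the '#...#' header, the domain name, the rejected ACL.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    if len(lines) % 3:
        raise ValueError("truncated record: line count is not a multiple of 3")
    records = []
    for i in range(0, len(lines), 3):
        header, domain, acl = lines[i], lines[i + 1], lines[i + 2]
        if not header.startswith("#") or not domain.startswith("<kernel>"):
            raise ValueError(f"malformed record starting at line {i + 1}")
        timestamp, creds = parse_header(header)
        records.append((timestamp, creds, domain, acl))
    return records


def select_range(records, start, end):
    """Keep records whose 'YYYY-MM-DD HH:MM:SS' timestamp lies in [start, end]."""
    return [r for r in records if start <= r[0] <= end]


def group_by_domain(records):
    """Map each domain to its sorted, de-duplicated ACL lines ("sort | uniq" per domain)."""
    grouped = {}
    for _, _, domain, acl in records:
        grouped.setdefault(domain, set()).add(acl)
    return {domain: sorted(acls) for domain, acls in grouped.items()}


def to_domain_policy(grouped):
    """Render grouped ACLs in the layout of /etc/ccs/domain_policy.txt, domains sorted."""
    blocks = ["\n".join([domain] + grouped[domain]) for domain in sorted(grouped)]
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    records = parse_reject_log(SAMPLE_REJECT_LOG)
    # Only the records from the 10:17 minute, as an example of range selection.
    chosen = select_range(records, "2006-11-10 10:17:00", "2006-11-10 10:17:59")
    print(f"{len(chosen)} of {len(records)} records selected")
    print(to_domain_policy(group_by_domain(records)), end="")
```

The output for the whole sample is the same three domain blocks as diff.tmp above; what it adds over the shell pipeline is that the credentials in each header remain available, so you can, for instance, inspect records for a domain by uid before deciding which ACLs to accept.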
TOMOYO Linux allows administrators to modify policies while the system is running in "enforce mode". To do so, assign a profile that performs MAC in "delayed enforce mode" (in this manual, profile 4) to the domain.
setprofile -r 4 '<kernel> /usr/sbin/httpd'
Next, start the "ccs-queryd" command. The "ccs-queryd" command detects policy violations and shows the ACLs needed to allow the requests. You can judge them and append these ACLs to domain policy manually.
ccs-queryd
If the profile is configured with "ALLOW_ENFORCE_GRACE=1" and "ccs-queryd" is running, access requests that violate policy are kept pending. Otherwise, access requests that violate policy are rejected immediately.
To avoid processes sleeping forever on pending access requests, never log out (for example by detaching from screen(1)) while the profile is configured with "ALLOW_ENFORCE_GRACE=1" and "ccs-queryd" is running.
To terminate "ccs-queryd", press Ctrl-C. After terminating "ccs-queryd", assign a profile that performs MAC in "enforce mode" (in this manual, profile 3) using the "setprofile" command.
setprofile -r 3 '<kernel> /usr/sbin/httpd'
To save the policy currently in the kernel onto the disk, use the "savepolicy" command.
savepolicy
By executing "savepolicy", three files ("system_policy.txt", "exception_policy.txt", "domain_policy.txt") are created in the /etc/ccs/ directory. To be accurate, they are symbolic links to text files whose filenames contain the creation time.
To load the policy currently on the disk into the kernel, use the "loadpolicy" command.
loadpolicy af
The "a" option means load all three files ("system_policy.txt", "exception_policy.txt", "domain_policy.txt"). The "f" option means erase the policy currently in the kernel before loading the policy currently on the disk. If "f" is not given, the policy currently on the disk is added to the policy currently in the kernel.
To edit the policy currently in the kernel, use the "editpolicy" command. See Using Policy Editor for usage.
editpolicy
To edit the policy currently on the disk, use the "editpolicy_offline" command. You can use "editpolicy_offline" even when you are not running the system with the TOMOYO Linux kernel.
editpolicy_offline
Append to /etc/ccs/domain_policy.txt access permissions for files that are not necessarily accessed during accept mode, such as the WWW contents served by the WWW service.
The following example allows /usr/sbin/httpd to read files in the /var/www/html/ directory, one line per directory depth because "\*" does not match "/".
<kernel> /usr/sbin/httpd
use_profile 3
4 /var/www/html/\*
4 /var/www/html/\*/\*
4 /var/www/html/\*/\*/\*
4 /var/www/html/\*/\*/\*/\*
4 /var/www/html/\*/\*/\*/\*/\*
In the same way, modify access permissions for files whose pathnames should be grouped into patterns.
The following example shows how to let /usr/sbin/smbd handle all log files in the same way.
Before:
<kernel> /usr/sbin/smbd
use_profile 3
2 /var/log/samba/host1.log
2 /var/log/samba/host2.log
2 /var/log/samba/host3.log
2 /var/log/samba/host4.log
2 /var/log/samba/host5.log
After:
<kernel> /usr/sbin/smbd
use_profile 3
2 /var/log/samba/\*.log
You can confirm the range of accessible files by using the pathmatch command, which lists the existing pathnames that match the given pathname patterns.
[root@sakura ~]# pathmatch '/var/log/samba/\*.log'
/var/log/samba/host1.log
/var/log/samba/host2.log
/var/log/samba/host3.log
/var/log/samba/host4.log
/var/log/samba/host5.log
Save the domain policy currently in the kernel onto the disk.
[root@sakura ~]# savepolicy d
List the pathnames that look like temporary files.
[root@sakura ~]# findtemp < /etc/ccs/domain_policy.txt
/etc/mtab.tmp
/etc/mtab~
/etc/mtab~2302
/etc/mtab~2328
/etc/mtab~2329
/etc/mtab~2330
/etc/mtab~2331
/etc/mtab~2332
/etc/mtab~2339
/etc/mtab~2383
/halt
/selinux/disable
/selinux/enforce
/selinux/policyvers
/tmp/sh-thd-1163110572
/tmp/sh-thd-1163113704
/var/cache/samba/browse.dat.
/var/lib/nfs/etab.tmp
/var/lib/nfs/xtab.tmp
/var/lock/mrtg/mrtg_l
Find the domains that access these files.
[root@sakura ~]# domainmatch /etc/mtab~2302
<kernel> /sbin/init /etc/rc.d/rc.sysinit /sbin/initlog /etc/rc.d/rc.sysinit /sbin/initlog /bin/mount
allow_create /etc/mtab~2302
2 /etc/mtab~2302
allow_link /etc/mtab~2302 /etc/mtab~
allow_unlink /etc/mtab~2302
[root@sakura ~]# domainmatch /tmp/sh-thd-1163113704
<kernel> /etc/rc.d/init.d/smartd /sbin/initlog /usr/sbin/smartd /bin/sh
allow_create /tmp/sh-thd-1163113704
6 /tmp/sh-thd-1163113704
allow_unlink /tmp/sh-thd-1163113704
Save the exception policy currently in the kernel onto the disk.
[root@sakura ~]# savepolicy e
Append patterns to the exception policy on the disk if needed.
[root@sakura ~]# echo 'file_pattern /etc/mtab~\$' >> /etc/ccs/exception_policy.txt
[root@sakura ~]# echo 'file_pattern /tmp/sh-thd-\$' >> /etc/ccs/exception_policy.txt
Load the exception policy on the disk into the kernel.
[root@sakura ~]# loadpolicy ef
Patternize the pathnames that match '/etc/mtab~\$' and '/tmp/sh-thd-\$'.
[root@sakura ~]# patternize '/etc/mtab~\$' '/tmp/sh-thd-\$' < /etc/ccs/domain_policy.txt > /etc/ccs/domain_policy.tmp
Confirm that these files have been patternized.
[root@sakura ~]# findtemp < /etc/ccs/domain_policy.tmp
/etc/mtab.tmp
/etc/mtab~
/halt
/selinux/disable
/selinux/enforce
/selinux/policyvers
/var/cache/samba/browse.dat.
/var/lib/nfs/etab.tmp
/var/lib/nfs/xtab.tmp
/var/lock/mrtg/mrtg_l
Verify that the patterning was done as you intended by diffing the domain policy before and after patternize.
[root@sakura ~]# diff /etc/ccs/domain_policy.txt /etc/ccs/domain_policy.tmp
2326,2331c2326,2331
< 6 /tmp/sh-thd-1163110572
< 6 /tmp/sh-thd-1163113704
< allow_create /tmp/sh-thd-1163110572
< allow_create /tmp/sh-thd-1163113704
< allow_unlink /tmp/sh-thd-1163110572
< allow_unlink /tmp/sh-thd-1163113704
---
> 6 /tmp/sh-thd-\$
> 6 /tmp/sh-thd-\$
> allow_create /tmp/sh-thd-\$
> allow_create /tmp/sh-thd-\$
> allow_unlink /tmp/sh-thd-\$
> allow_unlink /tmp/sh-thd-\$
3331,3336c3331,3336
< 2 /etc/mtab~2328
< 2 /etc/mtab~2329
< 2 /etc/mtab~2330
< 2 /etc/mtab~2331
< 2 /etc/mtab~2332
< 2 /etc/mtab~2383
---
> 2 /etc/mtab~\$
> 2 /etc/mtab~\$
> 2 /etc/mtab~\$
> 2 /etc/mtab~\$
> 2 /etc/mtab~\$
> 2 /etc/mtab~\$
3338,3349c3338,3349
< allow_create /etc/mtab~2328
< allow_create /etc/mtab~2329
< allow_create /etc/mtab~2330
< allow_create /etc/mtab~2331
< allow_create /etc/mtab~2332
< allow_create /etc/mtab~2383
< allow_link /etc/mtab~2328 /etc/mtab~
< allow_link /etc/mtab~2329 /etc/mtab~
< allow_link /etc/mtab~2330 /etc/mtab~
< allow_link /etc/mtab~2331 /etc/mtab~
< allow_link /etc/mtab~2332 /etc/mtab~
< allow_link /etc/mtab~2383 /etc/mtab~
---
> allow_create /etc/mtab~\$
> allow_create /etc/mtab~\$
> allow_create /etc/mtab~\$
> allow_create /etc/mtab~\$
> allow_create /etc/mtab~\$
> allow_create /etc/mtab~\$
> allow_link /etc/mtab~\$ /etc/mtab~
> allow_link /etc/mtab~\$ /etc/mtab~
> allow_link /etc/mtab~\$ /etc/mtab~
> allow_link /etc/mtab~\$ /etc/mtab~
> allow_link /etc/mtab~\$ /etc/mtab~
> allow_link /etc/mtab~\$ /etc/mtab~
3351,3356c3351,3356
< allow_unlink /etc/mtab~2328
< allow_unlink /etc/mtab~2329
< allow_unlink /etc/mtab~2330
< allow_unlink /etc/mtab~2331
< allow_unlink /etc/mtab~2332
< allow_unlink /etc/mtab~2383
---
> allow_unlink /etc/mtab~\$
> allow_unlink /etc/mtab~\$
> allow_unlink /etc/mtab~\$
> allow_unlink /etc/mtab~\$
> allow_unlink /etc/mtab~\$
> allow_unlink /etc/mtab~\$
3439,3440c3439,3440
< 2 /etc/mtab~2302
< 2 /etc/mtab~2339
---
> 2 /etc/mtab~\$
> 2 /etc/mtab~\$
3443,3446c3443,3446
< allow_create /etc/mtab~2302
< allow_create /etc/mtab~2339
< allow_link /etc/mtab~2302 /etc/mtab~
< allow_link /etc/mtab~2339 /etc/mtab~
---
> allow_create /etc/mtab~\$
> allow_create /etc/mtab~\$
> allow_link /etc/mtab~\$ /etc/mtab~
> allow_link /etc/mtab~\$ /etc/mtab~
3449,3450c3449,3450
< allow_unlink /etc/mtab~2302
< allow_unlink /etc/mtab~2339
---
> allow_unlink /etc/mtab~\$
> allow_unlink /etc/mtab~\$
Update the domain policy on the disk.
[root@sakura ~]# cat /etc/ccs/domain_policy.tmp > /etc/ccs/domain_policy.txt
Load the domain policy on the disk into the kernel.
[root@sakura ~]# loadpolicy df
Confirm that the domain policy currently in the kernel has been updated.
[root@sakura ~]# findtemp < /proc/ccs/policy/domain_policy
/etc/mtab.tmp
/etc/mtab~
/halt
/selinux/disable
/selinux/enforce
/selinux/policyvers
/var/cache/samba/browse.dat.
/var/lib/nfs/etab.tmp
/var/lib/nfs/xtab.tmp
/var/lock/mrtg/mrtg_l
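The pathmatch check and the patternize step in the procedure above both depend on the pathname pattern syntax, which is easy to misread. The following Python re-implementation is an added example, not TOMOYO's own tools: it covers the subset of the TOMOYO Linux 1.x pattern syntax this page uses ("\*" matches zero or more characters other than "/", "\$" one or more decimal digits) and provides a pathmatch-style filter and a patternize-style rewriter; the sample policy lines it processes are constructed.

```python
import re

# Added example (not TOMOYO's own pathmatch/patternize tools): a re-implementation
# of the subset of TOMOYO Linux 1.x pathname pattern syntax used on this page.
#   \*  zero or more characters other than '/'     \?  one character other than '/'
#   \$  one or more decimal digits                  \+  one decimal digit
_TOKENS = {"*": r"[^/]*", "$": r"[0-9]+", "?": r"[^/]", "+": r"[0-9]", "\\": r"\\"}


def pattern_to_regex(pattern):
    """Translate a TOMOYO pathname pattern into an anchored regular expression."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern) and pattern[i + 1] in _TOKENS:
            out.append(_TOKENS[pattern[i + 1]])
            i += 2
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))


def pathmatch(pattern, paths):
    """Like the pathmatch command: the pathnames in `paths` that `pattern` covers."""
    rx = pattern_to_regex(pattern)
    return [p for p in paths if rx.fullmatch(p)]


def patternize(policy_text, patterns):
    """Like the patternize command: in every ACL line, replace each pathname that
    matches one of `patterns` with that pattern.  Domain headers ("<kernel> ...") and
    "use_profile" lines are copied unchanged; tokens matching no pattern (permission
    keywords, port specs, "if" conditions) pass through untouched."""
    compiled = [(p, pattern_to_regex(p)) for p in patterns]
    out = []
    for line in policy_text.splitlines():
        if line.startswith("<kernel>") or line.startswith("use_profile"):
            out.append(line)
            continue
        tokens = []
        for tok in line.split(" "):
            for pat, rx in compiled:
                if rx.fullmatch(tok):
                    tok = pat
                    break
            tokens.append(tok)
        out.append(" ".join(tokens))
    return "\n".join(out)


if __name__ == "__main__":  # constructed sample modelled on the mount domain above
    sample = "<kernel> /sbin/init /bin/mount\nuse_profile 3\n2 /etc/mtab~2302\n" \
             "allow_link /etc/mtab~2302 /etc/mtab~\nallow_unlink /etc/mtab~2302"
    print(patternize(sample, [r"/etc/mtab~\$", r"/tmp/sh-thd-\$"]))
```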
Some programs (for example, portmap) request privileged local ports (port numbers less than 1024) at random. It is impossible to discover every local port such a program might use by running it in accept mode, so run it several times in accept mode, estimate the range of local ports it requests, and grant the network access permissions as a range.
An example is shown below. Don't copy the following permissions as they are, because the range may vary depending on the distribution and configuration.
<kernel> /sbin/portmap
use_profile 7
allow_bind TCP/0
allow_bind TCP/111
allow_bind TCP/600-1023
allow_bind UDP/0
allow_bind UDP/111
allow_bind UDP/600-1023
allow_connect UDP/32768-65535
allow_connect UDP/600-1023

<kernel> /sbin/rpc.statd
use_profile 7
allow_bind TCP/0
allow_bind TCP/600-1023
allow_bind UDP/0
allow_bind UDP/600-1023
allow_connect UDP/111

<kernel> /usr/sbin/rpc.mountd
use_profile 7
allow_bind TCP/0
allow_bind TCP/600-1023
allow_bind UDP/0
allow_bind UDP/600-1023
allow_connect UDP/111

<kernel> /usr/sbin/rpc.nfsd
use_profile 7
allow_capability inet_tcp_create
allow_capability use_inet_udp
allow_connect UDP/111
allow_connect UDP/32768-65535

<kernel> /usr/sbin/rpc.rquotad
use_profile 7
allow_bind TCP/600-1023
allow_bind UDP/600-1023
allow_connect UDP/111

<kernel> /usr/sbin/rpcinfo
use_profile 7
allow_bind UDP/600-1023
allow_connect UDP/111
allow_connect UDP/2049

<kernel> /usr/sbin/xinetd
use_profile 7
allow_bind TCP/0
allow_bind UDP/69
allow_bind UDP/600-1023
allow_connect UDP/111
If you don't need services such as NFS or NIS that require RPC, you should disable them.
Similarly, make patterns for "allow_network" directives. Don't copy the following permissions as they are.
Before:
<kernel> /usr/sbin/sshd
use_profile 7
allow_network TCP accept 0:0:0:0:0:0:0:1 43768
allow_network TCP accept 0:0:0:0:0:ffff:a00:1 35086
allow_network TCP accept 0:0:0:0:0:ffff:a00:a1 47590
allow_network TCP accept 10.0.0.10 56709
allow_network TCP accept 10.0.0.200 16384
After:
<kernel> /usr/sbin/sshd
use_profile 7
allow_network TCP accept 0:0:0:0:0:0:0:1 1024-65535
allow_network TCP accept 0:0:0:0:0:ffff:a00:1-0:0:0:0:0:ffff:a00:ff 1024-65535
allow_network TCP accept 10.0.0.1-10.0.0.255 1024-65535
You can add conditions to individual ACLs if necessary. With this feature, you can make access control depend on the user ID of the requesting process.
If you want to protect a non-anonymous FTP service, adding conditions in the following manner forbids access to directories outside the user's own home directory. To reduce the damage if the service is cracked, it is recommended that you expose only directories under a specific subdirectory (such as "ftp") rather than the whole home directory. If you use vsftpd, you can write the policy as follows.
Before:
<kernel> /usr/sbin/vsftpd
use_profile 3
6 /home/\*/ftp/\*
6 /home/\*/ftp/\*/\*
6 /home/\*/ftp/\*/\*/\*
6 /home/\*/ftp/\*/\*/\*/\*
allow_mkdir /home/\*/ftp/\*/
allow_mkdir /home/\*/ftp/\*/\*/
allow_mkdir /home/\*/ftp/\*/\*/\*/
allow_rmdir /home/\*/ftp/\*/
allow_rmdir /home/\*/ftp/\*/\*/
allow_rmdir /home/\*/ftp/\*/\*/\*/
allow_create /home/\*/ftp/\*
allow_create /home/\*/ftp/\*/\*
allow_create /home/\*/ftp/\*/\*/\*
allow_create /home/\*/ftp/\*/\*/\*/\*
allow_truncate /home/\*/ftp/\*
allow_truncate /home/\*/ftp/\*/\*
allow_truncate /home/\*/ftp/\*/\*/\*
allow_truncate /home/\*/ftp/\*/\*/\*/\*
allow_unlink /home/\*/ftp/\*
allow_unlink /home/\*/ftp/\*/\*
allow_unlink /home/\*/ftp/\*/\*/\*
allow_unlink /home/\*/ftp/\*/\*/\*/\*
allow_rename /home/\*/ftp/\* /home/\*/ftp/\*
allow_rename /home/\*/ftp/\*/\* /home/\*/ftp/\*/\*
allow_rename /home/\*/ftp/\*/\*/\* /home/\*/ftp/\*/\*/\*
allow_rename /home/\*/ftp/\*/\*/\*/\* /home/\*/ftp/\*/\*/\*/\*
allow_rename /home/\*/ftp/\*/ /home/\*/ftp/\*/
allow_rename /home/\*/ftp/\*/\*/ /home/\*/ftp/\*/\*/
allow_rename /home/\*/ftp/\*/\*/\*/ /home/\*/ftp/\*/\*/\*/
After:
<kernel> /usr/sbin/vsftpd
use_profile 3
6 /home/\*/ftp/\* if task.uid=path1.uid
6 /home/\*/ftp/\*/\* if task.uid=path1.uid
6 /home/\*/ftp/\*/\*/\* if task.uid=path1.uid
6 /home/\*/ftp/\*/\*/\*/\* if task.uid=path1.uid
allow_mkdir /home/\*/ftp/\*/ if task.uid=path1.parent.uid
allow_mkdir /home/\*/ftp/\*/\*/ if task.uid=path1.parent.uid
allow_mkdir /home/\*/ftp/\*/\*/\*/ if task.uid=path1.parent.uid
allow_rmdir /home/\*/ftp/\*/ if task.uid=path1.uid
allow_rmdir /home/\*/ftp/\*/\*/ if task.uid=path1.uid
allow_rmdir /home/\*/ftp/\*/\*/\*/ if task.uid=path1.uid
allow_create /home/\*/ftp/\* if task.uid=path1.parent.uid
allow_create /home/\*/ftp/\*/\* if task.uid=path1.parent.uid
allow_create /home/\*/ftp/\*/\*/\* if task.uid=path1.parent.uid
allow_create /home/\*/ftp/\*/\*/\*/\* if task.uid=path1.parent.uid
allow_truncate /home/\*/ftp/\* if task.uid=path1.uid
allow_truncate /home/\*/ftp/\*/\* if task.uid=path1.uid
allow_truncate /home/\*/ftp/\*/\*/\* if task.uid=path1.uid
allow_truncate /home/\*/ftp/\*/\*/\*/\* if task.uid=path1.uid
allow_unlink /home/\*/ftp/\* if task.uid=path1.uid
allow_unlink /home/\*/ftp/\*/\* if task.uid=path1.uid
allow_unlink /home/\*/ftp/\*/\*/\* if task.uid=path1.uid
allow_unlink /home/\*/ftp/\*/\*/\*/\* if task.uid=path1.uid
allow_rename /home/\*/ftp/\* /home/\*/ftp/\* if task.uid=path1.parent.uid task.uid=path2.parent.uid
allow_rename /home/\*/ftp/\*/\* /home/\*/ftp/\*/\* if task.uid=path1.parent.uid task.uid=path2.parent.uid
allow_rename /home/\*/ftp/\*/\*/\* /home/\*/ftp/\*/\*/\* if task.uid=path1.parent.uid task.uid=path2.parent.uid
allow_rename /home/\*/ftp/\*/\*/\*/\* /home/\*/ftp/\*/\*/\*/\* if task.uid=path1.parent.uid task.uid=path2.parent.uid
allow_rename /home/\*/ftp/\*/ /home/\*/ftp/\*/ if task.uid=path1.parent.uid task.uid=path2.parent.uid
allow_rename /home/\*/ftp/\*/\*/ /home/\*/ftp/\*/\*/ if task.uid=path1.parent.uid task.uid=path2.parent.uid
allow_rename /home/\*/ftp/\*/\*/\*/ /home/\*/ftp/\*/\*/\*/ if task.uid=path1.parent.uid task.uid=path2.parent.uid
If you want to protect the Samba service, adding conditions in the following manner forbids access to directories outside the user's own home directory. To reduce the damage if the service is cracked, it is recommended that you expose only directories under a specific subdirectory (such as "samba") rather than the whole home directory.
Before:
<kernel> /usr/sbin/smbd
use_profile 3
6 /home/\*/samba/\*
6 /home/\*/samba/\*/\*
6 /home/\*/samba/\*/\*/\*
6 /home/\*/samba/\*/\*/\*/\*
allow_mkdir /home/\*/samba/\*/
allow_mkdir /home/\*/samba/\*/\*/
allow_mkdir /home/\*/samba/\*/\*/\*/
allow_rmdir /home/\*/samba/\*/
allow_rmdir /home/\*/samba/\*/\*/
allow_rmdir /home/\*/samba/\*/\*/\*/
allow_create /home/\*/samba/\*
allow_create /home/\*/samba/\*/\*
allow_create /home/\*/samba/\*/\*/\*
allow_create /home/\*/samba/\*/\*/\*/\*
allow_truncate /home/\*/samba/\*
allow_truncate /home/\*/samba/\*/\*
allow_truncate /home/\*/samba/\*/\*/\*
allow_truncate /home/\*/samba/\*/\*/\*/\*
allow_unlink /home/\*/samba/\*
allow_unlink /home/\*/samba/\*/\*
allow_unlink /home/\*/samba/\*/\*/\*
allow_unlink /home/\*/samba/\*/\*/\*/\*
allow_rename /home/\*/samba/\* /home/\*/samba/\*
allow_rename /home/\*/samba/\*/\* /home/\*/samba/\*/\*
allow_rename /home/\*/samba/\*/\*/\* /home/\*/samba/\*/\*/\*
allow_rename /home/\*/samba/\*/\*/\*/\* /home/\*/samba/\*/\*/\*/\*
allow_rename /home/\*/samba/\*/ /home/\*/samba/\*/
allow_rename /home/\*/samba/\*/\*/ /home/\*/samba/\*/\*/
allow_rename /home/\*/samba/\*/\*/\*/ /home/\*/samba/\*/\*/\*/
After:
<kernel> /usr/sbin/smbd
use_profile 3
6 /home/\*/samba/\* if task.euid=path1.uid
6 /home/\*/samba/\*/\* if task.euid=path1.uid
6 /home/\*/samba/\*/\*/\* if task.euid=path1.uid
6 /home/\*/samba/\*/\*/\*/\* if task.euid=path1.uid
allow_mkdir /home/\*/samba/\*/ if task.euid=path1.parent.uid
allow_mkdir /home/\*/samba/\*/\*/ if task.euid=path1.parent.uid
allow_mkdir /home/\*/samba/\*/\*/\*/ if task.euid=path1.parent.uid
allow_rmdir /home/\*/samba/\*/ if task.euid=path1.uid
allow_rmdir /home/\*/samba/\*/\*/ if task.euid=path1.uid
allow_rmdir /home/\*/samba/\*/\*/\*/ if task.euid=path1.uid
allow_create /home/\*/samba/\* if task.euid=path1.parent.uid
allow_create /home/\*/samba/\*/\* if task.euid=path1.parent.uid
allow_create /home/\*/samba/\*/\*/\* if task.euid=path1.parent.uid
allow_create /home/\*/samba/\*/\*/\*/\* if task.euid=path1.parent.uid
allow_truncate /home/\*/samba/\* if task.euid=path1.uid
allow_truncate /home/\*/samba/\*/\* if task.euid=path1.uid
allow_truncate /home/\*/samba/\*/\*/\* if task.euid=path1.uid
allow_truncate /home/\*/samba/\*/\*/\*/\* if task.euid=path1.uid
allow_unlink /home/\*/samba/\* if task.euid=path1.uid
allow_unlink /home/\*/samba/\*/\* if task.euid=path1.uid
allow_unlink /home/\*/samba/\*/\*/\* if task.euid=path1.uid
allow_unlink /home/\*/samba/\*/\*/\*/\* if task.euid=path1.uid
allow_rename /home/\*/samba/\* /home/\*/samba/\* if task.euid=path1.parent.uid task.euid=path2.parent.uid
allow_rename /home/\*/samba/\*/\* /home/\*/samba/\*/\* if task.euid=path1.parent.uid task.euid=path2.parent.uid
allow_rename /home/\*/samba/\*/\*/\* /home/\*/samba/\*/\*/\* if task.euid=path1.parent.uid task.euid=path2.parent.uid
allow_rename /home/\*/samba/\*/\*/\*/\* /home/\*/samba/\*/\*/\*/\* if task.euid=path1.parent.uid task.euid=path2.parent.uid
allow_rename /home/\*/samba/\*/ /home/\*/samba/\*/ if task.euid=path1.parent.uid task.euid=path2.parent.uid
allow_rename /home/\*/samba/\*/\*/ /home/\*/samba/\*/\*/ if task.euid=path1.parent.uid task.euid=path2.parent.uid
allow_rename /home/\*/samba/\*/\*/\*/ /home/\*/samba/\*/\*/\*/ if task.euid=path1.parent.uid task.euid=path2.parent.uid
If you want to protect the SSH service, adding conditions in the following manner forbids login as user "root".
Before:
<kernel> /usr/sbin/sshd
use_profile 3
1 /bin/bash
After:
<kernel> /usr/sbin/sshd
use_profile 3
1 /bin/bash if task.uid!=0 task.euid!=0
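As an added example (not TOMOYO's own code), the following Python simulator evaluates the "if" conditions used in the vsftpd, smbd and sshd ACLs above against constructed request attributes. It shows why create, mkdir and rename compare against the parent directory's owner (the object being created does not exist yet, so it has no owner to compare), and why the sshd rule must check both task.uid and task.euid.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example (not TOMOYO's own code): a simulator for the "if" conditions
# used in the vsftpd, smbd and sshd ACLs above.  The attribute values are
# constructed; in the real kernel they come from the calling task and from
# the inodes of the pathnames being accessed.


@dataclass
class Request:
    task_uid: int
    task_euid: int
    path1_uid: Optional[int] = None         # owner of path1; None if it does not exist
    path1_parent_uid: Optional[int] = None  # owner of path1's parent directory
    path2_uid: Optional[int] = None
    path2_parent_uid: Optional[int] = None

    def attr(self, name):
        """'path1.parent.uid' -> self.path1_parent_uid"""
        return getattr(self, name.replace(".", "_"))


# task.uid=path1.uid, task.euid!=0, task.uid=path2.parent.uid, ...
_COND = re.compile(r"^(task\.(?:uid|euid))(!?=)(\d+|path[12]\.(?:parent\.)?uid)$")


def conditions_hold(acl, req):
    """True if every condition after ' if ' in `acl` holds for `req`.
    An ACL without ' if ' is unconditional.  Comparing against an attribute that
    is unavailable (the owner of a file that does not exist yet) is treated as
    not holding, which is why allow_create/allow_mkdir use path1.parent.uid."""
    if " if " not in acl:
        return True
    for cond in acl.split(" if ", 1)[1].split():
        m = _COND.match(cond)
        if not m:
            raise ValueError("unsupported condition: " + cond)
        lhs, op, rhs = m.groups()
        left = req.attr(lhs)
        right = int(rhs) if rhs.isdigit() else req.attr(rhs)
        if right is None or (op == "=") != (left == right):
            return False
    return True


if __name__ == "__main__":
    # vsftpd serving uid 1000: creating a file inside its own ftp directory is
    # allowed, creating one inside uid 1001's directory is not.
    acl = r"allow_create /home/\*/ftp/\* if task.uid=path1.parent.uid"
    print(conditions_hold(acl, Request(1000, 1000, path1_parent_uid=1000)))  # True
    print(conditions_hold(acl, Request(1000, 1000, path1_parent_uid=1001)))  # False
```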
You may need to adjust policies after software updates and configuration changes. To adjust policy, see the TOMOYO Linux Maintenance manual.