Policy Editor

Last modified: $Date: 2006-11-25 10:18:46 +0900 (Sat, 25 Nov 2006) $

About this page

TOMOYO Linux includes a CUI based Policy Editor. It is possible to use arbitrary editors such as vi and emacs, for TOMOYO Linux's policy is text files. But using the Policy Editor is recommended, for when editors attempt to write to /proc/ccs interfaces, they produce a lot of noisy error messages such as "Can't create backup file".

Preparation

You need to register the location of policy editor ( /root/ccstools/editpolicy ) in the /root/security/manager.txt before booting with TOMOYO Linux kernel.

Invocation

You can start this editor by typing /root/ccstools/editpolicy at the prompt.

Accept Mode

The screenshot below is the policy after booting Red Hat Linux 9 with "accept mode" and doing the operations listed above.
This screen shows the list of domains and domain transitions. You can analyze how Linux operates on bootup.

Policy Editor

Let's browse the policy recorded by the kernel for startup script of anacron.
The policy editor has two modes. One is to show domains and domain transitions, the other is to edit ACLs within the selected domain. The former mode is default.
You can switch to the mode to edit ACLs within the selected domain after choosing the domain you want to know the ACLs.
You can use arrow keys to move cursor. Select the line for anacron and press Enter, and the screenshot below (ACLs for executing startup script for anacron) will appear.

Policy Editor

The integer next to the line number is an octal representation of Linux's permission(rwx). For example, 4 is r--(read), 6 is rw-(read/write), 1 is --x(execute).
You will see the ACLs needed for executing the startup script for anacron is automatically recorded by the kernel.

Next, press Enter to go back to the screen to show domains and domain transitions, and search the domain for /sbin/mingetty.

You will find that /bin/bash is invoked by /bin/login and /bin/login is invoked by mingetty by logging into the system, and the entity of /bin/sh is /bin/bash.
Also, you will find that commands you have invoked before invoking this policy editor such as head and date are recorded.
Now move the cursor to the domain for head and press Enter.

Policy Editor

Policy Editor

The /usr/bin/head invoked by /bin/bash invoked by /bin/login invoked by /sbin/mingetty is granted to read /etc/passwd .
You will find that "domains are distinguished and ACLs are granted independently for the same program if the process's invocation histories differ" and "ACLs are granted with fine-grained objects".
Moreover, since these distinctions are made automatically by the kernel, it is possible for all administrators who have standard skill of administrating Linux to master TOMOYO Linux.

Footnote

The /root/ccstools/editpolicy is for editing policy in the kernel directly when the system is running with the TOMOYO Linux's kernel. You can switch to the screen for editing exception policy or system policy by pressing Tab key.