Access Analysis using TOMOYO Linux

Last modified: $Date: 2007-02-05 20:56:25 +0900 (Mon, 05 Feb 2007) $

Since the policy of TOMOYO Linux is expressed in terms of pathnames, TOMOYO Linux is well suited to tracing file accesses.
You can use TOMOYO Linux to find out how programs access files, or which program is creating files in a specific directory.

Preparation

Install TOMOYO Linux kernel

TOMOYO Linux provides some binary kernel packages. If you want to use a binary kernel package, download and install the one for your distribution.

RedHat Linux 9 (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/22799/kernel-2.4.20-46.9.legacy_tomoyo_1.3.1.i386.rpm
Fedora Core 3 (80586 and later) http://osdn.dl.sourceforge.jp/tomoyo/22799/kernel-2.6.12-2.3.legacy_FC3_tomoyo_1.3.1.i586.rpm
Fedora Core 4 (80586 and later) http://osdn.dl.sourceforge.jp/tomoyo/22799/kernel-2.6.17-1.2142_FC4_tomoyo_1.3.1.i586.rpm
Fedora Core 5 (80586 and later) http://osdn.dl.sourceforge.jp/tomoyo/22799/kernel-2.6.18-1.2257.fc5_tomoyo_1.3.1.i586.rpm
Fedora Core 6 (80586 and later) http://osdn.dl.sourceforge.jp/tomoyo/22799/kernel-2.6.19-1.2895.fc6_tomoyo_1.3.1.i586.rpm
CentOS 4.4 (80586 and later) http://osdn.dl.sourceforge.jp/tomoyo/22799/kernel-2.6.9-42.0.8.EL_tomoyo_1.3.1.i586.rpm
Debian Sarge (80586 and later) http://osdn.dl.sourceforge.jp/tomoyo/22799/kernel-image-2.4.27-10sarge5-ccs_1.3.1_i586.deb
http://osdn.dl.sourceforge.jp/tomoyo/22799/kernel-image-2.6.8-16sarge6-ccs_1.3.1_i586.deb
Debian Etch (80586 and later) http://osdn.dl.sourceforge.jp/tomoyo/22799/linux-image-2.6.18-7-ccs_1.3.1_i586.deb
OpenSUSE 10.1 (80586 and later) http://osdn.dl.sourceforge.jp/tomoyo/22799/kernel-default-2.6.16.27-0.6_tomoyo_1.3.1.i586.rpm
OpenSUSE 10.2 (80586 and later) http://osdn.dl.sourceforge.jp/tomoyo/22799/kernel-default-2.6.18.2-34_tomoyo_1.3.1.i586.rpm
Asianux 2.0 (80686 and later) http://osdn.dl.sourceforge.jp/tomoyo/22799/kernel-2.6.9-34.28AX_tomoyo_1.3.1.i686.rpm
Ubuntu 6.10 (80586 and later) http://osdn.dl.sourceforge.jp/tomoyo/22799/linux-image-2.6.17.14-ubuntu1-ccs_1.3.1_i586.deb

If your CPU architecture differs or you want to customize the kernel configuration, you need to compile the kernel yourself. To compile the kernel, see TOMOYO Linux kernel compilation.

If you are using a distribution that supports SELinux, you might encounter errors while installing the packages unless SELinux is disabled. If you see the error messages shown below while installing packages, disable SELinux and retry. You can disable SELinux either by changing SELINUX=disabled in /etc/selinux/config and rebooting, or by adding selinux=0 to the kernel's boot parameters.

[root@localhost ~]# rpm -ihv kernel-2.6.9-42.0.8.EL_tomoyo_1.3.1.i586.rpm
Preparing...                ########################################### [100%]
Error: %pre(kernel-2.6.9-42.0.8.EL_tomoyo_1.3.1.i586) scriptlet failed, exit status 255
Error:   install: %pre scriptlet failed (2), skipping kernel-2.6.9-42.0.8.EL_tomoyo_1.3.1

TOMOYO Linux itself can coexist with SELinux. You may continue with SELinux enabled if you want.

If you install the rpm package, the following entry is added to /boot/grub/grub.conf upon successful installation.

title CentOS (2.6.9-42.0.8.EL_tomoyo_1.3.1)
    root (hd0,0)
    kernel /vmlinuz-2.6.9-42.0.8.EL_tomoyo_1.3.1 ro root=/dev/VolGroup00/LogVol00
    initrd /initrd-2.6.9-42.0.8.EL_tomoyo_1.3.1.img

Append "init=/.init" to the "kernel" line.

title CentOS (2.6.9-42.0.8.EL_tomoyo_1.3.1)
    root (hd0,0)
    kernel /vmlinuz-2.6.9-42.0.8.EL_tomoyo_1.3.1 ro root=/dev/VolGroup00/LogVol00 init=/.init
    initrd /initrd-2.6.9-42.0.8.EL_tomoyo_1.3.1.img

If you install the deb package, the following entry is added to /boot/grub/menu.lst upon successful installation.

title Debian GNU/Linux, kernel 2.6.8-16sarge6-ccs
root (hd0,0)
kernel /boot/vmlinuz-2.6.8-16sarge6-ccs root=/dev/sda1 ro
initrd /boot/initrd.img-2.6.8-16sarge6-ccs
savedefault
boot

Append "init=/.init" to the "kernel" line.

title Debian GNU/Linux, kernel 2.6.8-16sarge6-ccs
root (hd0,0)
kernel /boot/vmlinuz-2.6.8-16sarge6-ccs root=/dev/sda1 ro init=/.init
initrd /boot/initrd.img-2.6.8-16sarge6-ccs
savedefault
boot

"/.init" is a script that loads TOMOYO Linux's policy files; it is executed before "/sbin/init" starts.
"/.init" is included in the TOMOYO Linux tools package.

Install TOMOYO Linux tools

TOMOYO Linux provides some pre-compiled tools. If you want to use the pre-compiled tools, download the archive for your distribution and extract it under the /root/ directory.

RedHat Linux 9 (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/22799/ccs-tools-1.3.1-i386-RHL9.tar.gz
Fedora Core 3 (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/22799/ccs-tools-1.3.1-i386-FC3.tar.gz
Fedora Core 4 (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/22799/ccs-tools-1.3.1-i386-FC4.tar.gz
Fedora Core 5 (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/22799/ccs-tools-1.3.1-i386-FC5.tar.gz
Fedora Core 6 (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/22799/ccs-tools-1.3.1-i386-FC6.tar.gz
CentOS 4.4 (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/22799/ccs-tools-1.3.1-i386-CentOS4.4.tar.gz
Debian Sarge (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/22799/ccs-tools-1.3.1-i386-Sarge.tar.gz
Debian Etch (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/22799/ccs-tools-1.3.1-i386-Etch.tar.gz
OpenSUSE 10.1 (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/22799/ccs-tools-1.3.1-i386-SUSE10.1.tar.gz
OpenSUSE 10.2 (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/22799/ccs-tools-1.3.1-i386-SUSE10.2.tar.gz
Asianux 2.0 (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/22799/ccs-tools-1.3.1-i386-AX2.tar.gz
Ubuntu 6.10 (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/22799/ccs-tools-1.3.1-i386-Ubuntu6.10.tar.gz

Move the extracted ".init" (the policy loader) to /.

mv ccstools/.init /

If your CPU architecture differs, you need to compile the tools yourself. To compile the tools, run the following commands.

cd /root/
# Download source of tools for TOMOYO Linux.
wget http://osdn.dl.sourceforge.jp/tomoyo/22798/ccs-tools-1.3.1-20070107.tar.gz
# Extract.
tar -zxf ccs-tools-1.3.1-20070107.tar.gz
# Compile.
make -sC ccstools/
# Move policy loader to / .
mv ccstools/.init /

Create Policy

Create /etc/ccs/manager.txt with the following contents.

/root/ccstools/editpolicy

Create /etc/ccs/status.txt with the following contents.

MAC_FOR_FILE=1
MAX_ACCEPT_FILES=1048576
MAX_GRANT_LOG=0
MAX_REJECT_LOG=0
TOMOYO_VERBOSE=0

Save the output of the following command as /etc/ccs/exception_policy.txt.

/root/ccstools/make_exception.sh | grep ^file_pattern | sort | uniq

Analysis

Reboot with the TOMOYO Linux kernel.

The following messages will appear when "/.init" runs successfully; press "Enter" to continue.

Press 'Enter' or wait for 10 seconds to use default status.
You may input 'disabled' and press 'Enter' to disable MAC in case of emergency.
>

If the profiles are loaded successfully, /sbin/init starts and the system boots.
On failure, the following message appears and the system halts.

No profiles loaded. Run policy loader using 'init=' option.

If it fails, check the following points.

Run applications you want to analyze.

You can see the list of programs executed so far by running /root/ccstools/editpolicy. Choose a program and press "Enter" to see the list of files accessed by that program.

You can save the list of all files accessed so far as /etc/ccs/domain_policy.txt by running /root/ccstools/savepolicy.
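Once the learned policy has been saved, the question this page opens with ("which program is creating files in a specific directory?") can be answered offline by parsing /etc/ccs/domain_policy.txt. The script below is an added example, not part of the TOMOYO Linux tools; it assumes the TOMOYO 1.x domain policy layout in which each domain header begins with "<kernel>" followed by the execution chain, and each access line is "<perm> <pathname>" with perm a bit mask (1 = execute, 2 = write, 4 = read, so 6 = read and write). The sample policy embedded in it is constructed for illustration, not captured from a real system.

```python
"""Report which programs accessed files under a directory, from a TOMOYO 1.x domain_policy.txt."""
import re
from collections import defaultdict

# Assumed 1.x access-line format: "<perm> <pathname>", perm = 1 (exec) | 2 (write) | 4 (read).
ACL_RE = re.compile(r"^([1-7]) (\S+)$")
EXECUTE, WRITE, READ = 1, 2, 4

def parse_domain_policy(text):
    """Return {domain header: [(perm, pathname), ...]}; lines that are not access lines are skipped."""
    domains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("<kernel>"):        # a domain header names the execution chain
            current = line
            domains.setdefault(current, [])
        elif current is not None:
            m = ACL_RE.match(line)
            if m:
                domains[current].append((int(m.group(1)), m.group(2)))
    return domains

def accessors_under(domains, directory, perm=WRITE):
    """Map each pathname under `directory` opened with `perm` to the sorted programs that did so."""
    prefix = directory.rstrip("/") + "/"
    found = defaultdict(set)
    for domain, acls in domains.items():
        program = domain.split()[-1]           # last element of the chain is the running program
        for p, path in acls:
            if p & perm and path.startswith(prefix):
                found[path].add(program)
    return {path: sorted(progs) for path, progs in found.items()}

# Constructed sample policy (not real data) in the assumed 1.x layout.
SAMPLE = """\
<kernel>
1 /sbin/init

<kernel> /sbin/init
4 /etc/inittab
1 /etc/rc.d/rc

<kernel> /sbin/init /etc/rc.d/rc
1 /bin/bash
2 /var/log/boot.log

<kernel> /sbin/init /etc/rc.d/rc /usr/sbin/httpd
4 /etc/httpd/conf/httpd.conf
6 /var/log/httpd/access_log
2 /tmp/sess_constructed
"""

if __name__ == "__main__":
    for path, progs in sorted(accessors_under(parse_domain_policy(SAMPLE), "/var/log").items()):
        print(f"{path}: written by {', '.join(progs)}")
```

Run it against the real file with `parse_domain_policy(open("/etc/ccs/domain_policy.txt").read())`; pass `READ` or `EXECUTE` as `perm` to ask about reads or executions instead of writes.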