TOMOYO Linux Maintenance manual

Last modified: $Date: 2007-01-30 20:01:40 +0900 (Tue, 30 Jan 2007) $

Notes for updating packages

Since the behavior of the system is restricted by policy, you may need to update policy when you update packages.

You need to update policy in the following cases.

The ideal way to update policy is to rebuild it from scratch in accept mode. But it is not desirable to switch from enforce mode to another mode once the system has entered production. Even if the MAC supported per-application enforce mode, it would become useless as soon as an application that is not running in enforce mode was cracked. For example, the whole system becomes vulnerable if only the HTTP server application is switched to accept mode in order to rebuild its policy. So, in TOMOYO Linux, updating policy is done while the system is running in enforce mode.

TOMOYO Linux includes tools that help administrators update policy while the system is running in enforce mode. By using these tools, you can keep the system running without rebuilding policy from scratch in accept mode, provided the modification is trivial. But note that these tools cannot support every case, and the updated policy is not always optimal.

Procedure

Open three windows. Hereafter, this manual refers to these windows as "Window-1", "Window-2" and "Window-3".

First, switch to Window-1 and set ALLOW_ENFORCE_GRACE=1 for the profiles whose access requests you want to judge interactively. For example, to change profile 3, run the following command.

setlevel 3-ALLOW_ENFORCE_GRACE=1

Instead of directly changing the value of ALLOW_ENFORCE_GRACE in the existing "enforce mode" profiles with the "setlevel" command, you may use the "setprofile" command to assign "enforce mode" profiles that differ only in the value of ALLOW_ENFORCE_GRACE.

Start the following command.

ccs-queryd

"ccs-queryd" detects policy violations and displays each access request. After validating the request, you can tell the system whether it should be granted (or granted and the policy appended so that the request is allowed) or rejected.

Never grant access requests unconditionally. Policy violations are not always caused by updating packages; they may be malicious requests by attackers. If you grant access requests caused by malicious requests, the system is compromised.

If the profiles are configured with "ALLOW_ENFORCE_GRACE=0" or "ccs-queryd" is not running, access requests that violate policy are rejected immediately. If the profiles are configured with "ALLOW_ENFORCE_GRACE=1" and "ccs-queryd" is running, access requests that violate policy are kept pending. Thus, you should not log out while "ccs-queryd" is running.

Next, start the following command at Window-2.

ld-watch

"ld-watch" automatically appends shared libraries to the exception policy with the "allow_read" directive when the location of shared libraries recorded in /etc/ld.so.cache changes. By using "ld-watch", you can avoid the error "unable to start applications because shared libraries are unreadable" when the pathnames of shared libraries accessed by general programs have changed.

Next, switch to Window-3, and run the commands for updating packages.

If you use "yum", run "yum update". If you use "apt", run "apt-get update" and "apt-get upgrade".

Policy violations occur while updating packages due to unusual behavior such as restarting daemons. So, don't forget to monitor Window-1.

After you have finished updating packages, wait 10 seconds, then terminate the "ld-watch" running in Window-2 with Ctrl-C.

Next, save current policy manually.

savepolicy

Run the following command to get the list of nonexistent pathnames.

findtemp < /etc/ccs/exception_policy.txt

Open /etc/ccs/exception_policy.txt in a text editor and remove the "allow_read" lines for nonexistent shared libraries. Then reload the exception policy with the following command.

loadpolicy ef

Run the following command to get the list of nonexistent pathnames.

findtemp < /etc/ccs/domain_policy.txt

You need to be careful if a lot of pathnames appear. The directory part of the pathnames may have been changed by updating packages.

For example, updating the logwatch included in Fedora Core 4 changes its pathnames. The logwatch on Fedora Core 4's installation CD keeps its configuration files in the /etc/log.d/ directory, but after updating, the location changes to the /etc/logwatch/ directory and the /etc/log.d/ directory is removed.

If the patterns of the changes are obvious, you can edit /etc/ccs/domain_policy.txt in a text editor. Then reload the domain policy with the following command.

loadpolicy df
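The stale-pathname check in the steps above, as an added shell example that is not part of TOMOYO Linux or this manual: it reports "allow_read" pathnames that no longer exist (the job findtemp does above) and writes a copy of the exception policy with those lines removed. It assumes the "allow_read <pathname>" line format and skips pathnames containing a backslash (TOMOYO escape or wildcard sequences), which a plain existence test cannot judge; the report function can be pointed at domain_policy.txt for review only, since directory renames like the logwatch case need manual editing.

```shell
#!/bin/sh
# Added example, not part of TOMOYO Linux or this manual.
# Assumes the "allow_read <pathname>" line format shown in the manual;
# all other lines are passed through untouched.

# Print the pathname of each allow_read line whose target does not exist.
# Pathnames containing a backslash (TOMOYO wildcard/escape sequences) are
# skipped, because a plain existence test cannot judge them.
missing_allow_read() {
    while IFS= read -r _line; do
        case "$_line" in
            "allow_read "*)
                _path="${_line#allow_read }"
                case "$_path" in *\\*) continue ;; esac
                [ -e "$_path" ] || printf '%s\n' "$_path"
                ;;
        esac
    done < "$1"
}

# Write the policy to stdout with stale allow_read lines removed, and echo
# every removed line to stderr so the administrator can review the change
# before reloading with "loadpolicy ef".
prune_missing_allow_read() {
    while IFS= read -r _line; do
        case "$_line" in
            "allow_read "*)
                _path="${_line#allow_read }"
                case "$_path" in *\\*) printf '%s\n' "$_line"; continue ;; esac
                if [ -e "$_path" ]; then
                    printf '%s\n' "$_line"
                else
                    printf 'removed: %s\n' "$_line" >&2
                fi
                ;;
            *) printf '%s\n' "$_line" ;;
        esac
    done < "$1"
}

# Usage: sh prune_allow_read.sh /etc/ccs/exception_policy.txt
# The pruned copy is written next to the original as <file>.pruned; diff it
# against the original before copying it into place.
if [ $# -eq 1 ]; then
    missing_allow_read "$1" >&2
    prune_missing_allow_read "$1" > "$1.pruned"
fi
```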

Perform a series of operations to confirm that the programs protected by MAC run properly. If some access permissions are missing, messages will be printed in Window-1, so don't forget to monitor Window-1.

Save the policy again after you have finished the operation check.

savepolicy

Terminate the "ccs-queryd" running in Window-1 with Ctrl-C.

Finally, switch the profiles back to "ALLOW_ENFORCE_GRACE=0". For example, if you changed profile 3, run the following command.

setlevel 3-ALLOW_ENFORCE_GRACE=0

You have finished updating the policy. Close all windows.