TOMOYO Linux Install manual

Last modified: 2006-12-18 20:23:23 +0900 (Mon, 18 Dec 2006)

Installation

Install TOMOYO Linux kernel

TOMOYO Linux provides some binary kernel packages. If you want to use a binary kernel package, download and install the one for your distribution.

RedHat Linux 9 (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/22560/kernel-2.4.20-46.9.legacy_tomoyo_1.3.i386.rpm
Fedora Core 3 (80586 and later) http://osdn.dl.sourceforge.jp/tomoyo/22560/kernel-2.6.12-2.3.legacy_FC3_tomoyo_1.3.i586.rpm
Fedora Core 4 (80586 and later) http://osdn.dl.sourceforge.jp/tomoyo/22560/kernel-2.6.17-1.2142_FC4_tomoyo_1.3.i586.rpm
Fedora Core 5 (80586 and later) http://osdn.dl.sourceforge.jp/tomoyo/22560/kernel-2.6.18-1.2239.fc5_tomoyo_1.3.i586.rpm
Fedora Core 6 (80586 and later) http://osdn.dl.sourceforge.jp/tomoyo/22560/kernel-2.6.18-1.2849.fc6_tomoyo_1.3.i586.rpm
CentOS 4.4 (80586 and later) http://osdn.dl.sourceforge.jp/tomoyo/22560/kernel-2.6.9-42.0.3.EL_tomoyo_1.3.i586.rpm
Debian Sarge (80586 and later) http://osdn.dl.sourceforge.jp/tomoyo/22560/kernel-image-2.4.27-10sarge4-ccs_1.3_i586.deb
http://osdn.dl.sourceforge.jp/tomoyo/22560/kernel-image-2.6.8-16sarge5-ccs_1.3_i586.deb
Debian Etch (80586 and later) http://osdn.dl.sourceforge.jp/tomoyo/22560/linux-image-2.6.17-9-ccs_1.3_i586.deb
OpenSUSE 10.1 (80586 and later) http://osdn.dl.sourceforge.jp/tomoyo/22560/kernel-default-2.6.16.21-0.25_tomoyo_1.3.i586.rpm

If your CPU architecture differs or you want to customize the kernel configuration, you need to compile the kernel. To compile the kernel, see TOMOYO Linux kernel compilation.

If you install the rpm package, the following entry is added to /boot/grub/grub.conf upon successful installation.

title CentOS (2.6.9-42.0.3.EL_tomoyo_1.3)
    root (hd0,0)
    kernel /vmlinuz-2.6.9-42.0.3.EL_tomoyo_1.3 ro root=/dev/VolGroup00/LogVol00
    initrd /initrd-2.6.9-42.0.3.EL_tomoyo_1.3.img

Append "init=/.init" to the "kernel" line.

title CentOS (2.6.9-42.0.3.EL_tomoyo_1.3)
    root (hd0,0)
    kernel /vmlinuz-2.6.9-42.0.3.EL_tomoyo_1.3 ro root=/dev/VolGroup00/LogVol00 init=/.init
    initrd /initrd-2.6.9-42.0.3.EL_tomoyo_1.3.img

If you install the deb package, the following entry is added to /boot/grub/menu.lst upon successful installation.

title Debian GNU/Linux, kernel 2.6.8-16sarge5-ccs
root (hd0,0)
kernel /boot/vmlinuz-2.6.8-16sarge5-ccs root=/dev/sda1 ro
initrd /boot/initrd.img-2.6.8-16sarge5-ccs
savedefault
boot

Append "init=/.init" to the "kernel" line.

title Debian GNU/Linux, kernel 2.6.8-16sarge5-ccs
root (hd0,0)
kernel /boot/vmlinuz-2.6.8-16sarge5-ccs root=/dev/sda1 ro init=/.init
initrd /boot/initrd.img-2.6.8-16sarge5-ccs
savedefault
boot

The "/.init" is a script that loads TOMOYO Linux's policy files; it is executed before /sbin/init starts.
The "/.init" is included in the TOMOYO Linux tools package.

Install TOMOYO Linux tools

TOMOYO Linux provides some pre-compiled tools. If you want to use the pre-compiled tools, download the package for your distribution and extract it under the /root/ directory.

RedHat Linux 9 (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/22560/ccs-tools-1.3-i386-RHL9.tar.gz
Fedora Core 3 (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/22560/ccs-tools-1.3-i386-FC3.tar.gz
Fedora Core 4 (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/22560/ccs-tools-1.3-i386-FC4.tar.gz
Fedora Core 5 (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/22560/ccs-tools-1.3-i386-FC5.tar.gz
Fedora Core 6 (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/22560/ccs-tools-1.3-i386-FC6.tar.gz
CentOS 4.4 (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/22560/ccs-tools-1.3-i386-CentOS4.4.tar.gz
Debian Sarge (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/22560/ccs-tools-1.3-i386-Sarge.tar.gz
Debian Etch (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/22560/ccs-tools-1.3-i386-Etch.tar.gz
OpenSUSE 10.1 (80386 and later) http://osdn.dl.sourceforge.jp/tomoyo/22560/ccs-tools-1.3-i386-SUSE10.1.tar.gz

Move the extracted ".init" (policy loader) to / .

mv ccstools/.init /

If your CPU architecture differs, you need to compile the tools. To compile the tools, run the following commands.

cd /root/
# Download source of tools for TOMOYO Linux.
wget http://osdn.dl.sourceforge.jp/tomoyo/22559/ccs-tools-1.3-20061111.tar.gz
# Extract.
tar -zxf ccs-tools-1.3-20061111.tar.gz
# Compile.
make -sC ccstools/
# Move policy loader to / .
mv ccstools/.init /

Setting command search path

Add the location of the TOMOYO Linux tools to the PATH environment variable.

Add the following line to ~/.bashrc if you are using bash.

export PATH=$PATH:/root/ccstools

Add the following line to ~/.tcshrc if you are using tcsh.

setenv PATH "$PATH:/root/ccstools"

Boot Test

Check whether your box can boot with the TOMOYO Linux kernel.

Create the /etc/ccs/ directory, in which TOMOYO Linux stores policy files.
Set the owner and group to root and the permission to 700, since only root needs to access the directory.

mkdir -m 700 /etc/ccs

Create /etc/ccs/manager.txt and list the programs that are allowed to update policies via the /proc/ccs/ interface.
Specifically: "loadpolicy", which reloads policy; "editpolicy", which edits policy; "setlevel", which changes the control level; "setprofile", which changes the profile number of domains; "ld-watch", which updates globally readable files; and "ccs-queryd", which grants access requests interactively.

cat > /etc/ccs/manager.txt << EOF
/root/ccstools/loadpolicy
/root/ccstools/editpolicy
/root/ccstools/setlevel
/root/ccstools/setprofile
/root/ccstools/ld-watch
/root/ccstools/ccs-queryd
EOF

Reboot with TOMOYO Linux kernel.

reboot

The following messages will appear upon successful execution of "/.init".

Press 'Enter' or wait for 10 seconds to use default status.
You may input 'disabled' and press 'Enter' to disable MAC in case of emergency.
>

Enter "boottest" and press Enter here, since no profiles have been created yet.

boottest

/sbin/init will start and the system will boot if the profiles are loaded successfully.
On failure, the following message appears and the system halts.

No profiles loaded. Run policy loader using 'init=' option.

If it fails, check the following points.

After the system boots, log in as root.
Save the profile by executing the following command.

cat /proc/ccs/status > /etc/ccs/status.txt

Preparation

About domains

MAC in TOMOYO Linux is applied in units of domains. Every process belongs to a single domain, and basically a process transits to a different domain whenever it executes a program. The name of a domain is the concatenated string of the process execution history. For example, the domain the kernel belongs to is named "<kernel>", the domain of /sbin/init invoked by the kernel is named "<kernel> /sbin/init", and the domain of /etc/rc.d/rc invoked by /sbin/init is named "<kernel> /sbin/init /etc/rc.d/rc". The exceptions to this transition rule are described later.

About profiles

TOMOYO Linux can perform several kinds of MAC besides MAC for files, but to reduce the policy management load you can disable the kinds you consider unnecessary. The configurable parameters are determined at kernel compilation time; only the items listed in /proc/ccs/status are configurable.

Name | Control | Default value | Accept mode supported
COMMENT | A line of text that describes the content of the profile. | | -
MAC_FOR_FILE | Enable Mandatory Access Control (MAC) for files. | 0 | Yes
MAC_FOR_ARGV0 | Enable MAC for argv[0] checks. | 0 | Yes
MAC_FOR_CAPABILITY:: | Enable MAC for capabilities. There are 29 types of capabilities and you can enable or disable them selectively. | 0 | Yes
MAC_FOR_NETWORK | Enable MAC for network addresses and ports. | 0 | Yes
MAC_FOR_BINDPORT | Enable MAC for local ports. This is a subset of MAC_FOR_NETWORK. | 0 | Yes
MAC_FOR_CONNECTPORT | Enable MAC for remote ports. This is a subset of MAC_FOR_NETWORK. | 0 | Yes
MAC_FOR_SIGNAL | Enable MAC for signals. | 0 | Yes
DENY_CONCEAL_MOUNT | Forbid mount requests that hide an existing mount. | 0 | No
RESTRICT_CHROOT | Enable restrictions for chroot directories. | 0 | Yes
RESTRICT_MOUNT | Enable restrictions for mount parameters. | 0 | Yes
RESTRICT_UNMOUNT | Forbid unmount requests for specified directories. | 0 | No
DENY_PIVOT_ROOT | Forbid pivot_root requests. | 0 | No
RESTRICT_AUTOBIND | Forbid selecting specific local port numbers when automatic local port binding happens. | 0 | No
TRACE_READONLY | Dump the canonicalized pathname of write requests that failed because of a read-only filesystem. | 0 | -
MAX_ACCEPT_FILES | Limits the maximum number of file read/write/execute ACL entries that are automatically appended in accept mode. | 2048 | -
MAX_GRANT_LOG | Limits the maximum number of logged access requests that didn't violate policy. | 1024 | -
MAX_REJECT_LOG | Limits the maximum number of logged access requests that violated policy. | 1024 | -
TOMOYO_VERBOSE | Dump domain policy violation messages to syslog. | 1 | -
ALLOW_ENFORCE_GRACE | Allow interactively permitting access requests that violated policy, according to the administrator's decision. | 0 | -

You can give the following values for TRACE_READONLY and RESTRICT_AUTOBIND.

Value | Meaning
0 | Off. Works as if a regular kernel.
1 | On.

You can give any integer greater than or equal to 0 for MAX_ACCEPT_FILES, MAX_GRANT_LOG and MAX_REJECT_LOG.

You can give the following values for TOMOYO_VERBOSE.

Value | Meaning
0 | Don't dump domain policy violation messages.
1 | Dump domain policy violation messages.

You can give the following values for ALLOW_ENFORCE_GRACE.

Value | Meaning
0 | Reject immediately if a policy violation occurs in enforcing mode.
1 | Allow interactively permitting access requests that violated policy in enforcing mode.

You can give the following values for all parameters not listed above.

Value | Meaning
0 | Disabled. Works as if a regular kernel.
1 | Accept mode. The request is not rejected if it violates policy, and it is automatically appended to policy.
2 | Permissive mode. The request is not rejected if it violates policy, and it is not appended to policy automatically.
3 | Enforce mode. The request is rejected if it violates policy.

Creating profiles

Write profiles for "disabled", "accept mode", "permissive mode" and "enforce mode" in /etc/ccs/status.txt . The following example defines profiles that apply MAC for files and networks. The leading number is the profile number used when assigning profiles to domains. The valid profile number range is 0 to 255.

0-COMMENT=----- All Disabled -----
1-COMMENT=----- FILE and NETWORK with Accept Mode -----
1-MAC_FOR_FILE=1
1-MAC_FOR_NETWORK=1
2-COMMENT=----- FILE and NETWORK with Permissive Mode -----
2-MAC_FOR_FILE=2
2-MAC_FOR_NETWORK=2
3-COMMENT=----- FILE and NETWORK with Enforce Mode -----
3-MAC_FOR_FILE=3
3-MAC_FOR_NETWORK=3
3-MAX_GRANT_LOG=0
3-ALLOW_ENFORCE_GRACE=0
4-COMMENT=----- FILE and NETWORK with Delayed Enforce Mode -----
4-MAC_FOR_FILE=3
4-MAC_FOR_NETWORK=3
4-MAX_GRANT_LOG=0
4-MAX_REJECT_LOG=0
4-ALLOW_ENFORCE_GRACE=1

In this manual, we assume that
profile number 0 is for "disabled",
profile number 1 is for "accept mode",
profile number 2 is for "permissive mode",
profile number 3 is for "enforce mode",
profile number 4 is for "delayed enforce mode" (the same as "enforce mode" except that it lets administrators handle access requests that violated policy manually).

You won't need to edit the profiles once you have created them, because you can control how MAC is applied on a per-domain basis by changing the profile numbers of domains. But if you edit /etc/ccs/status.txt for some reason (for example, to add profiles), run the following command.

xargs -0 setlevel < /etc/ccs/status.txt

To see the profiles currently configured, run the following command.

cat /proc/ccs/status
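
As an added check (example Python, not part of the TOMOYO Linux tools), the following validates a status.txt against the value ranges listed above before it is handed to setlevel: profile numbers 0 to 255, mode parameters 0 to 3 with accept mode refused where the table marks it unsupported, on/off parameters 0 or 1, and the MAX_* counters any integer greater than or equal to 0. The "MAC_FOR_CAPABILITY::<capability>" spelling and the second, deliberately broken sample are assumptions.

```python
"""Validate a TOMOYO Linux 1.3 /etc/ccs/status.txt (added example, not a TOMOYO tool)."""
import re

# Value ranges taken from the manual's parameter tables.
MODE_PARAMS = {  # 0 disabled, 1 accept, 2 permissive, 3 enforce
    "MAC_FOR_FILE", "MAC_FOR_ARGV0", "MAC_FOR_CAPABILITY", "MAC_FOR_NETWORK",
    "MAC_FOR_BINDPORT", "MAC_FOR_CONNECTPORT", "MAC_FOR_SIGNAL",
    "DENY_CONCEAL_MOUNT", "RESTRICT_CHROOT", "RESTRICT_MOUNT",
    "RESTRICT_UNMOUNT", "DENY_PIVOT_ROOT",
}
NO_ACCEPT_MODE = {"DENY_CONCEAL_MOUNT", "RESTRICT_UNMOUNT", "DENY_PIVOT_ROOT"}
ON_OFF = {"TRACE_READONLY", "RESTRICT_AUTOBIND", "TOMOYO_VERBOSE",
          "ALLOW_ENFORCE_GRACE"}  # 0 off, 1 on
COUNTERS = {"MAX_ACCEPT_FILES", "MAX_GRANT_LOG", "MAX_REJECT_LOG"}  # any int >= 0
LINE_RE = re.compile(r"^(\d+)-([A-Za-z0-9_:]+)=(.*)$")


def check_value(name, value):
    """Return an error message if VALUE is not valid for NAME, else None."""
    if name == "COMMENT":
        return None
    # Assumed: capability entries look like MAC_FOR_CAPABILITY::<capability>.
    base = name.split("::", 1)[0]
    if not re.fullmatch(r"-?\d+", value):
        return "%s: value %r is not an integer" % (name, value)
    n = int(value)
    if base in MODE_PARAMS:
        if not 0 <= n <= 3:
            return "%s: %d is outside 0..3" % (name, n)
        if n == 1 and base in NO_ACCEPT_MODE:
            return "%s: accept mode (1) is not supported" % name
    elif base in ON_OFF:
        if n not in (0, 1):
            return "%s: %d is not 0 or 1" % (name, n)
    elif base in COUNTERS:
        if n < 0:
            return "%s: %d is negative" % (name, n)
    else:
        return "%s: unknown parameter" % name
    return None


def check_status(text):
    """Parse status.txt text; return ({profile: {name: value}}, [errors])."""
    profiles, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            errors.append("line %d: not of the form N-NAME=VALUE" % lineno)
            continue
        number, name, value = int(m.group(1)), m.group(2), m.group(3)
        if number > 255:
            errors.append("line %d: profile number %d is outside 0..255"
                          % (lineno, number))
            continue
        err = check_value(name, value)
        if err:
            errors.append("line %d: %s" % (lineno, err))
        else:
            profiles.setdefault(number, {})[name] = value
    return profiles, errors


# The profiles shown in the manual, as sample input.
SAMPLE_STATUS = """\
0-COMMENT=----- All Disabled -----
1-COMMENT=----- FILE and NETWORK with Accept Mode -----
1-MAC_FOR_FILE=1
1-MAC_FOR_NETWORK=1
2-COMMENT=----- FILE and NETWORK with Permissive Mode -----
2-MAC_FOR_FILE=2
2-MAC_FOR_NETWORK=2
3-COMMENT=----- FILE and NETWORK with Enforce Mode -----
3-MAC_FOR_FILE=3
3-MAC_FOR_NETWORK=3
3-MAX_GRANT_LOG=0
3-ALLOW_ENFORCE_GRACE=0
4-COMMENT=----- FILE and NETWORK with Delayed Enforce Mode -----
4-MAC_FOR_FILE=3
4-MAC_FOR_NETWORK=3
4-MAX_GRANT_LOG=0
4-MAX_REJECT_LOG=0
4-ALLOW_ENFORCE_GRACE=1
"""

# A constructed file with one mistake per line, to show what gets flagged.
SAMPLE_BAD = """\
256-MAC_FOR_FILE=3
1-MAC_FOR_FILE=4
1-DENY_PIVOT_ROOT=1
1-MAX_GRANT_LOG=-1
1-TOMOYO_VERBOSE=2
1-NO_SUCH_PARAMETER=1
"""
```

Running check_status on a file before "xargs -0 setlevel" catches the mistakes that the kernel would otherwise silently ignore or reject.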

Assigning profiles to domains

To assign profiles to domains, use "setprofile" command. For example,

setprofile -r 0 '<kernel>'

will assign profile number 0 to all domains. Also,

setprofile -r 1 '<kernel> /sbin/init'

will assign profile number 1 to all domains whose domain name starts with "<kernel> /sbin/init". Also,

setprofile 2 '<kernel> /sbin/init'

will assign profile number 2 only to the domain whose domain name is "<kernel> /sbin/init".

To see the profiles currently assigned to domains, run the following command. A list of profile numbers and domain names is shown.

cat /proc/ccs/policy/.domain_status

Basically, you don't need to switch the profiles of all domains at boot, because you can assign profiles on a per-domain basis and the profile number last assigned is kept in the domain policy file (/etc/ccs/domain_policy.txt) by the "use_profile" directive. But if you can't boot for some reason (for example, you assigned an "enforce mode" profile before giving domains enough permissions), you can enter "disabled" and press Enter at the /.init prompt to boot the system with MAC disabled.

To see the profiles of currently running processes and their domain names, use the ccstree command.

ccstree

The ccstree command shows a list with the profile number, process name, PID and name of the domain each process belongs to, in the style of the pstree command, as shown below.

  0 init (1) <kernel> /sbin/init
  0  +- mingetty (743) <kernel> /sbin/mingetty
  0  +- mingetty (744) <kernel> /sbin/mingetty
  0  +- mingetty (745) <kernel> /sbin/mingetty
  0  +- mingetty (746) <kernel> /sbin/mingetty
  0  +- mingetty (747) <kernel> /sbin/mingetty
  0  +- rc (748) <kernel> /sbin/init /etc/rc.d/rc
  0      +- S91smb (3468) <kernel> /etc/rc.d/init.d/smb
  0          +- initlog (3475) <kernel> /etc/rc.d/init.d/smb /sbin/initlog
  0              +- nmbd (3476) <kernel> /etc/rc.d/init.d/smb /sbin/initlog /usr/sbin/nmbd
  0  +- syslogd (3158) <kernel> /etc/rc.d/init.d/syslog /sbin/initlog /sbin/syslogd
  0  +- klogd (3162) <kernel> /etc/rc.d/init.d/syslog /sbin/initlog /sbin/klogd
  0  +- portmap (3172) <kernel> /etc/rc.d/init.d/portmap /sbin/initlog /sbin/portmap
  0  +- rpc.statd (3191) <kernel> /etc/rc.d/init.d/nfslock /sbin/initlog /sbin/rpc.statd
  0  +- cardmgr (3245) <kernel> /etc/rc.d/init.d/pcmcia /sbin/cardmgr
  0  +- apmd (3270) <kernel> /etc/rc.d/init.d/apmd /sbin/initlog /usr/sbin/apmd
  0  +- sshd (3307) <kernel> /usr/sbin/sshd
  0      +- sshd (3393) <kernel> /usr/sbin/sshd
  0          +- tcsh (3434) <kernel> /usr/sbin/sshd /bin/tcsh
  0              +- ccstree (3477) <kernel> /usr/sbin/sshd /bin/tcsh /root/ccstools/ccstree
  0  +- xinetd (3321) <kernel> /usr/sbin/xinetd
  0  +- rpc.rquotad (3342) <kernel> /etc/rc.d/init.d/nfs /sbin/initlog /usr/sbin/rpc.rquotad
  0  +- rpc.mountd (3361) <kernel> /etc/rc.d/init.d/nfs /sbin/initlog /usr/sbin/rpc.mountd
  0  +- vsftpd (3371) <kernel> /usr/sbin/vsftpd
  0  +- sendmail (3395) <kernel> /etc/rc.d/init.d/sendmail /sbin/initlog /usr/sbin/sendmail.sendmail
  0  +- sendmail (3404) <kernel> /etc/rc.d/init.d/sendmail /sbin/initlog /usr/sbin/sendmail.sendmail
  0  +- spamd (3414) <kernel> /etc/rc.d/init.d/spamassassin /sbin/initlog /usr/bin/spamd
  0  +- gpm (3423) <kernel> /etc/rc.d/init.d/gpm /sbin/initlog /usr/sbin/gpm
  0  +- httpd (3455) <kernel> /usr/sbin/httpd
  0  +- crond (3464) <kernel> /usr/sbin/crond
  0  +- smbd (3473) <kernel> /usr/sbin/smbd

If you give the -a option to ccstree, you can also see kernel processes that are outside the scope of TOMOYO Linux's MAC.

Changes for Audit Logs

TOMOYO Linux can record "access granted logs" (access requests that didn't violate domain policy) and "access rejected logs" (access requests that violated domain policy).

The logs are in the form of domain policy, so that they can be appended directly to the domain policy. Add entries from the "access rejected logs" to the domain policy if you decide the access should be allowed.

You can use a daemon program that reads from /proc/ccs/info/grant_log and /proc/ccs/info/reject_log and writes to files. Run it in the following way, for example from /etc/rc.local .

/root/ccstools/ccs-auditd $location_to_store_access_granted_logs $location_to_store_access_rejected_logs

You may give MAX_GRANT_LOG=0 in the profiles and /dev/null for $location_to_store_access_granted_logs if you don't want "access granted logs". Since "ccs-auditd" has no filtering functions, keep an eye on the disk's free space if you do save "access granted logs".

You may give MAX_REJECT_LOG=0 in the profiles and /dev/null for $location_to_store_access_rejected_logs if you don't want "access rejected logs". But I recommend saving "access rejected logs". This manual assumes that "access rejected logs" are saved in /var/log/tomoyo/reject_log.txt .

/root/ccstools/ccs-auditd /dev/null /var/log/tomoyo/reject_log.txt

Create the directories for storing access logs manually.

mkdir -p /var/log/tomoyo

If you want to rotate the log with "logrotate", create /etc/logrotate.d/tomoyo with the following content. Be sure to give the "nocreate" option, or logs after the first rotation will not be saved.

/var/log/tomoyo/reject_log.txt {
  weekly
  rotate 9
  missingok
  notifempty
  nocreate
}

If you want neither "access granted logs" nor "access rejected logs", you needn't run "ccs-auditd", and you can give MAX_GRANT_LOG=0 and MAX_REJECT_LOG=0 in the profiles to save memory and improve performance.

Creating exception policy

Create /etc/ccs/exception_policy.txt and define the following types of exceptions.

  1. Pathname pattern
  2. Unconditionally readable files
  3. Non-rewritable files
  4. Domain transition initializers
  5. Programs invocable via symbolic links
  6. Program aggregations
  7. Trusted domain

The TOMOYO Linux tools package contains two scripts, make_exception.sh and make_alias.sh, that generate these exceptions automatically. Run the following commands. The execution of make_alias.sh takes a long time (possibly longer than 10 minutes in some environments).

make_exception.sh | sort | uniq > /etc/ccs/exception_policy.txt
make_alias.sh >> /etc/ccs/exception_policy.txt

Be sure to review the content of the automatically generated exceptions, because they may contain redundant or dangerous entries.

(1) Pathname pattern

Register pathnames with patterns using the "file_pattern" directive. When a file operation is performed and the requested pathname matches a patterned pathname registered with the "file_pattern" directive, policy is generated using the patterned pathname.
The following is the guideline.

TOMOYO Linux needs more patterned pathnames depending on the installed applications and their configurations. You can add missing patterned pathnames after running the system.

(2) Unconditionally readable files

Register files that all programs are allowed to read using the "allow_read" directive. No patterns are allowed. When a read access is requested and the requested pathname matches a pathname registered with the "allow_read" directive, the read access is granted without checking domain policy.
The following is the guideline.

You may find more files depending on the applications in your system or their configurations. Add missing files after observing which files are opened for read access.

(3) Non-rewritable files

Register files whose existing contents must not be overwritten (like log files) using the "deny_rewrite" directive. Patterns are allowed. Files registered with the "deny_rewrite" directive are forbidden to be opened "for writing but not in append mode" and to be truncated, unless this is explicitly permitted by an "allow_rewrite" directive in domain policy.
The following is the guideline.

You may find more files depending on the applications in your system or their configurations. Add missing files after observing which files are used for append-only access.

(4) Domain transition initializers

Register programs that initialize the domain transition history using the "initializer" directive. No patterns are allowed. When a program registered with the "initializer" directive is executed, the program runs directly under the <kernel> domain.
The following is the guideline.

You may find more programs depending on the applications in your system or their configurations. Add missing programs after observing which programs should initialize their domain transition history. But be careful with the side effects on other domains. For example, when the domain policy already includes

<kernel> ... /bin/bash
use_profile 3
1 /bin/tcsh

<kernel> ... /bin/bash /bin/tcsh
use_profile 3
1 /bin/cat

<kernel> ... /bin/bash /bin/tcsh /bin/cat
use_profile 3
4 /etc/fstab

and you add /bin/tcsh as an initializer, "<kernel> ... /bin/bash /bin/tcsh" becomes an unreachable domain, because /bin/tcsh now runs in the "<kernel> /bin/tcsh" domain. In that case, you need to replace "<kernel> ... /bin/bash /bin/tcsh" with "<kernel> /bin/tcsh" as shown below.

<kernel> ... /bin/bash
use_profile 3
1 /bin/tcsh

<kernel> /bin/tcsh
use_profile 3
1 /bin/cat

<kernel> /bin/tcsh /bin/cat
use_profile 3
4 /etc/fstab

(5) Programs invocable via symbolic links

Basically, TOMOYO Linux checks execute permissions using the dereferenced pathname if the requested program is a symbolic link. But to handle programs that behave differently depending on the name they are invoked by, you may define domains using the name of the symbolic link.
To allow executing programs under the name of a symbolic link, use the "alias" directive followed by the dereferenced pathname and the symbolic link pathname. No patterns are allowed.
For example, /sbin/pidof is a symbolic link to /sbin/killall5 . Normally, if /sbin/pidof is executed, the domain is defined as if /sbin/killall5 had been executed. By specifying "alias /sbin/killall5 /sbin/pidof", you can run /sbin/pidof in the domain for /sbin/pidof .

(6) Program aggregations

To treat multiple programs as a single program, use the "aggregator" directive followed by the name of the original program and the name of the aggregated program. Patterns are allowed for the name of the original program.
For example, /usr/bin/tac and /bin/cat are similar. By specifying "aggregator /usr/bin/tac /bin/cat", you can run /usr/bin/tac in the domain for /bin/cat .

(7) Trusted domain

To declare a trusted domain, use the "trust_domain" directive followed by the domain definition.
For example, if "trust_domain /usr/sbin/sshd /bin/tcsh" is given, the "<kernel> /usr/sbin/sshd /bin/tcsh" domain and its descendants (such as "<kernel> /usr/sbin/sshd /bin/tcsh /bin/cat") are exempt from per-domain MAC.
Note that since TOMOYO Linux 1.3 lets you assign profiles on a per-domain basis, you no longer need the "trust_domain" directive to create domains to which per-domain MAC is not applied.
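
The transition rules of this section, worked through as added example code (not part of the TOMOYO Linux tools): each exec appends the program to the domain name, "initializer" restarts the history under <kernel>, "alias" keeps a symbolic link's own name, "aggregator" maps a program (pattern allowed) onto another, and "trust_domain" exempts a domain and its descendants. Assumed: "\*" matches any run of characters except "/", a trust_domain argument written without "<kernel>" means the domain under <kernel>, and the sample exception policy and exec history are constructed.

```python
"""Compute TOMOYO Linux domain names (added example, not a TOMOYO tool)."""
import re

KERNEL = "<kernel>"


def pattern_to_regex(pattern):
    """Compile a TOMOYO pathname pattern; assumed: \\* never crosses '/'."""
    parts = pattern.split("\\*")
    return re.compile("^" + "[^/]*".join(re.escape(p) for p in parts) + "$")


def parse_exception_policy(text):
    """Collect the exception-policy directives that affect domain names."""
    policy = {"initializer": set(), "alias": {}, "aggregator": [],
              "trust_domain": set()}
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        directive, args = words[0], words[1:]
        if directive == "initializer" and len(args) == 1:
            policy["initializer"].add(args[0])
        elif directive == "alias" and len(args) == 2:
            # alias <dereferenced pathname> <symbolic link pathname>
            policy["alias"][args[1]] = args[0]
        elif directive == "aggregator" and len(args) == 2:
            # aggregator <original program, pattern allowed> <aggregated program>
            policy["aggregator"].append((pattern_to_regex(args[0]), args[1]))
        elif directive == "trust_domain" and args:
            # Assumed: a definition written without "<kernel>" lives under <kernel>.
            domain = " ".join(args)
            if not domain.startswith(KERNEL):
                domain = KERNEL + " " + domain
            policy["trust_domain"].add(domain)
    return policy


def effective_program(requested, resolved, policy):
    """Name recorded in the domain when REQUESTED (a link to RESOLVED) is executed."""
    # The dereferenced name is used unless an alias keeps the link's own name.
    name = requested if policy["alias"].get(requested) == resolved else resolved
    for regex, aggregated in policy["aggregator"]:
        if regex.match(name):
            return aggregated
    return name


def next_domain(current, requested, policy, resolved=None):
    """Domain a process in CURRENT transits to when it executes REQUESTED."""
    program = effective_program(requested, resolved or requested, policy)
    if program in policy["initializer"]:
        return KERNEL + " " + program  # execution history starts over
    return current + " " + program


def domain_for_history(execs, policy):
    """Walk (requested, resolved) exec pairs from <kernel> to the final domain."""
    domain = KERNEL
    for requested, resolved in execs:
        domain = next_domain(domain, requested, policy, resolved)
    return domain


def is_trusted(domain, policy):
    """True if DOMAIN or one of its ancestors was declared with trust_domain."""
    return any(domain == t or domain.startswith(t + " ")
               for t in policy["trust_domain"])


# Constructed exception policy using the directives discussed in the manual.
SAMPLE_EXCEPTIONS = """\
initializer /usr/sbin/httpd
alias /sbin/killall5 /sbin/pidof
aggregator /usr/bin/tac /bin/cat
trust_domain /usr/sbin/sshd /bin/tcsh
"""
# Constructed exec history: a console login shell that starts httpd.
SAMPLE_HISTORY = [("/sbin/mingetty", "/sbin/mingetty"), ("/bin/login", "/bin/login"),
                  ("/bin/bash", "/bin/bash"), ("/usr/sbin/httpd", "/usr/sbin/httpd")]
```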

Creating Domain Policy

Basic Procedure

The following is the basic procedure for creating domain policy.

  1. Create domains
  2. Append ACLs to domains
  3. Confirm ACLs for domains
  4. Enforce using ACLs

You don't need to create the whole policy for all applications at one time.

(1) Create domains

Assign a profile that doesn't perform MAC (in this manual, profile 0) and invoke the applications. The purpose of this step is to create domains for the applications.

For example, if you want to protect /usr/sbin/httpd , first create domains for /usr/sbin/httpd . If /usr/sbin/httpd is registered with "initializer", a domain named "<kernel> /usr/sbin/httpd" is created by invoking /usr/sbin/httpd . If it is not registered, a child domain of the invoker's domain is created (for example, if you invoked it from "<kernel> /usr/sbin/mingetty /bin/login /bin/bash", the new domain is "<kernel> /usr/sbin/mingetty /bin/login /bin/bash /usr/sbin/httpd"). This manual assumes that /usr/sbin/httpd is registered with "initializer".

Assign a profile that doesn't perform MAC (in this manual, profile 0) to the domain the current process (normally a shell) belongs to, using the "setprofile" command.

xargs -0 setprofile 0 < /proc/ccs/info/self_domain

This is needed to avoid assigning a profile that performs MAC in "enforce mode" to the newly created domain, because a newly created domain inherits the profile of the domain that created it.

Start /usr/sbin/httpd .

service httpd start

You can use the following command to confirm that the domain has been created. Make sure the domain for the application you want to protect exists.

less /proc/ccs/policy/.domain_status

After you confirmed that the domain is created, proceed to the next step.

(2) Append ACLs to domains

After you have confirmed that the domain is created, assign a profile that performs MAC in "accept mode" (in this manual, profile 1) to the domain using the "setprofile" command.

setprofile -r 1 '<kernel> /usr/sbin/httpd'

Start /usr/sbin/httpd and let the system append ACLs needed for /usr/sbin/httpd .

service httpd restart

If the profile is configured as "1-TOMOYO_VERBOSE=1" (this is the default), "TOMOYO-WARNING:" messages are printed to the console when a policy violation occurs. But in "accept mode", each "TOMOYO-WARNING:" message is printed only once, because the necessary ACL is appended automatically, so repeating the same operation no longer violates policy.

When the "TOMOYO-WARNING:" messages are no longer printed for the operations you want to allow, proceed to the next step.

(3) Confirm ACLs for domains

After you have judged that the necessary ACLs are appended, assign a profile that performs MAC in "permissive mode" (in this manual, profile 2) to the domain using the "setprofile" command.

setprofile -r 2 '<kernel> /usr/sbin/httpd'

Start /usr/sbin/httpd and confirm that all necessary ACLs are appended.

If the profile is configured as "2-TOMOYO_VERBOSE=1" (this is the default), "TOMOYO-WARNING:" messages are printed to the console when a policy violation occurs. In "permissive mode", the "TOMOYO-WARNING:" messages are printed again each time you repeat the operation, because the necessary ACLs are not appended automatically.

If the "TOMOYO-WARNING:" messages are no longer printed when you do the operation you want to allow, proceed to the next step.

(4) Enforce using ACLs

After you have judged that the necessary ACLs are present, assign a profile that performs MAC in "enforce mode" (in this manual, profile 3) to the domain using the "setprofile" command.

setprofile -r 3 '<kernel> /usr/sbin/httpd'

And now, /usr/sbin/httpd is protected by MAC.

If the profile is configured with "3-TOMOYO_VERBOSE=1" (this is the default), "TOMOYO-ERROR:" messages are printed to the console and the requests are rejected when a policy violation occurs. The history of policy violations is also accumulated in /proc/ccs/info/reject_log .

Creating policy all at once using "permissive mode"

TOMOYO Linux allows administrators to generate domain policy from policy violation logs. If you want to do so, assign a profile that performs MAC in "permissive mode" (in this manual, profile 2) to the domain.

setprofile -r 2 '<kernel> /usr/sbin/httpd'

The log file /var/log/tomoyo/reject_log.txt created by "ccs-auditd" contains the list of ACLs that violated domain policy, in time order. Select the appropriate range and pass it to the filter as shown below. This filter program sorts by domain and removes duplicate entries (in other words, "sort" by domain and "uniq").

sortpolicy < /var/log/tomoyo/reject_log.txt

Check the output and judge whether these ACLs should be added. If you decide to add them, append them to /etc/ccs/domain_policy.txt and run "loadpolicy" to reload the domain policy.

loadpolicy d

If you run "loadpolicy" with the "f" option (that is, "loadpolicy df"), the domain policy currently in the kernel is erased before the domain policy currently on the disk is loaded.

Operation Example

Rename the current reject log file. "ccs-auditd" detects the disappearance of the current reject log file and recreates it.

[root@sakura tomoyo]# mv /var/log/tomoyo/reject_log.txt /var/log/tomoyo/reject_log.tmp

Check the logs. Select the ranges you want to use with a text editor if necessary.

[root@sakura tomoyo]# cat /var/log/tomoyo/reject_log.tmp
#2006-11-10 10:17:29# pid=4498 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0
<kernel> /usr/sbin/sshd /bin/tcsh /bin/cat
4 /etc/inittab

#2006-11-10 10:17:41# pid=4501 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0
<kernel> /usr/sbin/sshd /bin/tcsh /bin/cat
4 /etc/resolv.conf

#2006-11-10 10:18:00# pid=4502 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0
<kernel> /usr/sbin/sshd /bin/tcsh
1 /usr/bin/whoami

#2006-11-10 10:18:00# pid=4502 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0
<kernel> /usr/sbin/sshd /bin/tcsh /usr/bin/whoami
4 /etc/nsswitch.conf

#2006-11-10 10:18:00# pid=4502 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0
<kernel> /usr/sbin/sshd /bin/tcsh /usr/bin/whoami
4 /etc/passwd

Sort the log by domains.

[root@sakura tomoyo]# sortpolicy < /var/log/tomoyo/reject_log.tmp
<kernel> /usr/sbin/sshd /bin/tcsh

1 /usr/bin/whoami
#2006-11-10 10:18:00# pid=4502 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0

<kernel> /usr/sbin/sshd /bin/tcsh /bin/cat

4 /etc/inittab
4 /etc/resolv.conf
#2006-11-10 10:17:41# pid=4501 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0
#2006-11-10 10:18:00# pid=4502 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0

<kernel> /usr/sbin/sshd /bin/tcsh /usr/bin/whoami

4 /etc/nsswitch.conf
4 /etc/passwd
#2006-11-10 10:18:00# pid=4502 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0

Since the timestamp lines are distracting, remove the lines starting with # before sorting.

[root@sakura tomoyo]# grep -v '^#' /var/log/tomoyo/reject_log.tmp | sortpolicy > /var/log/tomoyo/diff.tmp

Check the output. This is in the form of domain policy.

[root@sakura tomoyo]# cat /var/log/tomoyo/diff.tmp
<kernel> /usr/sbin/sshd /bin/tcsh

1 /usr/bin/whoami

<kernel> /usr/sbin/sshd /bin/tcsh /bin/cat

4 /etc/inittab
4 /etc/resolv.conf

<kernel> /usr/sbin/sshd /bin/tcsh /usr/bin/whoami

4 /etc/nsswitch.conf
4 /etc/passwd
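
The grep/sortpolicy step above, followed by the merge into /etc/ccs/domain_policy.txt, as added example code (not the sortpolicy program itself): it parses the reject-log records, groups ACLs by domain, drops duplicates, and appends the reviewed result to a domain policy, giving domains that did not exist yet a use_profile line. The sample log is a constructed copy of four of the records shown above, and the existing domain policy it is merged into is an assumption.

```python
"""Turn ccs-auditd reject logs into domain policy (added example, not a TOMOYO tool)."""
import re


def parse_reject_log(text):
    """Split reject-log text into (timestamp_line, domain, acl_lines) records."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l for l in block.splitlines() if l.strip()]
        if not lines:
            continue
        header = lines.pop(0) if lines[0].startswith("#") else None
        if not lines or not lines[0].startswith("<kernel>"):
            raise ValueError("record without a domain line: %r" % block)
        records.append((header, lines[0], lines[1:]))
    return records


def sort_policy(text, keep_headers=False):
    """Group records by domain and drop duplicate ACLs, as sortpolicy does."""
    by_domain = {}
    for header, domain, acls in parse_reject_log(text):
        entry = by_domain.setdefault(domain, ({}, {}))  # dicts used as ordered sets
        entry[0].update(dict.fromkeys(acls))
        if keep_headers and header:
            entry[1][header] = None
    out = []
    for domain in sorted(by_domain):
        acls, headers = by_domain[domain]
        out += [domain, ""] + sorted(acls) + sorted(headers) + [""]
    return "\n".join(out)


def parse_domain_policy(text):
    """Parse domain policy (or sort_policy output) into {domain: [lines]}."""
    policy, domain = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("<kernel>"):
            domain = line
            policy.setdefault(domain, [])
        elif domain is not None:
            policy[domain].append(line)
    return policy


def merge_domain_policy(policy_text, additions_text, new_profile):
    """Append reviewed ACLs to a domain policy; new domains get NEW_PROFILE."""
    policy = parse_domain_policy(policy_text)
    for domain, lines in parse_domain_policy(additions_text).items():
        entry = policy.setdefault(domain, ["use_profile %d" % new_profile])
        for acl in lines:
            if acl not in entry:
                entry.append(acl)
    out = []
    for domain, lines in policy.items():
        out += [domain] + lines + [""]
    return "\n".join(out)


# Constructed copy of four records from the reject log shown above.
SAMPLE_LOG = """\
#2006-11-10 10:17:29# pid=4498 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0
<kernel> /usr/sbin/sshd /bin/tcsh /bin/cat
4 /etc/inittab

#2006-11-10 10:17:41# pid=4501 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0
<kernel> /usr/sbin/sshd /bin/tcsh /bin/cat
4 /etc/resolv.conf

#2006-11-10 10:18:00# pid=4502 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0
<kernel> /usr/sbin/sshd /bin/tcsh
1 /usr/bin/whoami

#2006-11-10 10:18:00# pid=4502 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0
<kernel> /usr/sbin/sshd /bin/tcsh /usr/bin/whoami
4 /etc/nsswitch.conf
"""
# Assumed existing domain policy that the reviewed ACLs are merged into.
SAMPLE_POLICY = """\
<kernel> /usr/sbin/sshd /bin/tcsh
use_profile 3
1 /bin/cat
"""
```

merge_domain_policy is idempotent, so re-running it on the same reviewed output changes nothing; the merged text is what you would write to /etc/ccs/domain_policy.txt before "loadpolicy d".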

Creating policy interactively using "enforce mode"

TOMOYO Linux allows administrators to modify policies while the system is running in "enforce mode". If you want to do so, assign a profile that performs MAC in "delayed enforce mode" (in this manual, profile 4) to the domain.

setprofile -r 4 '<kernel> /usr/sbin/httpd'

Next, start the "ccs-queryd" command. "ccs-queryd" detects policy violations and shows the ACLs needed to allow the requests. You can judge each one and append it to the domain policy manually.

ccs-queryd

If the profile is configured with "ALLOW_ENFORCE_GRACE=1" and "ccs-queryd" is running, the access requests that violated policy are kept pending. Otherwise, the access requests that violated policy are rejected immediately.

To avoid requests sleeping forever while pending, never log out (for example, by detaching from screen(1)) while the profile is configured with "ALLOW_ENFORCE_GRACE=1" and "ccs-queryd" is running.

To terminate "ccs-queryd", use Ctrl-C. After you have terminated "ccs-queryd", assign a profile that performs MAC in "enforce mode" (in this manual, profile 3) using the "setprofile" command.

setprofile -r 3 '<kernel> /usr/sbin/httpd'

Saving Policy

To save the policy currently in the kernel onto the disk, use "savepolicy" command.

savepolicy

By executing "savepolicy", three files ("system_policy.txt", "exception_policy.txt", "domain_policy.txt") are created in the /etc/ccs/ directory. Strictly speaking, they are symbolic links to text files whose filenames contain the creation time.

Loading Policy

To load the policy currently on the disk into the kernel, use "loadpolicy" command.

loadpolicy af

The "a" option means load all three files ("system_policy.txt", "exception_policy.txt", "domain_policy.txt"). The "f" option means erase the policy currently in the kernel before loading the policy currently on the disk. If "f" is not given, the policy on the disk is added to the policy currently in the kernel.

Editing Policy

To edit the policy currently in the kernel, use "editpolicy" command. See Using Policy Editor for usage.

editpolicy

To edit the policy currently on the disk, use "editpolicy_offline" command. You can use "editpolicy_offline" when you are not running the system with TOMOYO Linux kernel.

editpolicy_offline

Tuning Policy

Patterning File Access Permissions

Append access permissions for files that are not necessarily accessed during accept mode, such as WWW contents for the WWW service, to /etc/ccs/domain_policy.txt .
The following example allows /usr/sbin/httpd to read files under the /var/www/html/ directory.

<kernel> /usr/sbin/httpd
use_profile 3
4 /var/www/html/\*
4 /var/www/html/\*/\*
4 /var/www/html/\*/\*/\*
4 /var/www/html/\*/\*/\*/\*
4 /var/www/html/\*/\*/\*/\*/\*

In the same way, group access permissions for files by rewriting them with patterns.
The following example makes /usr/sbin/smbd treat all of its log files alike.

Before
<kernel> /usr/sbin/smbd
use_profile 3
2 /var/log/samba/host1.log
2 /var/log/samba/host2.log
2 /var/log/samba/host3.log
2 /var/log/samba/host4.log
2 /var/log/samba/host5.log
After
<kernel> /usr/sbin/smbd
use_profile 3
2 /var/log/samba/\*.log

You can confirm which files a pattern covers by using the pathmatch command, which lists the existing pathnames that match the given pathname patterns.

[root@sakura ~]# pathmatch '/var/log/samba/\*.log'
/var/log/samba/host1.log /var/log/samba/host2.log /var/log/samba/host3.log /var/log/samba/host4.log /var/log/samba/host5.log
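To make the two wildcards used in this section concrete, here is an added example (not a TOMOYO tool and not part of the original manual) that models them: "\*" matches zero or more characters up to the next "/", and "\$" matches one or more decimal digits. Unlike pathmatch, which walks the real filesystem, tomoyo_match is handed the candidate pathnames explicitly (constructed sample paths below), so it can be run on any machine to check what a pattern would and would not cover before it goes into the policy.

```shell
#!/bin/sh
# Added example: a model of TOMOYO 1.x "\*" and "\$" path wildcards.
# Assumption: only these two wildcards (plus "\\" for a literal backslash)
# appear in the patterns; anything else is rejected rather than guessed.

# tomoyo_to_ere PATTERN: print a POSIX extended regular expression that is
# equivalent to the TOMOYO pattern, anchored to the whole pathname.
tomoyo_to_ere() {
    pat=$1
    out=''
    while [ -n "$pat" ]; do
        rest=${pat#?}            # everything after the first character
        c=${pat%"$rest"}         # the first character itself
        case $c in
        \\)                      # a TOMOYO wildcard: look at the next character
            rest2=${rest#?}
            w=${rest%"$rest2"}
            case $w in
            '*') out="$out[^/]*" ;;        # \* : any characters except "/"
            '$') out="$out[0-9]+" ;;       # \$ : one or more decimal digits
            '\') out="$out\\\\" ;;         # \\ : a literal backslash
            *)   printf 'unsupported wildcard \\%s\n' "$w" >&2; return 1 ;;
            esac
            rest=$rest2 ;;
        '.'|'^'|'$'|'+'|'?'|'('|')'|'['|']'|'{'|'}'|'|')
            out="$out\\$c" ;;    # ERE metacharacter that is literal in a path
        *)
            out="$out$c" ;;
        esac
        pat=$rest
    done
    printf '^%s$\n' "$out"
}

# tomoyo_match PATTERN PATH...: print each PATH that the pattern covers.
tomoyo_match() {
    ere=$(tomoyo_to_ere "$1") || return 1
    shift
    for p in "$@"; do
        if printf '%s\n' "$p" | grep -Eq -e "$ere"; then
            printf '%s\n' "$p"
        fi
    done
    return 0
}

# Constructed sample pathnames (not taken from a real system).
# Only host1.log is covered: "\*" never crosses "/" and the name must end in .log.
tomoyo_match '/var/log/samba/\*.log' \
    /var/log/samba/host1.log /var/log/samba/sub/host2.log /var/log/samba/host3.log.1
# "\$" needs at least one digit, so /etc/mtab~ itself is not covered.
tomoyo_match '/etc/mtab~\$' /etc/mtab~ /etc/mtab~2302 /etc/mtab~2339 /etc/mtab~2302.tmp
```

The second call shows why the page's exception-policy patterns are safe to use for patternize: "/etc/mtab~\$" covers the numbered temporary files but neither the real /etc/mtab~ nor a name with a further suffix, so the patterned ACL grants nothing the original per-file ACLs did not.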

Operation example

Save the domain policy currently in the kernel onto the disk.

[root@sakura ~]# savepolicy d

List pathnames that look like temporary files.

[root@sakura ~]# findtemp < /etc/ccs/domain_policy.txt
/etc/mtab.tmp
/etc/mtab~
/etc/mtab~2302
/etc/mtab~2328
/etc/mtab~2329
/etc/mtab~2330
/etc/mtab~2331
/etc/mtab~2332
/etc/mtab~2339
/etc/mtab~2383
/halt
/selinux/disable
/selinux/enforce
/selinux/policyvers
/tmp/sh-thd-1163110572
/tmp/sh-thd-1163113704
/var/cache/samba/browse.dat.
/var/lib/nfs/etab.tmp
/var/lib/nfs/xtab.tmp
/var/lock/mrtg/mrtg_l

Find the domains that access these files.

[root@sakura ~]# domainmatch /etc/mtab~2302
<kernel> /sbin/init /etc/rc.d/rc.sysinit /sbin/initlog /etc/rc.d/rc.sysinit /sbin/initlog /bin/mount
allow_create /etc/mtab~2302
2 /etc/mtab~2302
allow_link /etc/mtab~2302 /etc/mtab~
allow_unlink /etc/mtab~2302
[root@sakura ~]# domainmatch /tmp/sh-thd-1163113704
<kernel> /etc/rc.d/init.d/smartd /sbin/initlog /usr/sbin/smartd /bin/sh
allow_create /tmp/sh-thd-1163113704
6 /tmp/sh-thd-1163113704
allow_unlink /tmp/sh-thd-1163113704

Save the exception policy currently in the kernel onto the disk.

[root@sakura ~]# savepolicy e

Append patterns to the exception policy on the disk if needed.

[root@sakura ~]# echo 'file_pattern /etc/mtab~\$' >> /etc/ccs/exception_policy.txt
[root@sakura ~]# echo 'file_pattern /tmp/sh-thd-\$' >> /etc/ccs/exception_policy.txt

Load the exception policy on the disk into the kernel.

[root@sakura ~]# loadpolicy ef

Patternize pathnames that match '/etc/mtab~\$' and '/tmp/sh-thd-\$'.

[root@sakura ~]# patternize '/etc/mtab~\$' '/tmp/sh-thd-\$' < /etc/ccs/domain_policy.txt > /etc/ccs/domain_policy.tmp

Confirm that these files have been patternized.

[root@sakura ~]# findtemp < /etc/ccs/domain_policy.tmp
/etc/mtab.tmp
/etc/mtab~
/halt
/selinux/disable
/selinux/enforce
/selinux/policyvers
/var/cache/samba/browse.dat.
/var/lib/nfs/etab.tmp
/var/lib/nfs/xtab.tmp
/var/lock/mrtg/mrtg_l

Verify that the patterning was done as you intended by diffing the domain policy before and after patternize.

[root@sakura ~]# diff /etc/ccs/domain_policy.txt /etc/ccs/domain_policy.tmp
2326,2331c2326,2331
< 6 /tmp/sh-thd-1163110572
< 6 /tmp/sh-thd-1163113704
< allow_create /tmp/sh-thd-1163110572
< allow_create /tmp/sh-thd-1163113704
< allow_unlink /tmp/sh-thd-1163110572
< allow_unlink /tmp/sh-thd-1163113704
---
> 6 /tmp/sh-thd-\$
> 6 /tmp/sh-thd-\$
> allow_create /tmp/sh-thd-\$
> allow_create /tmp/sh-thd-\$
> allow_unlink /tmp/sh-thd-\$
> allow_unlink /tmp/sh-thd-\$
3331,3336c3331,3336
< 2 /etc/mtab~2328
< 2 /etc/mtab~2329
< 2 /etc/mtab~2330
< 2 /etc/mtab~2331
< 2 /etc/mtab~2332
< 2 /etc/mtab~2383
---
> 2 /etc/mtab~\$
> 2 /etc/mtab~\$
> 2 /etc/mtab~\$
> 2 /etc/mtab~\$
> 2 /etc/mtab~\$
> 2 /etc/mtab~\$
3338,3349c3338,3349
< allow_create /etc/mtab~2328
< allow_create /etc/mtab~2329
< allow_create /etc/mtab~2330
< allow_create /etc/mtab~2331
< allow_create /etc/mtab~2332
< allow_create /etc/mtab~2383
< allow_link /etc/mtab~2328 /etc/mtab~
< allow_link /etc/mtab~2329 /etc/mtab~
< allow_link /etc/mtab~2330 /etc/mtab~
< allow_link /etc/mtab~2331 /etc/mtab~
< allow_link /etc/mtab~2332 /etc/mtab~
< allow_link /etc/mtab~2383 /etc/mtab~
---
> allow_create /etc/mtab~\$
> allow_create /etc/mtab~\$
> allow_create /etc/mtab~\$
> allow_create /etc/mtab~\$
> allow_create /etc/mtab~\$
> allow_create /etc/mtab~\$
> allow_link /etc/mtab~\$ /etc/mtab~
> allow_link /etc/mtab~\$ /etc/mtab~
> allow_link /etc/mtab~\$ /etc/mtab~
> allow_link /etc/mtab~\$ /etc/mtab~
> allow_link /etc/mtab~\$ /etc/mtab~
> allow_link /etc/mtab~\$ /etc/mtab~
3351,3356c3351,3356
< allow_unlink /etc/mtab~2328
< allow_unlink /etc/mtab~2329
< allow_unlink /etc/mtab~2330
< allow_unlink /etc/mtab~2331
< allow_unlink /etc/mtab~2332
< allow_unlink /etc/mtab~2383
---
> allow_unlink /etc/mtab~\$
> allow_unlink /etc/mtab~\$
> allow_unlink /etc/mtab~\$
> allow_unlink /etc/mtab~\$
> allow_unlink /etc/mtab~\$
> allow_unlink /etc/mtab~\$
3439,3440c3439,3440
< 2 /etc/mtab~2302
< 2 /etc/mtab~2339
---
> 2 /etc/mtab~\$
> 2 /etc/mtab~\$
3443,3446c3443,3446
< allow_create /etc/mtab~2302
< allow_create /etc/mtab~2339
< allow_link /etc/mtab~2302 /etc/mtab~
< allow_link /etc/mtab~2339 /etc/mtab~
---
> allow_create /etc/mtab~\$
> allow_create /etc/mtab~\$
> allow_link /etc/mtab~\$ /etc/mtab~
> allow_link /etc/mtab~\$ /etc/mtab~
3449,3450c3449,3450
< allow_unlink /etc/mtab~2302
< allow_unlink /etc/mtab~2339
---
> allow_unlink /etc/mtab~\$
> allow_unlink /etc/mtab~\$

Update the domain policy on the disk.

[root@sakura ~]# cat /etc/ccs/domain_policy.tmp > /etc/ccs/domain_policy.txt

Load the domain policy on the disk into the kernel.

[root@sakura ~]# loadpolicy df

Confirm that the domain policy currently in the kernel is updated.

[root@sakura ~]# findtemp < /proc/ccs/policy/domain_policy
/etc/mtab.tmp
/etc/mtab~
/halt
/selinux/disable
/selinux/enforce
/selinux/policyvers
/var/cache/samba/browse.dat.
/var/lib/nfs/etab.tmp
/var/lib/nfs/xtab.tmp
/var/lock/mrtg/mrtg_l

Patterning Network Access Permissions

Some programs (for example, portmap) request privileged local ports (port numbers below 1024) at random, so accept mode alone cannot reveal every local port such a program might use. Run such programs several times in accept mode, estimate the range of local ports they request, and grant network access permissions for that range.
An example is shown below. Don't copy these permissions as they are, because the range may vary between distributions and configurations.

<kernel> /sbin/portmap
use_profile 7
allow_bind TCP/0
allow_bind TCP/111
allow_bind TCP/600-1023
allow_bind UDP/0
allow_bind UDP/111
allow_bind UDP/600-1023
allow_connect UDP/32768-65535
allow_connect UDP/600-1023

<kernel> /sbin/rpc.statd
use_profile 7
allow_bind TCP/0
allow_bind TCP/600-1023
allow_bind UDP/0
allow_bind UDP/600-1023
allow_connect UDP/111

<kernel> /usr/sbin/rpc.mountd
use_profile 7
allow_bind TCP/0
allow_bind TCP/600-1023
allow_bind UDP/0
allow_bind UDP/600-1023
allow_connect UDP/111

<kernel> /usr/sbin/rpc.nfsd
use_profile 7
allow_capability inet_tcp_create
allow_capability use_inet_udp
allow_connect UDP/111
allow_connect UDP/32768-65535

<kernel> /usr/sbin/rpc.rquotad
use_profile 7
allow_bind TCP/600-1023
allow_bind UDP/600-1023
allow_connect UDP/111

<kernel> /usr/sbin/rpcinfo
use_profile 7
allow_bind UDP/600-1023
allow_connect UDP/111
allow_connect UDP/2049

<kernel> /usr/sbin/xinetd
use_profile 7
allow_bind TCP/0
allow_bind UDP/69
allow_bind UDP/600-1023
allow_connect UDP/111

If you don't need services such as NFS or NIS that require RPC, you should disable them.
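The "run it several times and estimate the range" step above can be made systematic. The following is an added example (not a TOMOYO tool and not from the manual) with one assumed heuristic: a port that is bound in every run is a fixed, well-known port and is kept as a single entry, while ports that differ from run to run are collapsed into one min-max range per protocol. The observations are constructed sample data in the form "RUN PROTO PORT"; on a real system you would collect the allow_bind lines from the domain after each run.

```shell
#!/bin/sh
# Added example: collapse accept-mode bind observations into range ACLs.
# Constructed sample data (three runs of a portmap-like program); not from
# a real system.
OBSERVED='1 TCP 111
1 TCP 734
1 UDP 111
1 UDP 812
2 TCP 111
2 TCP 618
2 UDP 111
2 UDP 1001
3 TCP 111
3 TCP 990
3 UDP 111
3 UDP 700'

# summarize_binds: read "RUN PROTO PORT" lines on stdin and print allow_bind
# lines. Heuristic (an assumption of this example): a port seen in every run
# is fixed and kept as-is; varying ports become one min-max range per protocol.
summarize_binds() {
    awk '
    {
        runs[$1] = 1
        key = $2 "/" $3
        if (!((key, $1) in seen)) { seen[key, $1] = 1; cnt[key]++ }
        proto[key] = $2
        port[key] = $3 + 0
    }
    END {
        nruns = 0
        for (r in runs) nruns++
        for (k in cnt) {
            p = proto[k]; n = port[k]
            if (cnt[k] == nruns) {
                print "allow_bind " p "/" n          # bound in every run: fixed port
            } else {
                if (!(p in lo) || n < lo[p]) lo[p] = n
                if (!(p in hi) || n > hi[p]) hi[p] = n
            }
        }
        for (p in lo) print "allow_bind " p "/" lo[p] "-" hi[p]
    }' | sort -t/ -k1,1 -k2,2n
}

printf '%s\n' "$OBSERVED" | summarize_binds
```

The observed range is the narrowest one consistent with the runs you made; as the manual says, the real program may pick ports outside it, so widen the range (the page's own examples use 600-1023) and expect to revisit it if enforce mode later rejects a bind.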

Similarly, make patterns for "allow_network" directives. Don't copy the following permissions as they are.

Before
<kernel> /usr/sbin/sshd
use_profile 7
allow_network TCP accept 0:0:0:0:0:0:0:1 43768
allow_network TCP accept 0:0:0:0:0:ffff:a00:1 35086
allow_network TCP accept 0:0:0:0:0:ffff:a00:a1 47590
allow_network TCP accept 10.0.0.10 56709
allow_network TCP accept 10.0.0.200 16384
After
<kernel> /usr/sbin/sshd
use_profile 7
allow_network TCP accept 0:0:0:0:0:0:0:1 1024-65535
allow_network TCP accept 0:0:0:0:0:ffff:a00:1-0:0:0:0:0:ffff:a00:ff 1024-65535
allow_network TCP accept 10.0.0.1-10.0.0.255 1024-65535

Add conditions to ACLs

You can add conditions to individual ACLs if necessary. This feature lets you apply access control based on the user ID of the requesting process.

To protect a non-anonymous FTP service, adding conditions in the following manner forbids access to directories outside the user's own home directory. To limit the damage if the service is compromised, it is recommended that you expose only a specific subdirectory (such as "ftp") rather than the whole home directory. If you use vsftpd, the policy can be written as follows.

Before
<kernel> /usr/sbin/vsftpd
use_profile 3

6 /home/\*/ftp/\*
6 /home/\*/ftp/\*/\*
6 /home/\*/ftp/\*/\*/\*
6 /home/\*/ftp/\*/\*/\*/\*

allow_mkdir /home/\*/ftp/\*/
allow_mkdir /home/\*/ftp/\*/\*/
allow_mkdir /home/\*/ftp/\*/\*/\*/

allow_rmdir /home/\*/ftp/\*/
allow_rmdir /home/\*/ftp/\*/\*/
allow_rmdir /home/\*/ftp/\*/\*/\*/

allow_create /home/\*/ftp/\*
allow_create /home/\*/ftp/\*/\*
allow_create /home/\*/ftp/\*/\*/\*
allow_create /home/\*/ftp/\*/\*/\*/\*

allow_truncate /home/\*/ftp/\*
allow_truncate /home/\*/ftp/\*/\*
allow_truncate /home/\*/ftp/\*/\*/\*
allow_truncate /home/\*/ftp/\*/\*/\*/\*

allow_unlink /home/\*/ftp/\*
allow_unlink /home/\*/ftp/\*/\*
allow_unlink /home/\*/ftp/\*/\*/\*
allow_unlink /home/\*/ftp/\*/\*/\*/\*

allow_rename /home/\*/ftp/\* /home/\*/ftp/\*
allow_rename /home/\*/ftp/\*/\* /home/\*/ftp/\*/\*
allow_rename /home/\*/ftp/\*/\*/\* /home/\*/ftp/\*/\*/\*
allow_rename /home/\*/ftp/\*/\*/\*/\* /home/\*/ftp/\*/\*/\*/\*

allow_rename /home/\*/ftp/\*/ /home/\*/ftp/\*/
allow_rename /home/\*/ftp/\*/\*/ /home/\*/ftp/\*/\*/
allow_rename /home/\*/ftp/\*/\*/\*/ /home/\*/ftp/\*/\*/\*/
After
<kernel> /usr/sbin/vsftpd
use_profile 3

6 /home/\*/ftp/\* if task.uid=path1.uid
6 /home/\*/ftp/\*/\* if task.uid=path1.uid
6 /home/\*/ftp/\*/\*/\* if task.uid=path1.uid
6 /home/\*/ftp/\*/\*/\*/\* if task.uid=path1.uid

allow_mkdir /home/\*/ftp/\*/ if task.uid=path1.parent.uid
allow_mkdir /home/\*/ftp/\*/\*/ if task.uid=path1.parent.uid
allow_mkdir /home/\*/ftp/\*/\*/\*/ if task.uid=path1.parent.uid

allow_rmdir /home/\*/ftp/\*/ if task.uid=path1.uid
allow_rmdir /home/\*/ftp/\*/\*/ if task.uid=path1.uid
allow_rmdir /home/\*/ftp/\*/\*/\*/ if task.uid=path1.uid

allow_create /home/\*/ftp/\* if task.uid=path1.parent.uid
allow_create /home/\*/ftp/\*/\* if task.uid=path1.parent.uid
allow_create /home/\*/ftp/\*/\*/\* if task.uid=path1.parent.uid
allow_create /home/\*/ftp/\*/\*/\*/\* if task.uid=path1.parent.uid

allow_truncate /home/\*/ftp/\* if task.uid=path1.uid
allow_truncate /home/\*/ftp/\*/\* if task.uid=path1.uid
allow_truncate /home/\*/ftp/\*/\*/\* if task.uid=path1.uid
allow_truncate /home/\*/ftp/\*/\*/\*/\* if task.uid=path1.uid

allow_unlink /home/\*/ftp/\* if task.uid=path1.uid
allow_unlink /home/\*/ftp/\*/\* if task.uid=path1.uid
allow_unlink /home/\*/ftp/\*/\*/\* if task.uid=path1.uid
allow_unlink /home/\*/ftp/\*/\*/\*/\* if task.uid=path1.uid

allow_rename /home/\*/ftp/\* /home/\*/ftp/\* if task.uid=path1.parent.uid task.uid=path2.parent.uid
allow_rename /home/\*/ftp/\*/\* /home/\*/ftp/\*/\* if task.uid=path1.parent.uid task.uid=path2.parent.uid
allow_rename /home/\*/ftp/\*/\*/\* /home/\*/ftp/\*/\*/\* if task.uid=path1.parent.uid task.uid=path2.parent.uid
allow_rename /home/\*/ftp/\*/\*/\*/\* /home/\*/ftp/\*/\*/\*/\* if task.uid=path1.parent.uid task.uid=path2.parent.uid

allow_rename /home/\*/ftp/\*/ /home/\*/ftp/\*/ if task.uid=path1.parent.uid task.uid=path2.parent.uid
allow_rename /home/\*/ftp/\*/\*/ /home/\*/ftp/\*/\*/ if task.uid=path1.parent.uid task.uid=path2.parent.uid
allow_rename /home/\*/ftp/\*/\*/\*/ /home/\*/ftp/\*/\*/\*/ if task.uid=path1.parent.uid task.uid=path2.parent.uid

To protect the Samba service, adding conditions in the following manner forbids access to directories outside the user's own home directory. To limit the damage if the service is compromised, it is recommended that you expose only a specific subdirectory (such as "samba") rather than the whole home directory.

Before
<kernel> /usr/sbin/smbd
use_profile 3

6 /home/\*/samba/\*
6 /home/\*/samba/\*/\*
6 /home/\*/samba/\*/\*/\*
6 /home/\*/samba/\*/\*/\*/\*

allow_mkdir /home/\*/samba/\*/
allow_mkdir /home/\*/samba/\*/\*/
allow_mkdir /home/\*/samba/\*/\*/\*/

allow_rmdir /home/\*/samba/\*/
allow_rmdir /home/\*/samba/\*/\*/
allow_rmdir /home/\*/samba/\*/\*/\*/

allow_create /home/\*/samba/\*
allow_create /home/\*/samba/\*/\*
allow_create /home/\*/samba/\*/\*/\*
allow_create /home/\*/samba/\*/\*/\*/\*

allow_truncate /home/\*/samba/\*
allow_truncate /home/\*/samba/\*/\*
allow_truncate /home/\*/samba/\*/\*/\*
allow_truncate /home/\*/samba/\*/\*/\*/\*

allow_unlink /home/\*/samba/\*
allow_unlink /home/\*/samba/\*/\*
allow_unlink /home/\*/samba/\*/\*/\*
allow_unlink /home/\*/samba/\*/\*/\*/\*

allow_rename /home/\*/samba/\* /home/\*/samba/\*
allow_rename /home/\*/samba/\*/\* /home/\*/samba/\*/\*
allow_rename /home/\*/samba/\*/\*/\* /home/\*/samba/\*/\*/\*
allow_rename /home/\*/samba/\*/\*/\*/\* /home/\*/samba/\*/\*/\*/\*

allow_rename /home/\*/samba/\*/ /home/\*/samba/\*/
allow_rename /home/\*/samba/\*/\*/ /home/\*/samba/\*/\*/
allow_rename /home/\*/samba/\*/\*/\*/ /home/\*/samba/\*/\*/\*/
After
<kernel> /usr/sbin/smbd
use_profile 3

6 /home/\*/samba/\* if task.euid=path1.uid
6 /home/\*/samba/\*/\* if task.euid=path1.uid
6 /home/\*/samba/\*/\*/\* if task.euid=path1.uid
6 /home/\*/samba/\*/\*/\*/\* if task.euid=path1.uid

allow_mkdir /home/\*/samba/\*/ if task.euid=path1.parent.uid
allow_mkdir /home/\*/samba/\*/\*/ if task.euid=path1.parent.uid
allow_mkdir /home/\*/samba/\*/\*/\*/ if task.euid=path1.parent.uid

allow_rmdir /home/\*/samba/\*/ if task.euid=path1.uid
allow_rmdir /home/\*/samba/\*/\*/ if task.euid=path1.uid
allow_rmdir /home/\*/samba/\*/\*/\*/ if task.euid=path1.uid

allow_create /home/\*/samba/\* if task.euid=path1.parent.uid
allow_create /home/\*/samba/\*/\* if task.euid=path1.parent.uid
allow_create /home/\*/samba/\*/\*/\* if task.euid=path1.parent.uid
allow_create /home/\*/samba/\*/\*/\*/\* if task.euid=path1.parent.uid

allow_truncate /home/\*/samba/\* if task.euid=path1.uid
allow_truncate /home/\*/samba/\*/\* if task.euid=path1.uid
allow_truncate /home/\*/samba/\*/\*/\* if task.euid=path1.uid
allow_truncate /home/\*/samba/\*/\*/\*/\* if task.euid=path1.uid

allow_unlink /home/\*/samba/\* if task.euid=path1.uid
allow_unlink /home/\*/samba/\*/\* if task.euid=path1.uid
allow_unlink /home/\*/samba/\*/\*/\* if task.euid=path1.uid
allow_unlink /home/\*/samba/\*/\*/\*/\* if task.euid=path1.uid

allow_rename /home/\*/samba/\* /home/\*/samba/\* if task.euid=path1.parent.uid task.euid=path2.parent.uid
allow_rename /home/\*/samba/\*/\* /home/\*/samba/\*/\* if task.euid=path1.parent.uid task.euid=path2.parent.uid
allow_rename /home/\*/samba/\*/\*/\* /home/\*/samba/\*/\*/\* if task.euid=path1.parent.uid task.euid=path2.parent.uid
allow_rename /home/\*/samba/\*/\*/\*/\* /home/\*/samba/\*/\*/\*/\* if task.euid=path1.parent.uid task.euid=path2.parent.uid

allow_rename /home/\*/samba/\*/ /home/\*/samba/\*/ if task.euid=path1.parent.uid task.euid=path2.parent.uid
allow_rename /home/\*/samba/\*/\*/ /home/\*/samba/\*/\*/ if task.euid=path1.parent.uid task.euid=path2.parent.uid
allow_rename /home/\*/samba/\*/\*/\*/ /home/\*/samba/\*/\*/\*/ if task.euid=path1.parent.uid task.euid=path2.parent.uid

To protect the SSH service, adding conditions in the following manner forbids login as user "root".

Before
<kernel> /usr/sbin/sshd
use_profile 3

1 /bin/bash
After
<kernel> /usr/sbin/sshd
use_profile 3

1 /bin/bash if task.uid!=0 task.euid!=0
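The three conditional policies above share one evaluation rule: once the pathname part of an ACL has matched, every space-separated condition in its "if" clause must hold, and the ACL grants nothing otherwise. The following added example (a model written for this page, not TOMOYO's own implementation) makes that rule explicit. The request attributes (task.uid, path1.parent.uid and so on) are supplied as shell variables with constructed values, and the pathname match is assumed to have already succeeded; the model fails closed on an unknown attribute or a malformed condition.

```shell
#!/bin/sh
# Added example: evaluate the "if" clause of a TOMOYO 1.x ACL against a
# request described by shell variables. Constructed values only; the real
# kernel reads these attributes from the task and the inodes involved.

# attr NAME: resolve an attribute name from the "if" clause to its value.
# Anything that is not a known attribute is taken as a literal (e.g. "0").
attr() {
    case $1 in
    task.uid)         printf '%s\n' "$TASK_UID" ;;
    task.euid)        printf '%s\n' "$TASK_EUID" ;;
    path1.uid)        printf '%s\n' "$PATH1_UID" ;;
    path1.parent.uid) printf '%s\n' "$PATH1_PARENT_UID" ;;
    path2.uid)        printf '%s\n' "$PATH2_UID" ;;
    path2.parent.uid) printf '%s\n' "$PATH2_PARENT_UID" ;;
    *)                printf '%s\n' "$1" ;;
    esac
}

# cond_holds 'COND [COND...]': true only if every condition holds.
cond_holds() {
    for c in $1; do
        case $c in
        *!=*) op='!='; l=${c%%!=*}; r=${c#*!=} ;;
        *=*)  op='=';  l=${c%%=*};  r=${c#*=} ;;
        *)    return 1 ;;                       # malformed condition: deny
        esac
        lv=$(attr "$l"); rv=$(attr "$r")
        [ -n "$lv" ] && [ -n "$rv" ] || return 1   # unknown value: deny
        [ "$lv" "$op" "$rv" ] || return 1
    done
    return 0
}

# decide ACL_LINE: print "allow" if the ACL applies to the current request
# (its condition holds, or it has none), "deny" otherwise.
decide() {
    case $1 in
    *" if "*) if cond_holds "${1#* if }"; then echo allow; else echo deny; fi ;;
    *)        echo allow ;;
    esac
}

# Scenario 1: a vsftpd process for uid 1000 creates a file under a directory
# owned by uid 1000. allow_create checks the parent because the file itself
# does not exist yet.
TASK_UID=1000 TASK_EUID=1000 PATH1_PARENT_UID=1000 PATH2_PARENT_UID=1000
decide 'allow_create /home/\*/ftp/\* if task.uid=path1.parent.uid'   # allow

# Scenario 2: the same process renames a file into a directory owned by
# someone else; both parent conditions must hold, so the second one fails.
PATH2_PARENT_UID=1001
decide 'allow_rename /home/\*/ftp/\* /home/\*/ftp/\* if task.uid=path1.parent.uid task.uid=path2.parent.uid'   # deny

# Scenario 3: sshd spawning a shell for root is refused, for an ordinary
# user it is allowed.
TASK_UID=0 TASK_EUID=0
decide '1 /bin/bash if task.uid!=0 task.euid!=0'   # deny
TASK_UID=1000 TASK_EUID=1000
decide '1 /bin/bash if task.uid!=0 task.euid!=0'   # allow
```

The difference between the create and unlink lines in the vsftpd policy follows from this model: "allow_create" and "allow_mkdir" compare against path1.parent.uid because the new object has no owner yet, while "allow_unlink", "allow_rmdir" and "allow_truncate" compare against path1.uid, the owner of the object that already exists.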

Updating software

You may need to adjust policies due to software updates and configuration changes. To adjust policy, see TOMOYO Linux Maintenance manual.