Info: Version 1.5.x is available.

How to use Policy Editor

Last modified: 2011-07-01 13:55:23 +0900 (Fri, 01 Jul 2011)

Common Operations

(0) Before you use this editor

TOMOYO Linux includes a CUI based Policy Editor.

Before you use this editor, you need to register either "the domainname that this editor belongs to" or "the pathname of this editor (usually /root/ccstools/editpolicy)" with /proc/ccs/policy/manager.

You can start this editor by typing "editpolicy" at the prompt.

(1) To quit policy editor

Press "Q" key to quit.

(2) To refresh the contents

Press "R" key.

(3) To move cursor in a vertical direction

Press "Up-Arrow"/"Down-Arrow" keys or "PageUp"/"PageDown" keys.

(4) To scroll screen in a horizontal direction

Press "Left-Arrow"/"Right-Arrow" keys or "Home"/"End" keys.

(5) To search strings

To start searching, press the "F" key, enter the string to search for, and press the "Enter" key.
[Screenshot: Find First]

To continue searching in forward direction, press "N" key.

To continue searching in backward direction, press "P" key.

(6) To switch screen

The policy editor has 4 screens.

(1) Screen for editing domain transition tree
(2) Screen for editing system policy
(3) Screen for editing exception policy
(4) Screen for editing specific domain's policy

The screen changes in (1)->(2)->(3)->(1) order by pressing "Tab" key.

The screen (1) changes to (4) by pressing "Enter" key.

The screen (4) changes to (1) by pressing either the "Enter" or the "Tab" key.

[Screenshot of domain transition tree: Screen for Domain List]

[Screenshot of system policy: Screen for System Policy]

[Screenshot of exception policy: Screen for Exception Policy]

[Screenshot of specific domain's policy: Screen for Domain Policy]

(7) To add an entry

To add an entry, press the "A" key, enter the string to add, and press the "Enter" key. The strings you entered are saved in the history buffer, and you can see them by pressing the "Insert" key. To load a string from the history buffer, press the "Up-Arrow"/"Down-Arrow" keys.

[Screenshot: An example operation in domain transition tree (Adding an entry into  List)]

[Screenshot: An example operation in system policy (Adding System Policy)]

[Screenshot: An example operation in exception policy (Adding Exception Policy)]

[Screenshot: An example operation in specific domain's policy (Adding Domain Policy)]

(8) To select an entry

Move the cursor to the entry you want to select and then press the "Space" key. When an entry is selected, an "&" mark appears at the top of the line.
[Screenshot: Selecting an entry]

To unselect an entry, press the "Space" key again. When an entry is unselected, the "&" mark disappears.

(9) To select entries collectively

The selection state (the "&" mark at the top of the line) of the cursor line is copied to all entries below the cursor line by pressing the "C" key.
[Screenshot: Copying selection state]

To select a specific range, mark "&" on the first entry of the range and press the "C" key, then unmark "&" on the entry just after the last entry of the range and press the "C" key again.

(10) To delete an entry

Mark "&" on the entries you want to delete and press the "D" key. Press the "Y" key at the confirmation message, and the entries will be deleted.
[Screenshot: Deleting selected entries]

Operations specific to screen for editing domain transition tree

(0) About this screen

This screen shows all domains and their transitions as an indented tree structure. You can see the possible domain transitions using this screen.

The "profile number" of the domain is shown to the right of the "line number". The last "pathname of program" in the domainname is shown to the right of the "profile number". The "#", "*" and "!" marks may be shown between the "profile number" and the last "pathname of program", depending on the attributes of the domain.

(1) To change "profile number" of a domain

Select the domains whose "profile number" you want to change and press the "S" key. Enter the "profile number" at the prompt and press the "Enter" key.
[Screenshot: Setting profile number]

(2) About domains with "!" mark

A domain with the "!" mark is unreachable due to either an "initialize_domain" or a "keep_domain" directive. The reason is shown to the right of the last "pathname of program".
[Screenshot: Unreachable Domain]

(3) About domains with "*" mark

A domain with the "*" mark means that processes in multiple domains might transit to this domain due to an "initialize_domain" directive. A domain without the "*" mark is entered only from the domain's parent domain.
[Screenshot: Initialization Target]

(4) About domains with "#" mark

A domain with the "#" mark means that multiple programs might belong to this domain (a domain transition may not occur when a program is invoked) due to a "keep_domain" directive.
[Screenshot: Keeping Domain]

(5) About domains with "( -> "line number" )" after the last "pathname of program"

This is not a real domain. Because the last "pathname of program" is registered with an "initialize_domain" directive, a process transits to the domain at "line number" when this program is invoked from the parent domain.
[Screenshot: Initialization Source]

(6) About domains with "( -> Not Found )" after the last "pathname of program"

This is not a real domain. Although the last "pathname of program" is registered with an "initialize_domain" directive, the destination domain has not been created yet.
[Screenshot: No Initialization Target]

(7) About domains with "( the last "pathname of program" )"

This means that this domain no longer exists because it was deleted. Such a domain is displayed when the parent domain does not exist but descendant domains do, so that the indentation is not broken. To create this domain, move the cursor to it and press the "Insert" -> "A" -> "UpArrow" -> "Enter" keys.
[Screenshot: Deleted Domain]

(8) To initialize domain transition

TOMOYO Linux in principle transits domains whenever a program is invoked, and the next domain differs if the previous domain differs, even when the two domains invoke the same program. But it is convenient for some programs, such as daemons, to run in the same domain regardless of the previous domain. In such cases, you can make such programs run directly under the "<kernel>" domain regardless of the previous domain by using the "initialize_domain" and "no_initialize_domain" directives.

For example, the following procedure makes /usr/sbin/sendmail.sendmail always run in the "<kernel> /usr/sbin/sendmail.sendmail" domain.

Before you specify the "initialize_domain" directive, the same program is invoked from multiple domains, as shown below.
[Screenshots: Before initialize_domain]

Switch to the screen for editing exception policy. Press the "A" key, enter "initialize_domain /usr/sbin/sendmail.sendmail" and press the "Enter" key. This entry means "transit to the "<kernel> /usr/sbin/sendmail.sendmail" domain if /usr/sbin/sendmail.sendmail is invoked".
[Screenshot: Adding initialize_domain]

Return to the screen for editing domain transition tree. The domains for /usr/sbin/sendmail.sendmail are now marked with "!". Also, entries with "( -> Not Found )" appear because the destination domain ("<kernel> /usr/sbin/sendmail.sendmail") doesn't exist yet.
[Screenshot: After initialize_domain]

To correct the "( -> Not Found )" part, press the "A" key, enter "<kernel> /usr/sbin/sendmail.sendmail" and press the "Enter" key.
[Screenshot: Adding initialization target]

Now the "( -> Not Found )" part has changed to "( -> "line number" )".
[Screenshots: After initialize_domain target / Added initialization target]

But for /usr/sbin/sendmail.sendmail invoked by /bin/mail, you may not want to transit to the "<kernel> /usr/sbin/sendmail.sendmail" domain, because in that case it is not invoked as a daemon.
[Screenshot: Before no_initialize_domain]

In such a case, switch to the screen for editing exception policy. Press the "A" key, enter "no_initialize_domain /usr/sbin/sendmail.sendmail from /bin/mail" and press the "Enter" key. This entry means "don't transit to the "<kernel> /usr/sbin/sendmail.sendmail" domain if /usr/sbin/sendmail.sendmail is invoked by a domain whose last "pathname of program" is "/bin/mail"".
[Screenshot: Adding no_initialize_domain]

Return to the screen for editing domain transition tree. The domains for /usr/sbin/sendmail.sendmail invoked by /bin/mail are no longer marked with "!".
[Screenshot: After no_initialize_domain]

(9) To suppress domain transition

TOMOYO Linux in principle transits domains whenever a program is invoked. But it is convenient for some programs to keep running in the same domain. In such cases, you can suppress domain transitions by using the "keep_domain" and "no_keep_domain" directives.

For example, the following procedure makes the console login domain ( "<kernel> /sbin/mingetty /bin/login /bin/bash" ) suppress domain transitions.

Before you specify the "keep_domain" directive, domain transitions occur, as shown below.
[Screenshot: Before keep_domain]

Switch to the screen for editing exception policy. Press the "A" key, enter "keep_domain <kernel> /sbin/mingetty /bin/login /bin/bash" and press the "Enter" key.
[Screenshot: Adding keep_domain]

Return to the screen for editing domain transition tree. The "<kernel> /sbin/mingetty /bin/login /bin/bash" domain is marked with "#" and its descendant domains are marked with "!".
[Screenshot: After keep_domain]

The "man" command is invoked after login. But the "man" command performs some complicated tasks, so let's run "man" in a different domain.
[Screenshot: Before no_keep_domain]

Switch to the screen for editing exception policy. Press the "A" key, enter "no_keep_domain /usr/bin/man from /bin/bash" (or "no_keep_domain /usr/bin/man from <kernel> /sbin/mingetty /bin/login /bin/bash") and press the "Enter" key.
[Screenshot: Adding no_keep_domain]

Return to the screen for editing domain transition tree. Now the "<kernel> /sbin/mingetty /bin/login /bin/bash /usr/bin/man" domain and its descendants are no longer marked with "!".
[Screenshot: After no_keep_domain]

Some commands are invoked by the "/usr/bin/man" command, but it is not worth doing domain transitions for them. So, let's make /usr/bin/man keep its domain. Switch to the screen for editing exception policy. Press the "A" key, enter "keep_domain /usr/bin/man" (or "keep_domain <kernel> /sbin/mingetty /bin/login /bin/bash /usr/bin/man") and press the "Enter" key.
[Screenshot: Adding keep_domain]

Return to the screen for editing domain transition tree. The "<kernel> /sbin/mingetty /bin/login /bin/bash /usr/bin/man" domain is marked with "#" and its descendant domains are marked with "!".
[Screenshot: After keep_domain]

It is meaningless to keep unreachable domains, so let's delete them. Select the domains that are marked with "!", press the "D" key and then the "Y" key.
[Screenshot: Before deleting unreachable domains]

The following is the screen for editing domain transition tree after deleting the unreachable domains.
[Screenshot: After deleting unreachable domains]

If you are going to apply access restrictions, be sure to use "learning mode" first to add the necessary ACLs, and only then assign a profile for "enforce mode" to enforce them.
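The transition rules that sections (8) and (9) walk through in the editor can be checked offline with the following Python model, which is an added example and not code from TOMOYO Linux or its tools. It assumes that a "from" part (or a keep_domain target) names a whole domain when it starts with "<kernel>" and only the last "pathname of program" otherwise, that a matching "no_" entry cancels a matching positive entry, and that initialize_domain is tested before keep_domain; the sample policy is constructed from the entries added above.

```python
def parse_exception_policy(text):
    """Exception policy text -> (initializers, keepers) of (is_not, domain_spec, program)."""
    initializers, keepers = [], []
    for line in filter(None, text.splitlines()):
        directive, _, rest = line.partition(" ")
        target, _, origin = rest.partition(" from ")
        is_not = directive.startswith("no_")
        if directive.endswith("initialize_domain"):
            # "[no_]initialize_domain PROGRAM [from DOMAIN]"
            initializers.append((is_not, origin or None, target))
        elif directive.endswith("keep_domain"):
            # "[no_]keep_domain DOMAIN" or "[no_]keep_domain PROGRAM from DOMAIN"
            keepers.append((is_not, origin or target, target if origin else None))
    return initializers, keepers

def _domain_matches(spec, domain):
    # Assumption: a spec starting with "<kernel>" names a whole domain; any other
    # spec names only the last "pathname of program" (the page shows both forms).
    return spec == domain if spec.startswith("<kernel>") else spec == domain.split()[-1]

def _listed(entries, domain, program):
    """True if an entry matches and no matching "no_" entry cancels it."""
    flag = False
    for is_not, dom_spec, prog in entries:
        if dom_spec is not None and not _domain_matches(dom_spec, domain):
            continue
        if prog is not None and prog != program:
            continue
        if is_not:
            return False
        flag = True
    return flag

def next_domain(policy, domain, program):
    """Domain entered when a process in `domain` executes `program`."""
    initializers, keepers = policy
    if _listed(initializers, domain, program):
        return "<kernel> " + program   # initialize_domain: restart under <kernel>
    if _listed(keepers, domain, program):
        return domain                  # keep_domain: "#" domain, no transition
    return domain + " " + program      # default: append the program's pathname

POLICY = parse_exception_policy("""
initialize_domain /usr/sbin/sendmail.sendmail
no_initialize_domain /usr/sbin/sendmail.sendmail from /bin/mail
keep_domain <kernel> /sbin/mingetty /bin/login /bin/bash
no_keep_domain /usr/bin/man from /bin/bash
keep_domain /usr/bin/man
""")  # constructed sample: the entries added in sections (8) and (9)
LOGIN = "<kernel> /sbin/mingetty /bin/login /bin/bash"

if __name__ == "__main__":
    print(next_domain(POLICY, LOGIN, "/usr/bin/man"))  # -> LOGIN + " /usr/bin/man"
```

Domains that next_domain never returns for any program are the ones the editor marks with "!", which is the set section (9) ends by deleting.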
