
How to use Policy Editor

Last modified: 2011-07-01 13:55:23 +0900 (Fri, 01 Jul 2011)

Common Operations

(0) Before you use this editor

TOMOYO Linux includes a CUI based Policy Editor.

Before you use this editor, you need to register either "the domainname that this editor belongs to" or "the pathname of this editor (usually /usr/lib/ccs/editpolicy)" with /proc/ccs/manager; otherwise the kernel will not accept policy updates from it.

You can start this editor by typing "/usr/sbin/ccs-editpolicy" at the prompt.

(1) To quit policy editor

Press the "Q" key to quit.

(2) To refresh the contents

Press the "R" key.

(3) To move cursor in a vertical direction

Press "Up-Arrow"/"Down-Arrow" keys or "PageUp"/"PageDown" keys.

(4) To scroll screen in a horizontal direction

Press "Left-Arrow"/"Right-Arrow" keys or "Home"/"End" keys.

(5) To switch screen

The policy editor has 7 screens. Press the "W" key to show the window list.
[Screenshot: Window List]

The screen for editing system policy appears if you press the "S" key from the window list screen.
[Screenshot: Screen for System Policy]

The screen for editing exception policy appears if you press the "E" key from the window list screen.
[Screenshot: Screen for Exception Policy]

The screen for editing the domain transition tree appears if you press the "D" key from the window list screen.
[Screenshot: Screen for Domain List]

The screen for editing a specific domain's policy appears if you press the "A" key from the window list screen.
[Screenshot: Screen for Domain Policy]

The screen for editing profiles appears if you press the "P" key from the window list screen.
[Screenshot: Screen for Profile List]

The screen for editing managers appears if you press the "M" key from the window list screen.
[Screenshot: Screen for Manager List]

The screen for browsing memory usage appears if you press the "U" key from the window list screen.
[Screenshot: Screen for Memory Usage]

(6) To search strings

To start searching, press the "F" key, enter the string to search for, and press the "Enter" key.
[Screenshot: Find First]

To continue searching in the forward direction, press the "N" key.

To continue searching in the backward direction, press the "P" key.

(7) To add an entry

To add an entry, press the "A" key, enter the string to add, and press the "Enter" key. The strings you enter are saved in a history buffer, which you can view by pressing the "Insert" key. To load a string from the history buffer, press the "Up-Arrow"/"Down-Arrow" keys.

An example operation in the domain transition tree:
[Screenshot: Adding an entry in the domain transition tree]

An example operation in the system policy:
[Screenshot: Adding System Policy]

An example operation in the exception policy:
[Screenshot: Adding Exception Policy]

An example operation in a specific domain's policy:
[Screenshot: Adding Domain Policy]

(8) To select an entry

Move the cursor to the entry you want to select and press the "Space" key. When an entry is selected, an "&" mark appears at the start of the line.
[Screenshot: Selecting an entry]

To unselect an entry, press the "Space" key again. When an entry is unselected, the "&" mark disappears.

(9) To select entries collectively

Pressing the "C" key copies the selection state (the "&" mark at the start of the line) of the cursor line to all entries below the cursor line.
[Screenshot: Copying selection state]

To select a specific range, mark "&" on the first entry of the range and press the "C" key; then unmark "&" on the entry just after the last entry of the range and press the "C" key again.

(10) To delete an entry

Mark "&" on the entries you want to delete and press the "D" key. Press the "Y" key at the confirmation message and the entries will be deleted.
[Screenshot: Deleting selected entries]

Operations specific to screen for editing domain transition tree

(0) About this screen

This screen shows all domains and their transitions as an indented tree, so you can see the possible domain transitions at a glance.

The "profile number" of the domain is shown to the right of the "line number". The last "pathname of program" in the domainname is shown to the right of the "profile number". The "#", "*" and "!" marks may appear between the "profile number" and the last "pathname of program", depending on the attributes of the domain.

(1) To change "profile number" of a domain

Select the domains whose "profile number" you want to change and press the "S" key. Enter the "profile number" at the prompt and press the "Enter" key.
[Screenshot: Setting profile number]

(2) About domains with "!" mark

A domain with the "!" mark is unreachable because of either an "initialize_domain" or a "keep_domain" directive. The reason is shown to the right of the last "pathname of program".
[Screenshot: Unreachable Domain]

(3) About domains with "*" mark

A domain with the "*" mark may be entered from multiple domains because of an "initialize_domain" directive. A domain without the "*" mark is entered only from its parent domain.
[Screenshot: Initialization Target]

(4) About domains with "#" mark

A domain with the "#" mark may contain multiple programs because of a "keep_domain" directive: a domain transition does not occur when a program is invoked from it.
[Screenshot: Keeping Domain]

(5) About domains with "( -> "line number" )" after the last "pathname of program"

This is not a real domain. Because the last "pathname of program" is registered with an "initialize_domain" directive, a process that invokes this program from the parent domain transits to the domain at "line number" instead.
[Screenshot: Initialization Source]

(6) About domains with "( -> Not Found )" after the last "pathname of program"

This is not a real domain. Although the last "pathname of program" is registered with an "initialize_domain" directive, the destination domain has not been created yet.
[Screenshot: No Initialization Target]

(7) About domains with "( the last "pathname of program" )"

This means that the domain no longer exists because it was deleted. It is shown when the parent domain does not exist but descendant domains do, so that the indentation is not broken. To create this domain, move the cursor to it and press the "Insert" -> "A" -> "UpArrow" -> "Enter" keys.
[Screenshot: Deleted Domain]

(8) To initialize domain transition

In principle, TOMOYO Linux transits to a new domain whenever a program is invoked, and the next domain differs if the previous domain differs, even when both domains invoke the same program. For some programs, such as daemons, it is convenient to run in the same domain regardless of the previous domain. In such cases, the "initialize_domain" and "no_initialize_domain" directives let you run those programs directly under the "<kernel>" domain regardless of the previous domain.

For example, the following procedure makes /usr/sbin/sendmail.sendmail always run in the "<kernel> /usr/sbin/sendmail.sendmail" domain.

Before you specify the "initialize_domain" directive, the same program is invoked from multiple domains, as shown below.
[Screenshot: Before initialize_domain]

Switch to the screen for editing exception policy. Press the "A" key, enter "initialize_domain /usr/sbin/sendmail.sendmail" and press the "Enter" key. This entry means "transit to the "<kernel> /usr/sbin/sendmail.sendmail" domain if /usr/sbin/sendmail.sendmail is invoked".
[Screenshot: Adding initialize_domain]

Return to the screen for editing the domain transition tree. The domains for /usr/sbin/sendmail.sendmail are now marked with "!". Domains with "( -> Not Found )" also appear, because the destination domain ("<kernel> /usr/sbin/sendmail.sendmail") does not exist yet.
[Screenshot: After initialize_domain]

To fix the "( -> Not Found )" part, press the "A" key, enter "<kernel> /usr/sbin/sendmail.sendmail" and press the "Enter" key.
[Screenshot: Adding initialization target]

Now the "( -> Not Found )" part has changed to "( -> "line number" )".
[Screenshot: After adding initialization target]

However, when /usr/sbin/sendmail.sendmail is invoked by /bin/mail, you may prefer not to transit to the "<kernel> /usr/sbin/sendmail.sendmail" domain, because in that case it is not running as a daemon.
[Screenshot: Before no_initialize_domain]

In such a case, switch to the screen for editing exception policy. Press the "A" key, enter "no_initialize_domain /usr/sbin/sendmail.sendmail from /bin/mail" and press the "Enter" key. This entry means "don't transit to the "<kernel> /usr/sbin/sendmail.sendmail" domain if /usr/sbin/sendmail.sendmail is invoked by a domain whose last "pathname of program" is "/bin/mail"".
[Screenshot: Adding no_initialize_domain]

Return to the screen for editing the domain transition tree. The domains for /usr/sbin/sendmail.sendmail invoked by /bin/mail are no longer marked with "!".
[Screenshot: After no_initialize_domain]

(9) To suppress domain transition

In principle, TOMOYO Linux transits to a new domain whenever a program is invoked. For some programs it is convenient to keep running in the same domain. In such cases, you can suppress domain transitions with the "keep_domain" and "no_keep_domain" directives.

For example, the following procedure makes the console login domain ( "<kernel> /sbin/mingetty /bin/login /bin/bash" ) suppress domain transitions.

Before you specify the "keep_domain" directive, domain transitions occur, as shown below.
[Screenshot: Before keep_domain]

Switch to the screen for editing exception policy. Press the "A" key, enter "keep_domain <kernel> /sbin/mingetty /bin/login /bin/bash" and press the "Enter" key.
[Screenshot: Adding keep_domain]

Return to the screen for editing the domain transition tree. The "<kernel> /sbin/mingetty /bin/login /bin/bash" domain is marked with "#" and its descendant domains are marked with "!".
[Screenshot: After keep_domain]

The "man" command is invoked after login, but it performs some complicated tasks, so let's run "man" in a different domain.
[Screenshot: Before no_keep_domain]

Switch to the screen for editing exception policy. Press the "A" key, enter "no_keep_domain /usr/bin/man from /bin/bash" (or "no_keep_domain /usr/bin/man from <kernel> /sbin/mingetty /bin/login /bin/bash") and press the "Enter" key.
[Screenshot: Adding no_keep_domain]

Return to the screen for editing the domain transition tree. The "<kernel> /sbin/mingetty /bin/login /bin/bash /usr/bin/man" domain and its descendants are no longer marked with "!".
[Screenshot: After no_keep_domain]

Some commands are invoked by the "/usr/bin/man" command, but domain transitions for them are not worth it, so let's make /usr/bin/man stop transiting domains. Switch to the screen for editing exception policy. Press the "A" key, enter "keep_domain /usr/bin/man" (or "keep_domain <kernel> /sbin/mingetty /bin/login /bin/bash /usr/bin/man") and press the "Enter" key.
[Screenshot: Adding keep_domain]

Return to the screen for editing the domain transition tree. The "<kernel> /sbin/mingetty /bin/login /bin/bash /usr/bin/man" domain is marked with "#" and its descendant domains are marked with "!".
[Screenshot: After keep_domain]

It is pointless to keep unreachable domains, so let's delete them. Select the domains marked with "!", press the "D" key and then the "Y" key.
[Screenshot: Before deleting unreachable domains]

The following is the screen for editing the domain transition tree after the unreachable domains have been deleted.
[Screenshot: After deleting unreachable domains]

If you are going to apply access restrictions, be sure to use "learning mode" first to collect the necessary ACLs, and only then assign a profile with "enforcing mode" to enforce them.
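Sections (8) and (9) describe how the four exception-policy directives decide which domain a process lands in when it executes a program. The following Python model, added here as an example and not part of the TOMOYO documentation or tools, reproduces the rules stated above for the page's own sendmail, bash and man entries: "initialize_domain" is consulted first, then "keep_domain", otherwise a normal transition appends the program to the domainname; a "from" part that starts with "<kernel>" names a whole domain while a bare pathname names only the last program of the domain; and a matching "no_" entry overrides the matching positive entry. The order in which the two directive families are checked and the override rule are assumptions taken from the behaviour this page describes, and the policy text and domains are constructed samples.

```python
# Added example (not part of the TOMOYO documentation or ccs-tools): a model of
# how initialize_domain / no_initialize_domain / keep_domain / no_keep_domain
# decide the next domain when a program is executed.  The check order
# (initializer, then keeper, then a normal transition) and "a matching no_
# entry wins" follow the behaviour described on this page; this is an
# educational model, not the kernel's code.

KERNEL = "<kernel>"


def parse_exception_policy(text):
    """Collect the domain-transition directives from exception policy text.

    Returns (initializers, keepers); each entry is (program, from_spec, is_not)
    where program may be None (keep_domain applies to every program) and
    from_spec may be None (initialize_domain applies from every domain), a full
    domainname ("<kernel> ...") or the last "pathname of program" of a domain.
    """
    initializers, keepers = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        is_not = keyword.startswith("no_")
        base = keyword[3:] if is_not else keyword
        if base == "initialize_domain":
            # "initialize_domain PROGRAM [from DOMAIN|PROGRAM]"
            program, _, from_spec = rest.partition(" from ")
            initializers.append((program, from_spec or None, is_not))
        elif base == "keep_domain":
            # "keep_domain DOMAIN|PROGRAM" or "keep_domain PROGRAM from DOMAIN|PROGRAM"
            if " from " in rest:
                program, _, from_spec = rest.partition(" from ")
                keepers.append((program, from_spec, is_not))
            else:
                keepers.append((None, rest, is_not))
    return initializers, keepers


def _from_matches(from_spec, domain, last_program):
    """A "from" part starting with <kernel> names a whole domain; a pathname
    names only the last program of the current domain."""
    if from_spec is None:
        return True
    if from_spec.startswith(KERNEL):
        return from_spec == domain
    return from_spec == last_program


def _decide(entries, domain, program):
    """True if the directive family applies; a matching no_ entry overrides."""
    last_program = domain.split(" ")[-1]
    flag = False
    for entry_program, from_spec, is_not in entries:
        if not _from_matches(from_spec, domain, last_program):
            continue
        if entry_program is not None and entry_program != program:
            continue
        if is_not:
            return False
        flag = True
    return flag


def next_domain(policy, domain, program):
    """Domain the process enters when `domain` executes `program`."""
    initializers, keepers = policy
    if _decide(initializers, domain, program):
        return KERNEL + " " + program      # restart directly under <kernel>
    if _decide(keepers, domain, program):
        return domain                      # suppressed: stay where we are
    return domain + " " + program          # normal transition


# Constructed sample: the exception policy built up in sections (8) and (9).
EXAMPLE_POLICY = parse_exception_policy("""
initialize_domain /usr/sbin/sendmail.sendmail
no_initialize_domain /usr/sbin/sendmail.sendmail from /bin/mail
keep_domain <kernel> /sbin/mingetty /bin/login /bin/bash
no_keep_domain /usr/bin/man from /bin/bash
keep_domain /usr/bin/man
""")

if __name__ == "__main__":
    login = "<kernel> /sbin/mingetty /bin/login /bin/bash"
    for dom, prog in [
        ("<kernel> /usr/sbin/httpd", "/usr/sbin/sendmail.sendmail"),
        ("<kernel> /bin/mail", "/usr/sbin/sendmail.sendmail"),
        (login, "/bin/ls"),
        (login, "/usr/bin/man"),
        (login + " /usr/bin/man", "/usr/bin/less"),
    ]:
        print(dom, "+", prog, "\n  ->", next_domain(EXAMPLE_POLICY, dom, prog))
```

Running the script walks through the five cases the page illustrates with screenshots: a daemon-style invocation of sendmail restarts under "<kernel>", the same program invoked from a /bin/mail domain does not, commands run from the login shell stay in the shell's domain except "man", and programs started by "man" stay in the man domain. Changing a line of EXAMPLE_POLICY and rerunning is a quick way to predict what the domain transition tree will look like before you edit the live policy.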

Operations specific to screen for editing ACL entries given to the domain

(0) About this screen

This screen shows all ACL entries granted to the selected domain. You can review them and add or delete entries as needed.

(1) To change sort order

You can toggle the sort order (by operand or by keyword) by pressing the "@" key.
[Screenshot: Sort by operand]
[Screenshot: Sort by keyword]

(2) To remove redundant ACL entries

Press the "O" key to mark "&" on all entries that are implied by the entry at the cursor line (typically a patterned entry you just added); then press the "D" key to delete those redundant ACL entries after confirmation.

(A-1) The next picture is a screenshot taken before adding a patterned entry.
[Screenshot: Before adding patterned entry]

(A-2) The next picture is a screenshot taken after adding the patterned entry.
[Screenshot: After adding patterned entry]

(A-3) The next picture is a screenshot taken after pressing the "O" key on the line of the patterned entry.
[Screenshot: After pressing the optimize key]

(A-4) The next picture is a screenshot taken after pressing the "D" key.
[Screenshot: After pressing the delete key]

(A-5) The next picture is a screenshot taken after pressing the "Y" key.
[Screenshot: After pressing the yes key]

(B-1) The same approach works for network ACL entries. The next picture is a screenshot taken before adding a patterned entry.
[Screenshot: Before adding patterned entry]

(B-2) The next picture is a screenshot taken after adding the patterned entry.
[Screenshot: After adding patterned entry]

(B-3) The next picture is a screenshot taken after pressing the "O" key on the line of the patterned entry.
[Screenshot: After pressing the optimize key]

(B-4) The next picture is a screenshot taken after pressing the "D" key.
[Screenshot: After pressing the delete key]

(B-5) The next picture is a screenshot taken after pressing the "Y" key.
[Screenshot: After pressing the yes key]

(C-1) The same approach works for path_group entries. The next picture is a screenshot taken after adding the path_group.
[Screenshot: After adding path_group]

(C-2) The next picture is a screenshot taken before adding the path_group entry.
[Screenshot: Before adding path_group entry]

(C-3) The next picture is a screenshot taken after adding the path_group entry.
[Screenshot: After adding path_group entry]

(C-4) The next picture is a screenshot taken after pressing the "O" key on the line of the path_group entry.
[Screenshot: After pressing the optimize key]

(C-5) The next picture is a screenshot taken after pressing the "D" key.
[Screenshot: After pressing the delete key]

(C-6) The next picture is a screenshot taken after pressing the "Y" key.
[Screenshot: After pressing the yes key]
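The "O" key in section (2) marks the entries that a patterned entry, or an entry referencing a path_group, already covers. The following Python example, added here and not taken from the TOMOYO project or ccs-tools, shows the same "implied by" decision for file ACL entries so you can predict which lines will get the "&" mark before pressing "D". It models only the common TOMOYO path wildcards (\*, \@, \?, \$, \+, \x, \X) and "@NAME" path_group references; the ACL lines and the path_group are constructed samples, and treating an already-patterned candidate as implied only when it is textually identical is a simplification of this example, not documented editor behaviour.

```python
# Added example (not part of ccs-tools): decide which file ACL entries are
# implied by the entry at the cursor line, i.e. the ones the editor's "O"
# key would mark with "&".  Models the common TOMOYO wildcards and @path_group
# references only; samples below are constructed.
import re

# TOMOYO wildcard -> regular expression fragment.  None of them match "/",
# so a pattern never covers more path components than it is written with.
_WILDCARDS = {
    "*": r"[^/]*",          # any run of characters, possibly empty
    "@": r"[^/.]*",         # like \* but also stops at "."
    "?": r"[^/]",           # exactly one character
    "$": r"[0-9]+",         # one or more decimal digits
    "+": r"[0-9]",          # exactly one decimal digit
    "x": r"[0-9A-Fa-f]",    # exactly one hexadecimal digit
    "X": r"[0-9A-Fa-f]+",   # one or more hexadecimal digits
}


def pattern_to_regex(pattern):
    """Translate a TOMOYO path pattern into an anchored regular expression."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(_WILDCARDS.get(nxt, re.escape(nxt)))
            i += 2
        else:
            out.append(re.escape(c))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def is_patterned(operand):
    return "\\" in operand or operand.startswith("@")


def operand_matches(pattern, operand, path_groups):
    """Does a single ACL operand fall under a (possibly patterned) operand?"""
    if is_patterned(operand):
        # Simplification of this example: a patterned candidate is implied
        # only by an identical operand, never by a broader pattern or group.
        return operand == pattern
    if pattern.startswith("@"):
        members = path_groups.get(pattern[1:], ())
        return any(pattern_to_regex(m).match(operand) for m in members)
    return pattern_to_regex(pattern).match(operand) is not None


def parse_acl(line):
    keyword, _, rest = line.strip().partition(" ")
    return keyword, rest.split()


def implied_entries(acl_lines, cursor_line, path_groups):
    """Return the ACL lines implied by cursor_line, in their on-screen order."""
    keyword, pat_operands = parse_acl(cursor_line)
    marked = []
    for line in acl_lines:
        if line == cursor_line:
            continue
        kw, operands = parse_acl(line)
        if kw != keyword or len(operands) != len(pat_operands):
            continue
        if all(operand_matches(p, o, path_groups)
               for p, o in zip(pat_operands, operands)):
            marked.append(line)
    return marked


# Constructed sample: a path_group from the exception policy and the ACL
# entries of one domain, including the patterned entries just added.
PATH_GROUPS = {"WEB_CONTENT": ["/var/www/html/\\*.html",
                               "/var/www/html/\\*/\\*.html"]}
SAMPLE_ACL = [
    "allow_read /var/www/html/index.html",
    "allow_read /var/www/html/docs/intro.html",
    "allow_read /var/www/html/docs/logo.png",
    "allow_read /etc/httpd/conf/httpd.conf",
    "allow_read /proc/1234/status",
    "allow_read /proc/self/status",
    "allow_write /var/log/httpd/access_log",
    "allow_read /var/www/html/\\*.html",
    "allow_read @WEB_CONTENT",
    "allow_write /var/log/httpd/\\*_log",
    "allow_read /proc/\\$/status",
]

if __name__ == "__main__":
    for cursor in SAMPLE_ACL[-4:]:
        print(cursor)
        for line in implied_entries(SAMPLE_ACL, cursor, PATH_GROUPS):
            print("  &", line)
```

Note that "/proc/self/status" is not implied by "/proc/\$/status" because "\$" only matches digits, and "docs/intro.html" is not implied by "/var/www/html/\*.html" because "\*" never crosses a "/": deleting those lines after an optimize pass would silently remove permissions the domain still needs, which is exactly why the editor asks for confirmation before "D" takes effect.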
