
TOMOYO Linux Maintenance manual

Last modified: $Date: 2011-07-01 13:55:23 +0900 (Fri, 01 Jul 2011) $

Notes for updating packages

Since the behavior of the system is restricted by policy, you may need to update policy when you update packages.

You need to update policy in the following cases.

The ideal way to update policy is to rebuild it from scratch using learning mode. But it is not desirable to switch from enforcing mode to any other mode once the system has entered production. Even if MAC supported per-application enforcing mode, the MAC would become useless if an application that is not running in enforcing mode were cracked. For example, the whole system becomes vulnerable if only the HTTP server application is running in learning mode to rebuild policy for that application. So, in TOMOYO Linux, updating policy is done while the system is running in enforcing mode.

TOMOYO Linux includes tools that help administrators update policy while the system is running in enforcing mode. By using these tools, you can keep the system running without rebuilding policy from scratch in learning mode, provided the modification is trivial. But note that these tools cannot support every case, and the resulting policy is not always optimal.

The procedure explained in this page is for TOMOYO Linux 1.6.2 and later. See here for the procedure for TOMOYO Linux 1.6.1 and earlier.

Demo

You can see a demo movie that explains how to handle software updates.

To see this movie, you need to install VMware codec. You can download the codec from here if you are using Windows.

Procedure

Open a console or terminal window. Then, start the following program.

/usr/sbin/ccs-queryd

The "ccs-queryd" automatically appends shared libraries to exception policy using the "allow_read" directive when the location of shared libraries in /etc/ld.so.cache has changed. The example shown below indicates that the pathname /lib/libnss_hesiod-2.5.so was appended to exception policy because it was created and registered in /etc/ld.so.cache.

The pathname /lib/libnss_hesiod-2.5.so was created. Appended to globally readable file.

Also, the "ccs-queryd" automatically removes a pathname registered as a globally readable file in exception policy when that file is deleted. The example shown below indicates that the pathname /lib/libnss_hesiod-2.4.so was removed from exception policy because it was deleted.

The pathname /lib/libnss_hesiod-2.4.so was deleted. Deleted from globally readable file.

Run the commands for updating packages.

If you use "yum", run "yum update". If you use "apt", run "apt-get update" and "apt-get upgrade".

Policy violations might occur while updating packages due to unusual behavior such as restarting daemons. When a policy violation occurs, a prompt like the one shown below appears in "ccs-queryd".

#2008-06-18 20:54:37# profile=3 mode=enforcing pid=2546 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/mingetty /bin/login /bin/bash /bin/cat
allow_read /etc/fstab
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):

The example shown above indicates that a process belonging to the domain "<kernel> /sbin/mingetty /bin/login /bin/bash /bin/cat" attempted to open /etc/fstab for reading, the attempt was denied by policy, and the kernel is asking for your decision. Decide whether or not to permit the request and tell the kernel your decision (and also whether the attempt should be granted from the next time on by adding it to domain policy). Press "Y" to grant the request. Press "N" to reject the request. Press "A" to grant the request and also append it to domain policy after editing the request.

Never grant access requests unconditionally. The cause of a policy violation is not always a package update; it may be a malicious request by an attacker. If you grant an access request caused by an attacker's malicious request, the system will be compromised.
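As an added example (not part of TOMOYO Linux or this manual), the following Python parses ccs-queryd violation records in the format shown above and separates requests whose domain's process chain includes a package manager from everything else, so that the latter get the closer scrutiny the paragraph above demands. The package-manager paths and the second sample record are assumptions, not taken from the page.

```python
import re
# Header line: "#2008-06-18 20:54:37# profile=3 mode=enforcing pid=2546 ..."
HEADER_RE = re.compile(r"^#(?P<ts>[^#]+)#\s*(?P<kv>.*)$")

# Constructed allow-list (assumption, not from the page): process chains containing
# one of these executables are the ones expected to trip policy during updates.
PACKAGE_MANAGERS = ("/usr/bin/yum", "/usr/bin/apt-get", "/usr/bin/dpkg", "/usr/bin/rpm")

def parse_record(lines):
    """Parse one record (header, domain line, requested-access line) into a dict."""
    header, domain, request = lines[:3]
    m = HEADER_RE.match(header)
    if m is None or not domain.startswith("<kernel>"):
        raise ValueError("not a ccs-queryd record: %r" % lines)
    directive, _, operand = request.strip().partition(" ")
    return {"timestamp": m.group("ts").strip(),
            "fields": dict(kv.split("=", 1) for kv in m.group("kv").split()),  # profile, mode, pid...
            "domain": domain.strip(), "directive": directive, "operand": operand}

def parse_stream(text):
    """Split ccs-queryd output into records; each begins with a '#...#' header line."""
    records, buf = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Allow?"):
            continue                      # blank lines and the interactive prompt carry no data
        if HEADER_RE.match(line) and buf:
            records.append(parse_record(buf))
            buf = []
        buf.append(line)
    if buf:
        records.append(parse_record(buf))
    return records

def triage(rec):
    """'review' if the domain's chain includes an expected updater, else 'suspicious'; nothing is auto-granted."""
    return "review" if any(p in rec["domain"].split() for p in PACKAGE_MANAGERS) else "suspicious"

# Constructed sample: the page's record plus one from a yum-driven service restart (assumed paths).
SAMPLE = """#2008-06-18 20:54:37# profile=3 mode=enforcing pid=2546 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /sbin/mingetty /bin/login /bin/bash /bin/cat
allow_read /etc/fstab
Allow? ('Y'es/Yes and 'A'ppend to policy/'N'o):
#2008-06-18 20:55:02# profile=3 mode=enforcing pid=2601 uid=0 gid=0
<kernel> /sbin/mingetty /bin/login /bin/bash /usr/bin/yum /bin/bash /etc/init.d/httpd
allow_read /etc/httpd/conf/httpd.conf
"""

def run_example(text=SAMPLE):
    """Return (last program in domain, directive, operand, verdict) for each record."""
    return [(r["domain"].split()[-1], r["directive"], r["operand"], triage(r)) for r in parse_stream(text)]
```

The operator still answers every prompt by hand; the verdict only orders which requests deserve the most attention.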

While "ccs-queryd" is running, access requests that violate policy are kept pending. Thus, you should not log out while "ccs-queryd" is running.

Perform a series of operations to confirm that programs protected by MAC run properly. If some access permissions are missing, the messages will be printed to "ccs-queryd", so don't forget to monitor "ccs-queryd".

Note that "ccs-queryd" directly edits the policy currently loaded into the kernel. Thus, the changes made by "ccs-queryd" are lost when the system shuts down. Be sure to run "ccs-savepolicy" to save the latest policy.

/usr/sbin/ccs-savepolicy

You have finished updating policies. Close the console or terminal in which you executed "ccs-queryd".
