gmane.linux.tomoyo.user.english

[tomoyo-users-en 493] about maintaining tomoyolinux

Pawan Kumar — 2012-05-14T09:49:52

Thanks for quick reply.

Currently I am learning things up and new to the world of masters like you.
I am developing myself and I guess by the end of this year I would have
achieved some of my targets about web, linux, cisco and I want to provide
free articles, tutorials, documentations to the people who are new to
tomoyo linux but at this stage I am very new to it. I will be playing with
it. I am sorry my friends are users of winodows and I moved to linux a few
months back so currently I do not have enough capabilities or resources and
I have not maintained any repo ever.

With time I would be developing things up and will start writing articles
and videos on tomoyo linux and its uses, at the moment I am just playing
with it.


Thanks for you time and quick reply
Pawan




On Sat, May 12, 2012 at 11:00 PM, <
tomoyo-users-en-request-5NWGOfrQmneRv+LV9MX5uooqe+aC9MnS< at >public.gmane.org> wrote:

_______________________________________________
tomoyo-users-en mailing list
tomoyo-users-en-5NWGOfrQmneRv+LV9MX5uooqe+

[tomoyo-users-en 492] Re: tomoyo linux users request for 64 bitsystem

Tetsuo Handa — 2012-05-13T02:14:27

Hello.

Pawan Kumar wrote:

There are several build scripts at
http://sourceforge.jp/projects/tomoyo/svn/view/trunk/1.8.x/ccs-patch/specs/?root=tomoyo
which can be used for building distributor's latest kernels. (While these
scripts are also included in the ccs-patch tarball, the scripts on the SVN will
be up-to-date compared to the tarball.)

You can do

# wget -O /tmp/build-ubuntu_12.04.sh 'http://sourceforge.jp/projects/tomoyo/svn/view/trunk/1.8.x/ccs-patch/specs/build-ubuntu_12.04.sh?root=tomoyo&view=co&content-type=text%2Fplain'
# chmod 755 /tmp/build-ubuntu_12.04.sh
# /tmp/build-ubuntu_12.04.sh

to build the latest Ubuntu 12.04 kernel. The script will build 64bit kernel if
executed on 64bit environment, 32bit kernel if executed on 32bit environment.



Since building kernels causes a lots of file access, you might want to boot
with TOMOYO disabled when building kernels. To boot with TOMOYO disabled, pass
ccsecurity=off kernel boot command line parameter.



If you (or someone) have resource to maintain

[tomoyo-users-en 491] tomoyo linux users request for 64 bit system

Pawan Kumar — 2012-05-12T23:07:36

Hi,

Thanks for creating such a beautiful security system. I have seen tomoyo
linux live cd for ubuntu, thanks for making our life easier. My question
is, a big population of the world is using ubuntu and that too 64 bit, so
how tomoyo linux addresses porting tomoyo linux on 64 bit ubuntu. Sorry, I
am not aware of any manual way to do it for ubuntu 64 bit. If there is any
link that can help people like me using 64 bit ubuntu 12.04 to be able to
use tomoyo linux. it would be such a great help. It would be really great
for us if more videos are posted on youtube that can help new users of
linux start tomoyo linux with no problem at all. Things become much more
easier when we see something visually than read any manual. It would be
great if you can explain different situations that can help even the vast
number of desktop users of the world to be able to make their system more
secure.

Thanks for giving your valuable time to make peoples life easier!
Appreciate all your work!

Is it available for 64 bit opensus

[tomoyo-users-en 490] Re: Tomoyo Kernel Profiles have Disappeared

Milton Yates — 2012-05-11T21:16:48

Le 11/05/2012 16:48, Tetsuo Handa a écrit :

If I can add my 2 cents

Yes the current syntax might be improved slightly to avoid having to
write multiple lines to express "all files and folders of /foo", my
understanding is you currently have to write:
/foo/\*
/foo/\{\*\}/
/foo/\{\*\}/\*

but I can live with that, the syntax could be expanded to match all this
with a single wildcard, but I agree the current ones are good in that
they allow very fine grained matching for some cases, which is useful
sometimes indeed. I think they should not be dropped.

Personally I like more the #include feature of AppArmor
http://wiki.apparmor.net/index.php/QuickProfileLanguage#Include_Rules
this gets us back to my previous request on having multiple acl_groups
per domain ;) (yeah yeah here I go again ^^)

You told me some time ago you had a patch on the way for it, I would be
glad to test it and contribute as necessary (even if incomplete).

Regards,
Milton

[tomoyo-users-en 489] Re: Tomoyo Kernel Profiles have Disappeared

Tetsuo Handa — 2012-05-11T14:48:55

tomoyo-loadpolicy -p < /etc/tomoyo/profile.conf


Seems so.


/usr/lib/tomoyo/tomoyo_init_policy will create it if it does not exist.


Please use /usr/sbin/tomoyo-loadpolicy .


TOMOYO thinks basename component of pathnames very important, for multicall
binary applications decide their default behaviour based on basename component
(and optionally change their behaviour based on command line arguments).
It is an advantage of pathname based access control that can restrict
possible names within a directory. Therefore, TOMOYO's /\{ \}/ operator (oops,
this operator is not available on Debian Squeeze because it is using 2.6.32:
http://tomoyo.sourceforge.jp/2.2/policy-reference.html#wildcard_expression_rules )
was designed not to match basename component of pathnames.

However, despite my wish that users benefit from ability to restrict basename
component, most users do not care basename component; they simply specify
"foo directory and its descendants". (Only few power users are utilizing
ability to restrict b

[tomoyo-users-en 488] Re: Tomoyo Kernel Profiles have Disappeared

Cam McK — 2012-05-11T03:17:28

HI Tetsuo,

I have answered my own question from a previous post of yours:
http://comments.gmane.org/gmane.linux.tomoyo.user.english/118

I think in summary I had two issues:

1. profile.conf had got deleted somehow.

2. system came backup with no profiles, I unknowingly created profile.conf
again but they hadn't got loaded into the kernel.
I tried to load them via: /sbin/tomoyo-init but recieved: <kernel>
/usr/sbin/sshd /bin/bash /bin/su /bin/bash ( /bin/bash ) is not permitted
to update policies. which meant I had to reboot regardless so that:

"/sbin/tomoyo-init copies /etc/tomoyo/manager.conf to
/sys/kernel/security/tomoyo/manager",

in which case I may as well reboot so that /sbin/tomoyo-init loads in
profile.conf anyway!

Thank you for your help.

[tomoyo-users-en 487] Re: Tomoyo Kernel Profiles have Disappeared

Cam McK — 2012-05-10T22:27:40

Hello,


to 3

No, you are correct that I didn't save the profile after I changed it to
use_profile 3 but the rest of the profile was saved.



Hmm not sure how I OR if I deleted but i think I recreated it running:
/usr/lib/tomoyo/tomoyo_init_policy  after it stopped working after the
reboot.


/sys/kernel/security/tomoyo/domain_policy ?

The problem I have is that the Kernel does not know about profiles 2 or 3.

Please double check the below output: The reason there is even a profile
"2" is because I created one within tomoyo-editpolicy's Profile Editor, Yes
the correct profiles are defined in the profile.conf, but it doesn't match
what is in the kernel.


root< at >www:~# cat  /sys/kernel/security/tomoyo/profile
0-COMMENT=disabled
0-MAC_FOR_FILE=disabled
0-MAX_ACCEPT_ENTRY=0
0-TOMOYO_VERBOSE=disabled
1-COMMENT=disabled
1-MAC_FOR_FILE=disabled
1-MAX_ACCEPT_ENTRY=0
1-TOMOYO_VERBOSE=disabled
2-COMMENT=
2-MAC_FOR_FILE=disabled
2-MAX_ACCEPT_ENTRY=2048
2-TOMOYO_VERBOSE=enabled

^^ Note: Profile 2 isn't the same, and

[tomoyo-users-en 486] Re: Tomoyo Kernel Profiles have Disappeared

Tetsuo Handa — 2012-05-10T13:51:41

I set up 2.6.32-5-amd64 and tested.

# cat /proc/version
Linux version 2.6.32-5-amd64 (Debian 2.6.32-44) (dannf-8fiUuRrzOP0dnm+yROfE0A< at >public.gmane.org) (gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Sat May 5 01:12:59 UTC 2012



If /etc/tomoyo/profile.conf exists, it boots normally.

  [    3.131467] PM: Resume from disk failed.
  [    3.170967] kjournald starting.  Commit interval 5 seconds
  [    3.171366] EXT3-fs: mounted filesystem with ordered data mode.
  [    3.367417] Calling /sbin/tomoyo-init to load policy. Please wait.
  [    3.581394] TOMOYO: 2.2.0   2009/04/01
  [    3.581706] Mandatory Access Control activated.
  [    4.204435] udev[348]: starting version 164
  [    4.337875] input: Sleep Button as /devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0E:00/input/input2



If /etc/tomoyo/ exists but /etc/tomoyo/profile.conf does not exist,
it waits for your input.

  Begin: Running /scripts/local-premount ... [    4.357857] PM: Starting manual resume from disk
  done.
  [    4.421423] kjournald starting.  Comm

[tomoyo-users-en 485] Re: Tomoyo Kernel Profiles have Disappeared

Tetsuo Handa — 2012-05-10T08:52:06

Hello.

Cam McK wrote:

According to INFO below, it seems to me that profiles 2 and 3 are defined.
You meant "use_profile 2" and "use_profile 3" lines have gone from
/etc/tomoyo/domain_policy.conf and /sys/kernel/security/tomoyo/domain_policy ?


tomoyo-editpolicy directly modifies /sys/kernel/security/tomoyo/ interface but
the up-to-date policy will not be saved to /etc/tomoyo/ directory unless you run
tomoyo-savepolicy .

Did you execute tomoyo-savepolicy between after changing profile from 1 to 3
and before rebooting your system?

[tomoyo-users-en 484] Tomoyo Kernel Profiles have Disappeared

Cam McK — 2012-05-10T07:20:05

Hello,

I have been trying to find out why my tomoyo installation has broken itself.

It was running locking down just the apache service, I rebooted my server
for some maintenance and it failed to come backup. I logged into the
console and it was waiting at boot for a tomoyo profile, I typed "disable"
if I recall correctly and it booted. I then performed, tomoyo-editpolicy
and apache was back to profile 1, when I tried to adjust it to profile 3,
it just stayed on 1.

A bit of investigation shows that the kernel doesn't know about profiles 2
& 3.

How do I go about resolving this?

Thanks
Cam

INFO:

Linux www.cam.com 2.6.32-5-amd64 #1 SMP Thu Mar 22 17:26:33 UTC 2012 x86_64
GNU/Linux

root< at >www:~# cat /boot/grub/menu.lst
      ===== SNIP =====
kernel          /boot/vmlinuz-2.6.32-5-amd64 root=/dev/xvda1 ro
security=tomoyo
initrd          /boot/initrd.img-2.6.32-5-amd64
      ====== SNIP =====

root< at >www:~# cat /sys/kernel/security/tomoyo/manager
/usr/sbin/tomoyo-loadpolicy
/usr/sbin/tomoyo-editpolicy
/usr/sbi

[tomoyo-users-en 483] Re: kernel panic after installing tomoyo linuxccs tools on ubuntu 12.04 kernel 3.2.0-24-virtual

Pawan Kumar — 2012-05-08T20:19:41

Great answer ... wow, you have exactly pointed me in the right direction.
Thank you Tetsuo.

This is the main reason. Yes, even in ubuntu repository it did mention that
it was for i686 and not for x86_64. I had tested tomoyo linux on fedora
x86_64 environment and it worked beautifully so It was kind of a test on
ubuntu x86_64.

I will test it on i686 and will update any issues that I face.

Thanks for your time and quick reply. Appreciate it.
Pawan




On Tue, May 8, 2012 at 8:00 AM, Tetsuo Handa <
from-tomoyo-users-en-1yMVhJb1mP/7nzcFbJAaVXf5DAMn2ifp< at >public.gmane.org> wrote:

_______________________________________________
tomoyo-users-en mailing list
tomoyo-users-en-5NWGOfrQmneRv+LV9MX5uooqe+aC9MnS< at >public.gmane.org
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en

[tomoyo-users-en 482] Re: kernel panic after installing tomoyolinuxccs tools on ubuntu 12.04 kernel 3.2.0-24-virtual

Tetsuo Handa — 2012-05-08T12:00:51

Hello.

Pawan Kumar wrote:

Thank you for trying TOMOYO.

The binary packages provided by tomoyo.sourceforge.jp repository are for i686.
If you installed x86_64 version of kubuntu, please build x86_64 version (you
can build it by locating ccs-patch-1.8.3-20120505.tar.gz in /root/rpmbuild/SOURCES/
and run specs/build-ubuntu_12.04.sh extracted from the tarball).

In my environment (i686 userland), everything works fine.

# head !$
head /proc/cpuinfo
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 15
model name      : Intel(R) Core(TM)2 CPU         T7200  < at > 2.00GHz
stepping        : 6
microcode       : 0xc7
cpu MHz         : 1994.993
cache size      : 4096 KB
physical id     : 0

[    1.936693] Freeing unused kernel memory: 740k freed
[    1.937168] Write protecting the kernel text: 5884k
[    1.937224] Write protecting the kernel read-only data: 2384k
[    1.937233] NX-protecting the kernel data: 4356k
[    1.974655] udevd[102]: starting version 175
[    2.311021] EXT4-

[tomoyo-users-en 481] kernel panic after installing tomoyo linux ccs tools on ubuntu 12.04 kernel 3.2.0-24-virtual

Pawan Kumar — 2012-05-07T23:30:21

Hi guys,

I installed tomoyo linux on kubuntu 12.04* kernel 3.2.0-24-virtua*l (
yesterday, I had same problem on 3.2.0-24 generic kernel too).

I followed this exactly

Ubuntu 12.04 (generic-pae flavour)

# echo 'deb http://tomoyo.sourceforge.jp/repos-1.8/Ubuntu12.04/ ./' >>
/etc/apt/sources.list
# apt-get update
# apt-get install linux-generic-pae-ccs ccs-tools

From: http://tomoyo.sourceforge.jp/1.8/chapter-3.html.en but  I had no
success and I got kernel panic error. Though I was able to boot into my
previous kenel and things were fine.

I want to use tomoyo linux on kubuntu. Any suggestions would be
appreciated. Am I doing anything wrong here or is there any extra steps
that I should take...? Its a recently installed kubuntu machine.

Thanks for any suggestions
pk
_______________________________________________
tomoyo-users-en mailing list
tomoyo-users-en-5NWGOfrQmneRv+LV9MX5uooqe+aC9MnS< at >public.gmane.org
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en

[tomoyo-users-en 480] ccs-patch-1.6.9p4/1.7.3p4/1.8.3p7akari-1.0.27 caitsith-0.1p1 uploaded.

Tetsuo Handa — 2012-05-05T13:50:03

ccs-patch 1.8.3p7 fixes three bugs.

 (1) Regarding 2.6.0-2.6.11 kernels, TOMOYO needs to use
     spin_lock_bh()/spin_unlock_bh() rather than
     spin_lock_irq()/spin_unlock_irq() when a packet was dropped by TOMOYO.

 (2) Regarding RHEL 5.2-5.8 kernels, TOMOYO needs to protect
     skb_kill_datagram() call with lock_sock()/release_sock() when UDP packet
     was dropped by TOMOYO.

 (3) Regarding Ubuntu 12.04 kernel on Live CD, TOMOYO needs to accept manager
     programs which do not start with / because the pathname of
     /usr/sbin/ccs-editpolicy seen from Ubuntu 12.04 Live CD is
     squashfs:/usr/sbin/ccs-editpolicy rather than /usr/sbin/ccs-editpolicy .

Unless you are using one of kernel versions listed above, this update will not
be needed.



ccs-patch-1.7.3p4 and ccs-patch-1.6.9p4 fixes the bugs (1) and (2).



Live CD for Ubuntu 12.04 + TOMOYO 1.8.3p7 is now available.
http://tomoyo.sourceforge.jp/1.8/ubuntu12.04-live.html

This Live CD can be also used as Ubuntu 12.04 + TOMOYO 2.5 by appendin

[tomoyo-users-en 479] ccs-tools-1.8.3p3 andtomoyo-tools-2.2.0p3/2.3.0p4/2.4.0p4/2.5.0p2 uploaded.

Tetsuo Handa — 2012-04-14T16:19:58

Jamie Nguyen has rewritten manpages for ccs-tools and tomoyo-tools packages. I
included them in today's tarballs. Build dependency on help2man has gone.
http://sourceforge.jp/projects/tomoyo/lists/archive/dev-en/2012-February/000338.html



An IP address parsing bug in policy editor's offline mode has been fixed.



/sbin/ccs-init and /sbin/tomoyo-init has been updated to correctly report
memory usage information.



tomoyo-tools-2.2.0p3/2.3.0p4 have been updated to include variables from
Include.make as with tomoyo-tools-2.4.0p4/2.5.0p2 do.



The root of source tree in ccs-tools-1.8.3p3 has changed from ccstools/ to
ccs-tools/ as with tomoyo-tools packages do.



Re: [tomoyo-users-en 465] ccs-patch-1.6.9p2/1.7.3p2/1.8.3p5 and ccs-tools-1.6.9p1/1.7.3p1/1.8.3p2 uploaded.

This enhancement was copied to tomoyo-tools-2.4.0p4/2.5.0p2.



Please let me know if you found any problems.

ccs-tools-1.8.3-20120414.tar.gz     MD5: bbbb78c5a0c6aa22e43ff3bc4f125241
tomoyo-tools-2.2.0-20120414.tar.gz  MD5: 0000c045b8aba2

[tomoyo-users-en 477] fedora 17

shawn — 2012-04-06T23:25:28

the server that hosts fedora 16 packages does not allow directory
listings, [1] so i cant tell if fedora 17 packages are available yet


[1] http://cdn.tomoyolinux.co.uk/pub/fedora/


Shawn Landden

[tomoyo-users-en 476] Re: Next version of TOMOYO

Milton Yates — 2012-04-06T19:22:36

Hi Tetsuo,

Le 31/03/2012 04:52, Tetsuo Handa a écrit :

I think it is probably the best choice too (for what it's worth ^^).


Great :)


Thanks a lot for explaining the rationale behind this new software, it
is a very interesting read and I'm looking forward to testing Caitsith
too now (especially as I loved FF7 ^^).



Exactly, that is why some new directive would be needed to define the
grouping of acls.

Based on:
$acl_priority acl $operation $conditions_to_filter
    audit $audit_index
    $cond_priority $decision $conditions_to_allow_or_deny


If you have 3 ACLs with the same $decision &
$conditions_to_allow_or_deny, like these:

"
1 acl read path="/usr/share/\{\*\}/\*"
    audit 1
    1 allow $condition_to_allow_or_deny1
    2 deny

2 acl read path="/usr/lib/lib\*.so\*"
    audit 1
    1 allow $conditions_to_allow_or_deny1
    2 deny

3 acl read path="/etc/example"
    audit 1
    1 allow $conditions_to_allow_or_deny1
    2 deny
"

We could have instead:

"
1 aclgroup NAMEOFGROUP
    audit 1
    1 a

[tomoyo-users-en 475] Re: Fwd: Looking for patch to add "Audit"Featurein Tomoyo 2.3

Tetsuo Handa — 2012-04-04T12:27:29

You can use TOMOYO 2.5 on linux-3.0.2. Please see
http://tomoyo.sourceforge.jp/2.5/chapter-3.html for instruction and
http://tomoyo.sourceforge.jp/2.5/patches/tomoyo-2.5-backport-for-3.0.patch for
patch to backport.

I'm currently refreshing patches in http://tomoyo.sourceforge.jp/2.5/patches/
using linux-3.4-rc1 which contains several bugfixes.

Regards.

[tomoyo-users-en 474] Fwd: Looking for patch to add "Audit" Featurein Tomoyo 2.3

NITIN JHANWAR — 2012-04-04T12:11:02

Hello,

I am a newbie in Tomoyo and looking for assistance. 
I am running linux-3.0.2 on my arm board which is having tomoyo 2.3 version. 
now my requirement is to run "audit" (Generate access granted logs/rejected logs) feature of tomoyo which is available in tomoyo 2.5 version (available with linux-3.2.2). 

I am looking for any direct patch available for this. 
If patch is available,please share that patch link to me. 

Thanks
Nitin

[tomoyo-users-en 473] Looking for patch to add "Audit" Feature inTomoyo 2.3

NITIN JHANWAR — 2012-04-04T12:08:44

Hello,

I am a newbie in Tomoyo and looking for assistance. 
I am running linux-3.0.2 on my arm board which is having tomoyo 2.3 version. 
now my requirement is to run "audit" (Generate access granted logs/rejected logs) feature of tomoyo which is available in tomoyo 2.5 version (available with linux-3.2.2). 

I am looking for any direct patch available for this. 
If patch is available,please share that patch link to me. 

Thanks
Nitin

[tomoyo-users-en 472] CaitSith 0.1 released.

Tetsuo Handa — 2012-04-01T14:07:17

CaitSith is an access restriction module for Linux 2.6.27 and later kernels.
This module gives you ability to restrict access (e.g. opening files, executing
programs) at the kernel level. This module is designed for ease of use.

This module was derived from TOMOYO Linux 1.8.3, but usage of this module would
be too different to imagine that this module was derived from TOMOYO Linux.

Documentation http://caitsith.sourceforge.jp/ is under construction, sorry.



Also, I uploaded other tarballs. ccs-patch-1.8.3-20120401.tar.gz and
akari-1.0.26-20120401.tar.gz now support Linux 3.4-rc1 and Ubuntu 12.04.

MD5:                              Filename:
000003289b6f9213b0e8c7c51607136e  ccs-patch-1.6.9-20120401.tar.gz
77779ee24436324fdb45e232ca938063  ccs-patch-1.7.3-20120401.tar.gz
aaaaca0e7b06e4e37cfa5a879cfb4736  ccs-patch-1.8.3-20120401.tar.gz
222233ff6cfb39d5c2258d91646c88a7  akari-1.0.26-20120401.tar.gz
8888e7faede611f1d951d616636d4e27  caitsith-patch-0.1-20120401.tar.gz
eeeebbe3ff39cd369caf00807ee1d335  caitsi