Info: Version 1.8.x is available.
Last modified: $Date: 2024-03-30 11:25:00 +0000 (Sat, 30 Mar 2024) $
TOMOYO Linux includes a CUI based Policy Editor.
You need to register either "the domainname that this editor belongs to" or "the pathname of this editor (usually /usr/sbin/ccs-editpolicy)" with /proc/ccs/manager before you use this editor.
You can start this editor by typing "/usr/sbin/ccs-editpolicy" at the prompt.
Press "Q" key to quit.
Press "R" key.
Press "Up-Arrow"/"Down-Arrow" keys or "PageUp"/"PageDown" keys.
Press "Left-Arrow"/"Right-Arrow" keys or "Home"/"End" keys.
The policy editor has 6 screens. Press "W" key to show the window list.
Screen for editing exception policy will appear if you press "E" key from the window list screen.
Screen for editing domain transition tree will appear if you press "D" key from the window list screen.
Screen for editing specific domain's policy will appear if you press "A" key from the window list screen.
Screen for editing profiles will appear if you press "P" key from the window list screen.
Screen for editing managers will appear if you press "M" key from the window list screen.
Screen for browsing memory usage will appear if you press "U" key from the window list screen.
To start searching, press "F" and enter strings to search and press "Enter" key.
To continue searching in forward direction, press "N" key.
To continue searching in backward direction, press "P" key.
To add an entry, press "A" and enter strings to add and press "Enter" key. The strings you entered are saved in the history buffer and you can see them by pressing "Insert" key. To load strings in the history buffer, press "Up-Arrow"/"Down-Arrow" keys.
An example operation in domain transition tree
An example operation in exception policy
An example operation in specific domain's policy
Move the cursor to the entry you want to select and then press "Space" key. When an entry is selected, "&" mark will appear at the top of the line.
To unselect an entry, press "Space" key again. When an entry is unselected, "&" mark will disappear.
The selection state (the "&" mark at the top of the line) of the cursor line will be copied to all entries under the cursor line by pressing "C" key.
To select a specific range, mark "&" on the first entry of the range and press "C" key, then unmark "&" on the entry just after the last entry of the range and press "C" key again.
Mark "&" for entries you want to delete and press "D" key. Press "Y" key to the confirmation message, and the entries will be deleted.
This screen shows all domains and their transitions in a tree structure with indent. You can see possible domain transitions using this screen.
The "profile number" of the domain is shown on the right side of the "line number". The last "pathname of program" in the domainname is shown on the right side of the "profile number". The "#" "*" "!" marks may be shown between the "profile number" and the last "pathname of program" depending on the attribute of the domain.
Select domains you want to change "profile number" and press "S" key. Enter "profile number" in the prompt and press "Enter" key.
A domain with "!" mark means that the domain is unreachable due to either "initialize_domain" or "keep_domain" directive. The reason is shown on the right side of the last "pathname of program".
A domain with "*" mark means that multiple domains might transit to this domain due to "initialize_domain" directive. A domain without "*" mark transits only from the domain's parent domain.
A domain with "#" mark means that multiple programs might belong to this domain (a domain transition may not occur when a program is invoked) due to "keep_domain" directive.
This is not a real domain. The process transits to the domain at "line number" when the program is invoked from the parent domain, since the last "pathname of program" is registered with "initialize_domain" directive.
This is not a real domain. Although the last "pathname of program" is registered with "initialize_domain" directive, the destination domain is not created yet.
This means that this domain doesn't exist due to deletion of domains. This placeholder appears when the parent domain doesn't exist but descendant domains do, so that the indentation is not broken. To create this domain, move the cursor to this domain and press "Insert" -> "A" -> "UpArrow" -> "Enter" keys.
TOMOYO Linux in principle transits domains whenever a program is invoked, and the next domain differs if the previous domain differs even if the two domains are invoking the same program. But it would be convenient that some programs, such as daemons, run in the same domain regardless of the previous domain. In such cases, you can run such programs just under the "<kernel>" domain regardless of the previous domain by using "initialize_domain" and "no_initialize_domain" directives.
For example, the following procedure makes /usr/sbin/sendmail.sendmail always run in the "<kernel> /usr/sbin/sendmail.sendmail" domain.
Before you specify "initialize_domain" directive, the same program is invoked from multiple domains, as shown below.
Switch to the screen for editing exception policy. Press "A" key and enter "initialize_domain /usr/sbin/sendmail.sendmail" and press "Enter" key. This entry means that "transit to "<kernel> /usr/sbin/sendmail.sendmail" domain if /usr/sbin/sendmail.sendmail is invoked".
Return to the screen for editing domain transition tree. The domains for /usr/sbin/sendmail.sendmail are now marked with "!". Also, domains with "( -> Not Found )" appear because the destination domain ("<kernel> /usr/sbin/sendmail.sendmail") doesn't exist yet.
To correct "( -> Not Found )" part, press "A" key and enter "<kernel> /usr/sbin/sendmail.sendmail" and press "Enter" key.
Now the "( -> Not Found )" part has changed to "( -> "line number" )".
But regarding /usr/sbin/sendmail.sendmail invoked by /bin/mail, you may wish not to transit to "<kernel> /usr/sbin/sendmail.sendmail" domain because it is not invoked for daemons.
In such a case, switch to the screen for editing exception policy. Press "A" key and enter "no_initialize_domain /usr/sbin/sendmail.sendmail from /bin/mail" and press "Enter" key. This entry means "don't transit to "<kernel> /usr/sbin/sendmail.sendmail" domain if /usr/sbin/sendmail.sendmail is invoked by a domain whose last "pathname of program" in the domainname is /bin/mail".
Return to the screen for editing domain transition tree. The domains for /usr/sbin/sendmail.sendmail invoked by /bin/mail are no longer marked with "!".
TOMOYO Linux in principle transits domains whenever a program is invoked. But it would be convenient that some programs run in the same domain. In such cases, you can suppress domain transitions by using "keep_domain" and "no_keep_domain" directives.
For example, the following procedure makes the console login domain ("<kernel> /sbin/mingetty /bin/login /bin/bash") suppress domain transitions.
Before you specify "keep_domain" directive, domain transitions occur, as shown below.
Switch to the screen for editing exception policy. Press "A" key and enter "keep_domain <kernel> /sbin/mingetty /bin/login /bin/bash" and press "Enter" key.
Return to the screen for editing domain transition tree. The "<kernel> /sbin/mingetty /bin/login /bin/bash" domain is marked with "#" and its descendant domains are marked with "!".
The "man" command is invoked after login, but it performs some complicated tasks, so let's run "man" in a different domain.
Switch to the screen for editing exception policy. Press "A" key and enter "no_keep_domain /usr/bin/man from /bin/bash" (or "no_keep_domain /usr/bin/man from <kernel> /sbin/mingetty /bin/login /bin/bash") and press "Enter" key.
Return to the screen for editing domain transition tree. Now the "<kernel> /sbin/mingetty /bin/login /bin/bash /usr/bin/man" domain and its descendants are not marked with "!".
Some commands are invoked by the "/usr/bin/man" command, but it isn't worth doing domain transitions for them. So, let's make /usr/bin/man not transit domains. Switch to the screen for editing exception policy. Press "A" key and enter "keep_domain /usr/bin/man" (or "keep_domain <kernel> /sbin/mingetty /bin/login /bin/bash /usr/bin/man") and press "Enter" key.
Return to the screen for editing domain transition tree. The "<kernel> /sbin/mingetty /bin/login /bin/bash /usr/bin/man" domain is marked with "#" and its descendant domains are marked with "!".
It is meaningless to keep unreachable domains, so let's delete them. Select the domains that are marked with "!", then press "D" key and "Y" key.
The following is the screen for editing domain transition tree after deleting unreachable domains.
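The transition rules walked through above (initialize_domain/no_initialize_domain for sendmail and keep_domain/no_keep_domain for the login shell) as a small Python model, added here and not part of TOMOYO Linux or ccs-editpolicy. It assumes that initialize_domain rules are evaluated before keep_domain rules and that a domain operand not starting with "<kernel>" is compared with the last "pathname of program" in the domainname; unreachable_domains() reproduces the "!" mark of the domain transition tree screen.

```python
# Added example, not TOMOYO project code: how initialize_domain / no_initialize_domain /
# keep_domain / no_keep_domain pick the next domain (assumes initialize rules go first).
KINDS = ("initialize_domain", "no_initialize_domain",
         "keep_domain", "no_keep_domain")

def parse_exception_policy(lines):
    """Return (kind, program, domain) rules; None means "matches anything"."""
    rules = []
    for line in lines:
        kind, _, rest = line.strip().partition(" ")
        if kind not in KINDS:
            continue  # other exception-policy lines do not affect transitions
        if " from " in rest:
            program, domain = rest.split(" from ", 1)
        elif kind.endswith("keep_domain"):
            program, domain = None, rest   # "keep_domain <domainname>"
        else:
            program, domain = rest, None   # "initialize_domain <program>"
        rules.append((kind, program, domain))
    return rules

def _matches(rules, kind, domain, program):
    # A domain operand starting with "<kernel>" is a full domainname; any
    # other operand is compared with the last pathname in the domainname.
    last_program = domain.split(" ")[-1]
    for k, p, d in rules:
        if k != kind or (p is not None and p != program):
            continue
        if d is None or d == (domain if d.startswith("<kernel>") else last_program):
            return True
    return False

def next_domain(rules, domain, program):
    """Domain a process in `domain` enters when it executes `program`."""
    if _matches(rules, "initialize_domain", domain, program) and \
            not _matches(rules, "no_initialize_domain", domain, program):
        return "<kernel> " + program          # restart just under <kernel>
    if _matches(rules, "keep_domain", domain, program) and \
            not _matches(rules, "no_keep_domain", domain, program):
        return domain                         # transition suppressed
    return domain + " " + program             # normal transition

def unreachable_domains(rules, domains):
    """Domains the editor would mark "!": the parent no longer transits to them."""
    marked = []
    for dom in domains:
        parent, _, program = dom.rpartition(" ")
        if parent and next_domain(rules, parent, program) != dom:
            marked.append(dom)
    return marked
```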
If you are going to apply access restrictions, be sure to use "learning mode" to add necessary ACLs and assign profile for "enforcing mode" to enforce.
This screen shows all ACL entries given to the selected domain. You can confirm and add/delete ACL entries as needed.
You can toggle sort order (by operand or by keyword) by pressing "@" key.
You can use "O" key to mark "&" to the entries that are implied by the entry at the cursor line, then you can press "D" key to delete redundant ACL entries after confirmation.
(A-1) The next picture is a screenshot taken before adding a patterned entry.
(A-2) The next picture is a screenshot taken after adding a patterned entry.
(A-3) The next picture is a screenshot taken after pressing "O" key on the line of the patterned entry.
(A-4) The next picture is a screenshot taken after pressing "D" key.
(A-5) The next picture is a screenshot taken after pressing "Y" key.
(B-1) The same approach works for network ACL entries. The next picture is a screenshot taken before adding a patterned entry.
(B-2) The next picture is a screenshot taken after adding a patterned entry.
(B-3) The next picture is a screenshot taken after pressing "O" key on the line of the patterned entry.
(B-4) The next picture is a screenshot taken after pressing "D" key.
(B-5) The next picture is a screenshot taken after pressing "Y" key.
(C-1) The same approach works for path_group entries. The next picture is a screenshot taken after adding a path_group entry.
(C-2) The next picture is a screenshot taken before adding a path_group entry.
(C-3) The next picture is a screenshot taken after adding a path_group entry.
(C-4) The next picture is a screenshot taken after pressing "O" key on the line of the path_group entry.
(C-5) The next picture is a screenshot taken after pressing "D" key.
(C-6) The next picture is a screenshot taken after pressing "Y" key.