TOMOYO Linux 1.8.x : The Official Guide

Welcome to the official documentation of TOMOYO Linux 1.8.x branch. Get started now!

Core Topics

Chapter 1: Introduction

• 1.1. Introduction to this guide
• 1.2. Typography

Chapter 2: Why do I need TOMOYO Linux?

• 2.1. What is TOMOYO Linux?
• 2.2. What is Mandatory Access Control?
• 2.3. How can TOMOYO Linux help me?

Chapter 3: How do I install TOMOYO Linux?

• 3.1. Are binary packages available for my distribution?
• 3.2. Installing binary packages
• 3.3. Installing from source
  
  • 3.3.1. Install dependencies
  • 3.3.2. Download and patch the kernel
  • 3.3.3. Configure the kernel
  • 3.3.4. Compile and install the kernel
  • 3.3.5. Install the userspace tools
• 3.4. Initializing configuration
• 3.5. Configure bootloader
• 3.6. Rebooting your system
• 3.7. How do I disable/uninstall TOMOYO Linux?

Chapter 4: How does TOMOYO Linux work?

• 4.1. Understanding domains
• 4.2. View domains with the policy editor
• 4.3. Understanding profiles
• 4.4. Understanding domain policy
• 4.5. Understanding exception policy
• 4.6. Saving audit logs (optional)

Chapter 5: How do I manage domains?

• 5.1. Domain creation
• 5.2. Management of domain transitions
  
  • 5.2.1. initialize_domain
  • 5.2.2. no_initialize_domain
  • 5.2.3. keep_domain
  • 5.2.4. no_keep_domain
• 5.3. Switching to learning mode
• 5.4. Gathering necessary permissions
• 5.5. Saving permissions to disk
• 5.6. Managing memory usage

Chapter 6: How do I develop policy?

• 6.1. Patterning temporary files
• 6.2. Patterning file access permissions
• 6.3. Patterning numeric permissions
• 6.4. Patterning network access permissions
• 6.5. Reviewing gathered permissions
• 6.6. Using audit logs to develop policy (optional)

Chapter 7: How do I enforce policy?

• 7.1. Enabling enforcing mode
• 7.2. Notification daemon
• 7.3. Handling policy violations in real-time
  
  • 7.3.1. Example usage of "ccs-queryd"
  • 7.3.2. Example output from "ccs-queryd"
• 7.4. Enabling enforcing mode for all domains
• 7.5. Beyond the core topics

Advanced Topics

Chapter 8: Interface permissions

• 8.1. Register applications
• 8.2. Managing as non-root user

Chapter 9: Advanced profile management

• 9.1. Profile initialization
• 9.2. Profile syntax
  
  • 9.2.1. Fields
  • 9.2.2. The CONFIG field
  • 9.2.3. The PREFERENCE field

Chapter 10: Using conditional parameters in policy

• 10.1. Conditional parameters
• 10.2. Tests
• 10.3. Values
• 10.4. Types of task
• 10.5. Types of file
• 10.6. Types of permission
• 10.7. Example usage

Chapter 11: Using ACL groups

• 11.1. The acl_group and use_group directives
• 11.2. Splitting access permissions

Chapter 12: Reinforced authentication

• 12.1. Illegal SSH logins
• 12.2. Splitting root permissions
• 12.3. Example authentication programs

Chapter 13: Judging execute requests outside of the kernel

• 13.1. task denied_execute_handler
• 13.2. task auto_execute_handler

Chapter 14: Securing Apache with the mod_ccs module

• 14.1. The mod_ccs module
• 14.2. Installing the module
  
  • 14.2.1. Installing dependencies
  • 14.2.2. Downloading the module
  • 14.2.3. Compiling and installing the module
• 14.3. Configuration

Chapter 15: How do I manage policy namespace?

• 15.1. About policy namespace
• 15.2. How to specify namespaces?
• 15.3. How to specify domain transition across namespaces?
• 15.4. How to use namespace from policy editor?
• 15.5. Pitfalls when using namespaces

Appendix

Appendix A: The userspace tools

Appendix B: Policy specification

Appendix C: How to use the policy editor

Appendix D: TOMOYO Linux on Android

Appendix E: TOMOYO Linux on MeeGo 1.1

Appendix F: TOMOYO Linux on CAT760

Appendix G: Restricting administrative operations in SSH

Appendix H: Protecting SSH against brute force attacks

Appendix I: Protecting SFTP service

Appendix J: Recording command-line for SSH sessions