
Domain policy syntax

allow_execute

This directive allows the domain to execute the program at the specified pathname.

This example allows the domain to execute /bin/ls:

allow_execute /bin/ls


allow_read

This directive allows the domain to open the specified pathname for reading.

This example allows the domain to read "/proc/meminfo":

allow_read /proc/meminfo


allow_write

This directive allows the domain to open the specified pathname for writing.

This example allows the domain to write to "/dev/null":

allow_write /dev/null


allow_read/write

This directive allows the domain to open the specified pathname for reading and/or writing.

This example allows the domain to read and/or write to "/dev/null":

allow_read/write /dev/null


allow_create

This directive allows the domain to create the specified file with the specified permissions.

This example allows the domain to create the file "/var/lock/subsys/crond":

allow_create /var/lock/subsys/crond 0644


allow_unlink

This directive allows the domain to delete the specified pathname.

This example allows the domain to delete the file "/var/lock/subsys/crond":

allow_unlink /var/lock/subsys/crond


allow_chown

This directive allows the domain to change the user ownership of the specified pathname to the specified UID.

This example allows the domain to change the owner of "/dev/sda" to UID=0:

allow_chown /dev/sda 0


allow_chgrp

This directive allows the domain to change group ownership of the specified pathname to the specified GID.

This example allows the domain to change the GID of "/dev/audio" to 92:

allow_chgrp /dev/audio 92


allow_chmod

This directive allows the domain to change permissions of the specified pathname to the specified octal permissions.

This example allows the domain to change the octal permissions of "/dev/mem" to 0644:

allow_chmod /dev/mem 0644


allow_mkdir

This directive allows the domain to create the specified directory with the specified permissions.

This example allows the domain to create directories that match "/tmp/logwatch.\*/":

allow_mkdir /tmp/logwatch.\*/ 0755


allow_rmdir

This directive allows the domain to delete the specified directory.

This example allows the domain to delete directories that match "/tmp/logwatch.\*/":

allow_rmdir /tmp/logwatch.\*/


allow_mkfifo

This directive allows the domain to create the specified FIFO with the specified permissions.

This example allows the domain to create the FIFO "/dev/initctl":

allow_mkfifo /dev/initctl 0644


allow_mksock

This directive allows the domain to create the specified socket with the specified permissions.

This example allows the domain to create the socket "/dev/log":

allow_mksock /dev/log 0755


allow_mkblock

This directive allows the domain to create the specified block device with the specified permissions, major number and minor number.

This example allows the domain to create the block device "/dev/loop0":

allow_mkblock /dev/loop0 0600 7 0


allow_mkchar

This directive allows the domain to create the specified character device with the specified permissions, major number and minor number.

This example allows the domain to create the character device "/dev/console":

allow_mkchar /dev/console 0755 5 1


allow_truncate

This directive allows the domain to truncate or extend the specified pathname.

This example allows the domain to truncate the contents of "/etc/mtab":

allow_truncate /etc/mtab


allow_symlink

This directive allows the domain to create a symbolic link at the specified pathname.

This example allows the domain to create the symbolic link "/dev/cdrom":

allow_symlink /dev/cdrom


allow_link

This directive allows the domain to create a hard link. As with link(2), the first pathname is the existing file and the second is the new link to be created.

This example allows a hard link named "/etc/mtab~" to be created to a file matching "/etc/mtab~\$", that is "/etc/mtab~" followed by one or more decimal digits:

allow_link /etc/mtab~\$ /etc/mtab~


allow_rename

This directive allows the domain to rename the first specified pathname to the second specified pathname.

This example allows "/etc/mtab.tmp" to be renamed "/etc/mtab":

allow_rename /etc/mtab.tmp /etc/mtab


allow_rewrite

This directive cancels, for this domain, the effect of a deny_rewrite directive in the exception policy. deny_rewrite protects the files matching its pattern from being overwritten: they may only be opened for appending, not truncated or written in place. allow_rewrite lifts that restriction for the domain.

This example cancels "deny_rewrite /var/log/\*" for the domain:

allow_rewrite /var/log/\*

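The directives above, from allow_execute through allow_rewrite, all take pathname patterns: "\*" and "\$" in the examples are TOMOYO wildcards, not literal characters. The script below is an added example written for this page, not code from the TOMOYO project. It translates such patterns into regular expressions and evaluates file requests against a domain's policy, including the two details a reviewer most often trips over: an allow_read/write entry satisfies both read and write requests, and a trailing mode argument such as 0755 must match exactly. The sample domain is constructed from this page's own entries. The wildcard table (\*, \?, \$, \+) is taken from TOMOYO 1.x pattern syntax and goes beyond the two forms this page uses; the parser skips any line that is not one of the directives listed above.

```python
import re
from typing import List, Sequence, Tuple

# TOMOYO 1.x pathname wildcards.  "\*" and "\$" are the ones used on this
# page; "\?" and "\+" are their single-character forms.  A pattern must
# match the whole pathname and no wildcard crosses "/", so
# "/tmp/logwatch.\*/" never matches a nested directory.
_WILDCARDS = {
    "*": r"[^/]*",   # zero or more characters other than "/"
    "?": r"[^/]",    # exactly one character other than "/"
    "$": r"[0-9]+",  # one or more decimal digits
    "+": r"[0-9]",   # exactly one decimal digit
    "\\": r"\\",     # an escaped backslash stands for itself
}


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a TOMOYO pathname pattern into a regular expression;
    callers use .fullmatch() so the whole pathname has to match."""
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch != "\\":
            parts.append(re.escape(ch))
            i += 1
            continue
        if i + 1 >= len(pattern):
            raise ValueError(f"dangling backslash in pattern {pattern!r}")
        wildcard = pattern[i + 1]
        if wildcard not in _WILDCARDS:
            raise ValueError(f"unsupported wildcard \\{wildcard} in {pattern!r}")
        parts.append(_WILDCARDS[wildcard])
        i += 2
    return re.compile("".join(parts))


# Directives on this page taking one pathname (plus optional mode / major /
# minor arguments) and those taking two pathnames.
ONE_PATH = {
    "allow_execute", "allow_read", "allow_write", "allow_read/write",
    "allow_create", "allow_unlink", "allow_chown", "allow_chgrp", "allow_chmod",
    "allow_mkdir", "allow_rmdir", "allow_mkfifo", "allow_mksock", "allow_mkblock",
    "allow_mkchar", "allow_truncate", "allow_symlink", "allow_rewrite",
}
TWO_PATH = {"allow_link", "allow_rename"}

# An allow_read/write entry satisfies both a read and a write request.
_SATISFIED_BY = {
    "allow_read": {"allow_read", "allow_read/write"},
    "allow_write": {"allow_write", "allow_read/write"},
}


def parse_domain_policy(text: str) -> List[Tuple[str, List[str]]]:
    """Collect the pathname directives of one domain; the <kernel> header,
    use_profile and anything else is skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<kernel>"):
            continue
        directive, *args = line.split()
        if directive in ONE_PATH or directive in TWO_PATH:
            entries.append((directive, args))
    return entries


def is_allowed(policy: Sequence[Tuple[str, List[str]]], directive: str,
               args: Sequence[str]) -> bool:
    """Would this domain's policy grant the request?  Pathnames are matched
    as patterns; mode / major / minor arguments must match verbatim."""
    accepted = _SATISFIED_BY.get(directive, {directive})
    for entry_directive, entry_args in policy:
        if entry_directive not in accepted or len(entry_args) != len(args):
            continue
        npaths = 2 if entry_directive in TWO_PATH else 1
        paths_ok = all(
            pattern_to_regex(pat).fullmatch(arg) is not None
            for pat, arg in zip(entry_args[:npaths], args[:npaths])
        )
        if paths_ok and list(entry_args[npaths:]) == list(args[npaths:]):
            return True
    return False


# Constructed sample domain built from the entries shown on this page
# (raw string, so the TOMOYO escapes survive exactly as written).
SAMPLE_POLICY = r"""
<kernel> /usr/sbin/crond
use_profile 3
allow_execute /bin/ls
allow_read /proc/meminfo
allow_read/write /dev/null
allow_create /var/lock/subsys/crond 0644
allow_mkdir /tmp/logwatch.\*/ 0755
allow_rmdir /tmp/logwatch.\*/
allow_link /etc/mtab~\$ /etc/mtab~
allow_rename /etc/mtab.tmp /etc/mtab
"""
SAMPLE_ENTRIES = parse_domain_policy(SAMPLE_POLICY)

if __name__ == "__main__":
    for directive, args in [
        ("allow_execute", ["/bin/sh"]),
        ("allow_write", ["/dev/null"]),
        ("allow_rmdir", ["/tmp/logwatch.a/b/"]),
        ("allow_link", ["/etc/mtab~123", "/etc/mtab~"]),
        ("allow_mkdir", ["/tmp/logwatch.x/", "0777"]),
    ]:
        print(directive, *args, "->", is_allowed(SAMPLE_ENTRIES, directive, args))
```

Running the script prints a verdict per request. The results worth noticing are that "/tmp/logwatch.a/b/" is refused because "\*" does not match a "/", that "/etc/mtab~" on its own is refused by "/etc/mtab~\$" because "\$" needs at least one digit, and that the mkdir with mode 0777 is refused even though the pathname matches, because the mode is compared verbatim.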

allow_ioctl

This directive allows the domain to make an ioctl request with the specified command number. For information on the ioctl command numbers, refer to manuals provided by each module with ioctl functionality.

This example allows the domain to issue an ioctl request with command number 0x8915 (i.e. SIOCGIFADDR request) on sockets with family = 2, type = 2, protocol = 17 (i.e. UDP/IPv4 sockets):

allow_ioctl socket:[family=2:type=2:protocol=17] 0x8915

This example allows the domain to issue an ioctl request with command numbers between 10000 and 20000 on "/dev/null":

allow_ioctl /dev/null 10000-20000


allow_mount

This directive allows the domain to mount a filesystem with the specified device, mount point, filesystem type and options.

The syntax is: "allow_mount $DEVICE $MOUNTPOINT $FILESYSTEM $OPTIONS". If $FILESYSTEM requires a device, the pathname of a block device file is given for $DEVICE. $OPTIONS is the mount flags, written as a hexadecimal (or octal or decimal) integer. Besides real filesystem types, $FILESYSTEM also accepts keywords for mount operations that have no filesystem of their own, such as --remount in the first example below.

This example allows the domain to remount the / directory:

allow_mount any / --remount 0x0

This example allows the domain to mount "/dev/hdc" which was formatted as an ext3 filesystem at "/var/www/" directory:

allow_mount /dev/hdc /var/www/ ext3 0xF

This example allows the domain to mount a tmpfs filesystem at "/dev/shm/" directory:

allow_mount none /dev/shm/ tmpfs 0xE

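The numbers in allow_ioctl and allow_mount entries are hard to review in raw form: a socket label carries family, type and protocol numbers, an ioctl command is a bare number or a range, and $OPTIONS is a bitmask. The script below is an added example written for this page, not TOMOYO's own code, and it covers both directives. It assumes that $OPTIONS is the mount(2) MS_* flag bitmask (under that assumption the page's 0xF and 0xE read as ro,nosuid,nodev,noexec and nosuid,nodev,noexec respectively), that an ioctl range is inclusive at both ends, and that numbers follow the C conventions the mount description implies (0x for hexadecimal, a leading 0 for octal). The socket ioctl names are the values from <linux/sockios.h>; ioctl targets are compared literally here rather than as wildcard patterns. The sample lines are the ones shown on this page.

```python
import re
import socket
from typing import Dict, List, Tuple


def parse_c_integer(text: str) -> int:
    """Numbers as the policy reader takes them: 0x.. is hexadecimal, a
    leading 0 means octal, otherwise decimal (strtoul(..., 0) rules)."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) > 1 and text.startswith("0"):
        return int(text, 8)
    return int(text, 10)


# mount(2) MS_* bits from <linux/mount.h>.  Treating $OPTIONS as this
# bitmask is the assumption this example makes.
MS_FLAGS: List[Tuple[int, str]] = [
    (0x0001, "MS_RDONLY"), (0x0002, "MS_NOSUID"), (0x0004, "MS_NODEV"),
    (0x0008, "MS_NOEXEC"), (0x0010, "MS_SYNCHRONOUS"), (0x0020, "MS_REMOUNT"),
    (0x0040, "MS_MANDLOCK"), (0x0080, "MS_DIRSYNC"), (0x0400, "MS_NOATIME"),
    (0x0800, "MS_NODIRATIME"), (0x1000, "MS_BIND"), (0x2000, "MS_MOVE"),
    (0x4000, "MS_REC"),
]


def decode_mount_flags(options: str) -> List[str]:
    """Expand an allow_mount $OPTIONS value into MS_* names."""
    value = parse_c_integer(options)
    names = [name for bit, name in MS_FLAGS if value & bit]
    known = sum(bit for bit, _ in MS_FLAGS)
    if value & ~known:
        names.append(f"unknown:0x{value & ~known:x}")
    return names


# A few socket ioctls from <linux/sockios.h>; 0x8915 is the page's example.
SOCK_IOCTLS: Dict[int, str] = {
    0x8912: "SIOCGIFCONF", 0x8913: "SIOCGIFFLAGS", 0x8914: "SIOCSIFFLAGS",
    0x8915: "SIOCGIFADDR", 0x8916: "SIOCSIFADDR", 0x8921: "SIOCGIFMTU",
    0x8927: "SIOCGIFHWADDR", 0x8933: "SIOCGIFINDEX",
}
_PROTOCOLS = {0: "IPPROTO_IP", 1: "IPPROTO_ICMP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
_SOCKET_LABEL = re.compile(r"socket:\[family=(\d+):type=(\d+):protocol=(\d+)\]")


def decode_socket_label(label: str) -> Tuple[str, str, str]:
    """socket:[family=N:type=N:protocol=N] -> symbolic names."""
    m = _SOCKET_LABEL.fullmatch(label)
    if m is None:
        raise ValueError(f"not a socket label: {label!r}")
    family, kind, proto = (int(x) for x in m.groups())
    try:
        family_name = socket.AddressFamily(family).name
    except ValueError:
        family_name = f"family={family}"
    try:
        kind_name = socket.SocketKind(kind).name
    except ValueError:
        kind_name = f"type={kind}"
    return family_name, kind_name, _PROTOCOLS.get(proto, f"protocol={proto}")


def parse_ioctl_cmd(text: str) -> Tuple[int, int]:
    """One command number or LOW-HIGH; the range is taken as inclusive
    (an assumption: the page only says "between")."""
    low, dash, high = text.partition("-")
    lo = parse_c_integer(low)
    hi = parse_c_integer(high) if dash else lo
    if hi < lo:
        raise ValueError(f"empty ioctl range {text!r}")
    return lo, hi


def ioctl_allowed(entries: List[Tuple[str, str]], target: str, cmd: int) -> bool:
    """entries are (target, command-spec) pairs taken from allow_ioctl
    lines.  Targets are compared literally, not as wildcard patterns."""
    for entry_target, spec in entries:
        lo, hi = parse_ioctl_cmd(spec)
        if entry_target == target and lo <= cmd <= hi:
            return True
    return False


def describe(line: str) -> str:
    """Rewrite one allow_ioctl / allow_mount line with its numbers decoded."""
    directive, *args = line.split()
    if directive == "allow_ioctl":
        target, spec = args
        lo, hi = parse_ioctl_cmd(spec)
        where = "/".join(decode_socket_label(target)) if target.startswith("socket:") else target
        what = SOCK_IOCTLS.get(lo, f"0x{lo:x}") if lo == hi else f"0x{lo:x}-0x{hi:x}"
        return f"ioctl {what} on {where}"
    if directive == "allow_mount":
        device, mountpoint, fstype, options = args
        flags = decode_mount_flags(options) or ["(no flags)"]
        return f"mount {device} on {mountpoint} as {fstype}: {','.join(flags)}"
    return line


# Constructed sample: the allow_ioctl and allow_mount entries from this page.
SAMPLE_LINES = [
    "allow_ioctl socket:[family=2:type=2:protocol=17] 0x8915",
    "allow_ioctl /dev/null 10000-20000",
    "allow_mount any / --remount 0x0",
    "allow_mount /dev/hdc /var/www/ ext3 0xF",
    "allow_mount none /dev/shm/ tmpfs 0xE",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(describe(sample))
```

Decoding the ext3 example shows that the mount is only permitted read-only with nosuid, nodev and noexec; when auditing a policy produced in learning mode, the entries to look at are allow_mount lines whose $OPTIONS lack the MS_NOEXEC and MS_NOSUID bits on writable filesystems, and allow_ioctl ranges wide enough to cover commands the program never needed.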

allow_unmount

This directive allows the domain to unmount a filesystem from the specified pathname.

This example allows the domain to unmount the filesystem mounted at "/mnt/cdrom/" directory:

allow_unmount /mnt/cdrom/


allow_chroot

This directive allows the domain to use the specified pathname as a new / directory.

This example allows the domain to use "/var/empty/sshd/" as a new / directory:

allow_chroot /var/empty/sshd/


allow_pivot_root

This directive allows the domain to use the first specified pathname as the new / directory and to move the old / directory to the second specified pathname.

This is normally done only once, when the system switches its / directory from the initrd/initramfs to the hard drive, which usually happens before TOMOYO Linux has been activated. It is therefore unlikely that you will need this directive.

This example allows the domain to use "/sys/kernel/security/" as a new / directory and bring the old / directory to "/sys/kernel/security/tomoyo/" directory:

allow_pivot_root /sys/kernel/security/ /sys/kernel/security/tomoyo/


use_profile

This directive changes the profile number of the domain.

This example changes the profile number of the domain to 3:

use_profile 3

ignore_global_allow_read

This directive cancels, for this domain, the effect of allow_read directives in the exception policy, which otherwise make the listed pathnames readable from every domain.


quota_exceeded

This directive indicates that the domain has failed to append an entry while in "Learning Mode" due to the "max_entry" value being reached.

transition_failed

This directive indicates that a process in this domain could not undergo a domain transition after an execute request.

Unless the domain is in enforcing mode, TOMOYO accepts the execute request even when the domain transition fails, so that the failure does not turn into an access denial; the process continues in its current domain and this entry records the failure. The cause is either that the name of the new domain would be too long or that the kernel could not allocate memory for it. To fix the problem, either suppress the domain transition or increase the memory quota that TOMOYO can use.