Chapter 8: Interface permissions
8.1. Register applications
In order for a application or domain to modify policy in the /sys/kernel/security/tomoyo/ interface, it must be listed in /sys/kernel/security/tomoyo/manager. To register an application, you can for example run the following command:
# echo "/usr/sbin/tomoyo-editpolicy" | /usr/sbin/tomoyo-loadpolicy -m
8.2. Managing as non-root user
By default, only processes with UID=0 and EUID=0 (a.k.a. root user) are allowed to modify policy. In order to allow $USER user to modify policy, run this command:
# echo "manage_by_non_root" | /usr/sbin/tomoyo-loadpolicy -m # chown -R $USER /sys/kernel/security/tomoyo/
This can be reversed by running this command:
# echo "delete manage_by_non_root" | /usr/sbin/tomoyo-loadpolicy -m # chown -R root /sys/kernel/security/tomoyo/
If you want to have a separate user that is able to modify policy, the file "/etc/tomoyo/tomoyo-post-init
" can be used. If this file exists, it is executed by /sbin/tomoyo-init
at boot. To allow 'tomoyo' user to modify policy, create "/etc/tomoyo/tomoyo-post-init
" with the following contents:
#! /bin/sh echo manage_by_non_root > /sys/kernel/security/tomoyo/manager chown -R tomoyo /sys/kernel/security/tomoyo/
Then, make this file executable and make policy directory readable/writable by 'tomoyo' user:
# chmod 755 /etc/tomoyo/tomoyo-post-init # chown -R tomoyo /etc/tomoyo/
The exception to all of the above is for domains in "Learning Mode". Any of these domains can append access permissions to the domain the process belongs to until max_learning_entry has been reached.