tomoyo howto

First forget the curse tools tomoyo gives to you. They are good but very limited

The begin:
install tomoyo,( configure the kernel for tomoyo if your distribution hasn’t done it, here a guide:
run sudo /usr/lib/tomoyo/init-policy to init the config
and append security=tomoyo to the kernel boot line in grub.cfg (better: /etc/default/grub and update bootloader) or whatever
and reboot

Create a rule for a program:
Important rule: name important resources with an speaking name, you can also insert comments with #
Now append:

1. initialize_domain yourprogram from any

use_profile x
use_group 0
to /etc/tomoyo/domain_policy.conf
where x is the number of the ruleset.
an overview gives:
and load it with:
tomoyo-loadpolicy -df </etc/tomoyo/domain_policy.conf

basicly there are now two ways to develope now a ruleset
1. switch to policy 1, run the program, close it, save down the changes
2. use policy 2/3, run tomoyo-auditd and look in /var/log/tomoyo/rejected00 2 or 3.log what permissions the program needs to run.
for using wildmarks have a look in
add the new rules to domain policy and reload the config via:
tomoyo-loadpolicy -df </etc/tomoyo/domain_policy.conf

some links which will explain some aspects more detailed:

here you have a sample file:



Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s