tomoyo howto

First, forget the curses tools TOMOYO gives you. They are good but very limited.

Getting started:
Install TOMOYO (configure the kernel for TOMOYO if your distribution hasn't done it; here is a guide:
http://tomoyo.sourceforge.jp/2.5/chapter-3.html.en),
run sudo /usr/lib/tomoyo/init_policy to initialise the configuration,
append security=tomoyo to the kernel boot line in grub.cfg (better: in /etc/default/grub, then update the bootloader) or whatever your bootloader uses,
and reboot.

Create a rule for a program:
Important rule: give important resources a descriptive name; you can also insert comments with #.
Now append to /etc/tomoyo/domain_policy.conf:

1. initialize_domain yourprogram from any
2.

use_profile x
use_group 0

where x is the number of the ruleset (profile).
An overview of the profiles is given at: http://tomoyo.sourceforge.jp/2.5/chapter-4.html.en
Load it with:
tomoyo-loadpolicy -df </etc/tomoyo/domain_policy.conf

Basically there are now two ways to develop a ruleset:
1. Switch to profile 1, run the program, close it, and save the changes.
2. Use profile 2 or 3, run tomoyo-auditd and look in /var/log/tomoyo/rejected002.log or rejected003.log to see which permissions the program needs to run.
For using wildcards, have a look at
http://tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en
Add the new rules to the domain policy and reload the config via:
tomoyo-loadpolicy -df </etc/tomoyo/domain_policy.conf
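To support the second way, here is an added example (not from the original post): a Python script that reads the denied entries of a TOMOYO audit log, drops duplicates, generalizes numeric path components such as pids with the \$ wildcard from the expression-rules page, and prints domain policy fragments in the format tomoyo-loadpolicy -d reads. The three-line entry layout (a '#' header, the domain, the access line) and the Skype paths in the sample log are assumptions constructed for this example.

```python
import re

# Constructed sample in the assumed three-line layout of a TOMOYO 2.5 audit entry:
# a '#...' header, then the domain, then the denied access line.
SAMPLE_LOG = """\
#2012/01/01 10:00:00# profile=3 mode=enforcing granted=no (global-pid=4321) task={ pid=4321 ppid=1 uid=1000 gid=1000 }
<kernel> /usr/bin/skype
file read /home/user/.Skype/config.xml
#2012/01/01 10:00:01# profile=3 mode=enforcing granted=no (global-pid=4321) task={ pid=4321 ppid=1 uid=1000 gid=1000 }
<kernel> /usr/bin/skype
file read /proc/4321/stat
#2012/01/01 10:00:02# profile=3 mode=enforcing granted=no (global-pid=4321) task={ pid=4321 ppid=1 uid=1000 gid=1000 }
<kernel> /usr/bin/skype
file read /home/user/.Skype/config.xml
#2012/01/01 10:00:03# profile=3 mode=enforcing granted=no (global-pid=4399) task={ pid=4399 ppid=4321 uid=1000 gid=1000 }
<kernel> /usr/bin/skype /bin/sh
file execute /usr/bin/xdg-open
"""

DIGITS = re.compile(r'/\d+(?=/|$)')  # a purely numeric path component, e.g. a pid under /proc

def generalize(path):
    """Replace numeric path components with TOMOYO's \\$ wildcard (one or more digits)."""
    return DIGITS.sub(r'/\\$', path)

def parse_rejects(text):
    """Return {domain: [acl, ...]} for every denied (granted=no) entry, deduplicated and generalized."""
    policy = {}
    lines = [l for l in text.splitlines() if l.strip()]
    for i in range(0, len(lines) - 2, 3):
        header, domain, acl = lines[i], lines[i + 1], lines[i + 2]
        if not header.startswith('#') or 'granted=no' not in header:
            continue  # permitted entries need no new rule
        if not domain.startswith('<kernel>'):
            continue  # malformed entry: do not turn it into a rule
        parts = acl.split()
        # generalize only path arguments, never the operation keywords
        acl = ' '.join(parts[:2] + [generalize(p) if p.startswith('/') else p for p in parts[2:]])
        acls = policy.setdefault(domain, [])
        if acl not in acls:
            acls.append(acl)
    return policy

def render(policy):
    """Emit domain_policy.conf fragments, one domain header followed by its rules."""
    out = []
    for domain, acls in policy.items():
        out.extend([domain] + acls + [''])
    return '\n'.join(out)
```

Run print(render(parse_rejects(SAMPLE_LOG))) to see the generated fragments; review them before feeding anything into tomoyo-loadpolicy -d, since a rule generated from a log is only as good as the run that produced it.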

Some links which explain some aspects in more detail:
http://stolowski.blogspot.de/2010/12/tomoyo-linux-5-tips-to-streamline-your.html

Here is a sample file:
https://wiki.archlinux.org/index.php/Skype
