Hello. Thank you for trying TOMOYO. > Is this familiar behavior? Am I exceeding a maximum length? Do you have > any advice how to diagnose the problem? The maximum length is 4086 characters. If environment variable string is longer than 4086 characters, only beginning 4086 characters are checked. > allow_env spool/n03/active_jobs/175.1 "allow_env" line prints environment variable's name rather than its value. What you are seeing should be a bug which existed in ccs-patch-1.7.0-20090903.tar.gz and ccs-patch-1.7.0-20090911.tar.gz . Since I was by error using the same buffer for both environment variable's name and value, "allow_env" line was printing environment variable's value. This bug was fixed in ccs-patch-1.7.1-20091220.tar.gz . You can use http://sourceforge.jp/frs/redir.php?f=/tomoyo/43375/ccs-patch-1.7.2-20100412.tar.gz MD5: 1111e0154b330d3de8941edc4737d85b If you want to disable "allow_env" checking due to performance reason (although it is recommended to enable "allow_env" checking in order to protect from dangerous environment variables such as LD_PRELOAD), you can append 0-CONFIG::misc::env={ mode=disabled } 1-CONFIG::misc::env={ mode=disabled } 2-CONFIG::misc::env={ mode=disabled } 3-CONFIG::misc::env={ mode=disabled } to /etc/ccs/profile.conf and reload it by /usr/sbin/ccs-loadpolicy p If you don't need grant logs (for improving performance), you can append 0-CONFIG={ mode=disabled grant_log=no reject_log=yes } 1-CONFIG={ mode=learning grant_log=no reject_log=yes } 2-CONFIG={ mode=permissive grant_log=no reject_log=yes } 3-CONFIG={ mode=enforcing grant_log=no reject_log=yes } to /etc/ccs/profile.conf and reload it by /usr/sbin/ccs-loadpolicy p Regards.