[tomoyo-users-en 267] Re: new project: tomld (tomoyo learning daemon)

Ritesh Raj Sarraf rrs****@resea*****
Tue Mar 22 02:45:14 JST 2011


On 03/21/2011 12:05 AM, Horvath Andras wrote:
> I'd like to announce my new project that i created recently building
> on Tomoyo module.
>
> The goal is a fully automatic MAC configuration solution.
>
Thanks a ton. This is really going to make tomoyo rock.

Comments:

* No Exception:

    22:21:29 rrs at champaran:~$ sudo ./tomld.py --reset -c
    tomld (tomoyo learning daemon) 0.15
    platform is debian wheezy/sid
    tomoyo kernel mode is active
    * resetting domain configurations on demand
    are you sure? [yes/No] yes
    * exception domains
    /bin/sh /bin/bash /bin/dash /usr/sbin/sshd
    * processes using network
    /usr/sbin/vpnc
    * checking policy and rules
    /usr/sbin/vpnc, no domain, create domain (restart needed), no rule,
    create rule with learning mode on
    * whole running cycle took 0.24s, sleeping 10s between every cycle
    * new processes using network
    /usr/bin/ktorrent
    ..* new processes using network
    /usr/sbin/exim4
    .* new processes using network
    /usr/sbin/dnsmasq
    /usr/bin/host
    ./usr/bin/host, no domain, create domain, no rule, create rule with
    learning mode on
    ..............* new processes using network
    /usr/bin/fdm
    Traceback (most recent call last):
      File "./tomld.py", line 1316, in <module>
        d5 = os.readlink(d4)
    OSError: [Errno 2] No such file or directory: '/proc/5113/fd/3'

* I changed this to make it work with debian wheezy/sid:

    supp = ["debian 6.", "debian wheezy/sid", "ubuntu 10.10."]

* There's no need to install the patch package, *linux-patch-tomoyo1.7*.
tomoyo is already enabled in the Debian kernel.

    23:01:11 rrs at champaran:/tmp$ diff tomld.py /home/rrs/tomld.py
    30d29
    < #                          - show statistics about active domains
    and rules on exit
    153c152
    < supp = ["debian 6.", "ubuntu 10.10."]
    ---
    > supp = ["debian 6.", "debian wheezy/sid", "ubuntu 10.10."]
    612,615d610
    <       # stat
    <       d = re.findall("^<kernel>.*$\n+use_profile +[1-3] *$",
    tdomf, re.M)
    <       r = re.findall("^allow_", tdomf, re.M)
    <       color(str(len(d)) + " active domains, " + str(len(r)) + "
    rules")
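Review bot: the 30d29 and 612,615d610 hunks drop the exit-statistics feature (the comment line and the block that counts `<kernel>` domains with an active `use_profile` and the `allow_` rules), which the message never mentions as an intended change. Since the command was `diff tomld.py /home/rrs/tomld.py`, the `<` side is the /tmp copy, so these two hunks most likely come from diffing a newer upstream copy against an older modified one; regenerate the diff against the same base (or keep the stat block) so that only the `supp` and `tpak1` edits remain.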
    1160c1155
    < if not (package_d(tpak1) and package_d(tpak2)):
    ---
    > if not package_d(tpak2):
    1162c1157
    <       color("install packages (" + tpak1 + ", " + tpak2 + ") and
    reboot the system with " \
    ---
    >       color("install packages (" + tpak2 + ") and reboot the
    system with " \
    1172c1167
    <               os.system(comm + " install " + tpak1 + " " + tpak2)
    ---
    >               os.system(comm + " install " + tpak2)
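Review bot: the 1160c1155, 1162c1157 and 1172c1167 hunks remove `tpak1` (the linux-patch-tomoyo1.7 package) from the requirement check, the user message and the install command unconditionally, yet `supp` still lists "debian 6." and "ubuntu 10.10.", where the patch package may still be needed. Make the `tpak1` requirement conditional instead, e.g. `if not (have_tomoyo_kernel or package_d(tpak1)) or not package_d(tpak2):`, skipping it only when the script has already detected that tomoyo is enabled in the running kernel (the run above prints "tomoyo kernel mode is active") or only for the "debian wheezy/sid" entry.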


* After running step 2, you ask the user to stop and reboot to boot in
'enforcing mode'. Many things are breaking here. For me: exim4, dnsmasq,
dbus, ktorrent - all broke. These are the errors I got (not complete,
there'll be many many more):

    [   96.910337] ERROR: Access read/write
    /var/spool/exim4/input/1Q1i7G-00014r-0m-D denied for /usr/sbin/exim4
    [  121.620620] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for
    /usr/sbin/dnsmasq
    [  121.620726] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for
    /usr/sbin/dnsmasq
    [  154.144437] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for
    /usr/sbin/dnsmasq
    [  154.144477] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for
    /usr/sbin/dnsmasq
    [  174.277939] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for
    /usr/sbin/dnsmasq
    [  174.278047] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for
    /usr/sbin/dnsmasq
    [  186.918465] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for
    /usr/sbin/dnsmasq
    [  186.918571] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for
    /usr/sbin/dnsmasq
    [  201.839392] ERROR: Access read /etc/nsswitch.conf denied for
    /usr/bin/fdm
    [  201.839501] ERROR: Access read /etc/host.conf denied for /usr/bin/fdm
    [  201.839626] ERROR: Access read
    /lib/init/rw/resolvconf/resolv.conf denied for /usr/bin/fdm
    [  201.839992] ERROR: Access read
    /lib/init/rw/resolvconf/resolv.conf denied for /usr/bin/fdm
    [  201.840746] ERROR: Access read /etc/hosts denied for /usr/bin/fdm
    [  201.840905] ERROR: Access read /etc/nsswitch.conf denied for
    /usr/bin/fdm
    [  201.841417] ERROR: Access read /etc/nsswitch.conf denied for
    /usr/bin/fdm
    [  201.841747] ERROR: Access read /etc/passwd denied for /usr/bin/fdm
    [  201.841854] ERROR: Access read /etc/passwd denied for /usr/bin/fdm
    [  207.862719] ERROR: Access ioctl /dev/null 0x5401 denied for
    /usr/sbin/exim4
    [  207.862800] ERROR: Access read
    /var/lib/exim4/config.autogenerated.tmp denied for /usr/sbin/exim4
    [  207.863908] ERROR: Access create /var/log/exim4/paniclog 0640
    denied for /usr/sbin/exim4
    [  233.684510] ERROR: Access ioctl /dev/null 0x5401 denied for
    /usr/sbin/exim4
    [  233.684712] ERROR: Access read
    /var/lib/exim4/config.autogenerated.tmp denied for /usr/sbin/exim4
    [  233.688033] ERROR: Access create /var/log/exim4/paniclog 0640
    denied for /usr/sbin/exim4
    [  349.302234] ERROR: Access ioctl /dev/null 0x5401 denied for
    /usr/sbin/exim4
    [  349.302341] ERROR: Access read
    /var/lib/exim4/config.autogenerated.tmp denied for /usr/sbin/exim4
    [  349.306666] ERROR: Access create /var/log/exim4/paniclog 0640
    denied for /usr/sbin/exim4
    [  501.869845] ERROR: Access read /etc/nsswitch.conf denied for
    /usr/bin/fdm
    [  501.869954] ERROR: Access read /etc/host.conf denied for /usr/bin/fdm
    [  501.870078] ERROR: Access read
    /lib/init/rw/resolvconf/resolv.conf denied for /usr/bin/fdm
    [  501.870432] ERROR: Access read
    /lib/init/rw/resolvconf/resolv.conf denied for /usr/bin/fdm
    [  501.871082] ERROR: Access read /etc/hosts denied for /usr/bin/fdm
    [  501.871236] ERROR: Access read /etc/nsswitch.conf denied for
    /usr/bin/fdm
    [  501.871726] ERROR: Access read /etc/nsswitch.conf denied for
    /usr/bin/fdm
    [  501.872163] ERROR: Access read /etc/passwd denied for /usr/bin/fdm
    [  501.872274] ERROR: Access read /etc/passwd denied for /usr/bin/fdm
    [  737.411262] start_kdeinit (5972): /proc/5974/oom_adj is
    deprecated, please use /proc/5974/oom_score_adj instead.
    [  744.237066] EXT4-fs (dm-0): re-mounted. Opts:
    acl,user_xattr,delalloc,errors=remount-ro,commit=0
    [  760.405858] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for
    /usr/bin/pidgin
    [  760.405900] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for
    /usr/bin/pidgin
    [  774.398148] ERROR: Access read /usr/share/davmail/davmail.jar
    denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
    [  774.464194] ERROR: Access read /usr/lib/java/swt-gtk-3.5.1.jar
    denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
    [  774.464842] ERROR: Access read
    /usr/share/davmail/lib/activation-1.1.1.jar denied for
    /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
    [  774.465038] ERROR: Access read
    /usr/share/davmail/lib/commons-codec-1.3.jar denied for
    /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
    [  774.465235] ERROR: Access read
    /usr/share/davmail/lib/commons-collections-3.1.jar denied for
    /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
    [  774.465432] ERROR: Access read
    /usr/share/davmail/lib/commons-httpclient-3.1.jar denied for
    /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
    [  774.465631] ERROR: Access read
    /usr/share/davmail/lib/commons-logging-1.0.4.jar denied for
    /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
    [  774.465824] ERROR: Access read
    /usr/share/davmail/lib/htmlcleaner-2.1.jar denied for
    /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
    [  774.466019] ERROR: Access read
    /usr/share/davmail/lib/jackrabbit-webdav-1.4.jar denied for
    /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
    [  774.466206] ERROR: Access read
    /usr/share/davmail/lib/jcharset-1.3.jar denied for
    /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
    [  774.466395] ERROR: Access read
    /usr/share/davmail/lib/jcifs-1.3.14.jar denied for
    /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
    [  774.466579] ERROR: Access read
    /usr/share/davmail/lib/jdom-1.0.jar denied for
    /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
    [  774.466773] ERROR: Access read
    /usr/share/davmail/lib/junit-3.8.1.jar denied for
    /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
    [  774.466965] ERROR: Access read
    /usr/share/davmail/lib/log4j-1.2.15.jar denied for
    /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
    [  774.467151] ERROR: Access read
    /usr/share/davmail/lib/mail-1.4.3.jar denied for
    /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
    [  774.467346] ERROR: Access read
    /usr/share/davmail/lib/slf4j-api-1.3.1.jar denied for
    /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
    [  774.467553] ERROR: Access read
    /usr/share/davmail/lib/slf4j-log4j12-1.3.1.jar denied for
    /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
    [  774.467744] ERROR: Access read
    /usr/share/davmail/lib/stax-api-1.0.1.jar denied for
    /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
    [  774.467935] ERROR: Access read
    /usr/share/davmail/lib/stax2-api-3.0.3.jar denied for
    /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
    [  774.468184] ERROR: Access read
    /usr/share/davmail/lib/woodstox-core-asl-4.0.9.jar denied for
    /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
    [  774.468391] ERROR: Access read
    /usr/share/davmail/lib/xercesImpl-2.8.1.jar denied for
    /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
    [  801.925413] ERROR: Access read /etc/nsswitch.conf denied for
    /usr/bin/fdm
    [  801.925526] ERROR: Access read /etc/host.conf denied for /usr/bin/fdm
    [  801.925651] ERROR: Access read
    /lib/init/rw/resolvconf/resolv.conf denied for /usr/bin/fdm
    [  801.926078] ERROR: Access read
    /lib/init/rw/resolvconf/resolv.conf denied for /usr/bin/fdm
    [  801.926791] ERROR: Access read /etc/hosts denied for /usr/bin/fdm
    [  801.926957] ERROR: Access read /etc/nsswitch.conf denied for
    /usr/bin/fdm
    [  801.927477] ERROR: Access read /etc/nsswitch.conf denied for
    /usr/bin/fdm
    [  801.927836] ERROR: Access read /etc/passwd denied for /usr/bin/fdm
    [  801.927944] ERROR: Access read /etc/passwd denied for /usr/bin/fdm
    [  825.935742] ERROR: Access read /usr/lib/libktcore.so.11.0.4
    denied for /usr/bin/ktorrent
    [  825.935899] ERROR: Access read /usr/lib/libktcore.so.11.0.4
    denied for /usr/bin/ktorrent

Is there an equivalent of *setenforce*? We should use something like
that to easily switch it to learning mode until the user feels the full
and final policy is ready. Another approach could be to run tomld right
after init on first setup (during system start) in learning mode.
That'll allow it to learn all services and other apps behavior and
create the correct policy.

* There should also be a '-u' switch which should allow addition of new
learnt rules without discarding all the old rules. Or is it already there?

That's all for now. Again, thank you for creating this. Please put some
git repo so that no history is lost.

-- 
Ritesh Raj Sarraf
RESEARCHUT - http://www.researchut.com
"Necessity is the mother of invention."
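The traceback in the report above comes from readlink() on a /proc/<pid>/fd entry that disappeared between listing the directory and reading the link. The following is an added example (my code, not tomld's) of the same scan written to tolerate that race; the proc_root and readlink parameters and the constructed tree in demo() are assumptions so it can run offline.

```python
import errno
import os
import shutil
import tempfile
VANISHED = (errno.ENOENT, errno.ESRCH)  # process or descriptor is gone: skip it

def socket_inodes(proc_root="/proc", pids=None, readlink=os.readlink):
    """Map pid -> set of socket inode numbers open under proc_root/<pid>/fd."""
    # proc_root/readlink are parameters only so the scan can run on a
    # constructed tree; a real caller passes nothing and scans /proc.
    if pids is None:
        pids = [name for name in os.listdir(proc_root) if name.isdigit()]
    result = {}
    for pid in pids:
        fd_dir = os.path.join(proc_root, str(pid), "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError as exc:
            if exc.errno in VANISHED:  # process exited after its pid was listed
                continue
            raise
        inodes = set()
        for fd in fds:
            try:
                target = readlink(os.path.join(fd_dir, fd))
            except OSError as exc:
                if exc.errno in VANISHED:  # fd closed between listdir() and
                    continue               # readlink(): the traceback's case
                raise
            if target.startswith("socket:[") and target.endswith("]"):
                inodes.add(int(target[len("socket:["):-1]))
        result[str(pid)] = inodes
    return result

def demo():
    """Constructed tree: pid 5113 holds two sockets, one vanishes mid-scan; pid 42 already exited."""
    root = tempfile.mkdtemp()
    fd_dir = os.path.join(root, "5113", "fd")
    os.makedirs(fd_dir)
    os.symlink("socket:[7777]", os.path.join(fd_dir, "0"))
    os.symlink("socket:[9999]", os.path.join(fd_dir, "3"))
    os.makedirs(os.path.join(root, "42"))  # pid dir without fd/: process is gone
    def racy_readlink(path):
        if path.endswith("/fd/3"):
            os.unlink(path)  # simulate the descriptor closing under us
        return os.readlink(path)
    try:
        return socket_inodes(root, readlink=racy_readlink)
    finally:
        shutil.rmtree(root)
```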
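As an added example (my code, not tomld's or anything from this thread) of the two suggestions above, the '-u' merge of newly learnt rules and a setenforce-style switch, working on the tomoyo 1.7 domain policy text that tomld's stat regex reads (a `<kernel>` header, a `use_profile` line, then `allow_` rules); the profile numbering (1 learning, 3 enforcing) and the two sample policies are assumptions.

```python
# Domain policy text: "<kernel> ..." header, "use_profile N", then "allow_..." rules.
def parse_policy(text):
    """Return {domain header: {"profile": int or None, "rules": [str]}} in file order."""
    domains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):
            current = domains.setdefault(line, {"profile": None, "rules": []})
        elif current is None:
            continue  # rule before any domain header: ignore
        elif line.startswith("use_profile "):
            current["profile"] = int(line.split()[1])
        elif line not in current["rules"]:
            current["rules"].append(line)
    return domains

def format_policy(domains):
    """Serialise parse_policy() output back to the text form."""
    out = []
    for header, body in domains.items():
        out.append(header)
        if body["profile"] is not None:
            out.append("use_profile %d" % body["profile"])
        out.append("")
        out.extend(body["rules"])
        out.append("")
    return "\n".join(out)

def merge_policies(old_text, learned_text):
    """The '-u' idea: add learnt rules, keep every old rule; old profiles win."""
    merged = parse_policy(old_text)
    for header, body in parse_policy(learned_text).items():
        target = merged.setdefault(header, {"profile": body["profile"], "rules": []})
        for rule in body["rules"]:
            if rule not in target["rules"]:
                target["rules"].append(rule)
    return merged

def set_profile(domains, profile):
    """The setenforce analogue: move every domain to one profile (assumed 1 = learning, 3 = enforcing)."""
    for body in domains.values():
        body["profile"] = profile
    return domains

# Constructed sample policies (paths taken from the denials quoted in the message).
OLD_POLICY = "<kernel> /usr/sbin/exim4\nuse_profile 3\n\nallow_read /etc/passwd\n"
LEARNED_POLICY = ("<kernel> /usr/sbin/exim4\nuse_profile 1\n\nallow_read /etc/passwd\n"
                  "allow_create /var/log/exim4/paniclog 0640\n\n"
                  "<kernel> /usr/bin/fdm\nuse_profile 1\n\nallow_read /etc/nsswitch.conf\n")
```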
