On 03/21/2011 12:05 AM, Horvath Andras wrote:
> I'd like to announce my new project that I created recently building
> on Tomoyo module.
>
> The goal is a fully automatic MAC configuration solution.

Thanks a ton. This is really going to make tomoyo rock.

Comments:

* No Exception:

22:21:29 rrs at champaran:~$ sudo ./tomld.py --reset -c
tomld (tomoyo learning daemon) 0.15
platform is debian wheezy/sid
tomoyo kernel mode is active
* resetting domain configurations on demand
are you sure? [yes/No] yes
* exception domains
/bin/sh
/bin/bash
/bin/dash
/usr/sbin/sshd
* processes using network
/usr/sbin/vpnc
* checking policy and rules
/usr/sbin/vpnc, no domain, create domain (restart needed), no rule, create rule with learning mode on
* whole running cycle took 0.24s, sleeping 10s between every cycle
* new processes using network
/usr/bin/ktorrent
..* new processes using network
/usr/sbin/exim4
.* new processes using network
/usr/sbin/dnsmasq
/usr/bin/host
./usr/bin/host, no domain, create domain, no rule, create rule with learning mode on
..............* new processes using network
/usr/bin/fdm
Traceback (most recent call last):
  File "./tomld.py", line 1316, in <module>
    d5 = os.readlink(d4)
OSError: [Errno 2] No such file or directory: '/proc/5113/fd/3'

* I changed this to make it work with debian wheezy/sid:

supp = ["debian 6.", "debian wheezy/sid", "ubuntu 10.10."]

* There's no need to install the patch package, linux-patch-tomoyo1.7. tomoyo is already enabled in the Debian kernel.
23:01:11 rrs at champaran:/tmp$ diff tomld.py /home/rrs/tomld.py
30d29
< # - show statistics about active domains and rules on exit
153c152
< supp = ["debian 6.", "ubuntu 10.10."]
---
> supp = ["debian 6.", "debian wheezy/sid", "ubuntu 10.10."]
612,615d610
< # stat
< d = re.findall("^<kernel>.*$\n+use_profile +[1-3] *$", tdomf, re.M)
< r = re.findall("^allow_", tdomf, re.M)
< color(str(len(d)) + " active domains, " + str(len(r)) + " rules")
1160c1155
< if not (package_d(tpak1) and package_d(tpak2)):
---
> if not package_d(tpak2):
1162c1157
< color("install packages (" + tpak1 + ", " + tpak2 + ") and reboot the system with " \
---
> color("install packages (" + tpak2 + ") and reboot the system with " \
1172c1167
< os.system(comm + " install " + tpak1 + " " + tpak2)
---
> os.system(comm + " install " + tpak2)

* After running step 2, you ask the user to stop and reboot to boot in 'enforcing mode'. Many things are breaking here. For me: exim4, dnsmasq, dbus, ktorrent - all broke. These are the errors I got (not complete, there'll be many many more):

[ 96.910337] ERROR: Access read/write /var/spool/exim4/input/1Q1i7G-00014r-0m-D denied for /usr/sbin/exim4
[ 121.620620] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
[ 121.620726] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
[ 154.144437] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
[ 154.144477] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
[ 174.277939] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
[ 174.278047] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
[ 186.918465] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
[ 186.918571] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
[ 201.839392] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
[ 201.839501] ERROR: Access read /etc/host.conf denied for /usr/bin/fdm
[ 201.839626] ERROR: Access read /lib/init/rw/resolvconf/resolv.conf denied for /usr/bin/fdm
[ 201.839992] ERROR: Access read /lib/init/rw/resolvconf/resolv.conf denied for /usr/bin/fdm
[ 201.840746] ERROR: Access read /etc/hosts denied for /usr/bin/fdm
[ 201.840905] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
[ 201.841417] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
[ 201.841747] ERROR: Access read /etc/passwd denied for /usr/bin/fdm
[ 201.841854] ERROR: Access read /etc/passwd denied for /usr/bin/fdm
[ 207.862719] ERROR: Access ioctl /dev/null 0x5401 denied for /usr/sbin/exim4
[ 207.862800] ERROR: Access read /var/lib/exim4/config.autogenerated.tmp denied for /usr/sbin/exim4
[ 207.863908] ERROR: Access create /var/log/exim4/paniclog 0640 denied for /usr/sbin/exim4
[ 233.684510] ERROR: Access ioctl /dev/null 0x5401 denied for /usr/sbin/exim4
[ 233.684712] ERROR: Access read /var/lib/exim4/config.autogenerated.tmp denied for /usr/sbin/exim4
[ 233.688033] ERROR: Access create /var/log/exim4/paniclog 0640 denied for /usr/sbin/exim4
[ 349.302234] ERROR: Access ioctl /dev/null 0x5401 denied for /usr/sbin/exim4
[ 349.302341] ERROR: Access read /var/lib/exim4/config.autogenerated.tmp denied for /usr/sbin/exim4
[ 349.306666] ERROR: Access create /var/log/exim4/paniclog 0640 denied for /usr/sbin/exim4
[ 501.869845] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
[ 501.869954] ERROR: Access read /etc/host.conf denied for /usr/bin/fdm
[ 501.870078] ERROR: Access read /lib/init/rw/resolvconf/resolv.conf denied for /usr/bin/fdm
[ 501.870432] ERROR: Access read /lib/init/rw/resolvconf/resolv.conf denied for /usr/bin/fdm
[ 501.871082] ERROR: Access read /etc/hosts denied for /usr/bin/fdm
[ 501.871236] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
[ 501.871726] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
[ 501.872163] ERROR: Access read /etc/passwd denied for /usr/bin/fdm
[ 501.872274] ERROR: Access read /etc/passwd denied for /usr/bin/fdm
[ 737.411262] start_kdeinit (5972): /proc/5974/oom_adj is deprecated, please use /proc/5974/oom_score_adj instead.
[ 744.237066] EXT4-fs (dm-0): re-mounted. Opts: acl,user_xattr,delalloc,errors=remount-ro,commit=0
[ 760.405858] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/bin/pidgin
[ 760.405900] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/bin/pidgin
[ 774.398148] ERROR: Access read /usr/share/davmail/davmail.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.464194] ERROR: Access read /usr/lib/java/swt-gtk-3.5.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.464842] ERROR: Access read /usr/share/davmail/lib/activation-1.1.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.465038] ERROR: Access read /usr/share/davmail/lib/commons-codec-1.3.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.465235] ERROR: Access read /usr/share/davmail/lib/commons-collections-3.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.465432] ERROR: Access read /usr/share/davmail/lib/commons-httpclient-3.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.465631] ERROR: Access read /usr/share/davmail/lib/commons-logging-1.0.4.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.465824] ERROR: Access read /usr/share/davmail/lib/htmlcleaner-2.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.466019] ERROR: Access read /usr/share/davmail/lib/jackrabbit-webdav-1.4.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.466206] ERROR: Access read /usr/share/davmail/lib/jcharset-1.3.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.466395] ERROR: Access read /usr/share/davmail/lib/jcifs-1.3.14.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.466579] ERROR: Access read /usr/share/davmail/lib/jdom-1.0.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.466773] ERROR: Access read /usr/share/davmail/lib/junit-3.8.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.466965] ERROR: Access read /usr/share/davmail/lib/log4j-1.2.15.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.467151] ERROR: Access read /usr/share/davmail/lib/mail-1.4.3.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.467346] ERROR: Access read /usr/share/davmail/lib/slf4j-api-1.3.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.467553] ERROR: Access read /usr/share/davmail/lib/slf4j-log4j12-1.3.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.467744] ERROR: Access read /usr/share/davmail/lib/stax-api-1.0.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.467935] ERROR: Access read /usr/share/davmail/lib/stax2-api-3.0.3.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.468184] ERROR: Access read /usr/share/davmail/lib/woodstox-core-asl-4.0.9.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 774.468391] ERROR: Access read /usr/share/davmail/lib/xercesImpl-2.8.1.jar denied for /usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/java
[ 801.925413] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
[ 801.925526] ERROR: Access read /etc/host.conf denied for /usr/bin/fdm
[ 801.925651] ERROR: Access read /lib/init/rw/resolvconf/resolv.conf denied for /usr/bin/fdm
[ 801.926078] ERROR: Access read /lib/init/rw/resolvconf/resolv.conf denied for /usr/bin/fdm
[ 801.926791] ERROR: Access read /etc/hosts denied for /usr/bin/fdm
[ 801.926957] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
[ 801.927477] ERROR: Access read /etc/nsswitch.conf denied for /usr/bin/fdm
[ 801.927836] ERROR: Access read /etc/passwd denied for /usr/bin/fdm
[ 801.927944] ERROR: Access read /etc/passwd denied for /usr/bin/fdm
[ 825.935742] ERROR: Access read /usr/lib/libktcore.so.11.0.4 denied for /usr/bin/ktorrent
[ 825.935899] ERROR: Access read /usr/lib/libktcore.so.11.0.4 denied for /usr/bin/ktorrent

Is there an equivalent of setenforce? We should use something like that to easily switch it to learning mode until the user feels the full and final policy is ready.

Another approach could be to run tomld right after init on first setup (during system start) in learning mode. That'll allow it to learn all services' and other apps' behavior and create the correct policy.

* There should also be a '-u' switch which should allow addition of new learnt rules without discarding all the old rules. Or is it already there?

That's all for now. Again, thank you for creating this. Please put some git repo so that no history is lost.

-- 
Ritesh Raj Sarraf
RESEARCHUT - http://www.researchut.com
"Necessity is the mother of invention."
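Review bot: at 153c152 the new entry "debian wheezy/sid" is one more literal string in the supp list, so the platform check will fail again as soon as the distribution identifier changes (the existing "debian 6." and "ubuntu 10.10." entries are equally brittle); the daemon separately reports "tomoyo kernel mode is active", so gating on that kernel check, or at least on a "debian" prefix match, would avoid maintaining the list per release.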
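Review bot: the relaxed check at 1160c1155, with the matching message and install command at 1162c1157 and 1172c1167, drops the tpak1 requirement for every platform in supp, while the justification given ("tomoyo is already enabled in the Debian kernel") only covers Debian; keep `if not (package_d(tpak1) and package_d(tpak2)):` for the other entries and use `if not package_d(tpak2):` only where the platform, or better the kernel-mode check, says TOMOYO is already available.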
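Review bot: the hunks at 30d29 and 612,615d610 delete the statistics feature (the changelog line "show statistics about active domains and rules on exit" and the two re.findall calls over tdomf that print the domain and rule counts), which has nothing to do with the wheezy/sid fix; since the diff runs from the /tmp copy towards /home/rrs/tomld.py, this looks like the home copy being older rather than an intended removal, so regenerate the diff against the same base, or send only the supp and tpak1 hunks, so that whoever merges it does not apply the deletions.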
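The traceback in the message (os.readlink on /proc/5113/fd/3 failing with ENOENT) is the usual /proc race: the descriptor, or the whole process, went away between listing the fd directory and reading the link. The following is an added example, not tomld's code, of how a "processes using network" scan can tolerate that: it takes socket inode numbers from /proc/net/tcp text, walks /proc/<pid>/fd, and treats ENOENT, ESRCH and EACCES as "no information" instead of crashing. The /proc/net/tcp sample and the /proc look-alike directory tree are constructed for the demo; the pids and paths in them are made up and do not correspond to the run above.

```python
import errno
import os
import tempfile

# Constructed sample in the layout of /proc/net/tcp; the inode is the 10th column.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4242 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4343 1 0000000000000000 100 0 0 10 0
"""

# Errors that mean "the process or fd is gone, or not ours to look at", not "bug".
GONE = (errno.ENOENT, errno.ESRCH, errno.EACCES)


def socket_inodes(proc_net_text):
    """Collect the socket inode numbers listed in /proc/net/{tcp,udp,...} text."""
    inodes = set()
    for line in proc_net_text.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) > 9 and fields[9] != "0":
            inodes.add(fields[9])
    return inodes


def readlink_or_none(path):
    """readlink that reports a vanished target as None instead of raising.

    This is the spot where tomld.py 0.15 crashed: the fd entry was listed a
    moment earlier but had been closed by the time readlink ran.
    """
    try:
        return os.readlink(path)
    except OSError as e:
        if e.errno in GONE:
            return None
        raise


def fd_socket_inodes(pid_dir):
    """Socket inodes one process holds open; tolerant of it exiting mid-scan."""
    fd_dir = os.path.join(pid_dir, "fd")
    try:
        names = os.listdir(fd_dir)
    except OSError as e:
        if e.errno in GONE:
            return set()  # process exited between the pid listing and this call
        raise
    found = set()
    for name in names:
        target = readlink_or_none(os.path.join(fd_dir, name))
        if target and target.startswith("socket:["):
            found.add(target[len("socket:["):-1])
    return found


def processes_using_network(proc_root, inodes):
    """Map pid -> executable for every process holding one of the given socket inodes."""
    result = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue  # /proc/net, /proc/sys and friends are not processes
        pid_dir = os.path.join(proc_root, name)
        if fd_socket_inodes(pid_dir) & inodes:
            exe = readlink_or_none(os.path.join(pid_dir, "exe"))
            if exe:  # no readable exe: exited meanwhile, or not ours to inspect
                result[int(name)] = exe
    return result


def build_fake_proc(root):
    """Constructed /proc look-alike (hypothetical pids and paths): a daemon with a
    listening socket, a process with only plain files open, one whose fd directory
    already vanished, and one holding a socket but with no exe link left."""
    def pid(n, fds, exe=None, make_fd_dir=True):
        d = os.path.join(root, str(n))
        os.makedirs(os.path.join(d, "fd") if make_fd_dir else d)
        for num, target in fds.items():
            os.symlink(target, os.path.join(d, "fd", str(num)))
        if exe:
            os.symlink(exe, os.path.join(d, "exe"))
    pid(4711, {0: "/dev/null", 3: "socket:[4242]"}, exe="/usr/sbin/vpnc")
    pid(4712, {0: "/dev/null", 1: "/tmp/x"}, exe="/usr/bin/host")
    pid(5113, {}, exe="/usr/bin/fdm", make_fd_dir=False)  # the race from the traceback
    pid(4800, {3: "socket:[4343]"})  # exe gone: exited after its fds were listed
    os.makedirs(os.path.join(root, "net"))  # non-pid entry that must be skipped


def demo():
    """Run the scan over the constructed tree; returns {4711: '/usr/sbin/vpnc'}."""
    root = tempfile.mkdtemp()
    build_fake_proc(root)
    return processes_using_network(root, socket_inodes(SAMPLE_PROC_NET_TCP))


if __name__ == "__main__":
    print(demo())
```

On a real system the same functions run against /proc with the inode set taken from /proc/net/tcp, /proc/net/tcp6, /proc/net/udp and /proc/net/udp6 together; the whitelist of errno values is the whole point, since everything else (EINVAL, EIO) is still a real error worth surfacing.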
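The denial messages above and the requested '-u' switch share one mechanism: each "ERROR: Access <op> <args> denied for <exe>" line maps to the matching allow_ rule, and the new rules have to be merged into the existing domain policy without dropping what is already there. Below is an added example of that merge, not tomld's own code. It assumes the TOMOYO 2.3 "allow_<op> <args>" rule syntax that the ^allow_ regex in the diff targets, assumes profile 1 is the learning profile for domains the policy has not seen yet, and treats the denied executable as the whole domain name ("<kernel> /usr/sbin/exim4"); real domains carry the full exec chain, so on a live system the domain should be looked up in /sys/kernel/security/tomoyo/domain_policy first. The dmesg excerpt and the starting policy are constructed samples.

```python
import re
from collections import OrderedDict

# Constructed excerpt in the format of the kernel messages quoted in the mail.
SAMPLE_DMESG = """\
[   96.910337] ERROR: Access read/write /var/spool/exim4/input/1Q1i7G-00014r-0m-D denied for /usr/sbin/exim4
[  121.620620] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
[  121.620726] ERROR: Access read /lib/libdbus-1.so.3.5.4 denied for /usr/sbin/dnsmasq
[  201.841747] ERROR: Access read /etc/passwd denied for /usr/bin/fdm
[  207.862719] ERROR: Access ioctl /dev/null 0x5401 denied for /usr/sbin/exim4
[  207.863908] ERROR: Access create /var/log/exim4/paniclog 0640 denied for /usr/sbin/exim4
[  737.411262] start_kdeinit (5972): /proc/5974/oom_adj is deprecated, please use /proc/5974/oom_score_adj instead.
"""

# Constructed starting policy in TOMOYO 2.3 domain_policy syntax (hypothetical rules).
EXISTING_POLICY = """\
<kernel> /usr/sbin/exim4
use_profile 3
allow_read /etc/passwd
allow_ioctl /dev/null 0x5401

<kernel> /usr/sbin/sshd
use_profile 3
allow_read /etc/ssh/sshd_config
"""

DENIAL_RE = re.compile(r"ERROR: Access (\S+) (.+?) denied for (\S+)\s*$")


def denials_to_rules(dmesg_text):
    """Map each denial line to (domain, rule); unrelated kernel lines are ignored.

    Assumption: the denied executable is the whole domain, '<kernel> /path'.
    """
    rules = []
    for line in dmesg_text.splitlines():
        m = DENIAL_RE.search(line)
        if not m:
            continue  # e.g. the oom_adj deprecation warning
        op, args, exe = m.groups()
        rules.append(("<kernel> " + exe, "allow_%s %s" % (op, args)))
    return rules


def parse_policy(text):
    """Parse domain_policy text into OrderedDict domain -> {'profile', 'rules'}."""
    domains = OrderedDict()
    cur = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):
            cur = domains.setdefault(line, {"profile": None, "rules": []})
        elif cur is None:
            raise ValueError("rule before any domain header: %r" % line)
        elif line.startswith("use_profile "):
            cur["profile"] = int(line.split()[1])
        elif line not in cur["rules"]:
            cur["rules"].append(line)
    return domains


def merge_rules(domains, new_rules, new_domain_profile=1):
    """Add rules in place without discarding existing ones; returns the number added.

    Domains not yet in the policy start in the learning profile (assumed to be 1)
    rather than silently inheriting enforcing mode.
    """
    added = 0
    for domain, rule in new_rules:
        d = domains.setdefault(domain, {"profile": new_domain_profile, "rules": []})
        if rule not in d["rules"]:
            d["rules"].append(rule)
            added += 1
    return added


def dump_policy(domains):
    """Serialize back to domain_policy layout: header, use_profile, rules, blank line."""
    blocks = []
    for domain, d in domains.items():
        lines = [domain]
        if d["profile"] is not None:
            lines.append("use_profile %d" % d["profile"])
        lines.extend(d["rules"])
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


def update_policy(policy_text, dmesg_text):
    """The '-u' behaviour: old rules kept, new ones merged; returns (text, added)."""
    domains = parse_policy(policy_text)
    added = merge_rules(domains, denials_to_rules(dmesg_text))
    return dump_policy(domains), added


if __name__ == "__main__":
    text, added = update_policy(EXISTING_POLICY, SAMPLE_DMESG)
    print("%d rules added" % added)
    print(text)
```

The dedup in parse_policy and merge_rules is what makes repeated runs safe: the same denial logged nine times, as with libdbus above, yields one rule, and rerunning over the same dmesg adds nothing.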