
Diff of /tags/htdocs/1.8/learning.html.en

revision 2757 by kumaneko, Mon Jul 13 07:05:32 2009 UTC revision 2758 by kumaneko, Mon Jul 13 08:06:53 2009 UTC
# Line 112  service httpd restart Line 112  service httpd restart
112    
113  <p>If the profile is configured as "TOMOYO-VERBOSE=enabled" (this is default), the "TOMOYO-WARNING:" messages will be printed to the console when policy violation occurs.</p>  <p>If the profile is configured as "TOMOYO-VERBOSE=enabled" (this is default), the "TOMOYO-WARNING:" messages will be printed to the console when policy violation occurs.</p>
114    
115  <p>If the "TOMOYO-WARNING:" messages are no longer printed when you have likely done everything you want Apache to allow, proceed to the next step.</p>  <p><img src="permissive-warning.png" width="720" height="400"></p>
116    
117    <p>If you have configured audit logs at <a href="initialize.html">Phase 2: Initializing TOMOYO Linux.</a>, you can pick up neccesary permissions from autit logs using "grep".</p>
118    
119    <table border="1">
120    <tr><td>
121    # grep -A 3 -F 'profile=2 mode=permissive' /var/log/tomoyo/reject_log.conf<br>
122    #2009-07-13 16:40:22# profile=2 mode=permissive pid=7131 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 state[0]=0 state[1]=0 state[2]=0<br>
123    &lt;kernel&gt; /usr/sbin/httpd<br>
124    allow_read /usr/share/horde/admin/sqlshell.php<br>
125    <br>
126    #2009-07-13 16:40:22# profile=2 mode=permissive pid=7131 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 state[0]=0 state[1]=0 state[2]=0<br>
127    &lt;kernel&gt; /usr/sbin/httpd<br>
128    allow_read /usr/share/pear/DB.php<br>
129    <br>
130    #2009-07-13 16:40:22# profile=2 mode=permissive pid=7131 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 state[0]=0 state[1]=0 state[2]=0<br>
131    &lt;kernel&gt; /usr/sbin/httpd<br>
132    allow_read /usr/lib/gconv/EUC-JP.so<br>
133    <br>
134    #2009-07-13 16:40:22# profile=2 mode=permissive pid=7131 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 state[0]=0 state[1]=0 state[2]=0<br>
135    &lt;kernel&gt; /usr/sbin/httpd<br>
136    allow_read /usr/lib/gconv/libJIS.so<br>
137    <br>
138    #2009-07-13 16:40:22# profile=2 mode=permissive pid=7131 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 state[0]=0 state[1]=0 state[2]=0<br>
139    &lt;kernel&gt; /usr/sbin/httpd<br>
140    allow_read /usr/share/horde/lib/Horde/CLI.php<br>
141    <br>
142    #2009-07-13 16:40:22# profile=2 mode=permissive pid=7132 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 state[0]=0 state[1]=0 state[2]=0<br>
143    &lt;kernel&gt; /usr/sbin/httpd<br>
144    allow_read /usr/share/horde/js/stripe.js
145    </td></tr>
146    </table>
147    
148    <p>You can compress these logs using "ccs-sortpolicy" command.</p>
149    
150    <table border="1">
151    <tr><td>
152    # grep -A 3 -F 'profile=2 mode=permissive' /var/log/tomoyo/reject_log.conf | /usr/sbin/ccs-sortpolicy<br>
153    &lt;kernel&gt; /usr/sbin/httpd<br>
154    <br>
155    #2009-07-13 16:40:22# profile=2 mode=permissive pid=7131 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 state[0]=0 state[1]=0 state[2]=0<br>
156    #2009-07-13 16:40:22# profile=2 mode=permissive pid=7132 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 state[0]=0 state[1]=0 state[2]=0<br>
157    allow_read /usr/lib/gconv/EUC-JP.so<br>
158    allow_read /usr/lib/gconv/libJIS.so<br>
159    allow_read /usr/share/horde/admin/sqlshell.php<br>
160    allow_read /usr/share/horde/js/stripe.js<br>
161    allow_read /usr/share/horde/lib/Horde/CLI.php<br>
162    allow_read /usr/share/pear/DB.php
163    </td></tr>
164    </table>
165    
166    <p>You can save the compressed logs into a temporary file. Then, you can edit as you need and append to currently used policy in the kernel using "ccs-loadpolicy". ccs-editpolicy's "-" option means read from stdin, "d" option means domain_policy.conf .</p>
167    
168    <table border="1">
169    <tr><td>
170    # grep -A 3 -F 'profile=2 mode=permissive' /var/log/tomoyo/reject_log.conf | /usr/sbin/ccs-sortpolicy &gt; ~/rejected.log<br>
171    # emacs ~/rejected.log<br>
172    # ccs-loadpolicy -d &lt; ~/rejected.log
173    </td></tr>
174    </table>
175    
176    <p>If the "TOMOYO-WARNING:" messages are no longer printed after you have likely done everything you want Apache to allow, proceed to the next step.</p>
177    
178  <p>If your purpose of using TOMOYO Linux is for just analysis, this point is the goal of this proceedure.</p>  <p>If your purpose of using TOMOYO Linux is for just analysis, this point is the goal of this proceedure.</p>
179    
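Review bot: the prose at line 166 of the added text names the wrong tool: it says "ccs-editpolicy's "-" option means read from stdin, "d" option means domain_policy.conf", but the command in the box at line 172 is `ccs-loadpolicy -d < ~/rejected.log`, so the sentence should read "ccs-loadpolicy's "-" option ..." (the two characters of `-d` are the stdin flag and the domain-policy selector of ccs-loadpolicy). Two typos in the same hunk at line 117: "neccesary" should be "necessary" and "autit logs" should be "audit logs". Two caveats worth a sentence each: `grep -A 3` emits a `--` separator line between non-adjacent groups, so if /var/log/tomoyo/reject_log.conf also contains entries for other profiles or modes the piped input to ccs-sortpolicy will carry those `--` lines and the reader should filter them (for example `grep -v '^--$'`) before loading; and because everything in reject_log.conf is what httpd actually attempted while in permissive mode, the "edit as you need" step at line 171 is the only point at which access generated by unwanted requests is kept out of the policy, so it should be stated as a required review rather than an optional one (the sample output at line 159 shows admin/sqlshell.php being granted, which is exactly the kind of line a reader should be told to look at twice).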
