<p>If the profile is configured as "TOMOYO-VERBOSE=enabled" (this is the default), "TOMOYO-WARNING:" messages are printed to the console whenever a policy violation occurs.</p>
<p>If the "TOMOYO-WARNING:" messages are no longer printed when you have likely done everything you want Apache to allow, proceed to the next step.</p>
<p><img src="permissive-warning.png" width="720" height="400"></p>
<p>If you have configured audit logs at <a href="initialize.html">Phase 2: Initializing TOMOYO Linux.</a>, you can pick up the necessary permissions from the audit logs using "grep".</p>
<table border="1">
<tr><td>
# grep -A 3 -F 'profile=2 mode=permissive' /var/log/tomoyo/reject_log.conf<br>
#2009-07-13 16:40:22# profile=2 mode=permissive pid=7131 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 state[0]=0 state[1]=0 state[2]=0<br>
&lt;kernel&gt; /usr/sbin/httpd<br>
allow_read /usr/share/horde/admin/sqlshell.php<br>
<br>
#2009-07-13 16:40:22# profile=2 mode=permissive pid=7131 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 state[0]=0 state[1]=0 state[2]=0<br>
&lt;kernel&gt; /usr/sbin/httpd<br>
allow_read /usr/share/pear/DB.php<br>
<br>
#2009-07-13 16:40:22# profile=2 mode=permissive pid=7131 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 state[0]=0 state[1]=0 state[2]=0<br>
&lt;kernel&gt; /usr/sbin/httpd<br>
allow_read /usr/lib/gconv/EUC-JP.so<br>
<br>
#2009-07-13 16:40:22# profile=2 mode=permissive pid=7131 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 state[0]=0 state[1]=0 state[2]=0<br>
&lt;kernel&gt; /usr/sbin/httpd<br>
allow_read /usr/lib/gconv/libJIS.so<br>
<br>
#2009-07-13 16:40:22# profile=2 mode=permissive pid=7131 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 state[0]=0 state[1]=0 state[2]=0<br>
&lt;kernel&gt; /usr/sbin/httpd<br>
allow_read /usr/share/horde/lib/Horde/CLI.php<br>
<br>
#2009-07-13 16:40:22# profile=2 mode=permissive pid=7132 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 state[0]=0 state[1]=0 state[2]=0<br>
&lt;kernel&gt; /usr/sbin/httpd<br>
allow_read /usr/share/horde/js/stripe.js
</td></tr>
</table>
<p>You can compress these logs using the "ccs-sortpolicy" command, which merges the entries that belong to the same domain, removes duplicate lines and sorts the rest.</p>
<table border="1">
<tr><td>
# grep -A 3 -F 'profile=2 mode=permissive' /var/log/tomoyo/reject_log.conf | /usr/sbin/ccs-sortpolicy<br>
&lt;kernel&gt; /usr/sbin/httpd<br>
<br>
#2009-07-13 16:40:22# profile=2 mode=permissive pid=7131 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 state[0]=0 state[1]=0 state[2]=0<br>
#2009-07-13 16:40:22# profile=2 mode=permissive pid=7132 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 state[0]=0 state[1]=0 state[2]=0<br>
allow_read /usr/lib/gconv/EUC-JP.so<br>
allow_read /usr/lib/gconv/libJIS.so<br>
allow_read /usr/share/horde/admin/sqlshell.php<br>
allow_read /usr/share/horde/js/stripe.js<br>
allow_read /usr/share/horde/lib/Horde/CLI.php<br>
allow_read /usr/share/pear/DB.php
</td></tr>
</table>
<p>You can save the compressed logs into a temporary file, edit them as needed, and then append them to the policy currently used by the kernel with "ccs-loadpolicy". ccs-loadpolicy's "-" option means read from stdin, and the "d" option means domain_policy.conf.</p>
<table border="1">
<tr><td>
# grep -A 3 -F 'profile=2 mode=permissive' /var/log/tomoyo/reject_log.conf | /usr/sbin/ccs-sortpolicy > ~/rejected.log<br>
# emacs ~/rejected.log<br>
# ccs-loadpolicy -d < ~/rejected.log
</td></tr>
</table>
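<p>As an added example (not part of this tutorial and not ccs-tools code), the Python script below imitates what the grep and ccs-sortpolicy steps above do, run on a constructed excerpt in the reject_log.conf layout: it keeps only the entries whose header carries the chosen profile and mode, merges the entries of each domain, drops duplicate lines, sorts them, and renders the result in the domain_policy.conf layout that ccs-loadpolicy -d reads from stdin. The sample log, its pids and its paths are constructed for the example.</p>

```python
"""Merge TOMOYO reject-log entries into domain-policy form.

Added example for this tutorial; it is not ccs-tools code. It imitates the
effect of the page's pipeline
    grep -A 3 -F 'profile=2 mode=permissive' reject_log.conf | ccs-sortpolicy
on a constructed excerpt.
"""
import re
from collections import OrderedDict

# Constructed sample in the layout of /var/log/tomoyo/reject_log.conf shown on
# the page: field names are the real ones, pids and paths are illustrative.
SAMPLE_LOG = """\
#2009-07-13 16:40:22# profile=2 mode=permissive pid=7131 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 state[0]=0 state[1]=0 state[2]=0
<kernel> /usr/sbin/httpd
allow_read /usr/share/pear/DB.php

#2009-07-13 16:40:22# profile=2 mode=permissive pid=7131 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 state[0]=0 state[1]=0 state[2]=0
<kernel> /usr/sbin/httpd
allow_read /usr/lib/gconv/EUC-JP.so

#2009-07-13 16:40:23# profile=2 mode=permissive pid=7132 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 state[0]=0 state[1]=0 state[2]=0
<kernel> /usr/sbin/httpd
allow_read /usr/share/pear/DB.php

#2009-07-13 16:41:00# profile=1 mode=learning pid=7200 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /usr/sbin/httpd /bin/sh
allow_execute /bin/ls
"""

# "#<timestamp># key=value key=value ..." header line of each 3-line entry
HEADER_RE = re.compile(r"^#(?P<time>[^#]+)# (?P<fields>.*)$")


def parse_reject_log(text):
    """Yield (header_line, header_fields, domain, permission) per entry."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m or i + 2 >= len(lines):
            i += 1          # blank separator or truncated tail: skip it
            continue
        fields = dict(kv.split("=", 1)
                      for kv in m.group("fields").split() if "=" in kv)
        domain, permission = lines[i + 1], lines[i + 2]
        if domain.startswith("<kernel>") and permission.strip():
            yield lines[i], fields, domain, permission
        i += 3


def sort_policy(text, profile="2", mode="permissive"):
    """Group log lines by domain, like `grep ... | ccs-sortpolicy`.

    Keeps only entries whose header carries the requested profile and mode
    (the page's grep -F filter), then returns an ordered mapping
    domain -> sorted unique lines. Because '#' sorts before 'a', the header
    comments land above the allow_* lines, as in the ccs-sortpolicy output.
    """
    merged = OrderedDict()
    for header, fields, domain, permission in parse_reject_log(text):
        if fields.get("profile") != profile or fields.get("mode") != mode:
            continue
        merged.setdefault(domain, set()).update((header, permission))
    return OrderedDict((d, sorted(s)) for d, s in merged.items())


def render_domain_policy(merged):
    """Render the merged mapping in domain_policy.conf layout."""
    out = []
    for domain, body in merged.items():
        out.append(domain)
        out.append("")
        out.extend(body)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    # Equivalent of redirecting the pipeline into ~/rejected.log for review.
    print(render_domain_policy(sort_policy(SAMPLE_LOG)))
```

<p>The review of the merged list is the step that matters: once loaded with ccs-loadpolicy, every remaining allow_ line is a permission the kernel grants to that domain, so lines that were only needed during setup should be removed from the temporary file before loading.</p>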
<p>If the "TOMOYO-WARNING:" messages are no longer printed after you have likely done everything you want Apache to allow, proceed to the next step.</p>
<p>If your purpose in using TOMOYO Linux is just analysis, this point is the goal of this procedure.</p>