htdocs/1.8/learning.html.en

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta http-equiv="Content-Style-Type" content="text/css">
<title>TOMOYO Linux Install manual</title>
<link rel="stylesheet" href="http://tomoyo.sourceforge.jp/tomoyo.css" media="all" type="text/css">
</head>
<body>
<p style="text-align:right;"><a href="learning.html.ja">Japanese Page</a></p>
<p style="text-align:right;">Last modified: $Date$</p>
<h1>Phase 3: Learning your system's behavior.</h1>

<p>This page describes how to use TOMOYO Linux's learning mode.</p>

<hr>

<h2>Step 1: Creating domains</h2>

<p>After you rebooted the system with TOMOYO Linux kernels, login as root.</p>

<p>Decide what application to analyze/protect.</p>

<p>Below procedure is a case of Apache in CentOS 5.5 environment.</p>

<p>Start the target application.</p>

<table border="1">
<tr><td>
[root@tomoyo ~]# service httpd start
</td></tr>
</table>

<p>Let's start TOMOYO Linux's policy editor. Please note that this time, you don't need to pass /etc/ccs/ to the command line, for we directly edits TOMOYO Linux's policy currently used by the kernel.</p>

<p>In the CentOS 5.5 , Apache's program's location is /usr/sbin/httpd .<br>
Scroll the cursor using arrow-keys and/or Home/End/PageUp/PageDown keys to find the line /usr/sbin/httpd . In this picture, it is line 416.</p>

<p><img src="editpolicy-httpd-profile0.png" width="720" height="400"></p>

<p>If /usr/sbin/httpd is registered with "initialize_domain", a domain named "&lt;kernel&gt; /usr/sbin/httpd" is created by invoking /usr/sbin/httpd . If not registered, a child domain of invoker domain (for example, if you invoked from "&lt;kernel&gt; /usr/sbin/mingetty /bin/login /bin/bash", it is "&lt;kernel&gt; /usr/sbin/mingetty /bin/login /bin/bash /usr/sbin/httpd") is created. This manual assumes that /usr/sbin/httpd is registered with "initialize_domain".</p>

<p>Press 's' key and enter '1' and press 'Enter' key.</p>

<p><img src="editpolicy-httpd-set-profile1.png" width="720" height="400"></p>

<p>Now the profile number of the /usr/sbin/httpd has changed to 1.</p>

<p><img src="editpolicy-httpd-profile1.png" width="720" height="400"></p>

<p>Press '@' key to switch to process list. Verify that /usr/sbin/httpd processes are assigned profile number 1.</p>

<p><img src="editpolicy-httpd-process1.png" width="720" height="400"></p>

<p>Press 'q' key to quit the policy editor.</p>

<hr>

<h2>Step 2: Gathering necessary permissions</h2>

<p>Restart the Apache in order to learn necessary permissions for starting/finishing the Apache.</p>

<table border="1">
<tr><td>
[root@tomoyo ~]# service httpd restart
</td></tr>
</table>

<p>Run TOMOYO Linux's policy editor again and go to the /usr/sbin/httpd line. (Line number may be changed because new domains are added by programs executed by you and the system.)</p>

<p>Press 'Enter' key to browse the permissions gathered by now.</p>

<p><img src="editpolicy-httpd-acl1.png" width="720" height="400"></p>

<p>Press 'q' key to quit the policy editor. Do whatever you want to allow Apache.</p>

<p><img src="operation-learning.png" width="688" height="933"></p>

<p>Be sure to sometimes save policy, for necessary permissions are accumulated on only kernel memory. If you reboot the system, all gathered permissions will be lost.</p>

<p>To save the policy currently in the kernel onto the disk, use "ccs-savepolicy" command.</p>

<table border="1">
<tr><td>
[root@tomoyo ~]# /usr/sbin/ccs-savepolicy
</td></tr>
</table>

<p>By executing "ccs-savepolicy", two files ("exception_policy.conf", "domain_policy.conf") are created in the /etc/ccs/ directory. To be accurate, they are symbolic links to text files whose filenames contain the creation time.</p>

<p>To load the policy currently on the disk into the kernel, use "ccs-loadpolicy" command.</p>

<table border="1">
<tr><td>
[root@tomoyo ~]# /usr/sbin/ccs-loadpolicy af
</td></tr>
</table>

<p>The "a" option means load two files ("exception_policy.conf", "domain_policy.conf"). The "f" option means erase the policy currently in the kernel before loading the policy currently on the disk. If "f" is not given, the policy currently on the disk will be added to the policy currently in the kernel.</p>

<hr>

<h2>Step 3: Reviewing gathered permissions</h2>

<p>After you came to think you have done roughly everything you want to allow Apache to do, run the policy editor and change the profile number to 2. Note that Apache may have executed some external programs (e.g. /bin/sh , /usr/bin/perl , /usr/lib/sendmail) and thus has descendant domains. Be sure to change the profile number for descendant domains if any as well as the /usr/sbin/httpd domain.</p>

<p>Choose target domains and press 's' key and enter '2' and press 'Enter' key.</p>

<p><img src="editpolicy-httpd-set-profile2.png" width="720" height="400"></p>

<p>Now the profile number of the /usr/sbin/httpd and descendant has changed to 2.</p>

<p><img src="editpolicy-httpd-profile2.png" width="720" height="400"></p>

<p>Press 'q' key to quit the policy editor. Redo whatever you want to allow Apache to do.</p>

<p>If the profile is configured as "PREFERENCE::permissive={ verbose=yes }" (this is default), the "WARNING:" messages will be printed to the console when policy violation occurs.</p>

<p><img src="operation-permissive.png" width="688" height="622"></p>

<p><img src="permissive-warning.png" width="720" height="400"></p>

<p>If you have configured audit logs at <a href="initialize.html.en#configure_audit_daemon">Phase 2: Initializing TOMOYO Linux.</a>, you can pick up necessary permissions from audit logs using "grep".</p>

<table border="1">
<tr><td>
[root@tomoyo ~]# grep -A 3 -F 'profile=2 mode=permissive' /var/log/tomoyo/reject_log.conf<br>
#2010-01-12 16:11:32# profile=2 mode=permissive (global-pid=3039) task={ pid=3039 ppid=3034 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler }<br>
&lt;kernel&gt; /usr/sbin/httpd<br>
network inet stream accept 0:0:0:0:0:ffff:c0a8:801 1507<br>
<br>
#2010-01-12 16:11:32# profile=2 mode=permissive (global-pid=4641) task={ pid=4641 ppid=4637 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=603159 major=8 minor=1 perm=0755 type=file } path1.parent={ uid=0 gid=0 ino=589834 perm=0755 } exec={ realpath="/usr/bin/id" argc=1 envc=7 argv[]={ "id" } envp[]={ "TERM=linux" "PATH=/sbin:/usr/sbin:/bin:/usr/bin" "PWD=/usr/share/horde/admin" "LANG=en_US.UTF-8" "SHLVL=3" "LANGUAGE=en_US.UTF-8" "_=/usr/bin/id" } }<br>
&lt;kernel&gt; /usr/sbin/httpd /bin/sh<br>
file execute /usr/bin/id<br>
<br>
#2010-01-12 16:11:32# profile=2 mode=permissive (global-pid=4641) task={ pid=4641 ppid=4637 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=603159 major=8 minor=1 perm=0755 type=file } path1.parent={ uid=0 gid=0 ino=589834 perm=0755 } exec={ realpath="/usr/bin/id" argc=1 envc=7 argv[]={ "id" } envp[]={ "TERM=linux" "PATH=/sbin:/usr/sbin:/bin:/usr/bin" "PWD=/usr/share/horde/admin" "LANG=en_US.UTF-8" "SHLVL=3" "LANGUAGE=en_US.UTF-8" "_=/usr/bin/id" } }<br>
&lt;kernel&gt; /usr/sbin/httpd /bin/sh /usr/bin/id<br>
misc env TERM<br>
<br>
#2010-01-12 16:11:32# profile=2 mode=permissive (global-pid=4641) task={ pid=4641 ppid=4637 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=603159 major=8 minor=1 perm=0755 type=file } path1.parent={ uid=0 gid=0 ino=589834 perm=0755 } exec={ realpath="/usr/bin/id" argc=1 envc=7 argv[]={ "id" } envp[]={ "TERM=linux" "PATH=/sbin:/usr/sbin:/bin:/usr/bin" "PWD=/usr/share/horde/admin" "LANG=en_US.UTF-8" "SHLVL=3" "LANGUAGE=en_US.UTF-8" "_=/usr/bin/id" } }<br>
&lt;kernel&gt; /usr/sbin/httpd /bin/sh /usr/bin/id<br>
misc env PATH<br>
<br>
#2010-01-12 16:11:32# profile=2 mode=permissive (global-pid=4641) task={ pid=4641 ppid=4637 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=603159 major=8 minor=1 perm=0755 type=file } path1.parent={ uid=0 gid=0 ino=589834 perm=0755 } exec={ realpath="/usr/bin/id" argc=1 envc=7 argv[]={ "id" } envp[]={ "TERM=linux" "PATH=/sbin:/usr/sbin:/bin:/usr/bin" "PWD=/usr/share/horde/admin" "LANG=en_US.UTF-8" "SHLVL=3" "LANGUAGE=en_US.UTF-8" "_=/usr/bin/id" } }<br>
&lt;kernel&gt; /usr/sbin/httpd /bin/sh /usr/bin/id<br>
misc env PWD<br>
<br>
#2010-01-12 16:11:32# profile=2 mode=permissive (global-pid=4641) task={ pid=4641 ppid=4637 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=603159 major=8 minor=1 perm=0755 type=file } path1.parent={ uid=0 gid=0 ino=589834 perm=0755 } exec={ realpath="/usr/bin/id" argc=1 envc=7 argv[]={ "id" } envp[]={ "TERM=linux" "PATH=/sbin:/usr/sbin:/bin:/usr/bin" "PWD=/usr/share/horde/admin" "LANG=en_US.UTF-8" "SHLVL=3" "LANGUAGE=en_US.UTF-8" "_=/usr/bin/id" } }<br>
&lt;kernel&gt; /usr/sbin/httpd /bin/sh /usr/bin/id<br>
misc env LANG<br>
<br>
#2010-01-12 16:11:32# profile=2 mode=permissive (global-pid=4641) task={ pid=4641 ppid=4637 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=603159 major=8 minor=1 perm=0755 type=file } path1.parent={ uid=0 gid=0 ino=589834 perm=0755 } exec={ realpath="/usr/bin/id" argc=1 envc=7 argv[]={ "id" } envp[]={ "TERM=linux" "PATH=/sbin:/usr/sbin:/bin:/usr/bin" "PWD=/usr/share/horde/admin" "LANG=en_US.UTF-8" "SHLVL=3" "LANGUAGE=en_US.UTF-8" "_=/usr/bin/id" } }<br>
&lt;kernel&gt; /usr/sbin/httpd /bin/sh /usr/bin/id<br>
misc env SHLVL<br>
<br>
#2010-01-12 16:11:32# profile=2 mode=permissive (global-pid=4641) task={ pid=4641 ppid=4637 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=603159 major=8 minor=1 perm=0755 type=file } path1.parent={ uid=0 gid=0 ino=589834 perm=0755 } exec={ realpath="/usr/bin/id" argc=1 envc=7 argv[]={ "id" } envp[]={ "TERM=linux" "PATH=/sbin:/usr/sbin:/bin:/usr/bin" "PWD=/usr/share/horde/admin" "LANG=en_US.UTF-8" "SHLVL=3" "LANGUAGE=en_US.UTF-8" "_=/usr/bin/id" } }<br>
&lt;kernel&gt; /usr/sbin/httpd /bin/sh /usr/bin/id<br>
misc env LANGUAGE<br>
<br>
#2010-01-12 16:11:32# profile=2 mode=permissive (global-pid=4641) task={ pid=4641 ppid=4637 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=603159 major=8 minor=1 perm=0755 type=file } path1.parent={ uid=0 gid=0 ino=589834 perm=0755 } exec={ realpath="/usr/bin/id" argc=1 envc=7 argv[]={ "id" } envp[]={ "TERM=linux" "PATH=/sbin:/usr/sbin:/bin:/usr/bin" "PWD=/usr/share/horde/admin" "LANG=en_US.UTF-8" "SHLVL=3" "LANGUAGE=en_US.UTF-8" "_=/usr/bin/id" } }<br>
&lt;kernel&gt; /usr/sbin/httpd /bin/sh /usr/bin/id<br>
misc env _<br>
<br>
#2010-01-12 16:11:32# profile=2 mode=permissive (global-pid=4641) task={ pid=4641 ppid=4637 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=328251 major=8 minor=1 perm=0644 type=file } path1.parent={ uid=0 gid=0 ino=327965 perm=0755 }<br>
&lt;kernel&gt; /usr/sbin/httpd /bin/sh /usr/bin/id<br>
file read /etc/selinux/config<br>
<br>
#2010-01-12 16:11:32# profile=2 mode=permissive (global-pid=4641) task={ pid=4641 ppid=4637 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=12 major=0 minor=15 perm=0444 type=file } path1.parent={ uid=0 gid=0 ino=463 perm=0755 }<br>
&lt;kernel&gt; /usr/sbin/httpd /bin/sh /usr/bin/id<br>
file read /selinux/mls<br>
<br>
#2010-01-12 16:11:32# profile=2 mode=permissive (global-pid=4641) task={ pid=4641 ppid=4637 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=4026531844 major=0 minor=3 perm=0444 type=file } path1.parent={ uid=0 gid=0 ino=1 perm=0555 }<br>
&lt;kernel&gt; /usr/sbin/httpd /bin/sh /usr/bin/id<br>
file read /proc/filesystems<br>
<br>
#2010-01-12 16:11:32# profile=2 mode=permissive (global-pid=4641) task={ pid=4641 ppid=4637 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=605586 major=8 minor=1 perm=0644 type=file } path1.parent={ uid=0 gid=0 ino=589842 perm=0755 }<br>
&lt;kernel&gt; /usr/sbin/httpd /bin/sh /usr/bin/id<br>
file read /usr/lib/locale/locale-archive<br>
<br>
#2010-01-12 16:11:32# profile=2 mode=permissive (global-pid=4641) task={ pid=4641 ppid=4637 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=329303 major=8 minor=1 perm=0644 type=file } path1.parent={ uid=0 gid=0 ino=327681 perm=0755 }<br>
&lt;kernel&gt; /usr/sbin/httpd /bin/sh /usr/bin/id<br>
file read /etc/nsswitch.conf<br>
<br>
#2010-01-12 16:11:32# profile=2 mode=permissive (global-pid=4641) task={ pid=4641 ppid=4637 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=330197 major=8 minor=1 perm=0644 type=file } path1.parent={ uid=0 gid=0 ino=327681 perm=0755 }<br>
&lt;kernel&gt; /usr/sbin/httpd /bin/sh /usr/bin/id<br>
file read /etc/passwd<br>
<br>
#2010-01-12 16:11:32# profile=2 mode=permissive (global-pid=4641) task={ pid=4641 ppid=4637 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=330196 major=8 minor=1 perm=0644 type=file } path1.parent={ uid=0 gid=0 ino=327681 perm=0755 }<br>
&lt;kernel&gt; /usr/sbin/httpd /bin/sh /usr/bin/id<br>
file read /etc/group<br>
<br>
#2010-01-12 16:11:32# profile=2 mode=permissive (global-pid=4641) task={ pid=4641 ppid=4637 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=330196 major=8 minor=1 perm=0644 type=file } path1.parent={ uid=0 gid=0 ino=327681 perm=0755 }<br>
&lt;kernel&gt; /usr/sbin/httpd /bin/sh /usr/bin/id<br>
file read /etc/group
</td></tr>
</table>

<p>You can compress these logs using "ccs-sortpolicy" command.</p>

<table border="1">
<tr><td>
[root@tomoyo ~]# grep -A 3 -F 'profile=2 mode=permissive' /var/log/tomoyo/reject_log.conf | /usr/sbin/ccs-sortpolicy<br>
&lt;kernel&gt; /usr/sbin/httpd<br>
<br>
#2010-01-12 16:11:32# profile=2 mode=permissive (global-pid=4641) task={ pid=4641 ppid=4637 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=603159 major=8 minor=1 perm=0755 type=file } path1.parent={ uid=0 gid=0 ino=589834 perm=0755 } exec={ realpath="/usr/bin/id" argc=1 envc=7 argv[]={ "id" } envp[]={ "TERM=linux" "PATH=/sbin:/usr/sbin:/bin:/usr/bin" "PWD=/usr/share/horde/admin" "LANG=en_US.UTF-8" "SHLVL=3" "LANGUAGE=en_US.UTF-8" "_=/usr/bin/id" } }<br>
network inet stream accept 0:0:0:0:0:ffff:c0a8:801 1507<br>
<br>
&lt;kernel&gt; /usr/sbin/httpd /bin/sh<br>
<br>
#2010-01-12 16:11:32# profile=2 mode=permissive (global-pid=4641) task={ pid=4641 ppid=4637 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=603159 major=8 minor=1 perm=0755 type=file } path1.parent={ uid=0 gid=0 ino=589834 perm=0755 } exec={ realpath="/usr/bin/id" argc=1 envc=7 argv[]={ "id" } envp[]={ "TERM=linux" "PATH=/sbin:/usr/sbin:/bin:/usr/bin" "PWD=/usr/share/horde/admin" "LANG=en_US.UTF-8" "SHLVL=3" "LANGUAGE=en_US.UTF-8" "_=/usr/bin/id" } }<br>
file execute /usr/bin/id<br>
<br>
&lt;kernel&gt; /usr/sbin/httpd /bin/sh /usr/bin/id<br>
<br>
#2010-01-12 16:11:32# profile=2 mode=permissive (global-pid=4641) task={ pid=4641 ppid=4637 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=12 major=0 minor=15 perm=0444 type=file } path1.parent={ uid=0 gid=0 ino=463 perm=0755 }<br>
#2010-01-12 16:11:32# profile=2 mode=permissive (global-pid=4641) task={ pid=4641 ppid=4637 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=328251 major=8 minor=1 perm=0644 type=file } path1.parent={ uid=0 gid=0 ino=327965 perm=0755 }<br>
#2010-01-12 16:11:32# profile=2 mode=permissive (global-pid=4641) task={ pid=4641 ppid=4637 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=329303 major=8 minor=1 perm=0644 type=file } path1.parent={ uid=0 gid=0 ino=327681 perm=0755 }<br>
#2010-01-12 16:11:32# profile=2 mode=permissive (global-pid=4641) task={ pid=4641 ppid=4637 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=330196 major=8 minor=1 perm=0644 type=file } path1.parent={ uid=0 gid=0 ino=327681 perm=0755 }<br>
#2010-01-12 16:11:32# profile=2 mode=permissive (global-pid=4641) task={ pid=4641 ppid=4637 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=330197 major=8 minor=1 perm=0644 type=file } path1.parent={ uid=0 gid=0 ino=327681 perm=0755 }<br>
#2010-01-12 16:11:32# profile=2 mode=permissive (global-pid=4641) task={ pid=4641 ppid=4637 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=4026531844 major=0 minor=3 perm=0444 type=file } path1.parent={ uid=0 gid=0 ino=1 perm=0555 }<br>
#2010-01-12 16:11:32# profile=2 mode=permissive (global-pid=4641) task={ pid=4641 ppid=4637 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=603159 major=8 minor=1 perm=0755 type=file } path1.parent={ uid=0 gid=0 ino=589834 perm=0755 } exec={ realpath="/usr/bin/id" argc=1 envc=7 argv[]={ "id" } envp[]={ "TERM=linux" "PATH=/sbin:/usr/sbin:/bin:/usr/bin" "PWD=/usr/share/horde/admin" "LANG=en_US.UTF-8" "SHLVL=3" "LANGUAGE=en_US.UTF-8" "_=/usr/bin/id" } }<br>
#2010-01-12 16:11:32# profile=2 mode=permissive (global-pid=4641) task={ pid=4641 ppid=4637 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=605586 major=8 minor=1 perm=0644 type=file } path1.parent={ uid=0 gid=0 ino=589842 perm=0755 }<br>
misc env LANG<br>
misc env LANGUAGE<br>
misc env PATH<br>
misc env PWD<br>
misc env SHLVL<br>
misc env TERM<br>
misc env _<br>
file read /etc/group<br>
file read /etc/nsswitch.conf<br>
file read /etc/passwd<br>
file read /etc/selinux/config<br>
file read /proc/filesystems<br>
file read /selinux/mls<br>
file read /usr/lib/locale/locale-archive
</td></tr>
</table>

<p>You can save the compressed logs into a temporary file. Then, you can edit as you need and append to currently used policy in the kernel using "ccs-loadpolicy". ccs-loadpolicy's "-" option means read from stdin, "d" option means domain_policy.conf .</p>

<table border="1">
<tr><td>
[root@tomoyo ~]# grep -A 3 -F 'profile=2 mode=permissive' /var/log/tomoyo/reject_log.conf | /usr/sbin/ccs-sortpolicy &gt; ~/rejected.log<br>
[root@tomoyo ~]# emacs ~/rejected.log<br>
[root@tomoyo ~]# /usr/sbin/ccs-loadpolicy -d &lt; ~/rejected.log
</td></tr>
</table>

<hr>

<h2>Step 4: Handling temporary files</h2>

<p>You can not handle temporary files by simply using "learning mode" and "permissive mode". You need to interactively handle temporary files according to <a href="tool-editpolicy.html.en#acl_editor">To remove redundant ACL entries</a>.<br>
But if you want to convert temporary files into patterns non-interactively, you can do it as shown below.</p>

<p>List up pathnames that can be temporary files.</p>

<table border="1">
<tr><td>
[root@tomoyo ~]# /usr/sbin/ccs-findtemp &lt; /proc/ccs/domain_policy<br>
/etc/mtab.tmp<br>
/etc/mtab~<br>
/etc/mtab~2302<br>
/etc/mtab~2328<br>
/etc/mtab~2329<br>
/etc/mtab~2330<br>
/etc/mtab~2331<br>
/etc/mtab~2332<br>
/etc/mtab~2339<br>
/etc/mtab~2383<br>
/halt<br>
/selinux/disable<br>
/selinux/enforce<br>
/selinux/policyvers<br>
/tmp/sh-thd-1163110572<br>
/tmp/sh-thd-1163113704<br>
/var/cache/samba/browse.dat.<br>
/var/lib/nfs/etab.tmp<br>
/var/lib/nfs/xtab.tmp<br>
/var/lock/mrtg/mrtg_l<br>
</td></tr>
</table>

<p>We can consider that "/etc/mtab~numeric" and "/tmp/sh-thd-numeric" are temporary files, thus we make patterns for these pathnames. First, we need to consider what patterns to use. In these examples, numeric seems decimal digits. Thus, we use \$ pattern which matches one or more repetitions of decimal digits.</p>

<p>Append patterns to the exception policy.</p>

<table border="1">
<tr><td>
[root@tomoyo ~]# echo 'file_pattern /etc/mtab~\$' | /usr/sbin/ccs-loadpolicy -e<br>
[root@tomoyo ~]# echo 'file_pattern /tmp/sh-thd-\$' | /usr/sbin/ccs-loadpolicy -e
</td></tr>
</table>

<p>Replace "/etc/mtab~numeric" and "/tmp/sh-thd-numeric" in the domain policy with '/etc/mtab~\$' and '/tmp/sh-thd-\$'</p>

<table border="1">
<tr><td>
[root@tomoyo ~]# /usr/sbin/savepolicy -d | /usr/sbin/ccs-patternize '/etc/mtab~\$' '/tmp/sh-thd-\$' | /usr/sbin/loadpolicy -d
</td></tr>
</table>

<p>Since you are editing policy currently loaded into the kernel, changes will be lost if you shutdown the system without saving. Save exception_policy.conf and domain_poilicy.conf using "ccs-savepolicy" command.</p>

<table border="1">
<tr><td>
[root@tomoyo ~]# /usr/sbin/savepolicy a
</td></tr>
</table>

<p>If the "WARNING:" messages are no longer printed after you have likely done everything you want Apache to allow, proceed to the next step. (You can ignore "Access TCP accept" warnings against /usr/sbin/httpd , for you will make the address and port number patterns at next phase.)</p>

<p>If your purpose of using TOMOYO Linux is for just analysis, this point is the goal of this procedure.</p>

<p>If your purpose of using TOMOYO Linux is for protection, proceed to next phase.</p>

<hr>

<p><a href="index.html.en">Return to index page.</a></p>
<p><a href="http://sourceforge.jp/"><img src="http://sourceforge.jp/sflogo.php?group_id=1973" width="96" height="31" alt="SourceForge.jp"></a></p>
</body>
</html>