Hi Hito,

On Sunday 14 Jun 2009 19:31:16 h...@kugutsu.org wrote:
> Hi Ritesh,
>
> Did you set security=tomoyo to your kernel boot args?
>
> In 2.6.30's TOMOYO Linux (TOMOYO 2.x, a.k.a. the LSM version), that is an LSM
> implementation.
>

Yes. I did add security=tomoyo in the kernel command line. The same was 
mentioned in the TOMOYO howto on the website.

Here's the dmesg output.

r...@learner:~$ dmesg | grep -i tomo
[    0.000000] Kernel command line: root=/dev/mapper/VolGrpSDA4-ROOT ro audit=1 quiet vga=788 splash security=tomoyo
[    0.000999] TOMOYO Linux initialized
[    3.185069] Calling /sbin/tomoyo-init to load policy. Please wait.
[    4.075277] TOMOYO: 2.2.0   2009/04/01

As you can see, the TOMOYO framework is getting initialized.


The problem is with the ccs-auditd daemon. It fails to start.
While there are some minor problems with the ccs-auditd init script, for
now, ccs-auditd itself is problematic. It doesn't start.

Point to note:
* As I said in the previous post to this bug report, I suspect the bug could 
be in here:

[pid  6369] open("/sys/kernel/security/tomoyo/grant_log", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
[pid  6369] brk(0)                      = 0x8e69000
[pid  6369] brk(0x8e8a000)              = 0x8e8a000
[pid  6369] time(NULL)                  = 1244990746
[pid  6369] open("/etc/localtime", O_RDONLY) = 0
[pid  6369] fstat64(0, {st_mode=S_IFREG|0644, st_size=265, ...}) = 0

There is no grant_log under sysfs. Now, is its unavailability fatal?

* Secondly, your ccs-auditd is exiting with wrong codes.

r...@learner:~$ sudo ccs-auditd /dev/null /var/log/tomoyo/reject_log.txt
r...@learner:~$ echo $?
0

While you need to confirm my question in the previous point (grant_log being 
fatal or not), ccs-auditd should not return 0 during a failure.

* And if grant_log is not fatal then I don't know why running the editpolicy 
command fails.

r...@learner:~$ sudo ccs-editpolicy
You need to register this program to /sys/kernel/security/tomoyo/manager to run this program.
r...@learner:~$ ls /sys/kernel/security/tomoyo/
domain_policy  exception_policy  manager  meminfo  profile  self_domain  version


Hope this helps. Please let me know if you need any more information.

Ritesh
-- 
Ritesh Raj Sarraf
RESEARCHUT - http://www.researchut.com
"Necessity is the mother of invention."
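
The behaviour the message above asks for, as an added example that is not part of the original message or of ccs-tools: a shell preflight that names the missing TOMOYO interface files and returns a non-zero status instead of 0. The function names, the exit codes 3 and 4, and the temporary fixture (built from the `ls` listing quoted in the message) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not ccs-tools code. Exit codes 3 and 4 are arbitrary choices.

# tomoyo_preflight DIR FILE...
# Prints each missing interface file on stdout, one per line.
# Returns 0 if every FILE exists, 3 if DIR is absent, 4 if any FILE is missing.
tomoyo_preflight() {
    dir=$1
    shift
    if [ ! -d "$dir" ]; then
        echo "$dir: interface directory not found" >&2
        return 3
    fi
    rc=0
    for f in "$@"; do
        if [ ! -e "$dir/$f" ]; then
            echo "$f"
            rc=4
        fi
    done
    return $rc
}

# Constructed fixture: an empty-file copy of the directory listing
# quoted in the message, so the check can run on any machine.
make_fixture() {
    d=$(mktemp -d) || return 1
    for f in domain_policy exception_policy manager meminfo profile \
             self_domain version; do
        : > "$d/$f"
    done
    echo "$d"
}

# Demo on the fixture; on a real system DIR would be
# /sys/kernel/security/tomoyo.
fixture=$(make_fixture)
tomoyo_preflight "$fixture" grant_log manager ||
    echo "preflight failed with status $?"
rm -rf "$fixture"
```

An init script can call the function before launching the daemon and propagate the status, so a missing interface file shows up as a failed start rather than a silent exit.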
