On Tue, 13 Apr 2010, Tetsuo Handa wrote: > > Hello. > > Thank you for trying TOMOYO. Hello, thank you for supporting it! >> Is this familiar behavior? Am I exceeding a maximum length? Do you have >> any advice how to diagnose the problem? > > The maximum length is 4086 characters. If environment variable string is longer > than 4086 characters, only beginning 4086 characters are checked. Sorry, is that the maximum length for each name-value pair, or for the entire list of pairs? The individual name-values pairs in my example are not that long. >> allow_env spool/n03/active_jobs/175.1 > > "allow_env" line prints environment variable's name rather than its value. I understand. The actual name-value pair is "SGE_JOB_SPOOL_DIR=/usr/local/sge/default/spool/n03/active_jobs/175.1". It is as if the list of name-value pairs is being cut in the middle, and the later part of this value is treated as if it were a name. When the values are different, the cut happens in a different place. I'll try to collect more information and see if I can isolate the problem. Thank you for your help. > What you are seeing should be a bug which existed in > ccs-patch-1.7.0-20090903.tar.gz and ccs-patch-1.7.0-20090911.tar.gz . > Since I was by error using the same buffer for both environment variable's name > and value, "allow_env" line was printing environment variable's value. > > This bug was fixed in ccs-patch-1.7.1-20091220.tar.gz . You can use > > http://sourceforge.jp/frs/redir.php?f=/tomoyo/43375/ccs-patch-1.7.2-20100412.tar.gz > MD5: 1111e0154b330d3de8941edc4737d85b > > If you want to disable "allow_env" checking due to performance reason (although > it is recommended to enable "allow_env" checking in order to protect from > dangerous environment variables such as LD_PRELOAD), you can append > > 0-CONFIG::misc::env={ mode=disabled } > 1-CONFIG::misc::env={ mode=disabled } > 2-CONFIG::misc::env={ mode=disabled } > 3-CONFIG::misc::env={ mode=disabled } > > to /etc/ccs/profile.conf and reload it by > > /usr/sbin/ccs-loadpolicy p > > If you don't need grant logs (for improving performance), you can append > > 0-CONFIG={ mode=disabled grant_log=no reject_log=yes } > 1-CONFIG={ mode=learning grant_log=no reject_log=yes } > 2-CONFIG={ mode=permissive grant_log=no reject_log=yes } > 3-CONFIG={ mode=enforcing grant_log=no reject_log=yes } > > to /etc/ccs/profile.conf and reload it by > > /usr/sbin/ccs-loadpolicy p > > Regards. > > _______________________________________________ > tomoyo-users-en mailing list > tomoy****@lists***** > http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en >