[tomoyo-users-en 662] Re: caitsith-editpolicy?

Tetsuo Handa pengu****@I-lov*****
Sun Oct 23 13:52:56 JST 2016


Darrell wrote:
> Thanks for the response. My question stemmed from what is probably just
> some confusion on my part. I have been attempting to make changes
> directly to /etc/caitsith/policy/current and then load those changes by
> issuing command
> 
> # /usr/sbin/caitsith-loadpolicy < /etc/caitsith/policy/current
> 
> . What I found is that this seems to append /etc/caitsith/policy/current to
> /sys/kernel/security/caitsith/policy.

Yes, TOMOYO / CaitSith's policy interface deletes a line (and lines which
depend on that line) when that line starts with "delete " keyword, and
appends that line when that line does not start with "delete " keyword.

But there is an exception. The "delete " keyword is ignored for lines which
start with "POLICY_VERSION=" or "stat " or "quota " or "audit ".

Lines which start with "POLICY_VERSION=" or "quota " or "audit " can be
updated by overwriting that line.

# echo 'quota audit[1] allowed=1024' | caitsith-loadpolicy
# echo 'quota memory audit 16777216' | caitsith-loadpolicy
# caitsith-savepolicy -

Lines which start with "quota " will not be printed if their quota value is 0.

# echo 'quota audit[1] allowed=0 denied=0 unmatched=0' | caitsith-loadpolicy
# echo 'quota memory audit 0' | caitsith-loadpolicy
# caitsith-savepolicy -

>                                       If I had made some deletions to
> /etc/caitsith/policy/current,
> 
> # cat /sys/kernel/security/caitsith/policy
> 
> would still show some of the policy I had deleted.

You need to replace /sys/kernel/security/caitsith/policy with
/etc/caitsith/policy/current using commands shown below.

>                                                    I tried the command
> 
> # /usr/sbin/caitsith-loadpolicy << /etc/caitsith/policy/current
> 
> , but that didn't work. In hindsight, I should have asked if there is
> a way to completely replace /sys/kernel/security/caitsith/policy with
> /etc/caitsith/policy/current without rebooting?

You can use the commands below to completely replace the in-memory policy
configuration without rebooting.

# caitsith-savepolicy - | awk ' { print "delete " $0 }' | caitsith-loadpolicy
# caitsith-loadpolicy < /etc/caitsith/policy/current

But please be aware that there is a moment where all access requests are
unconditionally granted (and/or domain transition does not occur as expected)
due to lack of in-memory policy configuration.

If you care about such a moment, you can edit the in-memory policy configuration
using caitsith-loadpolicy and then save the in-memory policy configuration using
caitsith-savepolicy.

# edit a_temporary_file_which_contains_changes
# caitsith-loadpolicy < a_temporary_file_which_contains_changes
# caitsith-savepolicy
# rm a_temporary_file_which_contains_changes

The content of a_temporary_file_which_contains_changes would look like the examples below.

Append entries without deletion.
----------
10 acl execute
   10 allow path="/path/to/old_executable"

20 acl read
   audit 0
   10 allow path="/path/to/old_file"
----------

Append entries with some deletion.
----------
10 acl execute
   10 allow path="/path/to/new_executable"
   delete 10 allow path="/path/to/old_executable"

21 acl read
   audit 1
   10 allow path="/path/to/file"

delete 20 acl read
----------

> > Hello.
> >
> > Darrell wrote:
> >> Do you have any plans to create an ncurses caitsith-editpolicy similar
> >> to ccs-editpolicy? I've been contemplating migrating from CCS to
> >> Caitsith and miss the ncurses editor for in-memory policy editing.
> > Since I think that caitsith-loadpolicy and caitsith-queryd are sufficient
> > for editing in-memory policy configuration ( /proc/caitsith/policy or
> > /sys/kernel/security/caitsith/policy ), I don't have a plan to create
> > caitsith-editpolicy .
> >
> > Since TOMOYO modifies in-memory policy configuration, we use ccs-editpolicy
> > or tomoyo-editpolicy for browsing and editing in-memory policy configuration.
> > But since CaitSith does not, there is little need for browsing and editing
> > in-memory policy configuration using a dedicated tool.
> >
> > You can run caitsith-savepolicy when you modified in-memory policy configuration
> > using caitsith-loadpolicy or caitsith-queryd .



