Darrell wrote:
> Thanks for the response. My question stemmed from what is probably just
> some confusion on my part. I have been attempting to make changes
> directly to /etc/caitsith/policy/current and then load those changes by
> issuing command
>
>   # /usr/sbin/caitsith-loadpolicy < /etc/caitsith/policy/current
>
> . What I found is that this seems to append /etc/caitsith/policy/current to
> /sys/kernel/security/caitsith/policy.

Yes, TOMOYO / CaitSith's policy interface deletes a line (and lines which
depend on that line) when that line starts with the "delete " keyword, and
appends that line when that line does not start with the "delete " keyword.

But there is an exception. The "delete " keyword is ignored for lines which
start with "POLICY_VERSION=" or "stat " or "quota " or "audit ". Lines which
start with "POLICY_VERSION=" or "quota " or "audit " can be updated by
overwriting that line.

  # echo 'quota audit[1] allowed=1024' | caitsith-loadpolicy
  # echo 'quota memory audit 16777216' | caitsith-loadpolicy
  # caitsith-savepolicy -

Lines which start with "quota " will not be printed if their quota value is 0.

  # echo 'quota audit[1] allowed=0 denied=0 unmatched=0' | caitsith-loadpolicy
  # echo 'quota memory audit 0' | caitsith-loadpolicy
  # caitsith-savepolicy -

> If I had made some deletions to /etc/caitsith/policy/current,
>
>   # cat /sys/kernel/security/caitsith/policy
>
> would still show some of the policy I had deleted.

You need to replace /sys/kernel/security/caitsith/policy with
/etc/caitsith/policy/current using the commands shown below.

> I tried the command
>
>   # /usr/sbin/caitsith-loadpolicy << /etc/caitsith/policy/current
>
> , but that didn't work. In hindsight, I should have asked if there is
> a way to completely replace /sys/kernel/security/caitsith/policy with
> /etc/caitsith/policy/current without rebooting?

You can use the commands below to completely replace the in-memory policy
configuration without rebooting.

  # caitsith-savepolicy - | awk ' { print "delete " $0 }' | caitsith-loadpolicy
  # caitsith-loadpolicy < /etc/caitsith/policy/current

But please be aware that there is a moment where all access requests are
unconditionally granted (and/or domain transition does not occur as expected)
due to lack of in-memory policy configuration. If you care about such a moment,
you can edit the in-memory policy configuration using caitsith-loadpolicy and
then save the in-memory policy configuration using caitsith-savepolicy .

  # edit a_temporary_file_which_contains_changes
  # caitsith-loadpolicy < a_temporary_file_which_contains_changes
  # caitsith-savepolicy
  # rm a_temporary_file_which_contains_changes

The content of a_temporary_file_which_contains_changes would look like the
following.

Append entries without deletion.
----------
10 acl execute
    10 allow path="/path/to/old_executable"
20 acl read
    audit 0
    10 allow path="/path/to/old_file"
----------

Append entries with some deletion.
----------
10 acl execute
    10 allow path="/path/to/new_executable"
    delete 10 allow path="/path/to/old_executable"
21 acl read
    audit 1
    10 allow path="/path/to/file"
delete 20 acl read
----------

> > Hello.
> >
> > Darrell wrote:
> >> Do you have any plans to create an ncurses caitsith-editpolicy similar
> >> to ccs-editpolicy? I've been contemplating migrating from CCS to
> >> Caitsith and miss the ncurses editor for in-memory policy editing.
> > Since I think that caitsith-loadpolicy and caitsith-queryd are sufficient
> > for editing in-memory policy configuration ( /proc/caitsith/policy or
> > /sys/kernel/security/caitsith/policy ), I don't have a plan to create
> > caitsith-editpolicy .
> >
> > Since TOMOYO modifies in-memory policy configuration, we use ccs-editpolicy
> > or tomoyo-editpolicy for browsing and editing in-memory policy configuration.
> > But since CaitSith does not, there is little need for browsing and editing
> > in-memory policy configuration using a dedicated tool.
> >
> > You can run caitsith-savepolicy when you have modified the in-memory policy
> > configuration using caitsith-loadpolicy or caitsith-queryd .
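As an added example, not code from this thread or from the CaitSith project: a small Python script that produces the "temporary file which contains changes" automatically, by diffing the current in-memory policy (caitsith-savepolicy -) against the desired policy file, so only the difference is loaded and the delete-everything window never opens. It assumes the file layout seen in the message (acl headers at column 0, indented child entries, a "delete " prefix for removal) and uses constructed sample policies modelled on the two examples above.

```python
"""Derive a CaitSith change file from the in-memory policy (caitsith-savepolicy -)
and the desired policy, so caitsith-loadpolicy applies only the difference and the
delete-everything window never opens. Assumes the layout shown in the message:
"N acl ..." headers at column 0, indented "audit N" / "N allow|deny" children."""

def parse(text):
    """Split a saved policy into (top_level_lines, {acl_header: [children]})."""
    top, acls, cur = [], {}, None
    for raw in filter(str.strip, text.splitlines()):   # skip blank lines
        if raw[0].isspace() and cur is not None:       # child of the current acl
            acls[cur].append(raw.strip())
        elif raw.split()[1:2] == ["acl"]:              # "10 acl execute" header
            cur = raw.rstrip()
            acls.setdefault(cur, [])
        else:                                          # POLICY_VERSION=, quota, stat
            top.append(raw.rstrip())
            cur = None
    return top, acls

def policy_diff(old_text, new_text):
    """Return change-file text for caitsith-loadpolicy, or "" if nothing differs."""
    old_top, old_acls = parse(old_text)
    new_top, new_acls = parse(new_text)
    # Top-level quota/audit/POLICY_VERSION= lines are overwritten, never deleted.
    out = [ln for ln in new_top if ln not in old_top]
    for hdr, kids in new_acls.items():
        old_kids = old_acls.get(hdr, [])
        added = [k for k in kids if k not in old_kids]
        # "audit N" inside an acl is overwritten too, so it is never deleted.
        gone = [k for k in old_kids if k not in kids and not k.startswith("audit ")]
        if hdr not in old_acls or added or gone:
            out.append(hdr)
            out += ["    " + k for k in added] + ["    delete " + k for k in gone]
    # Deleting an acl header also drops the lines that depend on it.
    out += ["delete " + h for h in old_acls if h not in new_acls]
    return "\n".join(out) + "\n" if out else ""

# Constructed sample policies modelled on the two examples in the message.
OLD_POLICY = """POLICY_VERSION=20120401
quota memory audit 16777216
10 acl execute
    10 allow path="/path/to/old_executable"
20 acl read
    audit 0
    10 allow path="/path/to/old_file"
"""
NEW_POLICY = OLD_POLICY.replace("old_executable", "new_executable").replace(
    '20 acl read\n    audit 0\n    10 allow path="/path/to/old_file"',
    '21 acl read\n    audit 1\n    10 allow path="/path/to/file"')
```

Feeding `policy_diff(OLD_POLICY, NEW_POLICY)` to caitsith-loadpolicy yields exactly the "append entries with some deletion" file shown above; a policy_diff of a policy against itself is empty, so nothing is loaded when nothing changed.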