stank****@xoxy***** wrote:
> > Are there messages like
> >
> > <kernel> /usr/sbin/sshd /usr/bin/bash /usr/sbin/tomoyo-editpolicy ( /usr/sbin/tomoyo-editpolicy ) is not permitted to update policies.
> >
> > in output of dmesg command? If yes, programs for updating on-memory policies are not listed in
> > /sys/kernel/security/tomoyo/manager . Please make sure that you executed /usr/lib/tomoyo/init_policy .
>
> Yes, I see "<kernel> /usr/bin/agetty /usr/bin/login /usr/bin/bash
> /usr/bin/tomoyo-editpolicy ( /usr/bin/tomoyo-editpolicy ) is not
> permitted to update policies." I thought I had run
> /usr/lib/tomoyo/init_policy , but I may have forgotten this second time.
> I had to remove tomoyo and its files and reinstall because something I
> did (I don't know what; I wasn't able to edit the policies the first
> time, either), caused a kernel panic when starting X with tomoyo running.
>
> I ran # /usr/lib/tomoyo/init_policy and still am not able to edit the
> policies (same output in dmesg).
>

OK. So, /etc/tomoyo/manager.conf is expected to be loaded into
/sys/kernel/security/tomoyo/manager when /sbin/init starts upon boot,
but for some reason it is not loaded yet.
Well, for Arch Linux, it might be systemd rather than init .

Did you reboot the system after you executed /usr/lib/tomoyo/init_policy
so that /sbin/tomoyo-init will load /etc/tomoyo/manager.conf into
/sys/kernel/security/tomoyo/manager when /sbin/init starts upon boot?
After rebooting, is /sys/kernel/security/tomoyo/manager still empty?
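
The check asked for above can be scripted. The following is an added example, not part of the original message or of the TOMOYO tools: it pulls the denied program out of each "is not permitted to update policies" line and reports whether that path is listed in the kernel's manager interface, only in /etc/tomoyo/manager.conf, or in neither. It assumes both files hold one entry per line and compares program-path entries only; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes one entry per line in both files
# and checks program-path entries only (not domain-name entries).
MANAGER=/sys/kernel/security/tomoyo/manager   # path named in the thread
MANAGER_CONF=/etc/tomoyo/manager.conf         # path named in the thread

# The denial line quoted in the thread, used as sample input.
sample_dmesg() {
    echo '<kernel> /usr/bin/agetty /usr/bin/login /usr/bin/bash /usr/bin/tomoyo-editpolicy ( /usr/bin/tomoyo-editpolicy ) is not permitted to update policies.'
}

# stdin: kernel log. stdout: each denied program (text between "( " and " )").
denied_programs() {
    sed -n 's|.*( \(/[^ ]*\) ) is not permitted to update policies\..*|\1|p' | sort -u
}

# entry_count FILE: number of non-empty lines, 0 if the file is unreadable.
entry_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c . "$1" || true
}

# is_manager PROGRAM FILE: true if PROGRAM is a whole line of FILE.
is_manager() {
    [ -r "$2" ] && grep -Fxq -- "$1" "$2"
}

# diagnose LOADED CONF: classify each denied program found on stdin.
diagnose() {
    denied_programs | while IFS= read -r prog; do
        if is_manager "$prog" "$1"; then
            echo "$prog: loaded"
        elif is_manager "$prog" "$2"; then
            echo "$prog: in conf, not loaded"
        else
            echo "$prog: missing from conf"
        fi
    done
}

# Run against the live system only when asked: sh script.sh --live (as root).
if [ "${1:-}" = "--live" ]; then
    echo "entries loaded in kernel: $(entry_count "$MANAGER")"
    dmesg | diagnose "$MANAGER" "$MANAGER_CONF"
fi
```

"in conf, not loaded" corresponds to the situation described in the reply, where the configuration exists on disk but has not been loaded into the kernel since boot; "missing from conf" means the path in the denial message does not match any line of the configuration file.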