$ eix tomoyo-tools -cI
[I] sys-apps/tomoyo-tools (2.3.0_p20110929@2011年10月20日): TOMOYO Linux tools
It may have been fixed by now, for reasons such as the save location possibly having changed in 2.4, or my having shortened domain_policy.conf after going back to 2.3, so upgrading to 2.4 again and moving the saved configuration files by hand might be fine, but I have not tried it.
What follows is a memo.
Kernel version.
$ uname -a
Linux amdgentoo 3.0.4-hardened-r1 #1 SMP Mon Oct 17 01:47:30 JST 2011 x86_64 AMD Phenom(tm) 9350e Quad-Core Processor AuthenticAMD GNU/Linux
Relevant kernel config options (set with make menuconfig).
$ grep -i tomoyo /usr/src/linux/.config
CONFIG_SECURITY_TOMOYO=y
CONFIG_DEFAULT_SECURITY_TOMOYO=y
CONFIG_DEFAULT_SECURITY="tomoyo"
Because tomoyo-editpolicy is slow, I manually deleted the parts around use_profile 0 from the active domain_policy.conf.
Perhaps the way I save it is just bad.
<kernel> /etc/init.d/ntpd /lib64/rc/sh/runscript.sh /sbin/start-stop-daemon /usr/sbin/ntpd
use_profile 3
allow_read/write /dev/null
allow_create /var/run/ntpd.pid 0644
allow_write /var/run/ntpd.pid
allow_read /etc/ntp.conf
allow_ioctl socket:[family=2:type=2:protocol=17] 0x8912
allow_read /proc/\$/net/if_inet6
allow_ioctl socket:[family=2:type=2:protocol=17] 0x8913
allow_ioctl socket:[family=2:type=2:protocol=17] 0x891B
allow_ioctl socket:[family=2:type=2:protocol=17] 0x8919
allow_read /etc/nsswitch.conf
allow_read /etc/services
allow_read /var/lib/ntp/ntp.drift
allow_read /etc/resolv.conf
allow_read /etc/host.conf
allow_read /etc/hosts
allow_ioctl socket:[family=2:type=2:protocol=17] 0x541B
allow_read /etc/gai.conf
allow_create /var/lib/ntp/ntp.drift.TEMP 0644
allow_write /var/lib/ntp/ntp.drift.TEMP
allow_truncate /var/lib/ntp/ntp.drift.TEMP
allow_rename /var/lib/ntp/ntp.drift.TEMP /var/lib/ntp/ntp.drift
allow_read /dev/urandom
allow_read /dev/random
allow_create /var/run/ntpd.pid 0666
allow_create /var/lib/ntp/ntp.drift.TEMP 0666

<kernel> /etc/init.d/nginx /lib64/rc/sh/runscript.sh /sbin/start-stop-daemon /usr/sbin/nginx
use_profile 3
allow_read/write /var/run/nginx.pid
allow_unlink /var/run/nginx.pid
allow_write /var/log/nginx/error_log
allow_read /etc/nginx/nginx.conf
allow_read /etc/nsswitch.conf
allow_read /etc/passwd
allow_read /etc/group
allow_read /etc/nginx/mime.types
allow_read /etc/resolv.conf
allow_read /etc/host.conf
allow_read /etc/hosts
allow_write /var/log/nginx/localhost.access_log
allow_write /var/log/nginx/localhost.error_log
allow_ioctl socket:[family=2:type=1:protocol=6] 0x5421
allow_read/write /dev/null
allow_create /var/run/nginx.pid 0644
allow_ioctl socket:[family=1:type=1:protocol=0] 0x5421
allow_ioctl socket:[family=1:type=1:protocol=0] 0x5452
allow_read /proc/sys/kernel/ngroups_max
allow_ioctl anon_inode:[eventfd] 0x5421
allow_read /etc/nginx/conf/htpasswd
allow_read /var/www/\*/htdocs/\*.htm
allow_read /var/www/\*/htdocs/\*.html
allow_read /var/www/\*/htdocs/\*.ico
allow_read /var/www/\*/htdocs/\*.txt
allow_read /var/www/\*/htdocs/\{\*\}/\*.bz2
allow_read /var/www/\*/htdocs/\{\*\}/\*.css
allow_read /var/www/\*/htdocs/\{\*\}/\*.flv
allow_read /var/www/\*/htdocs/\{\*\}/\*.gif
allow_read /var/www/\*/htdocs/\{\*\}/\*.gz
allow_read /var/www/\*/htdocs/\{\*\}/\*.htm
allow_read /var/www/\*/htdocs/\{\*\}/\*.html
allow_read /var/www/\*/htdocs/\{\*\}/\*.ico
allow_read /var/www/\*/htdocs/\{\*\}/\*.jpeg
allow_read /var/www/\*/htdocs/\{\*\}/\*.jpg
allow_read /var/www/\*/htdocs/\{\*\}/\*.js
allow_read /var/www/\*/htdocs/\{\*\}/\*.pdf
allow_read /var/www/\*/htdocs/\{\*\}/\*.png
allow_read /var/www/\*/htdocs/\{\*\}/\*.tgz
allow_read /var/www/\*/htdocs/\{\*\}/\*.txt
allow_read /var/www/\*/htdocs/\{\*\}/\*.xml
allow_read /var/www/\*/htdocs/\{\*\}/\*.xz
allow_read /var/www/\*/htdocs/\{\*\}/\*.zip
allow_read /var/www/\*/tmp/\{\*\}/\*.png

<kernel> /usr/sbin/apache2
use_profile 3
allow_read /etc/apache2/httpd.conf
allow_read /etc/apache2/vhosts.d/default_vhost.include
allow_read /etc/nsswitch.conf
allow_read /etc/passwd
allow_read /etc/group
allow_read /etc/resolv.conf
allow_read /etc/host.conf
allow_read /etc/hosts
allow_read /etc/gai.conf
allow_read/write /var/run/apache2.pid
allow_unlink /var/run/apache2.pid
allow_truncate /var/run/apache2.pid
allow_read/write /tmp/session_mm_apache2handler0.sem
allow_unlink /tmp/session_mm_apache2handler0.sem
allow_write /var/log/apache2/error_log
allow_write /var/log/apache2/ssl_error_log
allow_write /var/log/apache2/access_log
allow_write /var/log/apache2/ssl_access_log
allow_write /var/log/apache2/ssl_request_log
allow_read /etc/apache2/magic
allow_read /etc/mime.types
allow_read /dev/urandom
allow_create /var/run/ssl_mutex 0644
allow_write /var/run/ssl_mutex
allow_unlink /var/run/ssl_mutex
allow_read/write /dev/null
allow_read /proc/sys/kernel/ngroups_max
allow_read /etc/php/apache2-php5.3/php.ini
allow_ioctl /etc/php/apache2-php5.3/php.ini 0x5401
allow_create /tmp/session_mm_apache2handler0.sem 0600
allow_read /etc/locales.conf
allow_read /etc/services
allow_read/write /usr/share/snmp/mibs/.index
allow_truncate /usr/share/snmp/mibs/.index
allow_read /etc/protocols
allow_read/write /dev/zero
allow_create /var/run/apache2.pid 0644
allow_read /etc/apache2/modules.d/\+\+_\*.conf
allow_read /etc/apache2/vhosts.d/\+\+_\*.conf
allow_read /etc/php/apache2-php5.3/ext/\*.ini
allow_ioctl /etc/php/apache2-php5.3/ext/\*.ini 0x5401
allow_read /etc/php/ext/\*.ini
allow_ioctl /etc/php/ext/\*.ini 0x5401
allow_read/write /tmp/.xcache.\*.lock
allow_unlink /tmp/.xcache.\*.lock
allow_create /tmp/.xcache.\*.lock 0666
allow_read /usr/share/snmp/mibs/\*.txt
allow_read /usr/lib\*/locale/locale-archive
allow_mksock /var/run/cgisock.\$ 0700
allow_chmod /var/run/cgisock.\$ 0700
allow_chown /var/run/cgisock.\$ 81
allow_unlink /var/run/cgisock.\$
allow_read /etc/ssl/apache2/\+\+\+\+-\+\+-\+\+/\*.pem
allow_read /var/www/\*/htdocs/.htaccess
allow_read /var/www/\*/htdocs/\*.php
allow_read /var/www/\*/htdocs/\{\*\}/.htaccess
allow_read /var/www/\*/htdocs/\{\*\}/\*.php
allow_read /var/www/\*/htdocs/\{\*\}/\*.php\+
allow_read /var/www/\*/htdocs/\*.php\+
allow_read /var/www/\*/htdocs/\{\*\}/\*.png
allow_read /var/www/\*/htdocs/\*.htm
allow_read /var/www/\*/htdocs/\*.html
allow_read /var/www/\*/htdocs/\*.ico
allow_read /var/www/\*/htdocs/\*.txt
allow_read /var/www/\*/htdocs/\{\*\}/\*.bz2
allow_read /var/www/\*/htdocs/\{\*\}/\*.css
allow_read /var/www/\*/htdocs/\{\*\}/\*.flv
allow_read /var/www/\*/htdocs/\{\*\}/\*.gif
allow_read /var/www/\*/htdocs/\{\*\}/\*.gz
allow_read /var/www/\*/htdocs/\{\*\}/\*.htm
allow_read /var/www/\*/htdocs/\{\*\}/\*.html
allow_read /var/www/\*/htdocs/\{\*\}/\*.ico
allow_read /var/www/\*/htdocs/\{\*\}/\*.jpeg
allow_read /var/www/\*/htdocs/\{\*\}/\*.jpg
allow_read /var/www/\*/htdocs/\{\*\}/\*.js
allow_read /var/www/\*/htdocs/\{\*\}/\*.pdf
allow_read /var/www/\*/htdocs/\{\*\}/\*.tgz
allow_read /var/www/\*/htdocs/\{\*\}/\*.txt
allow_read /var/www/\*/htdocs/\{\*\}/\*.xml
allow_read /var/www/\*/htdocs/\{\*\}/\*.xz
allow_read /var/www/\*/htdocs/\{\*\}/\*.zip
allow_read/write /mnt/share/svn/repos/\{\*\}/\*
allow_unlink /mnt/share/svn/repos/\{\*\}/\*
allow_truncate /mnt/share/svn/repos/\{\*\}/\*
allow_create /mnt/share/svn/repos/\{\*\}/\* 0600
allow_create /tmp/apr-tmp.\* 0600
allow_read/write /tmp/apr-tmp.\*
allow_unlink /tmp/apr-tmp.\*
allow_chmod /mnt/share/svn/repos/\{\*\}/\* 0644
allow_read/write /tmp/svn-tempfile.\*tmp
allow_unlink /tmp/svn-tempfile.\*tmp
allow_create /tmp/svn-tempfile.\*tmp 0666
allow_create /mnt/share/svn/repos/\{\*\}/\* 0664
allow_chmod /mnt/share/svn/repos/\{\*\}/\* 0664
allow_rename /mnt/share/svn/repos/\{\*\}/\* /mnt/share/svn/repos/\{\*\}/\*
allow_mkdir /mnt/share/svn/repos/\{\*\}/ 0777
allow_create /mnt/share/svn/repos/\{\*\}/\* 0666
allow_rmdir /mnt/share/svn/repos/\{\*\}/

<kernel> /etc/init.d/named /lib64/rc/sh/runscript.sh /sbin/start-stop-daemon /usr/sbin/named
use_profile 3
allow_write /var/run/named/session.key
allow_unlink /var/run/named/session.key
allow_write /var/run/named/named.pid
allow_unlink /var/run/named/named.pid
allow_read /etc/nsswitch.conf
allow_read /etc/passwd
allow_read /proc/sys/kernel/ngroups_max
allow_read /etc/group
allow_read/write /dev/null
allow_read /etc/ssl/openssl.cnf
allow_read /etc/bind/named.conf
allow_read /etc/bind/rndc.key
allow_read /etc/bind/bind.keys
allow_read /proc/\$/net/if_inet6
allow_create /var/run/named/named.pid 0644
allow_create /var/run/named/session.key 0600
allow_read /dev/random
allow_write /var/log/named/named.log
allow_read /var/bind/managed-keys.bind
allow_read /var/bind/pri/\*.zone
allow_read /var/bind/sec/\*.zone
allow_read /dev/urandom
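The hand-trimming described above (dropping the domains still on use_profile 0 from a large domain_policy.conf) is easy to do mechanically. The following is an added example, not code from the post or from tomoyo-tools: it parses the TOMOYO 2.x domain policy layout shown above (a `<kernel> ...` header line followed by its `use_profile` and `allow_*` lines), reports each domain's profile, and writes the policy back without the profile-0 domains. The `/usr/bin/example` domain in the sample is constructed, and a domain that has no use_profile line is assumed to be on profile 0.

```python
import re

# A domain header begins with "<kernel>"; every line up to the next header belongs to it.
DOMAIN_RE = re.compile(r"^<kernel>(\s|$)")

def split_domains(text):
    """Return (domain header, body lines) pairs in file order, blank lines dropped."""
    domains, header, body = [], None, []
    for line in text.splitlines():
        if DOMAIN_RE.match(line):
            if header is not None:
                domains.append((header, body))
            header, body = line, []
        elif header is not None and line.strip():
            body.append(line)
    if header is not None:
        domains.append((header, body))
    return domains

def profile_of(body):
    """Profile number from the domain's use_profile line (assumed 0 when absent)."""
    for line in body:
        if line.startswith("use_profile "):
            return int(line.split()[1])
    return 0

def domain_profiles(text):
    """Map each domain header to its profile, to spot domains still on profile 0."""
    return {h: profile_of(b) for h, b in split_domains(text)}

def trim_policy(text, drop_profiles=(0,)):
    """Rewrite the policy without the domains whose profile is in drop_profiles."""
    out = []
    for header, body in split_domains(text):
        if profile_of(body) in drop_profiles:
            continue
        out.extend([header, *body, ""])  # blank line separates domains
    return "\n".join(out)

# Constructed sample: the ntpd domain from the post plus two profile-0 domains.
SAMPLE = """<kernel>
use_profile 0
<kernel> /etc/init.d/ntpd /lib64/rc/sh/runscript.sh /sbin/start-stop-daemon /usr/sbin/ntpd
use_profile 3
allow_read/write /dev/null
allow_read /etc/ntp.conf
<kernel> /usr/bin/example
use_profile 0
allow_read /etc/ld.so.cache
"""
```

Run it on a saved copy of the policy (never on the live /sys/kernel/security/tomoyo interface) and diff the result before loading it.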
The part of exception_policy.conf that I believe I added by hand.
initialize_domain /etc/init.d/named
allow_read /proc/self/\*
allow_read /proc/self/\{\*\}/\*
allow_read /proc/meminfo
allow_read /lib\$/\*.so
allow_read /usr/lib\$/\*.so
allow_read /usr/lib\$/\{\*\}/\*.so
allow_read /lib\$/\{\*\}/\*.so
allow_read /lib\$/\*.so.\+\*
allow_read /lib\$/\{\*\}/\*.so.\+\*
allow_read /usr/lib\$/\{\*\}/\*.so.\+\*
allow_read /usr/lib\$/\*.so.\+\*
allow_read /usr/lib64/gconv/gconv-modules.cache