Info: Version 2.2.x is available.

TOMOYO Linux Installation

Last modified: 2009-12-19 12:37:55 +0900 (Sat, 19 Dec 2009)

This page describes how to install and experience TOMOYO Linux. TOMOYO Linux was submitted to LKML in October 2007.

Compiling TOMOYO Linux kernel

TOMOYO Linux supports the latest vanilla kernels (2.6.23-rc3 and later) available at http://www.kernel.org/ . Download one and extract it.

The procedure below is for people who don't have subversion or quilt packages installed. If you have subversion and quilt packages installed, you don't have to follow the procedure below.

$ wget http://www2.kernel.org/pub/linux/kernel/v2.6/linux-2.6.23.14.tar.bz2
$ tar -jxf linux-2.6.23.14.tar.bz2
$ cd linux-2.6.23.14

The latest TOMOYO Linux patch is available at http://svn.sourceforge.jp/svnroot/tomoyo/tags/lkml/4/patches/ . Download it and extract it in the kernel source directory.

$ wget -O tomoyo.tar.gz 'http://svn.sourceforge.jp/cgi-bin/viewcvs.cgi/tags/lkml/4/patches.tar.gz?root=tomoyo&view=tar'
$ tar -zxvf tomoyo.tar.gz
$ /bin/sh -c 'for i in `cat patches/series`; do patch -p1 < "patches/$i" || exit 1; done'

Edit the EXTRAVERSION= line in the Makefile if you need to.

Next, create a kernel config with TOMOYO Linux enabled.

$ make -s menuconfig

Go to the "Security options" screen, unselect "Default Linux Capabilities", "Root Plug Support" and "NSA SELinux Support", and select "TOMOYO Linux support" as shown below.

[*] Enable different security models
< >   Default Linux Capabilities
< >   Root Plug Support
[ ] NSA SELinux Support
[*] TOMOYO Linux support

After creating a kernel config, compile the kernel.

$ make -s
# make -s modules_install install

Create an initrd if you need one. Edit /boot/grub/grub.conf or /boot/grub/menu.lst if necessary.

Compiling TOMOYO Linux tools

You can download the TOMOYO Linux tools from http://osdn.dl.sourceforge.jp/tomoyo/27220/ccs-tools-1.5.0-20070920.tar.gz . Download, extract and compile them. The tools are installed in /usr/lib/ccs .

$ wget -O tomoyo-tools.tar.gz 'http://osdn.dl.sourceforge.jp/tomoyo/27220/ccs-tools-1.5.0-20070920.tar.gz'
$ tar -zxf tomoyo-tools.tar.gz
$ cd ccstools
$ make
# make install

Initial Configuration

Run tomoyo_init_policy.sh, included in the TOMOYO Linux tools, to perform the initial configuration.

# /usr/lib/ccs/tomoyo_init_policy.sh

You will get the initial configuration files in the /etc/tomoyo/ directory.

Tutorial

Before starting the tutorial, configure TOMOYO Linux to learn the behavior of the whole system.

# echo '<kernel>' > /etc/tomoyo/domain_policy.conf
# echo 'use_profile 1' >> /etc/tomoyo/domain_policy.conf

When you boot with the TOMOYO Linux kernel, you will see the following message when /sbin/init is about to start.

TOMOYO Linux: Enter 'disable' within 10 seconds to disable TOMOYO Linux.
TOMOYO Linux>

If you press the 'Enter' key or wait for 10 seconds, TOMOYO Linux is enabled and the policy is loaded. If you run into trouble, such as being unable to log in because of an inappropriate TOMOYO Linux configuration, enter "disable" and press the 'Enter' key to disable TOMOYO Linux.

Log in to the system as the root user and run editpolicy, which is included in the TOMOYO Linux tools.

# /usr/lib/ccs/editpolicy

[Figure: Initial screen of editpolicy]

editpolicy is a CUI tool to view and edit TOMOYO Linux's policy. The initial screen shows the list of domains generated from the execution of /sbin/init up to the execution of /usr/lib/ccs/editpolicy . All domains begin at <kernel>, and a new domain is created whenever execve() is called.

Each line shows an integer value between the line number and the domain name. This integer value is called the "profile number" and it represents the profile currently assigned to the domain. A profile is a collection of TOMOYO Linux's access control levels, and the contents of /etc/tomoyo/profile.conf are loaded into the kernel via /sys/kernel/security/tomoyo/profile by /sbin/tomoyo-init .

The following 4 profiles were automatically generated by execution of tomoyo_init_policy.sh . A profile is assigned to domains.

Move the cursor to a domain and press the 'Enter' key to see the ACL given to that domain.

[Figure: ACL of /sbin/init]

Browse the policy, which is the result of learning the boot sequence. You can easily see which process accesses which pathnames and/or resources.

Detailed usage of editpolicy is described in "How to use Policy Editor".

To quit editpolicy, press 'Q' key.

First step: learning and enforcing commands

Now, the domain for the login shell is already in learning mode. Try the following commands.

# head /etc/passwd
# bash
# tail /etc/mtab
# exit

You can operate the system as you would a normal Linux system, but in the background the TOMOYO Linux kernel is monitoring accesses, generating policy and storing it in memory.

Now, run editpolicy again. Change the profile for the domains of the login shell and its children/descendants from "learning mode" to "enforcing mode".

[Figure: Mark bash and its children's domains]

After you have marked the domains for the login shell and its children/descendants with '&', press the 'S', '3' and 'Enter' keys to change the profile for these domains from 1 to 3.

[Figure: Profiles of bash and its children's domains became 3]

After changing the profile for the login shell's domain to 3, press the 'Q' key to quit editpolicy and run some commands.

# head /etc/passwd                 # OK
# head /etc/shadow                 # NG
# rm -fr /                         # NG
# tail /etc/mtab                   # NG
# bash                             # OK
# tail /etc/mtab                   # OK
# head /etc/passwd                 # NG

You can only run the operations you executed in learning mode. You ran "tail /etc/mtab" while in "learning mode", but you can't run it in the first-stage shell; you can run it only in the second-stage shell. This is because these shells (first stage and second stage) have different "process invocation history" (i.e. these shells are in different domains), so the permissions accumulated in these domains differ.
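The OK/NG results above follow directly from naming domains by process invocation history. The following toy model is an added example, not TOMOYO Linux code; the binary paths and the login-shell history prefix are assumptions chosen for illustration.

```python
# Added illustration: a toy model of TOMOYO Linux domains, not TOMOYO code.
# Assumption: the binary paths and the login history prefix are constructed.
LEARNING, ENFORCING = 1, 3      # profile numbers used in the tutorial

class Tomoyo:
    def __init__(self):
        self.acl = {}           # domain name -> set of (operation, pathname)
        self.profile = {}       # domain name -> profile number

    def check(self, domain, op, path):
        """True if allowed; in learning mode the access is recorded first."""
        perms = self.acl.setdefault(domain, set())
        if self.profile.setdefault(domain, LEARNING) == ENFORCING:
            return (op, path) in perms
        perms.add((op, path))
        return True

    def execve(self, domain, program):
        """A permitted execve() moves the process to '<domain> <program>'."""
        if not self.check(domain, "exec", program):
            return None
        child = domain + " " + program
        self.profile.setdefault(child, self.profile[domain])
        return child

    def run(self, shell, program, file=None):
        """Run 'program [file]' from a shell domain: True is OK, False is NG."""
        child = self.execve(shell, program)
        if child is None:
            return False
        return file is None or self.check(child, "read", file)

def tutorial():
    t = Tomoyo()
    sh1 = "<kernel> /sbin/init /bin/login /bin/bash"    # first-stage shell
    t.run(sh1, "/usr/bin/head", "/etc/passwd")          # learning session
    sh2 = t.execve(sh1, "/bin/bash")                    # second-stage shell
    t.run(sh2, "/usr/bin/tail", "/etc/mtab")
    for domain in t.profile:                            # 'S' '3' in editpolicy
        t.profile[domain] = ENFORCING
    return [
        t.run(sh1, "/usr/bin/head", "/etc/passwd"),     # OK
        t.run(sh1, "/usr/bin/head", "/etc/shadow"),     # NG: read not learned
        t.run(sh1, "/bin/rm"),                          # NG: exec not learned
        t.run(sh1, "/usr/bin/tail", "/etc/mtab"),       # NG: learned in sh2 only
        t.execve(sh1, "/bin/bash") == sh2,              # OK
        t.run(sh2, "/usr/bin/tail", "/etc/mtab"),       # OK
        t.run(sh2, "/usr/bin/head", "/etc/passwd"),     # NG: learned in sh1 only
    ]

if __name__ == "__main__":
    print(tutorial())
```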

After you have tried a series of operations, change the profile for the login shell's domains back to 1 using editpolicy, and proceed to the next tutorial.

Second step: learning and enforcing server

Next, let us learn and tune Apache policy. If Apache is not installed on your system, please install it.

Execute editpolicy (see the first step) and assign profile number 1 to an Apache domain.

Restart Apache and look at the Apache domain. You can see the access permissions needed in the Apache start sequence, as follows:

4 /etc/httpd/conf/httpd.conf
allow_create /var/run/httpd.pid
allow_unlink /var/run/httpd.pid
allow_network TCP bind 192.168.1.135 80
allow_network TCP listen 192.168.1.135 80

These permissions allow Apache to open configuration files for reading and to bind/listen on its own IP address and port number 80. Next, request some web content using a web browser.

When you reload Apache policy, you can see the new permissions:

4 /var/www/html/index.html

Some patterns for pathnames are supported (see "Policy Specifications of TOMOYO Linux"). In network permissions, you can also use ranges for both the IP address and the port number.

Using patterns and ranges, the Apache policy can be written as follows:

4 /var/www/\*
4 /var/www/\*/\*
4 /var/www/\*/\*/\*
4 /var/www/\*/\*/\*/\*
4 /var/www/\*/\*/\*/\*/\*

'\*' means "zero or more repetitions of characters other than '/'". To append an entry using editpolicy, press the 'A' key, input the content and press the 'Enter' key.

You can write the above entries directly in the domain, or define path/address groups and refer to them.

Press the 'Tab' key twice to see the "Exception Policy Editor" view. Press the 'A' key and append the following entries:

path_group WEB_CONTENTS /var/www/\*
path_group WEB_CONTENTS /var/www/\*/\*
path_group WEB_CONTENTS /var/www/\*/\*/\*
path_group WEB_CONTENTS /var/www/\*/\*/\*/\*
path_group WEB_CONTENTS /var/www/\*/\*/\*/\*/\*
address_group PRIVATE_IP 192.168.0.0-192.168.255.255

After appending them, press 'Tab' and enter the Apache domain again. Then append the following entries:

4 @WEB_CONTENTS

As you can see, path_group and address_group let you write access permissions concisely.
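Because '\*' never crosses a '/', the five WEB_CONTENTS entries cover content at most five directory levels below /var/www/ and nothing deeper. The following added example (not part of the TOMOYO Linux tools) evaluates the groups defined above; it handles only the '\*' pattern, and its function names are hypothetical.

```python
import ipaddress
import re

# The exception policy entries from this page (raw string keeps the '\*').
EXCEPTION_POLICY = r"""
path_group WEB_CONTENTS /var/www/\*
path_group WEB_CONTENTS /var/www/\*/\*
path_group WEB_CONTENTS /var/www/\*/\*/\*
path_group WEB_CONTENTS /var/www/\*/\*/\*/\*
path_group WEB_CONTENTS /var/www/\*/\*/\*/\*/\*
address_group PRIVATE_IP 192.168.0.0-192.168.255.255
"""

def path_matches(pattern, path):
    # '\*' = zero or more characters other than '/'; everything else is literal.
    # Other pattern forms from the Policy Specifications are not modeled here.
    regex = "[^/]*".join(re.escape(part) for part in pattern.split("\\*"))
    return re.fullmatch(regex, path) is not None

def load_groups(text):
    """Parse path_group / address_group lines into two dictionaries."""
    paths, addrs = {}, {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        kind, name, value = fields
        if kind == "path_group":
            paths.setdefault(name, []).append(value)
        elif kind == "address_group":
            ends = [ipaddress.ip_address(a) for a in value.split("-")]
            addrs.setdefault(name, []).append((ends[0], ends[-1]))
    return paths, addrs

PATHS, ADDRS = load_groups(EXCEPTION_POLICY)

def read_allowed(entry, path):
    """entry is the pathname part of a '4 ...' line: '@GROUP' or a pattern."""
    patterns = PATHS.get(entry[1:], []) if entry.startswith("@") else [entry]
    return any(path_matches(p, path) for p in patterns)

def in_address_group(name, address):
    ip = ipaddress.ip_address(address)
    return any(low <= ip <= high for low, high in ADDRS.get(name, []))

if __name__ == "__main__":
    for p in ("/var/www/html/index.html", "/var/www/a/b/c/d/e/f.html"):
        print(p, read_allowed("@WEB_CONTENTS", p))
    print(in_address_group("PRIVATE_IP", "192.168.1.135"))
```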
