Comments on: Tomoyo GUI http://dodonov.net/blog/2009/07/06/tomoyo-gui/ My view on technology, open-source, Linux and other cool things. Thu, 17 May 2012 13:22:04 +0000 hourly 1 http://wordpress.org/?v= By: Pawel Stolowski http://dodonov.net/blog/2009/07/06/tomoyo-gui/comment-page-1/#comment-17245 Pawel Stolowski Sun, 07 Mar 2010 17:44:40 +0000 http://dodonov.net/blog/?p=473#comment-17245 <p>You don't need to check all the possible execution paths leading to specific daemon/executable - you just need an 'initialize_domain' rule in exception_policy.conf. Just say 'initialize_domain /sbin/httpd' and then all the rules applied to /sbin/httpd/ domain will take effect no matter how httpd was executed.</p> You don’t need to check all the possible execution paths leading to specific daemon/executable – you just need an ‘initialize_domain’ rule in exception_policy.conf. Just say ‘initialize_domain /sbin/httpd’ and then all the rules applied to /sbin/httpd/ domain will take effect no matter how httpd was executed.

]]> By: Mandriva 2010.0 - http://dodonov.net/blog/2009/07/06/tomoyo-gui/comment-page-1/#comment-17089 Mandriva 2010.0 - Thu, 05 Nov 2009 10:46:49 +0000 http://dodonov.net/blog/?p=473#comment-17089 <p>[...] [...]</p> [...] [...]

]]> By: Mandriva 2010.0 - Настрой сервер сам http://dodonov.net/blog/2009/07/06/tomoyo-gui/comment-page-1/#comment-17084 Mandriva 2010.0 - Настрой сервер сам Tue, 03 Nov 2009 09:57:54 +0000 http://dodonov.net/blog/?p=473#comment-17084 <p>[...] Security Framework вместе с собственной разработкой tomoyo-gui в качестве альтернативы [...]</p> [...] Security Framework вместе с собственной разработкой tomoyo-gui в качестве альтернативы [...]

]]> By: News Wave » Релиз Mandriva 2010.0 http://dodonov.net/blog/2009/07/06/tomoyo-gui/comment-page-1/#comment-17082 News Wave » Релиз Mandriva 2010.0 Tue, 03 Nov 2009 07:16:45 +0000 http://dodonov.net/blog/?p=473#comment-17082 <p>[...] Security Framework вкупе с собственной разработкой tomoyo-gui в качестве замены [...]</p> [...] Security Framework вкупе с собственной разработкой tomoyo-gui в качестве замены [...]

]]> By: eugeni http://dodonov.net/blog/2009/07/06/tomoyo-gui/comment-page-1/#comment-16910 eugeni Tue, 07 Jul 2009 15:42:42 +0000 http://dodonov.net/blog/?p=473#comment-16910 <p>That's the idea :) .</p> That’s the idea :) .

]]> By: aapgorilla http://dodonov.net/blog/2009/07/06/tomoyo-gui/comment-page-1/#comment-16909 aapgorilla Tue, 07 Jul 2009 15:27:11 +0000 http://dodonov.net/blog/?p=473#comment-16909 <p>Wouldn't it be a good idea to integrate tomoyo_gui into msec_gui? To have one gui for all security related settings...</p> Wouldn’t it be a good idea to integrate tomoyo_gui into msec_gui? To have one gui for all security related settings…

]]> By: eugeni http://dodonov.net/blog/2009/07/06/tomoyo-gui/comment-page-1/#comment-16907 eugeni Tue, 07 Jul 2009 12:39:22 +0000 http://dodonov.net/blog/?p=473#comment-16907 <p>The problem with tomoyo is that the policies do not contain the executable path, but the sequences of execution from kernel until the current executable.</p> <p>I thought on using a tree view for all policies, but it leads to confusion. For example, <kernel> /sbin/init could lead to a lot of daemons, each daemon leading to a multitude of applications, and so on. So if we use the treeview, it will require to go about 13 levels deeper to get the application you want. And it also makes harder to find the application you want.</p> <p>The ccs-editpolicy simplifies it by trimming the initial path, so it is easier to see. Maybe I'll follow the same idea.</p> <p>Another problem is that the entire policy is contained in the same big policy file. So we cannot, for example, provide specific policy for an RPM inside the package, we'll have to merge it with the system policy. For example, we cannot set policy for /sbin/httpd - we have to check all the possible execution paths leading to /sbin/httpd (like <kernel> /sbin/init, <kernel> /sbin/init /etc/rc ..., and so on). I was already thinking on it, but nothing is done about this yet.</p> The problem with tomoyo is that the policies do not contain the executable path, but the sequences of execution from kernel until the current executable.

I thought on using a tree view for all policies, but it leads to confusion. For example, /sbin/init could lead to a lot of daemons, each daemon leading to a multitude of applications, and so on. So if we use the treeview, it will require to go about 13 levels deeper to get the application you want. And it also makes harder to find the application you want.

The ccs-editpolicy simplifies it by trimming the initial path, so it is easier to see. Maybe I’ll follow the same idea.

Another problem is that the entire policy is contained in the same big policy file. So we cannot, for example, provide specific policy for an RPM inside the package, we’ll have to merge it with the system policy. For example, we cannot set policy for /sbin/httpd – we have to check all the possible execution paths leading to /sbin/httpd (like /sbin/init, /sbin/init /etc/rc …, and so on). I was already thinking on it, but nothing is done about this yet.

]]> By: FACORAT Fabrice http://dodonov.net/blog/2009/07/06/tomoyo-gui/comment-page-1/#comment-16905 FACORAT Fabrice Tue, 07 Jul 2009 07:12:24 +0000 http://dodonov.net/blog/?p=473#comment-16905 <p>I have some difficulties understanding the UI. If I understand correctly : 1st column : . What is it ? When lokking at some policies samples, it seems to be always . Should we show it then ?</p> <p>2nd : this is always the same thing. So I guess this is the executable on which we want to apply some policies ?</p> <p>3rd column : what is it ? The list of function calls by the 2nd column ? If yes, then we should use a hierarchical tree. Something like this : | + -- /etc/rc.d/init.d/asusoled | |- /bin/rm |- /bin/sed</p> <p>cf also : http://tomoyo.sourceforge.jp/en/1.6.x/tool-editpolicy.html</p> <p>Another interesting things which could be interesting : - ability to save or load a policy for a domain/executable. Some polices sample here : http://tomoyo.sourceforge.jp/cgi-bin/lxr/source/?v=policy-sample - ability to manage policies by rpm packages: list installed packages on the system, select a package, start learning mode. As we have the list of files in the packages, only the entries ( and their children ) for the files contained in the package will be shown.</p> I have some difficulties understanding the UI. If I understand correctly : 1st column : . What is it ? When lokking at some policies samples, it seems to be always . Should we show it then ?

2nd : this is always the same thing. So I guess this is the executable on which we want to apply some policies ?

3rd column : what is it ? The list of function calls by the 2nd column ? If yes, then we should use a hierarchical tree. Something like this : | + — /etc/rc.d/init.d/asusoled | |- /bin/rm |- /bin/sed

cf also : http://tomoyo.sourceforge.jp/en/1.6.x/tool-editpolicy.html

Another interesting things which could be interesting : - ability to save or load a policy for a domain/executable. Some polices sample here : http://tomoyo.sourceforge.jp/cgi-bin/lxr/source/?v=policy-sample - ability to manage policies by rpm packages: list installed packages on the system, select a package, start learning mode. As we have the list of files in the packages, only the entries ( and their children ) for the files contained in the package will be shown.

]]> By: bedi http://dodonov.net/blog/2009/07/06/tomoyo-gui/comment-page-1/#comment-16900 bedi Mon, 06 Jul 2009 16:49:01 +0000 http://dodonov.net/blog/?p=473#comment-16900 <p>hehehehe :D</p> <p>Good job doc.!</p> hehehehe :D

Good job doc.!

]]>