FS#34057 : [linux] 3.7.9 - 3.8.x Tomoyo fails to function on Linux

FS#34057 - [linux] 3.7.9 - 3.8.x Tomoyo fails to function on Linux

Attached to Project: Arch Linux
Opened by Alexander Diana (Roukoswarf) - Wednesday, 27 February 2013, 21:07 GMT
Last edited by Tobias Powalowski (tpowa) - Friday, 15 March 2013, 07:09 GMT

Task Type	Bug Report
Category	Packages: Testing
Status	Closed
Assigned To	Tobias Powalowski (tpowa) Thomas Bächler (brain0)
Architecture	x86_64
Severity	High
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	5 Abelardo Ricart (aricart) (2013-03-12) Pablo Lezaeta (Jristz) (2013-03-06) Fernando Cladera (fclad) (2013-03-04) Stefan J. Betz (encbladexp) (2013-02-28) Alexander Diana (Roukoswarf) (2013-02-27)
Private	No

Details

Description:
tomoyo does not load config on boot, and learning mode/policies do not seem to work.
Tested with a non [testing] machine on linux 3.7.9-2 and it worked as expected.

Additional info:
* Linux 3.8.0-2
* tomoyo-tools 2.5.0.20130214-1
* Standard init config

Steps to reproduce:
1. Install tomoyo-tools
2. Run /usr/lib/tomoyo/init_policy
3. Reboot.
4. set <kernel> to learning profile.
5. restart a service, notice no rules are learned.
6. save config, reboot, notice rules are not loaded.
7. manually load configs with tomoyo-init, notice the profile loads.
8. notice the loaded profile is non functional.

This task depends upon

Closed by Tobias Powalowski (tpowa)
Friday, 15 March 2013, 07:09 GMT
Reason for closing: Fixed

Comment by Jan de Groot (JGC) - Wednesday, 27 February 2013, 21:13 GMT

The tomoyo activation trigger has been changed to /usr/lib/systemd/systemd, so if you're still using sysvinit/initscripts it will not activate without additional kernel options to adjust the trigger.

Comment by Alexander Diana (Roukoswarf) - Wednesday, 27 February 2013, 21:15 GMT

I am using systemd, i will try manually setting that trigger.

EDIT: confirmed no difference in behaviour with changed hook, continues to not load config on boot and rules continue to be ineffective, learning mode continues to not learn.

Comment by Alexander Diana (Roukoswarf) - Wednesday, 27 February 2013, 21:24 GMT

Confirmed affecting another [testing] box.

Comment by Tobias Powalowski (tpowa) - Tuesday, 05 March 2013, 10:38 GMT

Does it help if you change back the path?

Comment by Fernando Cladera (fclad) - Tuesday, 05 March 2013, 12:39 GMT

It is not working for me either. I'm running the stock kernel 3.7.9-2-ARCH and learning is not working. The profiles are not working too.
tomoyo-tools version 2.5.0.20130214-1.

Comment by Abelardo Ricart (aricart) - Tuesday, 12 March 2013, 17:32 GMT

Paraphrasing Tetsuo Handa from the tomoyo mailing lists:

"This is because the pathname specified via CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER (/usr/lib/systemd/systemd) is not yet passed to execve() request after the pathname specified via CONFIG_SECURITY_TOMOYO_POLICY_LOADER (/sbin/tomoyo-init) became visible.

CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER can now safely be changed to /sbin/init (symlink to /usr/lib/systemd/systemd) since our /init tries to pass /sbin/init to the execve() request. After this is done, Tomoyo behaves as expected and creates new domains in the kernel policy."

You can do this on the command line via security=tomoyo TOMOYO_trigger=/sbin/init. After this, domain transitions should be seen in tomoyo-editpolicy.

I've updated the wiki with this information.

Comment by Fernando Cladera (fclad) - Tuesday, 12 March 2013, 20:21 GMT

It is working now for me, thanks!

	Tasks related to this task (0)

Duplicate tasks of this task (1)
~~FS#34280 - [linux] Tomoyo kernel config options no longer works with system~~

Arch Linux

FS#34057 - [linux] 3.7.9 - 3.8.x Tomoyo fails to function on Linux

Details

Loading...