Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#34057 - [linux] 3.7.9 - 3.8.x Tomoyo fails to function on Linux
Attached to Project:
Arch Linux
Opened by Alexander Diana (Roukoswarf) - Wednesday, 27 February 2013, 21:07 GMT
Last edited by Tobias Powalowski (tpowa) - Friday, 15 March 2013, 07:09 GMT
Details

Description:
tomoyo does not load config on boot, and learning mode/policies do not seem to work. Tested with a non [testing] machine on linux 3.7.9-2 and it worked as expected.

Additional info:
* Linux 3.8.0-2
* tomoyo-tools 2.5.0.20130214-1
* Standard init config

Steps to reproduce:
1. Install tomoyo-tools
2. Run /usr/lib/tomoyo/init_policy
3. Reboot.
4. set <kernel> to learning profile.
5. restart a service, notice no rules are learned.
6. save config, reboot, notice rules are not loaded.
7. manually load configs with tomoyo-init, notice the profile loads.
8. notice the loaded profile is non functional.
EDIT: confirmed no difference in behaviour with changed hook, continues to not load config on boot and rules continue to be ineffective, learning mode continues to not learn.
tomoyo-tools version 2.5.0.20130214-1.
"This is because the pathname specified via CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER (/usr/lib/systemd/systemd) is not yet passed to execve() request after the pathname specified via CONFIG_SECURITY_TOMOYO_POLICY_LOADER (/sbin/tomoyo-init) became visible.
CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER can now safely be changed to /sbin/init (symlink to /usr/lib/systemd/systemd) since our /init tries to pass /sbin/init to the execve() request. After this is done, Tomoyo behaves as expected and creates new domains in the kernel policy."
You can do this on the command line via security=tomoyo TOMOYO_trigger=/sbin/init. After this, domain transitions should be seen in tomoyo-editpolicy.
I've updated the wiki with this information.
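
The workaround in the last comment can be checked against a boot configuration before rebooting. The shell functions below are an added example, not part of the bug report or of tomoyo-tools: the function names are hypothetical, the sample command lines are constructed, and it assumes a later occurrence of a parameter overrides an earlier one. The trigger is compared as a plain string because, as the quoted explanation says, what matters is the pathname passed to execve(), not the symlink target.

```shell
#!/bin/sh
# Added example: check a kernel command line against the workaround
# described in this report (security=tomoyo TOMOYO_trigger=/sbin/init).

# cmdline_param KEY CMDLINE
# Print the value of the last KEY=VALUE word in CMDLINE (empty if absent).
# Runs in a subshell so that 'set -f' (no globbing) does not leak out.
cmdline_param() (
    set -f
    key=$1 value=
    for word in $2; do
        case $word in
            "$key"=*) value=${word#"$key"=} ;;
        esac
    done
    printf '%s\n' "$value"
)

# check_tomoyo_boot CMDLINE EXEC_PATH BUILD_TRIGGER
#   EXEC_PATH      pathname the initramfs /init passes to execve()
#                  (/sbin/init according to the report)
#   BUILD_TRIGGER  CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER of the kernel,
#                  used when TOMOYO_trigger= is not on the command line
# Returns 0 if the policy loader would be triggered, 1 if security=tomoyo
# is missing, 2 if the trigger never matches the executed pathname.
check_tomoyo_boot() {
    lsm=$(cmdline_param security "$1")
    trigger=$(cmdline_param TOMOYO_trigger "$1")
    [ -n "$trigger" ] || trigger=$3
    if [ "$lsm" != tomoyo ]; then
        echo "inactive: security=tomoyo not on command line"
        return 1
    fi
    if [ "$trigger" != "$2" ]; then
        echo "mismatch: trigger is $trigger but init is executed as $2"
        return 2
    fi
    echo "ok: trigger $trigger matches executed pathname"
}

# Constructed sample command lines: the failing setup from the report
# (build-time trigger /usr/lib/systemd/systemd) and the workaround.
check_tomoyo_boot 'root=/dev/sda1 rw security=tomoyo' \
    /sbin/init /usr/lib/systemd/systemd || :
check_tomoyo_boot 'root=/dev/sda1 rw security=tomoyo TOMOYO_trigger=/sbin/init' \
    /sbin/init /usr/lib/systemd/systemd || :
```

On a running system, pass "$(cat /proc/cmdline)" as the first argument.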