Re: Binding a group (acl_group) to a profile ? (2019-07-18 00:45 by kumaneko #83256)
Hello.
Changing "use_group" upon changing "use_profile" is unlikely to be what people want to do.
Since both "use_profile" and "use_group" will be copied to newly created domains,
I wonder why you want such feature... What is the problem?
Re: Binding a group (acl_group) to a profile ? (2019-07-18 01:52 by intika #83257)
Reply To Message #83256
> I wonder why you want such feature... What is the problem?
It's not really a problem; I just wanted to make things easier... I know that "use_profile" and "use_group" are inherited by new child processes/domains...
I am using different profiles to control domain access (profile1=allow, profile2=deny), and I just change the domain's profile when needed...
Regarding some managed access controls like file::ioctl that cover a lot of different calls (path/pipe/socket/devpts/anon_inode/proc), I need to fine-grain the level of control. Let's say, for instance, that I want to control just file::ioctl::proc and allow the other ioctl calls. We cannot add such a rule to a profile, so I am using acl_group/use_group to accomplish that... I don't have a problem, it's working fine; I was just wondering if it would be possible to bind the use_group to the use_profile and thus be able to create a fine-grained profile. (Currently, with the solution I use, when I change a domain's profile I have to change its use_group too...)
Or maybe add a feature that would add an additional level to the profile, like 2-CONFIG::file::ioctl::proc (right now we are limited to 2-CONFIG::file::ioctl)...
Anyway, everything is working; I was just wondering how to make it better :)
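For readers who have not used this combination, here is what the scheme described in the post above looks like in TOMOYO 2.x policy files. This is an added illustration, not a policy posted in the thread: two profiles that differ only in the mode of file::ioctl, an acl_group that pre-allows ioctl on every non-proc target so that only proc: ioctls are left to the domain's own rules, and one domain that switches behaviour by changing its use_profile. The group number, the path patterns, the number_group range, the ioctl numbers and the domain name are all assumed for the example; check them against your own kernel's audit log before relying on them.

```text
# profile.conf (assumed example)
1-COMMENT=-----allow: everything enforced except ioctl-----
1-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
1-CONFIG::file::ioctl={ mode=permissive grant_log=no reject_log=yes }
2-COMMENT=-----deny: ioctl enforced too-----
2-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
2-CONFIG::file::ioctl={ mode=enforcing grant_log=no reject_log=yes }

# exception_policy.conf (assumed example)
# Any 32-bit ioctl request number.
number_group ANY_IOCTL 0-0xFFFFFFFF
# Every ioctl target that is not a proc: path. Regular paths never start
# with "proc:", so matching "/..." does not cover procfs.
path_group NON_PROC_IOCTL /\{\*\}/\*
path_group NON_PROC_IOCTL pipe:[\$]
path_group NON_PROC_IOCTL socket:[\*]
path_group NON_PROC_IOCTL devpts:/\$
path_group NON_PROC_IOCTL anon_inode:\*
# Group 1 grants those ioctls to every domain that says "use_group 1",
# so only proc: ioctls still need per-domain rules.
acl_group 1 file ioctl @NON_PROC_IOCTL @ANY_IOCTL

# domain_policy.conf (assumed example)
<kernel> /usr/bin/example
use_profile 2
use_group 1
# Only the proc: ioctls this program legitimately needs are listed;
# every other proc: ioctl is rejected while profile 2 is in use.
file ioctl proc:/self/fd/\$ 0x5401
```

With this layout, switching the domain between "allow" and "deny" is a single change of the use_profile line (2 to 1 and back), because the acl_group covers the non-proc ioctls regardless of profile; that is the part the post above has to do by hand with a second use_group change. The trade-off is the one the post names: the split between "proc" and "everything else" lives in the group, not in the profile, so it is not visible in the profile's CONFIG lines.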
Re: Binding a group (acl_group) to a profile ? (2019-07-18 06:52 by kumaneko #83258)
> Or may be add a feature that would add an additional level to the profile like
> 2-CONFIG::file::ioctl::proc (right now we are limited to 2-CONFIG::file::ioctl)...
OK. You want to control only specific actions on specific targets, don't you?
Then, I think that CaitSith ( https://caitsith.osdn.jp/ ) fits better.
As described in "Things I struggled" in http://I-love.SAKURA.ne.jp/tomoyo/CaitSith-en.pdf ,
I considered implementing "profiles on a per-filename basis", but I didn't implement it
in TOMOYO. Instead of doing something like 2-CONFIG::file::ioctl::proc , I implemented CaitSith.
Wow, yay, another cool tool... I read the presentation and the documentation; it's a great, different way of viewing things compared to TOMOYO, but to be honest I have been in love with TOMOYO since I met that piece of software 6 years ago or something... plus I kind of gained some expertise using it... I might add CaitSith on top of TOMOYO later on, or use it in a specific environment.
kumaneko, thank you a lot for your devotion, for what you are bringing to the Linux community, and for your accessibility; it's amazing to be able to communicate with you this easily.
I may help with dev. later on when I finish some ongoing projects. ;)