Jamie Nguyen wrote:
> Actually, the above commands don't seem to work. The policy is loaded
> into kernel memory, but has no effect on the system.

TOMOYO prints "Mandatory Access Control activated." message and MAC is activated when /sbin/init is executed. /sbin/ccs-init is executed in order to load policy from /etc/ccs/ directory when "execution of /sbin/init is requested and /sbin/ccs-init exists". If you execute /bin/systemd rather than /sbin/init, /sbin/ccs-init will not be executed and TOMOYO will not be activated.

> Reverting back from systemd solves the issue.

Please see ccs_load_policy() in security/ccsecurity/load_policy.c.

Until TOMOYO 1.8.1, there was CONFIG_CCSECURITY_ALTERNATIVE_TRIGGER kernel config option that specifies which program is used as a trigger for (optionally calling /sbin/ccs-init and) activating TOMOYO. I was considering replacing CONFIG_CCSECURITY_ALTERNATIVE_TRIGGER with CONFIG_CCSECURITY_ACTIVATION_TRIGGER in TOMOYO 1.8.2.

But according to your usage, it seems to me that we want a kernel command line option (like CCS_Loader= option) that allows you to specify which program is used as a trigger for activating TOMOYO since it would be difficult for distributors to determine the location of program that is used as /sbin/init at compile time.
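
A way to check which of the cases described above a given boot falls into, as an added example that is not part of the original message or of TOMOYO's code. The function names and status strings are hypothetical; it assumes the kernel runs the program named by `init=` on its command line, or /sbin/init when `init=` is absent, and it does not model an initramfs handing off to a different init.

```shell
#!/bin/sh
# Added example: predicts whether the /sbin/init trigger described in the
# message is hit for a given kernel command line.
# Assumption: the kernel runs the program named by init=, else /sbin/init.

TRIGGER=/sbin/init      # trigger path named in the message
LOADER=/sbin/ccs-init   # policy loader named in the message

# requested_init CMDLINE -> prints the init path the kernel is asked to run.
# Runs in a subshell so that "set -f" (no globbing) does not leak out.
requested_init() (
    set -f
    init=$TRIGGER
    for word in $1; do
        case $word in
            --) break ;;                    # the rest is passed to init itself
            init=*) init=${word#init=} ;;   # a later init= overrides an earlier one
        esac
    done
    printf '%s\n' "$init"
)

# trigger_status CMDLINE [ROOT] -> prints one of:
#   trigger-loader     /sbin/init is requested and /sbin/ccs-init exists
#   trigger-no-loader  /sbin/init is requested, /sbin/ccs-init is missing,
#                      so no policy is loaded from /etc/ccs/
#   no-trigger         another program is requested as init
# ROOT is an optional prefix for inspecting a mounted image.
trigger_status() {
    root=${2:-}
    if [ "$(requested_init "$1")" != "$TRIGGER" ]; then
        echo no-trigger
    elif [ -e "$root$LOADER" ]; then
        echo trigger-loader
    else
        echo trigger-no-loader
    fi
}

# Constructed sample command lines (not taken from the thread):
for sample in 'root=/dev/sda1 ro quiet' 'root=/dev/sda1 ro init=/bin/systemd'; do
    printf '%s -> %s\n' "$sample" "$(trigger_status "$sample")"
done
```

On a running system, `trigger_status "$(cat /proc/cmdline)"` applies the same check to the current boot.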