This page is for TOMOYO 2.2 (for Linux 2.6.30 - 2.6.35 kernels). Please jump to this page for TOMOYO 2.3 (for Linux 2.6.36 and later kernels).
Last modified: 2024-03-30 11:25:00 +0000 (Sat, 30 Mar 2024)
Edits the current policy in the /sys/kernel/security/tomoyo/ directory.
You may give one of 'e', 'd', 'p', 'm' or 'u' on the command line to choose the initial screen. If none is given, the domain listing screen is shown.
<Scroll>
Up-arrow | Scroll 1 line up. |
Down-arrow | Scroll 1 line down. |
PageUp | Scroll 1 page up. |
PageDown | Scroll 1 page down. |
Right-arrow | Scroll 1 column right. |
Left-arrow | Scroll 1 column left. |
Home | Move to the top of line. |
End | Move to the bottom of line. |
<Search>
f/F | Find First |
n/N | Find Next |
p/P | Find Previous |
<Edit>
a/A | Add an entry. |
Enter | Edit the ACLs of the domain at the cursor position. (Valid only on the domain listing screen.) |
Space | Invert the selection state of the entry at the cursor position. |
c/C | Copy the selection state of the entry at the cursor position to all entries below it. |
d/D | Delete the selected entries. |
s/S | Set the profile number of the selected entries. (Valid only on the domain listing screen.) |
Insert | Copy the entry at the cursor position to the history buffer. |
<Misc>
q/Q | Quit |
r/R | Refresh |
w/W | Switch to window list. |
A tutorial is available at How to use Policy Editor.
Reloads the on-disk policy into memory.
The following command-line parameters are available.
Changes the current control level (i.e. writes to /sys/kernel/security/tomoyo/profile ) and displays the new control level.
You can give the new control level as a command-line parameter.
Assigns a profile to domains.
You can give the new profile number and the domain names as command-line parameters. The list of domain names whose assigned profile number has changed is printed.
Lists the domain names that currently running processes belong to and the profile numbers currently assigned to those domains.
This program shows the profile number, process name, PID and domain name, similar to the "pstree" command.
Saves the in-memory policy to disk.
The following command-line parameters are available.
Reads domain policy from standard input, checks whether each pathname exists, and dumps the nonexistent pathnames.
Nonexistent pathnames are likely to be temporary pathnames. Derive the naming rule from similar nonexistent pathnames and append the resulting pattern to /etc/tomoyo/exception_policy.conf and /sys/kernel/security/tomoyo/exception_policy .
You can pass the content of /etc/tomoyo/domain_policy.conf or /sys/kernel/security/tomoyo/domain_policy to the standard input of this program using redirection or a pipe.
Automatically appends shared libraries to the exception policy using the "allow_read" directive when the location of shared libraries listed in /etc/ld.so.cache has changed.
By running this program while updating packages, you can avoid "unable to start applications because shared libraries are unreadable" errors when the pathnames of shared libraries accessed by general programs have changed.
Reads policy files from standard input and checks syntaxes.
Prints errors with line numbers if any.
Loads policy files from the /etc/tomoyo/ directory.
Install this program as /sbin/tomoyo-init , and it will be invoked automatically when initrd requests execution of /sbin/init .
This is a "fgrep" for /sys/kernel/security/tomoyo/domain_policy .
Reads domain policy from standard input, replaces pathnames with patterns when the pathname matches a pattern given on the command line, and writes the result to standard output. Pathnames carrying execute permission and domain names are not patterned.
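The following Python is an added example, not code from tomoyo-tools: it reimplements on a constructed domain-policy fragment the two steps described above, the existence check of the temporary-pathname finder and the pattern rewrite that leaves domain lines and execute permissions untouched. The wildcard subset it understands (\*, \$, \X) and the sample pathnames are assumptions made for this example.

```python
import os
import re

# Constructed TOMOYO 2.2 domain policy fragment (not from a real system).
SAMPLE_DOMAIN_POLICY = """\
<kernel> /usr/sbin/httpd
use_profile 3
allow_read /etc/httpd/conf/httpd.conf
allow_execute /usr/bin/php
allow_create /tmp/sess_7f3a9c
allow_unlink /tmp/sess_7f3a9c
"""
# Assumed wildcard subset: \* (run of non-'/' chars), \$ (decimal digits), \X (hex digits).
_WILDCARDS = {r"\*": r"[^/]*", r"\$": r"[0-9]+", r"\X": r"[0-9a-fA-F]+"}

def pattern_to_regex(pattern):
    # Translate a TOMOYO pathname pattern into an anchored regex, two chars at a time.
    out, i = [], 0
    while i < len(pattern):
        if pattern[i:i + 2] in _WILDCARDS:
            out.append(_WILDCARDS[pattern[i:i + 2]])
            i += 2
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def find_nonexistent(policy_text, exists=os.path.exists):
    # Existence check: pathnames referenced by allow_* lines that are absent on disk.
    missing = []
    for line in policy_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("allow_"):
            for path in (w for w in parts[1:] if w.startswith("/")):
                if not exists(path) and path not in missing:
                    missing.append(path)
    return missing

def patternize(policy_text, patterns):
    # Pattern rewrite: swap matching pathnames for the pattern, never on <kernel> or allow_execute lines.
    regexes = [(p, pattern_to_regex(p)) for p in patterns]
    out = []
    for line in policy_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("allow_") and parts[0] != "allow_execute":
            parts[1:] = [next((p for p, rx in regexes if rx.match(w)), w) for w in parts[1:]]
        out.append(" ".join(parts) if parts else line)
    return "\n".join(out) + "\n"
```

The `exists` argument lets the check run against a fixed set of known paths instead of the live filesystem, which is how the sample is verified offline.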
Generates templates for policy. You need to review the output because automatically generated policy may contain redundant or dangerous entries.