TOMOYO Linux is an extension for the Linux kernel to provide mandatory access control (MAC) functions. It is provided in the form of patches to the Linux vanilla kernel and utilities for policy management.
# Fedora 11/12/13/14
# CentOS 3/4/5/6
# Debian Etch/Lenny/Squeeze
# OpenSUSE 11.0/11.1/11.2/11.3/11.4
# Asianux 2/3
# Ubuntu 6.06/8.04/8.10/9.04/9.10/10.04/10.10/11.04
# Vine Linux 4.2/5.2
# Hardened Gentoo
# Nature's Linux 1.6
What's New in This Release: [ read full changelog ]
· Fix 2011/09/25
· @ Simplify garbage collector.
· It turned out that use of batched processing tends to choke garbage
· collector when certain pattern of entries are queued. Thus, I replaced it
· with sequential processing.
· Fix 2011/09/16
· @ Allow specifying domain transition preference.
· I got an opinion that it is difficult to use exception policy's domain
· transition control directives because they need to match the pathname
· specified to "file execute" directives. For example, if "file execute
· /bin/\*\-ls\-cat" is given, corresponding domain transition control
· directive needs to be like "no_keep_domain /bin/\*\-ls\-cat from any".
· To solve this difficulty, I introduced optional argument that supersedes
· exception policy's domain transition control directives.
· file execute /bin/ls keep exec.realpath="/bin/ls" exec.argv="ls"
· file execute /bin/cat keep exec.realpath="/bin/cat" exec.argv="cat"
· file execute /bin/\*\-ls\-cat child
· file execute /usr/sbin/httpd exec.realpath="/usr/sbin/httpd" exec.argv="/usr/sbin/httpd"
· This argument allows transition to different domains based on conditions.
· file execute /bin/bash /usr/sbin/sshd //batch-session exec.argc=2 exec.argv="-c"
· file execute /bin/bash /usr/sbin/sshd //root-session task.uid=0
· file execute /bin/bash /usr/sbin/sshd //nonroot-session task.uid!=0