[tomoyo-dev-en 285] Re: systemd support

Tetsuo Handa from-****@I-lov*****
Fri Jun 17 16:51:52 JST 2011


Jamie Nguyen wrote:
> If a service has "Type=forking", then $MAINPID can either be
> determined from a PID file provided by the program, or systemd does
> some kind of magic to guess what $MAINPID is. The default is to guess.
> I'm running revision 5131 and it is working fine.

OK.

> I have restarted the service several times and it appears that systemd
> is able to guess $MAINPID correctly every time.

I used SIGHUP as a trigger for reloading the configuration file rather than
re-executing the program. It causes neither fork() nor execve(). So, systemd
will not fail to guess.



> On an unrelated note, I think I've spotted a bug. Creating a second
> namespace works fine, but creating a third namespace seems to cause
> some issue with profiles. The policy within "/etc/ccs/policy/"
> directory is correct, but "/etc/ccs/profile.conf" is not updated to
> reflect the third namespace.

/etc/ccs/{domain_policy,exception_policy,profile,manager}.conf are symlinks to
policy/current/{domain_policy,exception_policy,profile,manager}.conf .
I think neither ccs-editpolicy nor ccs-savepolicy touches /etc/ccs/profile.conf .

Has /etc/ccs/profile.conf changed from a symlink to a regular file for some
reason?



Tetsuo Handa wrote:
> > 2) The profile editor screen doesn't work as expected when doing
> > "ccs-editpolicy /etc/ccs". Pressing "s" to edit for example the
> > "3-PREFERENCE" line to have "enforcing_penalty=5" results in two lines
> > that start with "3-PREFERENCE", instead of replacing the line that is
> > being edited.
> 
> That is due to lazy implementation in order to absorb differences in the parser
> used by the TOMOYO 1.8.x kernels. Keywords may be added within TOMOYO 1.8.x but
> the userspace tools should not ignore the line even if it does not know how to
> parse the line. Thus, offline mode is almost doing only "echo $line >> $file"
> for addition and "grep -vF $line $file" for deletion because invalid lines will
> be ignored and old values will be overwritten when parsed by the kernel.
> 
> But in order to save lines when embedding policy into the kernel, offline mode
> should start using parsers which the kernel uses.

Done in revision 5135.
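
A check for the question raised in the message above (whether /etc/ccs/profile.conf is still a symlink), as an added example that is not part of the original message or of the TOMOYO tools. The function name `check_ccs_links` is hypothetical, and it assumes each link points at the relative path `policy/current/NAME.conf` or the equivalent absolute path.

```shell
#!/bin/sh
# Added example: report which of the four top-level policy files in a
# TOMOYO configuration directory are no longer symlinks into policy/current/.
# Prints one status line per file and returns the number of files that are
# not the expected symlink (0 means all four match the layout described).
check_ccs_links() {
    dir=$1
    bad=0
    for name in domain_policy exception_policy profile manager; do
        path="$dir/$name.conf"
        want="policy/current/$name.conf"   # assumed relative link target
        if [ -L "$path" ]; then
            target=$(readlink "$path")
            if [ "$target" = "$want" ] || [ "$target" = "$dir/$want" ]; then
                echo "ok       $path -> $target"
            else
                echo "retarget $path -> $target (expected $want)"
                bad=$((bad + 1))
            fi
        elif [ -e "$path" ]; then
            # The case asked about: the symlink was replaced by a real file,
            # so edits under policy/current/ no longer show up here.
            echo "regular  $path is not a symlink"
            bad=$((bad + 1))
        else
            echo "missing  $path"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Run against a directory when one is given, e.g.: sh check.sh /etc/ccs
if [ "$#" -gt 0 ]; then
    check_ccs_links "$1"
fi
```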



