Chapter 8: Interface permissions
# echo "/usr/sbin/ccs-editpolicy" | /usr/sbin/ccs-loadpolicy -m
By default, only processes with UID=0 and EUID=0 (i.e. the root user) are allowed to modify policy. To allow the $USER user to modify policy, run these commands:
# echo "manage_by_non_root" | /usr/sbin/ccs-loadpolicy -m
# chown -R $USER /proc/ccs/
This can be reversed by running these commands:
# echo "delete manage_by_non_root" | /usr/sbin/ccs-loadpolicy -m
# chown -R root /proc/ccs/
If you want to have a separate user that is able to modify policy, the file "/etc/ccs/ccs-post-init" can be used. If this file exists, it is executed by /sbin/ccs-init at boot. To allow the 'tomoyo' user to modify policy, create "/etc/ccs/ccs-post-init" with the following contents:
#! /bin/sh
echo manage_by_non_root > /proc/ccs/manager
chown -R tomoyo /proc/ccs/
Then, make this file executable and make the policy directory readable/writable by the 'tomoyo' user:
# chmod 755 /etc/ccs/ccs-post-init
# chown -R tomoyo /etc/ccs/
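
To confirm that the settings above are the ones you intended, the following added example (not part of the TOMOYO tools) reports whether manage_by_non_root is set and lists any path under the interface and policy directories that is not owned by the expected user. It assumes the manager list reads back one entry per line in the form shown above; the function names and the script name audit.sh are made up for this example.

```sh
#!/bin/sh
# Added example, not part of the TOMOYO tools: report who can modify policy.
# Assumption: the manager list reads back one entry per line, in the form the
# page writes it ("manage_by_non_root" or a program path).

# Succeeds if the list lifts the UID=0/EUID=0 requirement.
non_root_enabled() {
    grep -qx 'manage_by_non_root' "$1"
}

# Prints the manager entries other than the manage_by_non_root switch.
manager_entries() {
    grep -vx -e 'manage_by_non_root' -e '' "$1" || true
}

# Prints every path under directory $1 that is not owned by user $2.
not_owned_by() {
    find "$1" ! -user "$2" -print 2>/dev/null
}

# audit MANAGER_FILE PROC_DIR ETC_DIR EXPECTED_OWNER
# Returns 1 if any path under the two directories has another owner.
audit() {
    status=0
    if non_root_enabled "$1"; then
        echo "manage_by_non_root: set"
    else
        echo "manage_by_non_root: not set"
    fi
    manager_entries "$1" | sed 's/^/manager entry: /'
    for dir in "$2" "$3"; do
        found=$(not_owned_by "$dir" "$4") || true
        if [ -n "$found" ]; then
            echo "$found" | sed "s|^|not owned by $4: |"
            status=1
        fi
    done
    return "$status"
}

# Usage: sh audit.sh /proc/ccs/manager /proc/ccs /etc/ccs root
if [ "$#" -eq 4 ]; then
    audit "$@"
fi
```

Pass root as the expected owner on a default installation, or the dedicated account (tomoyo in the example above) when policy management has been delegated.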