Chapter 8: Interface permissions

8.1. Register applications

In order for a application or domain to modify policy in the /proc/ccs/ interface, it must be listed in /proc/ccs/manager. To register an application, you can for example run the following command:

# echo "/usr/sbin/ccs-editpolicy" | /usr/sbin/ccs-loadpolicy -m

8.2. Managing as non-root user

By default, only processes with UID=0 and EUID=0 (a.k.a. root user) are allowed to modify policy. In order to allow $USER user to modify policy, run this command:

# echo "manage_by_non_root" | /usr/sbin/ccs-loadpolicy -m
# chown -R $USER /proc/ccs/

This can be reversed by running this command:

# echo "delete manage_by_non_root" | /usr/sbin/ccs-loadpolicy -m
# chown -R root /proc/ccs/

If you want to have a separate user that is able to modify policy, the file "/etc/ccs/ccs-post-init" can be used. If this file exists, it is executed by /sbin/ccs-init at boot. To allow 'tomoyo' user to modify policy, create "/etc/ccs/ccs-post-init" with the following contents:

#! /bin/sh
echo manage_by_non_root > /proc/ccs/manager
chown -R tomoyo /proc/ccs/

Then, make this file executable and make policy directory readable/writable by 'tomoyo' user:

# chmod 755 /etc/ccs/ccs-post-init
# chown -R tomoyo /etc/ccs/

The exception to all of the above is for domains in "Learning Mode". Any of these domains can append access permissions to the domain the process belongs to until max_learning_entry has been reached.