akarititle.png

The userspace tools

ccs-auditd

This tool is a logging daemon that can be used to write log files of access requests that have been rejected (and/or granted). It reads from the /proc/ccs/audit interface and can be controlled using a configuration file.

See the man page for more information.

ccs-checkpolicy

This tool can read policy from standard input and check if the syntax is correct.

See the man page for more information.

ccs-diffpolicy

This tool can print a diff of two domain policy files to standard output that can be used to easily change currently loaded domain policy.

See the man page for more information.

ccs-domainmatch

This tool can be used to search domain policy currently loaded in kernel memory for a given pathname. This is similar to using fgrep.

See the man page for more information.

ccs-editpolicy

This tool can be used to edit either policy within "/etc/ccs/" or policy currently loaded in kernel memory.

See the man page for more information.

ccs-editpolicy-agent

This tool is an agent that can be used to edit policy remotely. It is designed for systems in which running ccs-editpolicy is difficult due to resource limitations.

See the man page for more information.

ccs-findtemp

This tool can be used to read domain policy from standard input and prints the non-existent pathnames to standard output. These are likely to be temporary files.

See the man page for more information.

ccs-loadpolicy

This tool can be used to read policy from standard input and load into kernel memory via the /proc/ccs/ interface.

See the man page for more information.

ccs-notifyd

This tool is a notification daemon that can be used to notify administrators of policy violations in enforcing mode. It can be controlled via a configuration file and supports the running of any arbitrary command, such as mail.

See the man page for more information.

ccs-patternize

This tool can be used to manage pathnames/numbers/addresses within domain policy. It can replace pathnames with expressions as defined in a configuration file.

See the man page for more information.

ccs-pstree

This tool can be used to list (like pstree) currently running processes, their PID, the domain name that they belong to, and the profile number of that domain.

See the man page for more information.

ccs-queryd

This tool can be used to manage access requests that violated policy in enforcing mode in real-time, choosing whether to accept or reject any requests that applications make.

See the man page for more information.

ccs-savepolicy

This tool can be used to save the policy currently loaded in kernel memory to "/etc/ccs/".

See the man page for more information.

ccs-selectpolicy

This tool can be used to read domain policy and print the policy of the specified domain(s).

See the man page for more information.

ccs-setlevel

This tool can be used to modify the configuration of profiles.

See the man page for more information.

ccs-setprofile

This tool can be used to set the profile number for the specified domain(s).

See the man page for more information.

ccs-sortpolicy

This tool can be used to sort domain policy by domain name and remove duplicate entries. It is designed for sorting and compressing audit logs saved by ccs-auditd.

See the man page for more information.

init_policy

This tool can be used to initialize policy in preparation for system analysis or restriction.

See the man page for more information.