Bug 30932 (tomoyo-conflict) - TOMOYO conflicts with other security modules (even when disabled)
Summary: TOMOYO conflicts with other security modules (even when disabled)
Status: RESOLVED INVALID
Alias: tomoyo-conflict
Product: Other
Classification: Unclassified
Component: Loadable Security Modules (LSM)
Hardware: All Linux
: P1 low
Assignee: Other/LSM
URL: https://bugs.archlinux.org/task/23242
Reported: 2011-03-11 16:14 UTC by Tomas Mudrunka
Modified: 2011-03-12 03:09 UTC
Kernel Version: 2.6.37
Regression: No


Description Tomas Mudrunka 2011-03-11 16:14:06 UTC
See https://bugs.archlinux.org/task/23242 for more info:

Description: I can't use securityfs with other (e.g. AppArmor) LSMs. TOMOYO seems to be breaking everything and can't even be disabled. Also, it does not provide an option to disable/enable it by default bootparam in kernel config.

On 2.6.36 I can see only the tomoyo directory in /sys/kernel/security/
and on 2.6.37 I can't see anything at all.

I've tried to disable it using ccsecurity=off (according to old-version docs: http://tomoyo.sourceforge.jp/1.8/phase-1.html.en)
I've tried to disable it using tomoyo=0 (according to how SELinux and AppArmor are disabled by selinux=0 and apparmor=0)
I've tried to override it using security=apparmor
None of those approaches made AppArmor usable.


Additional info:
* package version(s)
* config and/or log files etc.

[root@insomnia harvie]# uname -a
Linux insomnia 2.6.37-ARCH #1 SMP PREEMPT Tue Mar 8 08:08:06 UTC 2011 i686 Mobile AMD Sempron(tm) Processor 3000+ AuthenticAMD GNU/Linux
[root@insomnia harvie]# aa-status 
apparmor module is loaded.
apparmor filesystem is not mounted.
[root@insomnia harvie]# mount | grep -i security
none on /sys/kernel/security type securityfs (rw)
[root@insomnia harvie]# ls -a /sys/kernel/security
. ..
[root@insomnia harvie]# cat /proc/cmdline 
BOOT_IMAGE=/vmlinuz26 root=/dev/disk/by-uuid/348c69e0-de31-4589-bf0a-276815c5e17a ro resume=/dev/sda3 ccsecurity=off security=apparmor video=sisfb:mode:1280x800x32,rate:76
[root@insomnia harvie]# zcat /proc/config.gz | grep -i 'TOMOYO|APPARMOR'
[root@insomnia harvie]# zcat /proc/config.gz | grep -Ei 'TOMOYO|APPARMOR'
CONFIG_SECURITY_TOMOYO=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0
# CONFIG_DEFAULT_SECURITY_TOMOYO is not set
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set

------------------------------

log from 2.6.36:

[16:35:29] 0 ;) root@molly:~# uname -a
Linux molly 2.6.36-ARCH #1 SMP PREEMPT Fri Dec 10 20:32:37 CET 2010 x86_64 Intel(R) Xeon(R) CPU X3430 @ 2.40GHz GenuineIntel GNU/Linux
[16:35:33] 0 ;) root@molly:~# aa-status 
apparmor module is loaded.
apparmor filesystem is not mounted.
[16:35:44] 3 ;( root@molly:~# mount | grep -i security
none on /sys/kernel/security type securityfs (rw)
[16:35:51] 0 ;) root@molly:~# ls -a /sys/kernel/security
tomoyo/ ./ ../
[16:35:59] 0 ;) root@molly:~# cat /proc/cmdline
root=/dev/mapper/vgrupa-root ro cryptdevice=/dev/md1:cryptsys md=0,/dev/sda1,/dev/sdb1 md=1,/dev/sda2,/dev/sdb2 console=ttyS1,115200
[16:36:07] 0 ;) root@molly:~# zcat /proc/config.gz | grep -Ei 'TOMOYO|APPARMOR'
CONFIG_SECURITY_TOMOYO=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0
# CONFIG_DEFAULT_SECURITY_TOMOYO is not set
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set

Comment 1 Tomas Mudrunka 2011-03-12 03:09:23 UTC
Sorry, I was just a bit confused about AppArmor, forget about it.
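
An added example, not part of the original report or of any project's code: a shell check that evaluates the two inputs visible in the logs above, the `security=` boot parameter and `CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE`. It assumes a kernel of this era (one major LSM at a time), where AppArmor must both be the selected module and have its `apparmor` parameter at 1. The function names and verdict strings are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumes a pre-stacking kernel
# (one major LSM at a time), as in the 2.6.36/2.6.37 logs above.

# Last NAME=value token on a kernel command line (empty if absent).
cmdline_value() (
    set -f                      # no globbing while word-splitting $2
    val=""
    for tok in $2; do
        case "$tok" in "$1"=*) val=${tok#*=} ;; esac
    done
    printf '%s\n' "$val"
)

# Value of KEY=... in kernel config text, surrounding quotes stripped.
config_value() {
    printf '%s\n' "$2" | while IFS= read -r line; do
        case "$line" in
            "$1"=*) v=${line#*=}; v=${v#\"}; v=${v%\"}; printf '%s\n' "$v" ;;
        esac
    done | tail -n 1
}

# Prints: not-built | not-selected | selected-but-disabled | active
apparmor_verdict() {
    cfg=$1 cmd=$2
    [ "$(config_value CONFIG_SECURITY_APPARMOR "$cfg")" = y ] || { echo not-built; return; }
    # security= on the command line wins over CONFIG_DEFAULT_SECURITY
    lsm=$(cmdline_value security "$cmd")
    [ -n "$lsm" ] || lsm=$(config_value CONFIG_DEFAULT_SECURITY "$cfg")
    [ "$lsm" = apparmor ] || { echo not-selected; return; }
    # apparmor= wins over CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE
    on=$(cmdline_value apparmor "$cmd")
    [ -n "$on" ] || on=$(config_value CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE "$cfg")
    [ "$on" = 1 ] || { echo selected-but-disabled; return; }
    echo active
}

# Config lines and the relevant command-line tokens as shown in the 2.6.37 log.
REPORT_CONFIG='CONFIG_SECURITY_TOMOYO=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0
# CONFIG_DEFAULT_SECURITY_TOMOYO is not set
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set'
REPORT_CMDLINE='ro resume=/dev/sda3 ccsecurity=off security=apparmor'

apparmor_verdict "$REPORT_CONFIG" "$REPORT_CMDLINE"
# Constructed variant: the same boot line with apparmor=1 appended.
apparmor_verdict "$REPORT_CONFIG" "$REPORT_CMDLINE apparmor=1"
```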