Linux.com

Why not use TOMOYO Linux?

Posted by: Anonymous [ip: 122.29.101.179] on February 14, 2008 11:20 AM
TOMOYO Linux is designed to be able to restrict the behavior of users in a login session, especially system administrative tasks after SSH login.
It can restrict the programs that the user can execute and the files that the user can read/write on a per-pathname basis (whereas SELinux restricts them on a per-label basis).

No need to worry about "sudo less", for TOMOYO Linux can permit execution of "/usr/bin/less", but can forbid execution of "/bin/sh" from "/usr/bin/less".
No need to worry about command injection bugs, for TOMOYO Linux can perform access control with "what programs can the user execute from that process" and "what files can the process open" (e.g. TOMOYO Linux can permit /usr/bin/md5sum but forbid /bin/cat, whereas SELinux can't do so by default because /bin/cat and /usr/bin/md5sum have the same label).

TOMOYO Linux is friendly with /usr/bin/sudo since TOMOYO Linux is pathname based, like /usr/bin/sudo.

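An added example, not part of the comment above and not TOMOYO Linux's own code or policy syntax: a toy model of the per-domain, pathname-based checks the comment describes, next to a label-based check. The domain chains, file paths, label name and function names are all constructed for illustration.

```python
# Added illustration: a toy model, not TOMOYO Linux's real policy syntax or code.
# A domain is the chain of programs executed so far; all paths are constructed samples.
LOGIN = ("/usr/sbin/sshd", "/bin/bash")

POLICY = {
    LOGIN: {"exec": {"/usr/bin/sudo", "/usr/bin/md5sum"}, "read": {"/etc/motd"}},
    LOGIN + ("/usr/bin/sudo",): {"exec": {"/usr/bin/less"}, "read": set()},
    # less started via sudo may read one log file and execute nothing (no shell escape)
    LOGIN + ("/usr/bin/sudo", "/usr/bin/less"): {"exec": set(),
                                                 "read": {"/var/log/messages"}},
    LOGIN + ("/usr/bin/md5sum",): {"exec": set(), "read": {"/etc/motd"}},
}

def allowed(domain, action, path):
    """True if the domain's rule set lists this exact pathname for the action."""
    return path in POLICY.get(domain, {}).get(action, set())

def exec_chain(domain, programs):
    """Follow successive execs; return (final_domain, first_denied_program_or_None)."""
    for prog in programs:
        if not allowed(domain, "exec", prog):
            return domain, prog      # denied: the process stays in its current domain
        domain = domain + (prog,)    # each permitted exec enters a child domain
    return domain, None

# Label-based contrast (constructed label table): both tools carry the same label,
# so a rule written against the label cannot tell them apart.
LABELS = {"/bin/cat": "bin_t", "/usr/bin/md5sum": "bin_t"}

def label_allowed(permitted_labels, path):
    """True if the file's label is in the permitted set; the pathname plays no part."""
    return LABELS.get(path) in permitted_labels

if __name__ == "__main__":
    # "sudo less" is permitted, a shell spawned from less is not
    print(exec_chain(LOGIN, ["/usr/bin/sudo", "/usr/bin/less", "/bin/sh"]))
    # md5sum is permitted from the login shell, cat is not
    print(exec_chain(LOGIN, ["/usr/bin/md5sum"]))
    print(exec_chain(LOGIN, ["/bin/cat"]))
    # a label rule that permits md5sum also permits cat
    print(label_allowed({"bin_t"}, "/usr/bin/md5sum"), label_allowed({"bin_t"}, "/bin/cat"))
```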

Return to sudo, or not sudo: that is the question