ccs-queryd

Langue: en

Version: May 2009 (debian - 07/07/09)

Section: 8 (Commandes administrateur)

NAME

ccs-queryd - Handle TOMOYO Linux's delayed enforcing mode

SYNOPSIS

ccs-queryd [--no-update|--ask-update]

DESCRIPTION

This program detects policy violation in enforcing mode and displays the access request. You can tell the system whether the access request should be granted (or granted and policy should be appended to grant the access request) or rejected after you validate the access request.

By running this program while updating packages, you can avoid errors due to insufficient permissions.

Never grant access requests unconditionally. The cause of policy violation is not always updating packages, but may by malicious requests by attackers. If you grant access requests caused by malicious requests by attackers, the system gets intruded.

If you don't give --no-update option, this program also detects pathname changes of globally readable files. If you give --ask-update option, this program asks you whether or not to append created pathnames which are registered in /etc/ld.so.cache to globally readable files, and asks you whether or not to remove deleted pathnames from globally readable files. If you omit options, this program automatically appends created pathnames which are registered in /etc/ld.so.cache to globally readable files, and automatically removes deleted pathnames from globally readable files.

By running this program without --no-update option, you can avoid errors like "unable to start applications because shared libraries are unreadable" when the pathnames of shared libraries accessed by general programs has changed.

EXAMPLES

# ccs-queryd

Usage is available at http://tomoyo.sourceforge.jp/en/1.6.x/update.html

NOTES


 You need to register either path to this program ( /usr/lib/ccs/ccs-queryd ) or a domain for this program in /proc/ccs/manager before invoking this program.

AUTHORS


 penguin-kernel _at_ I-love.SAKURA.ne.jp

Copyright © 2005-2009 NTT DATA CORPORATION.

This program is free software; you may redistribute it under the terms of the GNU General Public License. This program has absolutely no warranty.