[PATCH] security/tomoyo: Prevent message flooding if no Tomoyo loader is present

Yafang Shao laoar.shao at gmail.com
Thu Jul 25 12:07:38 UTC 2024


On Thu, Jul 25, 2024 at 2:34 PM Tetsuo Handa
<penguin-kernel at i-love.sakura.ne.jp> wrote:
>
> Hello.
>
> On 2024/07/25 14:42, Yafang Shao wrote:
> > After upgrading our OS to Rocky Linux 9, we've noticed an abundance of
> > Tomoyo-related messages in the dmesg output, specifically indicating that
> > Mandatory Access Control is not being activated due to the absence of
> > /sbin/tomoyo-init. These messages repeatedly appear as systemd periodically
> > checks for Tomoyo, but since the loader does not exist, it triggers the
> > messages, as follows,
>
> TOMOYO requires zero modification of userspace programs (including systemd).
> That is, systemd is not checking for TOMOYO periodically. It is some other
> program that is executing /usr/lib/systemd/systemd (maybe as a container's
> init program), and TOMOYO is checking for /sbin/tomoyo-init when
> /usr/lib/systemd/systemd is executed.
>
> > While disabling Tomoyo is a straightforward solution to prevent the message
> > flooding, it's suboptimal as we're unsure if any system components rely on
> > its functionality.
>
> No userspace programs rely on TOMOYO's functionality (except TOMOYO's management
> tools including /sbin/tomoyo-init). It is safe to disable TOMOYO.

Thanks for your explanation. I will disable it.

-- 
Regards
Yafang