

Comment: TOMOYO Linux (Score 1) 77

by toshiharu (#18382073) Attached to: SELinux by Example


If you think SELinux is too much/heavy for you, you might be interested in TOMOYO Linux. I'm quite sure that most of you have never heard of "TOMOYO Linux", so I'll explain briefly. "TOMOYO Linux is a project started and actively maintained by the Japanese SI company, NTT DATA CORPORATION to provide a Mandatory Access Controls mechanism in Linux."

In short, TOMOYO Linux is quite similar to AppArmor and has been available under the GPL license since Nov. 2005.

TOMOYO Linux Project

The project has plenty of documentation, but most of it is written in Japanese. I have some links.

If you happen to have a chance to attend CELF Embedded Linux Conference 2007 (April 17th-19th, San Jose), you'll be able to see the presentation and tutorial.


Linux has been adopted more and more by embedded devices. But its poor access control model raises critical security problems. Unlike PCs, it is difficult to apply security patches to embedded devices. Thus, embedded devices should be designed with due consideration for imperative access control. Linux kernel 2.6 has been equipped with LSM (Linux Security Modules, OS level security framework) to provide MAC (Mandatory Access Control, imperative access control) ability. NSA's SELinux (Security-Enhanced Linux, LSM applicant security server) provides very fine-grained access control, but its requirements for embedded devices seem to be too excessive. LIDS (Linux Intrusion Detection System), on the other hand, is relatively compact and better suits embedded systems. However its access control granularity is rather sparse. There are many limitations which are specific to embedded devices. For example, slow CPU speed, storage capacity for OS and programs, filesystem that doesn't support xattr (extended attributes), hard-links and symbolic links used for busybox (multi-call binary to save space), files dynamically created on volatile filesystem. TOMOYO Linux is yet another way to provide a lightweight and manageable MAC ability. It is available under GPL and applicable to and suitable for both PCs and embedded devices. In this session, we will present an overview of TOMOYO Linux and explain why TOMOYO Linux is suitable for embedded devices. We will also show some demonstrations.
