[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20130213153013.GB6750@redhat.com>
Date: Wed, 13 Feb 2013 10:30:14 -0500
From: Vivek Goyal <vgoyal@...hat.com>
To: "Kasatkin, Dmitry" <dmitry.kasatkin@...el.com>
Cc: Mimi Zohar <zohar@...ux.vnet.ibm.com>,
linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional
On Wed, Feb 13, 2013 at 05:26:27PM +0200, Kasatkin, Dmitry wrote:
> On Wed, Feb 13, 2013 at 4:38 PM, Vivek Goyal <vgoyal@...hat.com> wrote:
> > On Wed, Feb 13, 2013 at 03:36:45PM +0200, Kasatkin, Dmitry wrote:
> >> It should not be the only line in the policy.
> >> Can you share full policy?
> >
> > I verified by putting some printk. There is only single rule in
> > ima_policy_rules list after I have updated the rules through "policy"
> > file.
> >
> > echo "appraise fowner=0 func=BPRM_CHECK appraise_type=imasig_optional" >
> > /sys/kernel/security/policy
>
> There is a default policy which has several rules.
>
> And when you do your "echo" you will replace all rules with that single rule.
> But ok, you have one rule only and it is fine to have even a single rule...
Yep, I got that. Default policy gets overruled when a new policy is
loaded.
In secureboot mode, somehow above rule needs to take effect by default.
One option would be that kernel can enforce above rule.
(I guess by adding it to both default_list as well as policy list).
Thanks
Vivek
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists