Re: [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies


 



On 02/15/2012 05:55 PM, Gustavo Sverzut Barbieri wrote:
On Wed, Feb 15, 2012 at 2:26 PM, Roberto Sassu<roberto.sassu@xxxxxxxxx>  wrote:

On 02/15/2012 03:30 PM, Gustavo Sverzut Barbieri wrote:

On Wed, Feb 15, 2012 at 11:23 AM, Roberto Sassu<roberto.sassu@xxxxxxxxx>    wrote:

The new function ima_setup() loads an IMA custom policy from a file in the
default location '/etc/sysconfig/ima-policy', if present, and writes it to


isn't /etc/sysconfig too specific to Fedora?


Hi Gustavo

Probably yes. I see the code in 'src/locale-setup.c' where the
configuration directory depends on the target distribution.
I can implement something like that in my patch.

Can't IMA be changed? Lennart seems to be pushing for distribution
independent location files. If you can get IMA people to agree on
something, just use this one instead.

People that use IMA with systemd must use this location. Eventually
this will happen with every configuration file we support.


The location of the policy file is not IMA dependent. I chose that
because it seemed to me the right place to put this file.
So, I can easily modify the location to be distribution independent
but I don't know which directory would be appropriate.
Any proposal?

Regards

Roberto Sassu



Also, I certainly have no such things in my system and see no point in
calling ima_setup() on it. Or even compiling the source file in such
case.


Ok. I can enclose the code in ima-setup.c within an 'ifdef HAVE_IMA'
statement, as it happens for SELinux. However, an issue is that there is
no specific package for IMA that can be checked to set the HAVE_IMA
definition to yes. Instead, the code can be enabled for example by
adding the parameter '--enable_ima' in the configure script.

okay.

--
Gustavo Sverzut Barbieri
http://profusion.mobi embedded systems
--------------------------------------
MSN: barbieri@xxxxxxxxx
Skype: gsbarbieri
Mobile: +55 (19) 9225-2202
