On Thu, 16.02.12 19:50, Gustavo Sverzut Barbieri (barbieri@xxxxxxxxxxxxxx) wrote:
> >> Then I wonder: why not make an ima-init binary that:
> >> - does ima_setup()
> >> - exec systemd || upstart || ...
> >>
> >> this way you only have to audit this very small file and not systemd
> >> itself, it's very early and so on.
> >>
> >
> > This does not work because SELinux is initialized inside Systemd and IMA
> > requires it for parsing LSM rules in the policy.
>
> initramfs may do it as well, no? then systemd will inherit it.

We moved SELinux loading out of the initrd into systemd, in order to
support fully featured initrd-less boots. I don't think we should reopen
this problem set by having IMA in the initrd. I believe IMA should be
treated pretty much exactly like SELinux here: the policy should be
loaded from PID1 and it needs to be a compile time option, and it needs
a kernel cmdline option to disable it (i.e. like selinux=0).

Lennart
--
Lennart Poettering - Red Hat, Inc.
--
To unsubscribe from this list: send the line "unsubscribe initramfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
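The loading sequence Lennart sketches above (PID1 reads a policy file from the root filesystem, honours a kernel command line switch to skip it, and feeds the rules to the kernel through securityfs) is illustrated by the following added example. It is not systemd's ima-setup code and not part of the thread; it is a stand-alone POSIX sh sketch. The only real kernel interface it relies on is the IMA policy file /sys/kernel/security/ima/policy, which accepts one policy rule per write(2) call and, on kernels without CONFIG_IMA_WRITE_POLICY, only once per boot. The disable switch name `ima=0` is an assumption modelled on `selinux=0` (the thread asks for such a switch but names none), and the policy path /etc/ima/ima-policy and the sample rules are constructed for the example.

```shell
#!/bin/sh
# Added example, not systemd's code. Demonstrates the PID1-style IMA setup
# described in the thread: check the kernel command line, then push each policy
# rule to securityfs as its own write.

# Return 0 if the (hypothetical, assumed) token "ima=0" is present on the kernel
# command line, mirroring how selinux=0 disables SELinux loading.
# $1 = path to a cmdline file (defaults to /proc/cmdline).
ima_disabled_on_cmdline() {
    cmdline=${1:-/proc/cmdline}
    [ -r "$cmdline" ] || return 1
    # Tokenise on whitespace and compare whole tokens, so "foo_ima=0" or
    # "ima=01" never count as the switch.
    for tok in $(cat "$cmdline"); do
        [ "$tok" = "ima=0" ] && return 0
    done
    return 1
}

# Write every rule in $1 to the IMA policy file $2, one write per rule, skipping
# blank lines and '#' comments (the kernel rejects those). Prints the number of
# rules written; returns non-zero if a write is refused (e.g. malformed rule, or
# a second load on a kernel that allows only one).
ima_load_policy() {
    policy=$1
    target=$2
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
        esac
        # '>>' opens, writes exactly this rule, and closes; one rule per write(2).
        printf '%s\n' "$line" >> "$target" || {
            echo "IMA: kernel rejected rule: $line" >&2
            return 1
        }
        n=$((n + 1))
    done < "$policy"
    echo "$n"
}

# Orchestrate the early-boot step. All three paths default to the real ones so
# the function can be called bare from an init process; the tests below pass
# temp files instead.
ima_setup() {
    cmdline=${1:-/proc/cmdline}
    policy=${2:-/etc/ima/ima-policy}    # assumed location of the policy
    target=${3:-/sys/kernel/security/ima/policy}
    if ima_disabled_on_cmdline "$cmdline"; then
        echo "IMA: disabled on kernel command line, not loading policy" >&2
        return 0
    fi
    if [ ! -r "$policy" ]; then
        echo "IMA: no policy at $policy, nothing to load" >&2
        return 0
    fi
    # No securityfs entry means IMA is not built in or securityfs is not mounted
    # yet; like a missing policy, this is not an error for the boot.
    if [ ! -e "$target" ]; then
        echo "IMA: $target not present, kernel has no IMA or securityfs is unmounted" >&2
        return 0
    fi
    ima_load_policy "$policy" "$target"
}
```

Two points the sketch makes concrete: the policy is consumed rule by rule, so a loader that cats the whole file in one write would be rejected, and the command line check has to tokenise rather than substring-match, or an unrelated `ima=0`-containing parameter would silently turn the measurement policy off.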