Re: [systemd-devel] [Linux-ima-user] [PATCH 2/2] main: added support for loading IMA custom policies


On 02/20/2012 08:18 PM, Lennart Poettering wrote:
> On Mon, 20.02.12 20:06, Roberto Sassu (roberto.sassu@xxxxxxxxx) wrote:
>
> We moved SELinux loading out of the initrd into systemd, in order to
> support fully featured initrd-less boots. I don't think we should reopen
> this problem set by having IMA in the initrd. I believe IMA should be
> treated pretty much exactly like SELinux here: the policy should be
> loaded from PID1 and it needs to be a compile time option, and it needs
> a kernel cmdline option to disable it (i.e. like selinux=0).

>> If the SELinux module in dracut is to be considered definitively broken,
>> probably also the IMA module should be removed, because it will not be
>> possible to load policies with LSM rules. But I don't know how this
>> feature can be supported by distributions without Systemd installed.

> Well, if the rumours I keep hearing are true Ubuntu might join the
> systemd camp too after their LTS release. Maybe the supporting
> non-systemd systems issues solves itself by that for you?

The code for loading IMA custom policies was placed in the initial
ramdisk with the purpose of avoiding distribution-specific dependencies.
However, since the SELinux initialization has been moved to Systemd
and Systemd itself will be used by the major distributions, I think
placing the IMA code there is the best solution, even if it is not the
most general.

>> Regarding the kernel option, actually there is currently no specific
>> parameter to disable IMA. However, one could be introduced in the patches
>> proposed by Mimi Zohar for the 'ima-appraisal' feature. This would allow
>> disabling IMA or putting it in permissive/enforcing mode, as happens for
>> example in SELinux.

> Whether there is a kernel option to enable/disable IMA will not stop
> these patches from getting into systemd. But I am quite sure they will
> stop IMA from getting any wider coverage in the mainstream distributions
> (if you care for that).

Actually, IMA doesn't take any action if no policy is provided, nor
does it consume additional system resources. Further, in the current
implementation, even if IMA measures files it does not return any error
to the system call being executed.

> Oh, and one more thing: it matters to me that this doesn't break my
> build. So it needs to allow me booting when enabled in configure, but
> without any IMA policy around.

Ok, this should not be a problem, because all errors (IMA support not
included in the kernel, policy file access denied, ...) are ignored
except for the mmap() failure.


Roberto Sassu
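To make the error-handling rule Roberto describes concrete (missing policy and missing IMA support are ignored so the boot continues, an mmap() failure is the one hard error), here is a small policy loader in C of the kind PID 1 could run. It is an added example written for this page, not the systemd patch under discussion (which is not shown here) and not kernel code. The default paths IMA_SECFS_POLICY and IMA_POLICY_FILE, the function names, the result codes, and the assumption that the securityfs policy interface is fed one newline-terminated rule per write() are mine; the two-rule policy inside ima_loader_demo() is constructed for the demo and is written to a temporary file standing in for securityfs, so the example runs unprivileged and offline.

```c
/* Added example: permissive IMA policy loader for a PID 1 style early boot step.
 * Not the systemd patch discussed above, not kernel code. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed locations: the securityfs file is the kernel's policy interface,
 * the other is where a distribution would ship its policy. The loader takes
 * both as parameters so it can be exercised on ordinary files. */
#define IMA_SECFS_POLICY "/sys/kernel/security/ima/policy"
#define IMA_POLICY_FILE  "/etc/ima/ima-policy"

enum ima_result {
        IMA_LOADED  = 0,   /* policy written */
        IMA_SKIPPED = 1,   /* no policy, no IMA in the kernel, rejected rule: keep booting */
        IMA_FATAL   = -1   /* mmap() failed: the one case reported as an error */
};

/* Feed one rule; assumes the interface consumes one newline-terminated rule per write(). */
static int write_rule(int fd, const char *rule, size_t len)
{
        while (len > 0) {
                ssize_t n = write(fd, rule, len);
                if (n < 0 && errno == EINTR)
                        continue;
                if (n < 0)
                        return -1;
                if ((size_t) n >= len)
                        break;                         /* whole rule consumed */
                rule += n, len -= (size_t) n;
        }
        return 0;
}

enum ima_result ima_load_policy(const char *policy_path, const char *secfs_path)
{
        struct stat st;
        int pfd = open(policy_path, O_RDONLY | O_CLOEXEC);
        if (pfd < 0)
                return IMA_SKIPPED;                    /* nothing shipped: not an error */
        if (fstat(pfd, &st) < 0 || st.st_size <= 0) {
                close(pfd);
                return IMA_SKIPPED;
        }
        int sfd = open(secfs_path, O_WRONLY | O_CLOEXEC);
        if (sfd < 0) {                                 /* no IMA in this kernel */
                close(pfd);
                return IMA_SKIPPED;
        }
        char *map = mmap(NULL, (size_t) st.st_size, PROT_READ, MAP_PRIVATE, pfd, 0);
        close(pfd);
        if (map == MAP_FAILED) {
                close(sfd);
                return IMA_FATAL;
        }
        enum ima_result r = IMA_LOADED;
        const char *p = map, *end = map + st.st_size;
        while (p < end) {                              /* one rule per write() */
                const char *nl = memchr(p, '\n', (size_t) (end - p));
                size_t len = nl ? (size_t) (nl - p) + 1 : (size_t) (end - p);
                if (write_rule(sfd, p, len) < 0) {     /* rule rejected: log and go on booting */
                        r = IMA_SKIPPED;
                        break;
                }
                p += len;
        }
        munmap(map, (size_t) st.st_size);
        close(sfd);
        return r;
}

/* Demo on ordinary files: a constructed two-rule policy (not a shipped one) is
 * loaded into a temp file standing in for securityfs. Returns 1 if all three
 * cases behave as the thread describes. */
int ima_loader_demo(void)
{
        static const char policy[] =
                "# constructed sample policy\n"
                "measure func=BPRM_CHECK mask=MAY_EXEC\n"
                "measure func=FILE_MMAP mask=MAY_EXEC\n";
        char dir[] = "/tmp/ima-demo-XXXXXX", pol[64], sink[64], missing[64], buf[256] = {0};
        if (!mkdtemp(dir))
                return 0;
        snprintf(pol, sizeof pol, "%s/ima-policy", dir);
        snprintf(sink, sizeof sink, "%s/secfs-policy", dir);
        snprintf(missing, sizeof missing, "%s/absent", dir);
        int fd = open(pol, O_WRONLY | O_CREAT | O_TRUNC, 0600);
        if (fd < 0 || write(fd, policy, sizeof policy - 1) != (ssize_t) (sizeof policy - 1))
                return 0;
        close(fd);
        if ((fd = open(sink, O_WRONLY | O_CREAT | O_TRUNC, 0600)) < 0)
                return 0;
        close(fd);
        int ok = ima_load_policy(pol, sink) == IMA_LOADED;        /* 1: policy and IMA present */
        if ((fd = open(sink, O_RDONLY)) < 0)
                return 0;
        ssize_t n = read(fd, buf, sizeof buf - 1);
        close(fd);
        ok &= n == (ssize_t) (sizeof policy - 1) && memcmp(buf, policy, (size_t) n) == 0;
        ok &= ima_load_policy(missing, sink) == IMA_SKIPPED;      /* 2: no policy shipped */
        ok &= ima_load_policy(pol, missing) == IMA_SKIPPED;       /* 3: kernel without IMA */
        unlink(pol); unlink(sink); rmdir(dir);
        return ok;
}

int main(void)
{
        return ima_loader_demo() ? 0 : 1;   /* a real PID 1 would call ima_load_policy(IMA_POLICY_FILE, IMA_SECFS_POLICY) */
}
```

The point of the three result codes is the one Lennart raises: a build with IMA support enabled must still boot on a kernel without IMA and on a system that ships no policy, so both of those paths return IMA_SKIPPED and the caller just logs and continues; only the mmap() failure, which means the loader itself is broken rather than the environment, is surfaced as IMA_FATAL. Rules are written one per write() because a rejected rule should not take the rest of the policy down with it.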

