[systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies

Gustavo Sverzut Barbieri barbieri at profusion.mobi
Wed Feb 15 08:55:40 PST 2012

On Wed, Feb 15, 2012 at 2:26 PM, Roberto Sassu <roberto.sassu at polito.it> wrote:
> On 02/15/2012 03:30 PM, Gustavo Sverzut Barbieri wrote:
>> On Wed, Feb 15, 2012 at 11:23 AM, Roberto Sassu <roberto.sassu at polito.it> wrote:
>>> The new function ima_setup() loads an IMA custom policy from a file in the
>>> default location '/etc/sysconfig/ima-policy', if present, and writes it to
>> isn't /etc/sysconfig too specific to Fedora?
> Hi Gustavo
> probably yes. I see the code in 'src/locale-setup.c' where the
> configuration directory depends on the target distribution.
> I can implement something like that in my patch.

Can't IMA be changed? Lennart seems to be pushing for distribution
independent location files. If you can get IMA people to agree on
something, just use this one instead.

People that use IMA with systemd must use this location. Eventually
this will happen with every configuration file we support.

>> Also, I certainly have no such things in my system and see no point in
>> calling ima_setup() on it. Or even compiling the source file in such
>> case.
> Ok. I can enclose the code in ima-setup.c within an 'ifdef HAVE_IMA'
> statement, as it happens for SELinux. However an issue is that there is
> no specific package for IMA that can be checked to set the HAVE_IMA
> definition to yes. Instead, the code can be enabled for example by
> adding the parameter '--enable_ima' in the configure script.


Gustavo Sverzut Barbieri
http://profusion.mobi embedded systems
MSN: barbieri at gmail.com
Skype: gsbarbieri
Mobile: +55 (19) 9225-2202
