[systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies

Roberto Sassu roberto.sassu at polito.it
Wed Feb 15 09:12:03 PST 2012


On 02/15/2012 05:55 PM, Gustavo Sverzut Barbieri wrote:
> On Wed, Feb 15, 2012 at 2:26 PM, Roberto Sassu <roberto.sassu at polito.it> wrote:
>>
>> On 02/15/2012 03:30 PM, Gustavo Sverzut Barbieri wrote:
>>>
>>> On Wed, Feb 15, 2012 at 11:23 AM, Roberto Sassu <roberto.sassu at polito.it> wrote:
>>>>
>>>> The new function ima_setup() loads an IMA custom policy from a file in the
>>>> default location '/etc/sysconfig/ima-policy', if present, and writes it to
>>>
>>>
>>> isn't /etc/sysconfig too specific to Fedora?
>>>
>>
>> Hi Gustavo
>>
>> probably yes. I see the code in 'src/locale-setup.c' where the
>> configuration directory depends on the target distribution.
>> I can implement something like that in my patch.
>
> Can't IMA be changed? Lennart seems to be pushing for distribution
> independent location files. If you can get IMA people to agree on
> something, just use this one instead.
>
> People that use IMA with systemd must use this location. Eventually
> this will happen with every configuration file we support.
>

The location of the policy file is not IMA dependent. I chose that
because it seemed to me the right place where to put this file.
So, I can easily modify the location to be distribution independent,
but I don't know which directory would be appropriate.
Any proposal?

Regards

Roberto Sassu


>
>>> Also, I certainly have no such things in my system and see no point in
>>> calling ima_setup() on it. Or even compiling the source file in such
>>> case.
>>>
>>
>> Ok. I can enclose the code in ima-setup.c within an 'ifdef HAVE_IMA'
>> statement, as it happens for SELinux. However, an issue is that there is
>> no specific package for IMA that can be checked to set the HAVE_IMA
>> definition to yes. Instead, the code can be enabled for example by
>> adding the parameter '--enable_ima' in the configure script.
>
> okay.
>
> --
> Gustavo Sverzut Barbieri
> http://profusion.mobi embedded systems
> --------------------------------------
> MSN: barbieri at gmail.com
> Skype: gsbarbieri
> Mobile: +55 (19) 9225-2202
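For readers following the thread, here is an added example (not the patch under review and not systemd's own code) of the ima_setup() shape being discussed: read a custom policy from the default location if it is present, push it to the kernel one rule per write(2), and compile the whole thing out when HAVE_IMA is not defined. The securityfs path /sys/kernel/security/ima/policy is the kernel's IMA policy interface as assumed here; the copy function takes both paths as parameters so it can be exercised against ordinary files.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define IMA_POLICY_PATH  "/etc/sysconfig/ima-policy"        /* location discussed in the thread */
#define IMA_SECFS_POLICY "/sys/kernel/security/ima/policy"  /* assumption: IMA securityfs policy interface */

/* Copy the rules in src to dst, one rule (line) per write(2).
 * Returns the number of rules written, 0 if src does not exist
 * (no custom policy configured, which is not an error), or -errno. */
int ima_load_policy(const char *src, const char *dst) {
    char line[4096];
    int out, rules = 0, r = 0;
    FILE *in = fopen(src, "r");

    if (!in)
        return errno == ENOENT ? 0 : -errno;
    out = open(dst, O_WRONLY | O_CLOEXEC);
    if (out < 0) {
        r = -errno;
        fclose(in);
        return r;
    }
    while (fgets(line, sizeof line, in)) {
        size_t len = strlen(line);
        if (line[0] == '\n' || line[0] == '#')   /* skip blank lines and comments */
            continue;
        if (len == sizeof line - 1 && line[len - 1] != '\n') {
            r = -E2BIG;   /* rule too long: refuse rather than split it across writes */
            break;
        }
        if (write(out, line, len) != (ssize_t) len) {
            r = -errno;
            break;
        }
        rules++;
    }
    fclose(in);
    close(out);
    return r < 0 ? r : rules;
}

#ifdef HAVE_IMA
int ima_setup(void) { return ima_load_policy(IMA_POLICY_PATH, IMA_SECFS_POLICY); }
#else
int ima_setup(void) { return 0; }   /* built without IMA support: nothing to do */
#endif
```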
