[systemd-devel] [Linux-ima-user] [PATCH 2/2] main: added support for loading IMA custom policies

Lennart Poettering lennart at poettering.net
Mon Feb 20 09:24:18 PST 2012


On Thu, 16.02.12 19:50, Gustavo Sverzut Barbieri (barbieri at profusion.mobi) wrote:

> >> Then I wonder: why not make an ima-init binary that:
> >>   - does ima_setup()
> >>   - exec systemd || upstart || ...
> >>
> >> this way you only have to audit this very small file and not systemd
> >> itself, it's very early and so on.
> >>
> >
> > This does not work because SELinux is initialized inside Systemd and IMA
> > requires it for parsing LSM rules in the policy.
> 
> initramfs may do it as well, no? then systemd will inherit it.

We moved SELinux loading out of the initrd into systemd, in order to
support fully featured initrd-less boots. I don't think we should reopen
this problem set by having IMA in the initrd. I believe IMA should be
treated pretty much exactly like SELinux here: the policy should be
loaded from PID1 and it needs to be a compile-time option, and it needs
a kernel cmdline option to disable it (i.e. like selinux=0).

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
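
As an added example, not code from this thread or from systemd's own ima-setup.c, here is the shape of the PID 1 policy loader the reply describes: a run-time check of the kernel command line for a disabling switch, then the custom policy copied rule by rule into the IMA securityfs interface. The policy location /etc/ima/ima-policy, the switch name ima=0 (picked by analogy with selinux=0) and the one-rule-per-write behaviour of the policy file are assumptions of the example, marked as such in the code.

```c
/* Added example (not systemd's ima-setup.c): the shape of an IMA policy
 * loader run from PID 1, gated by a kernel command-line switch.
 * Assumptions are marked inline. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed locations: the custom policy shipped by the distribution, and the
 * securityfs file through which the kernel accepts IMA policy rules. */
#define IMA_POLICY_PATH  "/etc/ima/ima-policy"
#define IMA_SECFS_POLICY "/sys/kernel/security/ima/policy"

/* "ima=0" is a hypothetical switch, named here by analogy with selinux=0.
 * It is matched as a whole whitespace-separated token, so "foo_ima=0" or
 * "ima=01" do not count. Returns 1 when IMA setup should be skipped. */
int ima_disabled_on_cmdline(const char *cmdline)
{
        const char *p = cmdline;

        while (*p) {
                while (*p == ' ' || *p == '\t' || *p == '\n')
                        p++;
                const char *tok = p;
                while (*p && *p != ' ' && *p != '\t' && *p != '\n')
                        p++;
                if ((size_t)(p - tok) == 5 && memcmp(tok, "ima=0", 5) == 0)
                        return 1;
        }
        return 0;
}

/* Copy policy rules from 'in' to 'out_fd', skipping blank lines and '#'
 * comments. Each rule goes out in its own write(2), on the assumption that
 * the securityfs interface parses one rule per write; a malformed rule is
 * rejected by the kernel with EINVAL. Returns the number of rules written,
 * or -errno on the first failed write. */
int write_policy_rules(FILE *in, int out_fd)
{
        char *line = NULL;
        size_t cap = 0;
        ssize_t n;
        int rules = 0;

        while ((n = getline(&line, &cap, in)) > 0) {
                const char *p = line;
                while (*p == ' ' || *p == '\t')
                        p++;
                if (*p == '\0' || *p == '\n' || *p == '#')
                        continue;
                errno = 0;
                if (write(out_fd, line, (size_t)n) != n) {
                        int err = errno ? errno : EIO;
                        free(line);
                        return -err;
                }
                rules++;
        }
        free(line);
        return rules;
}

/* What PID 1 would run early in boot, after securityfs is mounted. A
 * compile-time option in the sense of the reply would wrap this whole
 * function in #ifdef; the command-line check is the runtime escape hatch. */
int main(void)
{
        char cmdline[4096] = "";
        FILE *f;
        int fd, r;

        f = fopen("/proc/cmdline", "re");
        if (f) {
                if (!fgets(cmdline, sizeof cmdline, f))
                        cmdline[0] = '\0';
                fclose(f);
        }
        if (ima_disabled_on_cmdline(cmdline)) {
                fprintf(stderr, "IMA policy loading disabled on the kernel command line.\n");
                return 0;
        }

        f = fopen(IMA_POLICY_PATH, "re");
        if (!f)
                /* No custom policy shipped: nothing to do, not a boot failure. */
                return errno == ENOENT ? 0 : 1;

        fd = open(IMA_SECFS_POLICY, O_WRONLY | O_CLOEXEC);
        if (fd < 0) {
                /* IMA not built into this kernel, or securityfs not mounted. */
                fclose(f);
                return errno == ENOENT ? 0 : 1;
        }

        r = write_policy_rules(f, fd);
        close(fd);
        fclose(f);
        if (r < 0) {
                fprintf(stderr, "Failed to load IMA policy: %s\n", strerror(-r));
                return 1;
        }
        fprintf(stderr, "Loaded %d IMA policy rules.\n", r);
        return 0;
}
```

Both "no custom policy file present" and "no policy interface in this kernel" are treated as nothing to do rather than as errors, which is what PID 1 wants: a build with the option enabled must still boot a kernel without IMA. The token match is deliberately strict so that an unrelated parameter containing the same characters cannot switch the policy off.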

