[systemd-devel] [Linux-ima-user] [PATCH 2/2] main: added support for loading IMA custom policies

Roberto Sassu roberto.sassu at polito.it
Mon Feb 20 11:06:42 PST 2012


On 02/20/2012 06:24 PM, Lennart Poettering wrote:
> On Thu, 16.02.12 19:50, Gustavo Sverzut Barbieri (barbieri at profusion.mobi) wrote:
>
>>>> Then I wonder: why not make an ima-init binary that:
>>>>    - does ima_setup()
>>>>    - exec systemd || upstart || ...
>>>>
>>>> this way you only have to audit this very small file and not systemd
>>>> itself, it's very early and so on.
>>>>
>>>
>>> This does not work because SELinux is initialized inside Systemd and IMA
>>> requires it for parsing LSM rules in the policy.
>>
>> initramfs may do it as well, no? then systemd will inherit it.
>
> We moved SELinux loading out of the initrd into systemd, in order to
> support fully featured initrd-less boots. I don't think we should reopen
> this problem set by having IMA in the initrd. I believe IMA should be
> treated pretty much exactly like SELinux here: the policy should be
> loaded from PID1 and it needs to be a compile time option, and it needs
> a kernel cmdline option to disable it (i.e. like selinux=0).
>

If the SELinux module in dracut is to be considered definitively broken,
then the IMA module should probably also be removed, because it will not be
possible to load policies with LSM rules. But I don't know how this
feature can be supported by distributions without systemd installed.

Regarding the kernel option, there is currently no specific parameter
to disable IMA. However, one could be introduced in the patches proposed
by Mimi Zohar for the 'ima-appraisal' feature. This would allow
disabling IMA or putting it in permissive/enforcing mode, as happens for
example in SELinux.

Thanks

Roberto Sassu


> Lennart
>
