[systemd-devel] [Linux-ima-user] [PATCH 2/2] main: added support for loading IMA custom policies

Lennart Poettering lennart at poettering.net
Mon Feb 20 09:21:50 PST 2012


On Thu, 16.02.12 12:30, Gustavo Sverzut Barbieri (barbieri at profusion.mobi) wrote:

> > Since the policy loading can be implemented in different ways depending
> > on the init system (systemd, upstart, ...), a user must identify the
> > components to be measured for each case. Instead, if the IMA policy is
> > loaded in the main Systemd executable, only this file must be measured
> > by the boot loader.
> 
> Then I wonder: why not make an ima-init binary that:
>   - does ima_setup()
>   - exec systemd || upstart || ...
> 
> this way you only have to audit this very small file and not systemd
> itself, it's very early and so on.

We worked really hard on being able to load the SELinux policy without
any unnecessary (re-)execs. I don't think we should reopen that problem
by loading IMA from a pre-init tool. Also, the management of such a
thing would seriously suck (i.e. you'd probably need something like
update-alternatives, and that sucks), especially since we now already
taught the initrd to spawn /usr/lib/systemd/systemd directly, instead of
/sbin/init.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
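As an added example (not systemd's ima_setup() and not the patch under discussion), the "ima-init" shape Gustavo describes, written out: load the policy rules into the kernel, then exec the real init in place. It assumes /etc/ima/ima-policy as the policy file, /sys/kernel/security/ima/policy as the kernel's securityfs interface (securityfs mounted), and /usr/lib/systemd/systemd as the next init; the demo function swaps in constructed temp files for the policy and the securityfs node so the loader can be exercised without root.

```c
/* ima-init sketch (added example, not systemd's ima_setup() or the patch):
 * load the IMA policy into securityfs, then exec the real init in place.
 * Assumed paths: /etc/ima/ima-policy (policy), /sys/kernel/security/ima/policy
 * (kernel interface, securityfs mounted), /usr/lib/systemd/systemd (next init). */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define IMA_POLICY_SRC "/etc/ima/ima-policy"
#define IMA_POLICY_DST "/sys/kernel/security/ima/policy"
#define DEFAULT_INIT   "/usr/lib/systemd/systemd"

/* One complete rule per write(2): the kernel parses each write as a rule,
 * so a rule must never be split across writes; short writes are resumed. */
static int write_rule(int fd, const char *rule, size_t len) {
    while (len > 0) {
        ssize_t n = write(fd, rule, len);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -errno;
        }
        rule += n;
        len -= (size_t) n;
    }
    return 0;
}

/* Copy rules from src to dst line by line; blank lines and '#' comments are
 * dropped. Returns rules written, 0 if src is absent (no policy), or -errno. */
int ima_load_policy(const char *src, const char *dst) {
    FILE *in = fopen(src, "r");
    if (!in)
        return errno == ENOENT ? 0 : -errno;
    int out = open(dst, O_WRONLY);
    if (out < 0) {
        int e = errno;
        fclose(in);
        return -e;
    }
    char line[1024];
    int count = 0, rc = 0;
    while (rc == 0 && fgets(line, sizeof line, in)) {
        const char *p = line + strspn(line, " \t");
        if (*p == '\0' || *p == '\n' || *p == '#')
            continue;
        rc = write_rule(out, line, strlen(line));
        count += rc == 0;
    }
    close(out);
    fclose(in);
    return rc < 0 ? rc : count;
}

/* Small helpers so the loader can be exercised against plain files. */
int write_text_file(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    if (!f)
        return -errno;
    fputs(text, f);
    return fclose(f) == 0 ? 0 : -errno;
}

long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long) st.st_size : -1L;
}

/* Dry run with constructed files standing in for the policy and the
 * securityfs node: returns 3 (rules loaded) once exactly the three rules'
 * bytes, and nothing else, reached dst. */
int demo_load_from_temp_files(void) {
    const char *src = "/tmp/ima-init-example.policy";
    const char *dst = "/tmp/ima-init-example.node";
    const char *r1 = "dont_measure fsmagic=0x9fa0\n";  /* skip procfs */
    const char *r2 = "measure func=BPRM_CHECK\n";      /* executed files */
    const char *r3 = "measure func=MODULE_CHECK\n";    /* kernel modules */
    char policy[256] = "# constructed sample policy\n";
    strcat(strcat(strcat(strcat(policy, r1), r2), "\n"), r3);
    int rc = write_text_file(src, policy);
    if (rc == 0) rc = write_text_file(dst, "");
    if (rc < 0) return rc;
    int n = ima_load_policy(src, dst);
    long got = file_size(dst);
    unlink(src);
    unlink(dst);
    return got == (long) (strlen(r1) + strlen(r2) + strlen(r3)) ? n : -EIO;
}

int main(int argc, char **argv) {
    char *const fallback[] = { DEFAULT_INIT, NULL };
    int rc = ima_load_policy(IMA_POLICY_SRC, IMA_POLICY_DST);
    if (rc < 0)
        fprintf(stderr, "ima-init: IMA policy not loaded: %s\n", strerror(-rc));
    else
        fprintf(stderr, "ima-init: loaded %d IMA rule(s)\n", rc);
    /* Replace this process with the real init: PID 1 stays, no fork. */
    if (argc > 1) execv(argv[1], argv + 1); else execv(DEFAULT_INIT, fallback);
    fprintf(stderr, "ima-init: exec failed: %s\n", strerror(errno));
    return 1;
}
```

The initrd would run it as `ima-init /usr/lib/systemd/systemd`. Two things the code makes concrete: the policy node takes one rule per write, so the loader copies line by line rather than in one block; and the extra exec before init, plus the question of which init path to hand over to, is precisely the management cost Lennart objects to above.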
