[systemd-devel] [Linux-ima-user] [PATCH 2/2] main: added support for loading IMA custom policies

Lennart Poettering lennart at poettering.net
Mon Feb 20 09:24:56 PST 2012


On Thu, 16.02.12 15:40, Tomasz Torcz (tomek at pipebreaker.pl) wrote:

> 
> On Thu, Feb 16, 2012 at 12:30:31PM -0200, Gustavo Sverzut Barbieri wrote:
> > On Thu, Feb 16, 2012 at 11:38 AM, Roberto Sassu <roberto.sassu at polito.it> wrote:
> > > the reason for which the loading of IMA policies has been placed in
> > > the main Systemd executable is that the measurement process performed
> > > by IMA should start as early as possible. Otherwise, in order to build
> > > the 'chain of trust' during the boot process from the BIOS to software
> > > applications, it is required to measure those components loaded before
> > > IMA is initialized with other means (for example from the boot loader).
> > 
> > Then I wonder: why not make an ima-init binary that:
> >   - does ima_setup()
> >   - exec systemd || upstart || ...
> > 
> > this way you only have to audit this very small file and not systemd
> > itself, it's very early and so on.
> 
> Isn't that a job for initramfs?

We support booting without initramfs in systemd. SELinux/IMA should be
available for those systems, too.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
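As an added illustration of the "tiny ima-init that does ima_setup() and then execs the real init" shape Gustavo sketches above (this is not code from the thread, from Roberto's patch, or from systemd's own ima-setup.c), the program below reads a custom policy and feeds it to the kernel's IMA policy interface one rule per write(2), then hands over to the first init binary it can execute. The policy path `/etc/ima/ima-policy`, the securityfs path `/sys/kernel/security/ima/policy`, the init candidate list and the sample rules in the self-test are all assumptions or constructed values, not taken from the thread.

```c
/* ima-init: constructed example of a minimal pre-init that loads an IMA
 * policy and then execs the real init.  Not systemd's ima-setup.c; the
 * paths below are conventional but are assumptions for this example. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define IMA_POLICY_FILE "/etc/ima/ima-policy"             /* assumed custom policy location */
#define IMA_SECURITYFS  "/sys/kernel/security/ima/policy" /* kernel policy interface */

/* Copy policy rules from `src` into `dst`, one rule per write(2), since the
 * kernel's policy interface parses a single rule per write.  Blank and
 * comment lines are skipped.  Returns the number of rules written, 0 if
 * `src` does not exist (nothing to do), or -errno on failure. */
int load_ima_policy(const char *src, const char *dst) {
    FILE *f = fopen(src, "r");
    if (!f)
        return errno == ENOENT ? 0 : -errno;

    int fd = open(dst, O_WRONLY | O_CLOEXEC);
    if (fd < 0) {
        int e = errno;      /* ENOENT here: IMA not enabled in this kernel */
        fclose(f);
        return -e;
    }

    char *line = NULL;
    size_t cap = 0;
    ssize_t len;
    int rules = 0, rc = 0;

    while ((len = getline(&line, &cap, f)) > 0) {
        const char *p = line + strspn(line, " \t");
        if (*p == '\n' || *p == '#' || *p == '\0')
            continue;
        if (write(fd, line, (size_t) len) != len) {
            rc = -errno;
            break;
        }
        rules++;
    }

    free(line);
    close(fd);
    fclose(f);
    return rc < 0 ? rc : rules;
}

/* Hand over to the first init that can be executed (candidate list is an
 * assumption).  execv() only returns on failure, so falling out of the
 * loop means no init could be started. */
void exec_real_init(char *const *argv) {
    static const char *candidates[] = { "/usr/lib/systemd/systemd", "/sbin/init", NULL };
    for (size_t i = 0; candidates[i]; i++)
        execv(candidates[i], argv);
}

/* Self-test on constructed data: stages a sample policy in a temp file and
 * loads it into a second temp file standing in for securityfs.  Returns the
 * number of rules loaded (3 for the sample below) or -1 on any mismatch. */
int ima_init_self_test(void) {
    static const char policy[] =
        "# constructed sample policy, not a real one\n"
        "dont_measure fsmagic=0x9fa0\n"
        "\n"
        "measure func=BPRM_CHECK\n"
        "measure func=FILE_MMAP mask=MAY_EXEC\n";
    static const char expected[] =
        "dont_measure fsmagic=0x9fa0\n"
        "measure func=BPRM_CHECK\n"
        "measure func=FILE_MMAP mask=MAY_EXEC\n";
    char src[] = "/tmp/ima-policy-XXXXXX", dst[] = "/tmp/ima-secfs-XXXXXX";
    int sfd = mkstemp(src), dfd = mkstemp(dst);
    if (sfd < 0 || dfd < 0)
        return -1;
    if (write(sfd, policy, sizeof policy - 1) != (ssize_t) (sizeof policy - 1))
        return -1;
    close(sfd);
    close(dfd);

    int rules = load_ima_policy(src, dst);

    char buf[256] = { 0 };
    FILE *f = fopen(dst, "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f)
        fclose(f);
    unlink(src);
    unlink(dst);

    if (rules != 3 || n != sizeof expected - 1 || memcmp(buf, expected, n) != 0)
        return -1;
    /* a missing policy file is "nothing to do", not an error */
    if (load_ima_policy("/nonexistent/constructed/ima-policy", dst) != 0)
        return -1;
    return rules;
}

int main(int argc, char *argv[]) {
    (void) argc;
    int r = load_ima_policy(IMA_POLICY_FILE, IMA_SECURITYFS);
    if (r < 0)
        fprintf(stderr, "ima-init: failed to load IMA policy: %s\n", strerror(-r));
    /* Whatever happened, boot must continue: hand over to the real init. */
    exec_real_init(argv);
    fprintf(stderr, "ima-init: could not exec any init: %s\n", strerror(errno));
    return 1;
}
```

Two design choices worth noting: a missing policy file is treated as "nothing to do" rather than an error, so the same binary works on systems without a custom policy, and a failure to reach the kernel interface is logged but never blocks the hand-over to init, since a system that fails to boot is worse than one that boots unmeasured and says so.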

