[systemd-devel] [Linux-ima-user] [PATCH 2/2] main: added support for loading IMA custom policies
Lennart Poettering
lennart at poettering.net
Mon Feb 20 09:24:56 PST 2012
On Thu, 16.02.12 15:40, Tomasz Torcz (tomek at pipebreaker.pl) wrote:
>
> On Thu, Feb 16, 2012 at 12:30:31PM -0200, Gustavo Sverzut Barbieri wrote:
> > On Thu, Feb 16, 2012 at 11:38 AM, Roberto Sassu <roberto.sassu at polito.it> wrote:
> > > the reason for which the loading of IMA policies has been placed in
> > > the main Systemd executable is that the measurement process performed
> > > by IMA should start as early as possible. Otherwise, in order to build
> > > the 'chain of trust' during the boot process from the BIOS to software
> > > applications, it is required to measure those components loaded before
> > > IMA is initialized with other means (for example from the boot loader).
> >
> > Then I wonder: why not make an ima-init binary that:
> > - does ima_setup()
> > - exec systemd || upstart || ...
> >
> > this way you only have to audit this very small file and not systemd
> > itself, it's very early and so on.
>
> Isn't that a job for initramfs?
We support booting without initramfs in systemd. SELinux/IMA should be
available for those systems, too.
Lennart
--
Lennart Poettering - Red Hat, Inc.
More information about the systemd-devel
mailing list