[systemd-devel] [Linux-ima-user] [PATCH 2/2] main: added support for loading IMA custom policies

Mimi Zohar zohar at linux.vnet.ibm.com
Tue Feb 21 08:14:11 PST 2012


On Tue, 2012-02-21 at 15:32 +0100, Kay Sievers wrote:
> On Tue, Feb 21, 2012 at 15:07, Colin Guthrie <gmane at colin.guthr.ie> wrote:
> 
> >> The code for loading IMA custom policies was placed in the initial
> >> ramdisk with the purpose to avoid distribution specific dependencies.

In a trusted-grub, or equivalent environment, the kernel, initramfs, and
kernel boot options are measured.  The main reason for loading the IMA
policy in the initramfs was that the policy would be included in the
initramfs measurement.

Mimi

> >> However, since the SELinux initialization has been moved to Systemd
> >> and Systemd itself will be used by the major distributions, I think
> >> placing the IMA code here is the best solution, even if it is not the
> >> most general.
> >
> > Just for reference, not all distros use the same initrd generator
> > anyway. We're trying to move to dracut, but it's certainly not universal
> > at the moment. I think Suse use something else (maybe they plan to move
> > to dracut too?) and I've no idea about Ubuntu but I doubt they use dracut.
> >
> > So I'd suggest that at the moment, systemd will actually get you wider
> > coverage... although that's just a slightly ill-informed and hand-wave
> > analysis on my part. Either way, I think it's better in systemd :D
> 
> Sounds right. The initramfs is definitely less generic than systemd
> is. Almost every distro still has its own here. The situation today
> with initramfs generators can probably not get more distro-specific;
> it is still almost at its maximum. :)
> 
> So the thinking of moving anything to the initramfs to avoid the Linux
> distro balkanization problem will usually not work out.
> 
> Kay
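The trade-off Mimi describes (a policy shipped inside the initramfs is covered by the bootloader's initramfs measurement; a policy read later by systemd from the root filesystem is not, unless something measures that file) can be made concrete with a small simulation. The following is an added example, not code from the thread or from systemd; it builds a minimal newc cpio image in memory, stands in for the bootloader's TPM measurement with a SHA-256 PCR-extend, and compares both placements. The policy lines, the `etc/ima/ima-policy` path, the `boot()` helper and the `measure_policy_file` flag are all constructed for the illustration and do not correspond to real IMA or systemd interfaces.

```python
import hashlib

# Constructed sample policies in IMA rule syntax (one rule per line).
GOOD_POLICY = b"measure func=BPRM_CHECK mask=MAY_EXEC\nmeasure func=FILE_MMAP mask=MAY_EXEC\n"
WEAK_POLICY = b"dont_measure fsmagic=0x9fa0\n"
# Constructed stand-in for the initramfs /init script.
INIT = b"#!/bin/sh\nexec /lib/systemd/systemd\n"


def _pad4(buf: bytearray) -> None:
    """newc cpio aligns both the header+name and the file data to 4 bytes."""
    while len(buf) % 4:
        buf.append(0)


def cpio_newc(entries: dict) -> bytes:
    """Build a minimal SVR4 'newc' cpio archive (the initramfs format) in memory."""
    out = bytearray()
    ino = 1
    for name, data in list(entries.items()) + [("TRAILER!!!", b"")]:
        name_b = name.encode() + b"\0"
        mode = 0o100644 if name != "TRAILER!!!" else 0
        # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
        # rdevmajor, rdevminor, namesize (incl. NUL), check
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
        out += b"070701" + b"".join(f"{f:08x}".encode() for f in fields)
        out += name_b
        _pad4(out)
        out += data
        _pad4(out)
        ino += 1
    return bytes(out)


def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM-style extend: PCR' = H(PCR || H(data)). Simulation only, no TPM involved."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def boot(policy: bytes, placement: str, measure_policy_file: bool = False) -> str:
    """Simulated measured boot; returns the final PCR value as hex.

    placement="initramfs": the policy is packed into the initramfs, so the
    bootloader's measurement of the image covers it automatically.
    placement="rootfs": the initramfs has no policy; systemd (hypothetically)
    reads it from the root filesystem later. It only enters the PCR if some
    rule measures that file, which measure_policy_file models.
    """
    pcr = bytes(32)
    if placement == "initramfs":
        image = cpio_newc({"init": INIT, "etc/ima/ima-policy": policy})
        pcr = pcr_extend(pcr, image)
    elif placement == "rootfs":
        image = cpio_newc({"init": INIT})
        pcr = pcr_extend(pcr, image)
        if measure_policy_file:
            pcr = pcr_extend(pcr, policy)
    else:
        raise ValueError(f"unknown placement: {placement}")
    return pcr.hex()


if __name__ == "__main__":
    print("initramfs, good vs weak policy differ:",
          boot(GOOD_POLICY, "initramfs") != boot(WEAK_POLICY, "initramfs"))
    print("rootfs, unmeasured policy differ:   ",
          boot(GOOD_POLICY, "rootfs") != boot(WEAK_POLICY, "rootfs"))
    print("rootfs, measured policy differ:     ",
          boot(GOOD_POLICY, "rootfs", True) != boot(WEAK_POLICY, "rootfs", True))
```

With the policy in the initramfs, swapping the good policy for the weak one changes the image digest and therefore the PCR. With the policy on the root filesystem and nothing measuring it, both boots yield an identical PCR, so an attestation verifier cannot tell the two policies apart; only once the policy file itself is measured does the difference reappear. That is the gap a systemd-side loader has to close if the initramfs no longer carries the policy.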
