[systemd-devel] [PATCH 1/2] ima: Have IMA policy loaded from /etc/sysconfig or /etc/default.
Stefan Berger
stefanb at linux.vnet.ibm.com
Tue Nov 29 12:08:33 UTC 2016
On 11/29/2016 06:49 AM, Lennart Poettering wrote:
> On Mon, 28.11.16 14:17, Stefan Berger (stefanb at linux.vnet.ibm.com) wrote:
>
>> From: Stefan Berger <stefanb at us.ibm.com>
>>
>> Fedora has its policy in /etc/sysconfig/ima-policy while Ubuntu
>> has it in /etc/default/ima-policy. So we try to read the IMA policy
>> from one location and try it from another location if it couldn't
>> be found. To maintain backwards compatibility, we also try
>> /etc/ima/ima-policy.
> Sorry, but this looks very wrong. I am not sure what /etc/sysconfig/
> and /etc/default/ima-policy are supposed to be, but I am pretty sure
> placing IMA policy there is just wrong. Moreover, our goal is to
> remove any distro-specific hooks in systemd in favour of common paths,
> not adding new.
It's confusing... Dracut for example expects it in
/etc/sysconfig/ima-policy:
https://github.com/dracutdevs/dracut/blob/master/modules.d/98integrity/ima-policy-load.sh#L10
So following that either one has to change. I chose to change systemd.
To me /etc/default on Debian systems is the equivalent of /etc/sysconfig
on RPM based ones (or at least RedHat based ones), so that's where this
is coming from.
>
> Hence I am sorry, but I don't think this is right. Please ask the
> downstream maintainers to agree on /etc/ima/ima-policy (or any other
> common path). Let's fix the distros, let's not work around them in
> systemd.
Fine, if that's the common understanding that the proposed directories
are not appropriate.
Stefan
>
> I hope this makes sense,
>
> sorry,
>
> Lennart
>
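The fallback lookup described in the commit message (try one policy location, then the next), written out as a small POSIX shell example. This is an added illustration for the thread, not the submitted patch, dracut's ima-policy-load.sh, or systemd code. The search order, the temp-dir layout, the sample rule line and the symlink check are assumptions made here; the only behaviour taken from the message is "try several fixed paths and use the first that exists".

```shell
# Added example, not the patch's code: resolve an IMA policy file from an
# ordered list of candidate paths, mirroring the fallback the commit message
# describes. Paths, file contents and the symlink rule are assumptions.

# find_ima_policy CANDIDATE... -> prints the first candidate that is a
# readable, non-empty regular file; exits 1 if none qualifies.
find_ima_policy() {
    for candidate in "$@"; do
        # Reject symlinks: a policy path that can be redirected elsewhere is
        # a weak trust anchor for what the kernel will enforce (assumption).
        if [ -L "$candidate" ]; then
            printf 'skipping symlink %s\n' "$candidate" >&2
            continue
        fi
        if [ -f "$candidate" ] && [ -r "$candidate" ] && [ -s "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    printf 'no IMA policy found in: %s\n' "$*" >&2
    return 1
}

# ima_policy_search_path -> the search order assumed by this example; the
# thread argues the distro-specific entries should not exist at all.
ima_policy_search_path() {
    printf '%s\n' /etc/ima/ima-policy /etc/sysconfig/ima-policy /etc/default/ima-policy
}

# demo_resolve -> builds a constructed scratch tree under a temp dir and
# resolves the policy against it; the empty /etc/sysconfig file is skipped
# and the populated /etc/default file wins. Prints the chosen path.
demo_resolve() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/ima" "$root/etc/sysconfig" "$root/etc/default"
    # Constructed sample rule; real policies carry many such lines.
    printf 'measure func=BPRM_CHECK\n' > "$root/etc/default/ima-policy"
    : > "$root/etc/sysconfig/ima-policy"   # empty file: must be skipped
    find_ima_policy "$root/etc/ima/ima-policy" \
                    "$root/etc/sysconfig/ima-policy" \
                    "$root/etc/default/ima-policy"
    rc=$?
    rm -rf "$root"
    return $rc
}
```

Run `demo_resolve` to see the resolution; on a real host, `ima_policy_search_path | xargs find_ima_policy` would report which of the three locations (if any) is populated, which is the check to run before deciding whether a distro's policy is actually being picked up.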