[systemd-devel] [PATCH 1/2] ima: Have IMA policy loaded from /etc/sysconfig or /etc/default.
Lennart Poettering
lennart at poettering.net
Tue Nov 29 16:06:04 UTC 2016
On Tue, 29.11.16 07:08, Stefan Berger (stefanb at linux.vnet.ibm.com) wrote:
> > > Fedora has its policy in /etc/sysconfig/ima-policy while Ubuntu
> > > has it in /etc/default/ima-policy. So we try to read the IMA policy
> > > from one location and try it from another location if it couldn't
> > > be found. To maintain backwards compatibility, we also try
> > > /etc/ima/ima-policy.
> > Sorry, but this looks very wrong. I am not sure what /etc/sysconfig/
> > and /etc/default/ima-policy are supposed to be, but I am pretty sure
> > placing IMA policy there is just wrong. Moreover, our goal is to
> > remove any distro-specific hooks in systemd in favour of common paths,
> > not adding new.
>
> It's confusing... Dracut for example expects it in
> /etc/sysconfig/ima-policy:
>
> https://github.com/dracutdevs/dracut/blob/master/modules.d/98integrity/ima-policy-load.sh#L10
That sounds like something to fix in dracut. I am sure Harald would be
fine with adopting the generic path.
Harald?
> So following that either one has to change. I chose to change systemd. To me
> /etc/default on Debian systems is the equivalent of /etc/sysconfig on RPM
> based ones (or at least RedHat based ones), so that's where this is coming
> from.
And both of them are a bad idea. In particular the RH version. I mean
/etc is already system configuration, why would you place a directory
called "sysconfig" — which I figure is supposed to be short for
"system configuration" inside a directory for system configuration?
Lennart
--
Lennart Poettering, Red Hat