<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<tt><font size="2">Harald,<br>
<br>
please do not apply this patch.<br>
<br>
Stefan<br>
</font></tt>
<blockquote
cite="mid:OFAB3B0DDA.C5BDF803-ON0025807B.00603714-8525807B.0060434C@notes.na.collabserv.com"
type="cite"><tt><font size="2"><br>
> <br>
> From: Stefan Berger <a class="moz-txt-link-rfc2396E" href="mailto:stefanb@us.ibm.com"><stefanb@us.ibm.com></a><br>
> <br>
> To sync with systemd, use the filepath
/etc/ima/ima-policy as<br>
> the default file location for the IMA policy. At the same
time we<br>
> move the ima config file location to /etc/ima/ima. Adapt
the<br>
> documentation to the new path. Maintain backwards
compatibility<br>
> by still reading the old files in case the new ones do
not exist.<br>
> <br>
> Signed-off-by: Stefan Berger
<a class="moz-txt-link-rfc2396E" href="mailto:stefanb@linux.vnet.ibm.com"><stefanb@linux.vnet.ibm.com></a><br>
> ---<br>
> modules.d/98integrity/README
| 8 ++++----<br>
> modules.d/98integrity/ima-keys-load.sh | 7 ++++++-<br>
> modules.d/98integrity/ima-policy-load.sh | 20
+++++++++++++++++---<br>
> 3 files changed, 27 insertions(+), 8 deletions(-)<br>
> <br>
> diff --git a/modules.d/98integrity/README
b/modules.d/98integrity/README<br>
> index 64de0ae..c8ccee5 100644<br>
> --- a/modules.d/98integrity/README<br>
> +++ b/modules.d/98integrity/README<br>
> @@ -33,10 +33,10 @@ line.<br>
> <br>
> # Save the policy in a file.<br>
> <br>
> -# Create the configuration file '/etc/sysconfig/ima' to
override
<br>
> the path name of<br>
> +# Create the configuration file '/etc/ima/ima' to
override the path
name of<br>
> # the IMA custom policy.<br>
> -------------- '/etc/sysconfig/ima' (with the default
value) -------------<br>
> -IMAPOLICY="/etc/sysconfig/ima-policy"<br>
> +------------- '/etc/ima/ima' (with the default value)
-------------<br>
> +IMAPOLICY="/etc/ima/ima-policy"<br>
>
-------------------------------------------------------------------------<br>
> <br>
> <br>
> @@ -64,5 +64,5 @@ IMAPOLICY="/etc/sysconfig/ima-policy"<br>
> <br>
> # 98integrity/ima-keys-load.sh script loads the signed
certificates
stored <br>
> # in the $IMAKEYSDIR onto the trusted IMA keyring. The
default $IMAKEYSDIR<br>
> -# directory is /etc/keys/ima, but can be specified in
the /etc/sysconfig/ima<br>
> +# directory is /etc/keys/ima, but can be specified in
the /etc/ima/ima<br>
> # policy.<br>
> diff --git a/modules.d/98integrity/ima-keys-load.sh
b/modules.d/<br>
> 98integrity/ima-keys-load.sh<br>
> index 659b722..922af1e 100755<br>
> --- a/modules.d/98integrity/ima-keys-load.sh<br>
> +++ b/modules.d/98integrity/ima-keys-load.sh<br>
> @@ -2,7 +2,10 @@<br>
> <br>
> SECURITYFSDIR="/sys/kernel/security"<br>
> IMASECDIR="${SECURITYFSDIR}/ima"<br>
> -IMACONFIG="${NEWROOT}/etc/sysconfig/ima"<br>
> +IMACONFIG="${NEWROOT}/etc/ima/ima"<br>
> +<br>
> +# for backwards compatibility<br>
> +IMACONFIG_OLD="${NEWROOT}/etc/sysconfig/ima"<br>
> <br>
> load_x509_keys()<br>
> {<br>
> @@ -11,6 +14,8 @@ load_x509_keys()<br>
> # override the default configuration<br>
> if [ -f "${IMACONFIG}" ]; then<br>
> . ${IMACONFIG}<br>
> + elif [ -f "${IMACONFIG_OLD}" ]; then<br>
> + . ${IMACONFIG_OLD}<br>
> fi<br>
> <br>
> if [ -z "${IMAKEYDIR}" ]; then<br>
> diff --git a/modules.d/98integrity/ima-policy-load.sh
b/modules.d/<br>
> 98integrity/ima-policy-load.sh<br>
> index 85cd3b9..a92b1bb 100755<br>
> --- a/modules.d/98integrity/ima-policy-load.sh<br>
> +++ b/modules.d/98integrity/ima-policy-load.sh<br>
> @@ -5,10 +5,19 @@<br>
> # Copyright (C) 2011 Politecnico di Torino, Italy<br>
> #
TORSEC group -- </font></tt><a moz-do-not-send="true"
href="http://security.polito.it/"><tt><font size="2">http://security.polito.it</font></tt></a><tt><font
size="2"><br>
> # Roberto Sassu <a class="moz-txt-link-rfc2396E" href="mailto:roberto.sassu@polito.it"><roberto.sassu@polito.it></a><br>
> +#<br>
> +# Copyright (C) 2016 IBM Corporation<br>
> +#<br>
> +# Stefan Berger <a class="moz-txt-link-rfc2396E" href="mailto:stefanb@linux.vnet.ibm.com"><stefanb@linux.vnet.ibm.com></a><br>
> +#<br>
> <br>
> IMASECDIR="${SECURITYFSDIR}/ima"<br>
> -IMACONFIG="${NEWROOT}/etc/sysconfig/ima"<br>
> -IMAPOLICY="/etc/sysconfig/ima-policy"<br>
> +IMACONFIG="${NEWROOT}/etc/ima/ima"<br>
> +IMAPOLICY="/etc/ima/ima-policy"<br>
> +<br>
> +# for backwards compatibility<br>
> +IMACONFIG_OLD="${NEWROOT}/etc/sysconfig/ima"<br>
> +IMAPOLICY_OLD="/etc/sysconfig/ima-policy"<br>
> <br>
> load_ima_policy()<br>
> {<br>
> @@ -21,11 +30,16 @@ load_ima_policy()<br>
> fi<br>
> <br>
> # override the default configuration<br>
> - [ -f "${IMACONFIG}" ] && \<br>
> + if [ -f "${IMACONFIG}" ]; then<br>
> . ${IMACONFIG}<br>
> + elif [ -f "${IMACONFIG_OLD}" ]; then<br>
> + . ${IMACONFIG_OLD}<br>
> + fi<br>
> <br>
> # set the IMA policy path name<br>
> IMAPOLICYPATH="${NEWROOT}${IMAPOLICY}"<br>
> + [ ! -f "${IMAPOLICYPATH}" ] && \<br>
> + IMAPOLICYPATH="${NEWROOT}${IMAPOLICY_OLD}"<br>
> <br>
> # check the existence of the IMA policy file<br>
> [ -f "${IMAPOLICYPATH}" ] &&
{<br>
> -- <br>
> 2.8.3<br>
> <br>
</font></tt><br>
</blockquote>
<p><br>
</p>
</body>
</html>