On Thu, 16.02.12 15:56, Michael Cassaniti (m.cassan...@gmail.com) wrote:

> >>>> Also, I certainly have no such things in my system and see no point in
> >>>> calling ima_setup() on it. Or even compiling the source file in such
> >>>> case.
> >>>>
> >>> Ok. I can enclose the code in ima-setup.c within an 'ifdef HAVE_IMA'
> >>> statement, as it happens for SELinux. However, an issue is that there is no
> >>> specific package for IMA that can be checked to set the HAVE_IMA
> >>> definition to yes. Instead, the code can be enabled for example by
> >>> adding the parameter '--enable_ima' in the configure script.
> >> okay.
> >>
> I'm under the impression this function belongs to a userspace tool.
> If not, then I just don't see a good reason that this patch is
> required. I do understand that the IMA policy should be loaded as
> early as possible, but I believe that early userspace scripts should
> be doing that work. If it is a userspace function, then whatever
> makes you happy; other distros will roll their own.
In systemd, bootup is fully parallelized. I much prefer invoking the IMA
policy at the right time, before we spawn off the first processes, instead
of having to express that with dependencies towards all units.

Lennart

--
Lennart Poettering - Red Hat, Inc.
--
To unsubscribe from this list: send the line "unsubscribe initramfs" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
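An added illustration of the build-time gating discussed in the thread (this is not systemd's actual ima-setup.c): an ima_setup()-style loader that is compiled in only when HAVE_IMA is defined and collapses to a no-op otherwise, with the policy source and the securityfs sink passed in so it can be exercised against ordinary files. The function name, the sink path and the sample rules are assumptions.

```c
#include <errno.h>
#include <stdio.h>
/* Defined here so the example builds alone; a real tree would get it from
 * configure (the --enable_ima switch proposed in the thread). */
#define HAVE_IMA 1

#ifdef HAVE_IMA
/* Feed an IMA policy file to the kernel policy interface, one rule (line) per
 * write(). The real sink is securityfs (assumed /sys/kernel/security/ima/policy);
 * any writable path works for exercising it. Returns rules loaded or -errno. */
int ima_setup_from(const char *policy_path, const char *sink_path) {
    char line[4096];
    int rules = 0, err;
    FILE *in = fopen(policy_path, "r");
    if (!in) return -errno;
    FILE *out = fopen(sink_path, "w");
    if (!out) {
        err = errno;
        fclose(in);
        return -err;
    }
    while (fgets(line, sizeof line, in)) {
        if (line[0] == '#' || line[0] == '\n')
            continue;           /* comments and blank lines are not rules */
        /* fflush() after each rule so stdio issues one write() per rule */
        if (fputs(line, out) == EOF || fflush(out) != 0) {
            err = errno;
            fclose(in);
            fclose(out);
            return -err;
        }
        rules++;
    }
    fclose(in);
    fclose(out);
    return rules;
}
#else
/* Without IMA support the call compiles to a no-op, as for SELinux. */
static inline int ima_setup_from(const char *p, const char *s) { (void)p; (void)s; return 0; }
#endif

/* Constructed demo: write a small sample policy to /tmp and load it. */
int ima_setup_demo(void) {
    const char *policy = "/tmp/ima-policy-example", *sink = "/tmp/ima-policy-sink";
    FILE *f = fopen(policy, "w");
    if (!f) return -errno;
    fputs("# constructed sample policy\ndont_measure fsmagic=0x9fa0\nmeasure func=BPRM_CHECK\n", f);
    fclose(f);
    return ima_setup_from(policy, sink);    /* 2 rules loaded */
}
```

Building with HAVE_IMA undefined leaves only the no-op stub, which is the "compile the source file out" case raised in the quoted message.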