On Wed, 2025-09-10 at 09:36 +0800, Coiby Xu wrote: > On Mon, Sep 08, 2025 at 04:58:05PM -0400, Mimi Zohar wrote: > > On Mon, 2025-09-08 at 10:53 -0400, Mimi Zohar wrote: > > > Hi Coiby, > > > > > > On Mon, 2025-09-08 at 19:12 +0800, Coiby Xu wrote: > > > > > > > > > > Even without an IMA appraise policy, the security xattrs are written > > > > > out to the > > > > > filesystem, but the IMA_DIGSIG flag is not cached. > > > > > > > > It seems I miss some context for the above sentence. If no IMA policy is > > > > configured, no ima_iint_cache will be created. If you mean non-appraisal > > > > policy, will not caching IMA_DIGSIG flag cause any problem? > > > > > > Sorry. What I was trying to say is that your test program illustrates the > > > problem both with or without any of the boot command line options as you > > > suggested - "ima_appraise=fix evm=fix ima_policy=appraise_tcb". Writing > > > some > > > other security xattr is a generic problem, whether the file is in policy > > > or not, > > > whether IMA or EVM are in fix mode or not. The rpm-plugin-ima should > > > install > > > the IMA signature regardless. > > > > My mistake. An appraise policy indeed needs to be defined for the file > > signature to be replaced with a file hash. > > Thanks for the clarification! rpm-plugin-ima does try to install IMA > signature as shown from the following strace output,
Agreed. I was referring to the SELinux label, which would be installed for new files, but not necessarily re-installed on existing files. The test program simplified testing. Thank you. Mimi
