On Wed, Feb 13, 2013 at 5:26 PM, Kasatkin, Dmitry <dmitry.kasat...@intel.com> wrote: > On Wed, Feb 13, 2013 at 4:38 PM, Vivek Goyal <vgo...@redhat.com> wrote: >> On Wed, Feb 13, 2013 at 03:36:45PM +0200, Kasatkin, Dmitry wrote: >>> It should not be the only line in the policy. >>> Can you share full policy? >> >> I verified by putting some printk. There is only single rule in >> ima_policy_rules list after I have updated the rules through "policy" >> file. >> >> echo "appraise fowner=0 func=BPRM_CHECK appraise_type=imasig_optional" > >> /sys/kernel/security/policy > > There is a default policy which has several rules. > > And when you do your "echo" you will replace all rules with that single rule. > But ok, you have one rule only and it is fine to have even a single rule... >
What I have not said yet it is that in your case, because you use only BPRM_CHECK hook, you do not need "dont_appraise" and "dont_measure" rules for pseudo filesystems. >> >> Thanks >> Vivek -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/