On Wed, Feb 13, 2013 at 05:29:43PM +0200, Kasatkin, Dmitry wrote: > On Wed, Feb 13, 2013 at 5:26 PM, Kasatkin, Dmitry > <dmitry.kasat...@intel.com> wrote: > > On Wed, Feb 13, 2013 at 4:38 PM, Vivek Goyal <vgo...@redhat.com> wrote: > >> On Wed, Feb 13, 2013 at 03:36:45PM +0200, Kasatkin, Dmitry wrote: > >>> It should not be the only line in the policy. > >>> Can you share full policy? > >> > >> I verified by putting some printk. There is only single rule in > >> ima_policy_rules list after I have updated the rules through "policy" > >> file. > >> > >> echo "appraise fowner=0 func=BPRM_CHECK appraise_type=imasig_optional" > > >> /sys/kernel/security/policy > > > > There is a default policy which has several rules. > > > > And when you do your "echo" you will replace all rules with that single > > rule. > > But ok, you have one rule only and it is fine to have even a single rule... > > > > What I have not said yet it is that in your case, because you use only > BPRM_CHECK hook, > you do not need "dont_appraise" and "dont_measure" rules for pseudo > filesystems.
Agreed. Thanks Vivek -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/