On Wed, 2013-02-13 at 10:30 -0500, Vivek Goyal wrote: > On Wed, Feb 13, 2013 at 05:26:27PM +0200, Kasatkin, Dmitry wrote: > > On Wed, Feb 13, 2013 at 4:38 PM, Vivek Goyal <[email protected]> wrote: > > > On Wed, Feb 13, 2013 at 03:36:45PM +0200, Kasatkin, Dmitry wrote: > > >> It should not be the only line in the policy. > > >> Can you share full policy? > > > > > > I verified by putting some printk. There is only single rule in > > > ima_policy_rules list after I have updated the rules through "policy" > > > file. > > > > > > echo "appraise fowner=0 func=BPRM_CHECK appraise_type=imasig_optional" > > > > /sys/kernel/security/policy > > > > There is a default policy which has several rules. > > > > And when you do your "echo" you will replace all rules with that single > > rule. > > But ok, you have one rule only and it is fine to have even a single rule... > > Yep, I got that. Default policy gets overruled when a new policy is > loaded. > > In secureboot mode, somehow above rule needs to take effect by default. > One option would be that kernel can enforce above rule. > (I guess by adding it to both default_list as well as policy list).
The default policy is empty, but can be replaced with boot command line options. The existing options are ima_tcb and/ ima_appraise_tcb. Please feel free to define an additional policy. thanks, Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
