Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-19 Thread Mimi Zohar
On Mon, 2013-02-18 at 13:21 -0500, Vivek Goyal wrote: > On Thu, Feb 14, 2013 at 10:30:15AM -0500, Mimi Zohar wrote: > > On Thu, 2013-02-14 at 10:03 -0500, Vivek Goyal wrote: > > > On Wed, Feb 13, 2013 at 05:27:01PM -0500, Mimi Zohar wrote: > > > > > > [..] > > > > > Yep, I got that. Default

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-18 Thread Vivek Goyal
On Thu, Feb 14, 2013 at 10:30:15AM -0500, Mimi Zohar wrote: > On Thu, 2013-02-14 at 10:03 -0500, Vivek Goyal wrote: > > On Wed, Feb 13, 2013 at 05:27:01PM -0500, Mimi Zohar wrote: > > > > [..] > > > > Yep, I got that. Default policy gets overruled when a new policy is > > > > loaded. > > > > > >

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-14 Thread Mimi Zohar
On Thu, 2013-02-14 at 15:57 -0500, Vivek Goyal wrote: > On Thu, Feb 14, 2013 at 03:54:45PM -0500, Vivek Goyal wrote: > > On Thu, Feb 14, 2013 at 02:49:16PM -0500, Mimi Zohar wrote: > > > > [..] > > > > > I think you're making this more complicated than it needs to be. > > > > > Allow > > > > >

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-14 Thread Vivek Goyal
On Thu, Feb 14, 2013 at 03:54:45PM -0500, Vivek Goyal wrote: > On Thu, Feb 14, 2013 at 02:49:16PM -0500, Mimi Zohar wrote: > > [..] > > > > I think you're making this more complicated than it needs to be. Allow > > > > the execution unless the file failed signature verification. The > > > >

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-14 Thread Vivek Goyal
On Thu, Feb 14, 2013 at 02:49:16PM -0500, Mimi Zohar wrote: [..] > > > I think you're making this more complicated than it needs to be. Allow > > > the execution unless the file failed signature verification. The > > > additional capability is given only if the signature verification > > >

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-14 Thread Mimi Zohar
On Thu, 2013-02-14 at 11:17 -0500, Vivek Goyal wrote: > On Thu, Feb 14, 2013 at 10:35:59AM -0500, Mimi Zohar wrote: > > On Thu, 2013-02-14 at 10:23 -0500, Vivek Goyal wrote: > > > On Thu, Feb 14, 2013 at 07:57:16AM -0500, Mimi Zohar wrote: > > > > > > [..] > > > > > Ok, I will cleanup the code to

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-14 Thread Mimi Zohar
On Thu, 2013-02-14 at 09:40 -0500, Vivek Goyal wrote: > On Wed, Feb 13, 2013 at 04:45:23PM -0500, Mimi Zohar wrote: > [..] > > > If it would happen that it contains signature, then IMA_DIGSIG flag > > > would be set, > > > and process could get needed capability as Vivek wants. > > > > With the

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-14 Thread Mimi Zohar
On Thu, 2013-02-14 at 10:03 -0500, Vivek Goyal wrote: > On Wed, Feb 13, 2013 at 05:27:01PM -0500, Mimi Zohar wrote: > > [..] > > > Yep, I got that. Default policy gets overruled when a new policy is > > > loaded. > > > > > > In secureboot mode, somehow above rule needs to take effect by default.

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-14 Thread Vivek Goyal
On Thu, Feb 14, 2013 at 11:17:19AM -0500, Vivek Goyal wrote: > On Thu, Feb 14, 2013 at 10:35:59AM -0500, Mimi Zohar wrote: > > On Thu, 2013-02-14 at 10:23 -0500, Vivek Goyal wrote: > > > On Thu, Feb 14, 2013 at 07:57:16AM -0500, Mimi Zohar wrote: > > > > > > [..] > > > > > Ok, I will cleanup the

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-14 Thread Vivek Goyal
On Thu, Feb 14, 2013 at 10:35:59AM -0500, Mimi Zohar wrote: > On Thu, 2013-02-14 at 10:23 -0500, Vivek Goyal wrote: > > On Thu, Feb 14, 2013 at 07:57:16AM -0500, Mimi Zohar wrote: > > > > [..] > > > > Ok, I will cleanup the code to do above. Just wanted to clear up one > > > > point. > > > > >

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-14 Thread Mimi Zohar
On Thu, 2013-02-14 at 10:23 -0500, Vivek Goyal wrote: > On Thu, Feb 14, 2013 at 07:57:16AM -0500, Mimi Zohar wrote: > > [..] > > > Ok, I will cleanup the code to do above. Just wanted to clear up one > > > point. > > > > > > Above option will not have any effect on evm behavior? This only

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-14 Thread Vivek Goyal
On Thu, Feb 14, 2013 at 07:57:16AM -0500, Mimi Zohar wrote: [..] > > Ok, I will cleanup the code to do above. Just wanted to clear up one > > point. > > > > Above option will not have any effect on evm behavior? This only impacts > > IMA appraisal behavior. For example, if security.ima is not

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-14 Thread Vivek Goyal
On Wed, Feb 13, 2013 at 05:27:01PM -0500, Mimi Zohar wrote: [..] > > Yep, I got that. Default policy gets overruled when a new policy is > > loaded. > > > > In secureboot mode, somehow above rule needs to take effect by default. > > One option would be that kernel can enforce above rule. > > (I

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-14 Thread Vivek Goyal
On Wed, Feb 13, 2013 at 04:45:23PM -0500, Mimi Zohar wrote: [..] > Option 3: appraise_type:= [imasig] | [imahash] | [optional] > > Dmitry is recommending this syntax, as IMA_DIGSIG will be set in the > iint flags. I like option 3. If there is a use case down the line where definition of

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-14 Thread Mimi Zohar
On Wed, 2013-02-13 at 11:59 -0500, Vivek Goyal wrote: > On Wed, Feb 13, 2013 at 08:44:04AM -0500, Mimi Zohar wrote: > > [..] > > > I see it is more logical if it is "appraise_type=optional", > > > which means that we might have no xattr value, hash or signature. > > > If it happens to be a

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-13 Thread Mimi Zohar
On Wed, 2013-02-13 at 10:30 -0500, Vivek Goyal wrote: > On Wed, Feb 13, 2013 at 05:26:27PM +0200, Kasatkin, Dmitry wrote: > > On Wed, Feb 13, 2013 at 4:38 PM, Vivek Goyal wrote: > > > On Wed, Feb 13, 2013 at 03:36:45PM +0200, Kasatkin, Dmitry wrote: > > >> It should not be the only line in the

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-13 Thread Mimi Zohar
On Wed, 2013-02-13 at 19:33 +0200, Kasatkin, Dmitry wrote: > On Wed, Feb 13, 2013 at 3:44 PM, Mimi Zohar wrote: > > On Wed, 2013-02-13 at 15:13 +0200, Kasatkin, Dmitry wrote: > >> On Wed, Feb 13, 2013 at 2:56 PM, Mimi Zohar > >> wrote: > >> > On Wed, 2013-02-13 at 14:31 +0200, Kasatkin, Dmitry

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-13 Thread Kasatkin, Dmitry
On Wed, Feb 13, 2013 at 7:51 PM, Vivek Goyal wrote: > On Wed, Feb 13, 2013 at 07:33:13PM +0200, Kasatkin, Dmitry wrote: >> On Wed, Feb 13, 2013 at 3:44 PM, Mimi Zohar wrote: >> > On Wed, 2013-02-13 at 15:13 +0200, Kasatkin, Dmitry wrote: >> >> On Wed, Feb 13, 2013 at 2:56 PM, Mimi Zohar >> >>

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-13 Thread Vivek Goyal
On Wed, Feb 13, 2013 at 07:33:13PM +0200, Kasatkin, Dmitry wrote: > On Wed, Feb 13, 2013 at 3:44 PM, Mimi Zohar wrote: > > On Wed, 2013-02-13 at 15:13 +0200, Kasatkin, Dmitry wrote: > >> On Wed, Feb 13, 2013 at 2:56 PM, Mimi Zohar > >> wrote: > >> > On Wed, 2013-02-13 at 14:31 +0200, Kasatkin,

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-13 Thread Kasatkin, Dmitry
On Wed, Feb 13, 2013 at 3:44 PM, Mimi Zohar wrote: > On Wed, 2013-02-13 at 15:13 +0200, Kasatkin, Dmitry wrote: >> On Wed, Feb 13, 2013 at 2:56 PM, Mimi Zohar wrote: >> > On Wed, 2013-02-13 at 14:31 +0200, Kasatkin, Dmitry wrote: >> >> On Mon, Feb 11, 2013 at 10:11 PM, Vivek Goyal wrote: >> >

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-13 Thread Vivek Goyal
On Wed, Feb 13, 2013 at 05:26:27PM +0200, Kasatkin, Dmitry wrote: > On Wed, Feb 13, 2013 at 4:38 PM, Vivek Goyal wrote: > > On Wed, Feb 13, 2013 at 03:36:45PM +0200, Kasatkin, Dmitry wrote: > >> It should not be the only line in the policy. > >> Can you share full policy? > > > > I verified by

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-13 Thread Vivek Goyal
On Wed, Feb 13, 2013 at 08:44:04AM -0500, Mimi Zohar wrote: [..] > > I see it is more logical if it is "appraise_type=optional", > > which means that we might have no xattr value, hash or signature. > > If it happens to be a signature, then IMA_DIGSIG flag will be set. > > Right,

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-13 Thread Mimi Zohar
On Wed, 2013-02-13 at 09:38 -0500, Vivek Goyal wrote: > On Wed, Feb 13, 2013 at 03:36:45PM +0200, Kasatkin, Dmitry wrote: > > It should not be the only line in the policy. > > Can you share full policy? > > I verified by putting some printk. If anyone is interested in posting a patch to display

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-13 Thread Vivek Goyal
On Wed, Feb 13, 2013 at 05:29:43PM +0200, Kasatkin, Dmitry wrote: > On Wed, Feb 13, 2013 at 5:26 PM, Kasatkin, Dmitry > wrote: > > On Wed, Feb 13, 2013 at 4:38 PM, Vivek Goyal wrote: > >> On Wed, Feb 13, 2013 at 03:36:45PM +0200, Kasatkin, Dmitry wrote: > >>> It should not be the only line in

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-13 Thread Kasatkin, Dmitry
On Wed, Feb 13, 2013 at 5:26 PM, Kasatkin, Dmitry wrote: > On Wed, Feb 13, 2013 at 4:38 PM, Vivek Goyal wrote: >> On Wed, Feb 13, 2013 at 03:36:45PM +0200, Kasatkin, Dmitry wrote: >>> It should not be the only line in the policy. >>> Can you share full policy? >> >> I verified by putting some

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-13 Thread Kasatkin, Dmitry
On Wed, Feb 13, 2013 at 4:38 PM, Vivek Goyal wrote: > On Wed, Feb 13, 2013 at 03:36:45PM +0200, Kasatkin, Dmitry wrote: >> It should not be the only line in the policy. >> Can you share full policy? > > I verified by putting some printk. There is only single rule in > ima_policy_rules list after

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-13 Thread Vivek Goyal
On Wed, Feb 13, 2013 at 03:36:45PM +0200, Kasatkin, Dmitry wrote: > It should not be the only line in the policy. > Can you share full policy? I verified by putting some printk. There is only single rule in ima_policy_rules list after I have updated the rules through "policy" file. echo

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-13 Thread Mimi Zohar
On Wed, 2013-02-13 at 15:36 +0200, Kasatkin, Dmitry wrote: > It should not be the only line in the policy. > Can you share full policy? > On Wed, Feb 13, 2013 at 3:29 PM, Vivek Goyal wrote: > > > > appraise fowner=0 func=BPRM_CHECK appraise_type=imasig_optional Different use cases require

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-13 Thread Vivek Goyal
On Wed, Feb 13, 2013 at 03:36:45PM +0200, Kasatkin, Dmitry wrote: > It should not be the only line in the policy. So a single rule is not allowed or kernel has imposed more rules internally. > Can you share full policy? How do I get to full policy. Is there an interface I can read it from?

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-13 Thread Mimi Zohar
On Wed, 2013-02-13 at 15:13 +0200, Kasatkin, Dmitry wrote: > On Wed, Feb 13, 2013 at 2:56 PM, Mimi Zohar wrote: > > On Wed, 2013-02-13 at 14:31 +0200, Kasatkin, Dmitry wrote: > >> On Mon, Feb 11, 2013 at 10:11 PM, Vivek Goyal wrote: > > > >> > @@ -158,7 +165,8 @@ int ima_appraise_measurement(int

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-13 Thread Kasatkin, Dmitry
It should not be the only line in the policy. Can you share full policy? Thanks, Dmitry On Wed, Feb 13, 2013 at 3:29 PM, Vivek Goyal wrote: > On Wed, Feb 13, 2013 at 02:14:55PM +0200, Kasatkin, Dmitry wrote: >> Hello Vivek, >> >> Can you please send to us how your IMA policy looks like. > > Hi

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-13 Thread Vivek Goyal
On Wed, Feb 13, 2013 at 02:14:55PM +0200, Kasatkin, Dmitry wrote: > Hello Vivek, > > Can you please send to us how your IMA policy looks like. Hi Dmitry, For testing purposes, I am using following. appraise fowner=0 func=BPRM_CHECK appraise_type=imasig_optional I set this using

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-13 Thread Kasatkin, Dmitry
On Wed, Feb 13, 2013 at 2:56 PM, Mimi Zohar wrote: > On Wed, 2013-02-13 at 14:31 +0200, Kasatkin, Dmitry wrote: >> On Mon, Feb 11, 2013 at 10:11 PM, Vivek Goyal wrote: > >> > @@ -158,7 +165,8 @@ int ima_appraise_measurement(int func, struct >> > integrity_iint_cache *iint, >> > } >> >

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-13 Thread Mimi Zohar
On Wed, 2013-02-13 at 14:31 +0200, Kasatkin, Dmitry wrote: > On Mon, Feb 11, 2013 at 10:11 PM, Vivek Goyal wrote: > > @@ -158,7 +165,8 @@ int ima_appraise_measurement(int func, struct > > integrity_iint_cache *iint, > > } > > switch (xattr_value->type) { > > case

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-13 Thread Kasatkin, Dmitry
On Mon, Feb 11, 2013 at 10:11 PM, Vivek Goyal wrote: > appraise_type=imasig_optional will allow appraisal to pass even if no > signatures are present on the file. If signatures are present, then it > has to be valid digital signature, otherwise appraisal will fail. > > This can allow to

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-13 Thread Kasatkin, Dmitry
Hello Vivek, Can you please send to us how your IMA policy looks like. Thanks, Dmitry On Tue, Feb 12, 2013 at 8:57 PM, Vivek Goyal wrote: > On Tue, Feb 12, 2013 at 01:52:03PM -0500, Vivek Goyal wrote: >> On Tue, Feb 12, 2013 at 12:14:07PM -0500, Mimi Zohar wrote: >> >> [..] >> > > > > ---

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-12 Thread Mimi Zohar
On Tue, 2013-02-12 at 13:52 -0500, Vivek Goyal wrote: > On Tue, Feb 12, 2013 at 12:14:07PM -0500, Mimi Zohar wrote: > > [..] > > > > > --- a/security/integrity/ima/ima_appraise.c > > > > > +++ b/security/integrity/ima/ima_appraise.c > > > > > @@ -124,19 +124,26 @@ int ima_appraise_measurement(int

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-12 Thread Vivek Goyal
On Tue, Feb 12, 2013 at 01:52:03PM -0500, Vivek Goyal wrote: > On Tue, Feb 12, 2013 at 12:14:07PM -0500, Mimi Zohar wrote: > > [..] > > > > > --- a/security/integrity/ima/ima_appraise.c > > > > > +++ b/security/integrity/ima/ima_appraise.c > > > > > @@ -124,19 +124,26 @@ int

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-12 Thread Vivek Goyal
On Tue, Feb 12, 2013 at 12:14:07PM -0500, Mimi Zohar wrote: [..] > > > > --- a/security/integrity/ima/ima_appraise.c > > > > +++ b/security/integrity/ima/ima_appraise.c > > > > @@ -124,19 +124,26 @@ int ima_appraise_measurement(int func, struct > > > > integrity_iint_cache *iint, > > > >

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-12 Thread Mimi Zohar
On Tue, 2013-02-12 at 09:26 -0500, Vivek Goyal wrote: > On Mon, Feb 11, 2013 at 05:10:14PM -0500, Mimi Zohar wrote: > > On Mon, 2013-02-11 at 15:11 -0500, Vivek Goyal wrote: > > > appraise_type=imasig_optional will allow appraisal to pass even if no > > > signatures are present on the file. If

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-12 Thread Vivek Goyal
On Mon, Feb 11, 2013 at 05:10:14PM -0500, Mimi Zohar wrote: > On Mon, 2013-02-11 at 15:11 -0500, Vivek Goyal wrote: > > appraise_type=imasig_optional will allow appraisal to pass even if no > > signatures are present on the file. If signatures are present, then it > > has to be valid digital

Re: [PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-11 Thread Mimi Zohar
On Mon, 2013-02-11 at 15:11 -0500, Vivek Goyal wrote: > appraise_type=imasig_optional will allow appraisal to pass even if no > signatures are present on the file. If signatures are present, then it > has to be valid digital signature, otherwise appraisal will fail. > > This can allow to

[PATCH 2/2] ima: Support appraise_type=imasig_optional

2013-02-11 Thread Vivek Goyal
appraise_type=imasig_optional will allow appraisal to pass even if no signatures are present on the file. If signatures are present, then it has to be valid digital signature, otherwise appraisal will fail. This can allow to selectively sign executables in the system and based on appraisal
