On 02/20/2012 08:18 PM, Lennart Poettering wrote:
On Mon, 20.02.12 20:06, Roberto Sassu (roberto.sa...@polito.it) wrote:
We moved SELinux loading out of the initrd into systemd, in order to
support fully featured initrd-less boots. I don't think we should reopen
this problem set by having IMA
On Mon, 2012-02-20 at 20:18 +0100, Lennart Poettering wrote:
On Mon, 20.02.12 20:06, Roberto Sassu (roberto.sa...@polito.it) wrote:
We moved SELinux loading out of the initrd into systemd, in order to
support fully featured initrd-less boots. I don't think we should reopen
this problem
On Tue, 2012-02-21 at 11:05 +0100, Roberto Sassu wrote:
Ok. this should be not a problem because all errors (IMA support not
included in the kernel, policy file access denied, ...) are ignored
except for the mmap() failure.
Hi Roberto, IMA should never return an error, only IMA-appraisal
On 02/21/2012 02:01 PM, Mimi Zohar wrote:
On Tue, 2012-02-21 at 11:05 +0100, Roberto Sassu wrote:
Ok. this should be not a problem because all errors (IMA support not
included in the kernel, policy file access denied, ...) are ignored
except for the mmap() failure.
Hi Roberto, IMA should
On Tue, Feb 21, 2012 at 15:07, Colin Guthrie gm...@colin.guthr.ie wrote:
The code for loading IMA custom policies was placed in the initial
ramdisk with the purpose to avoid distribution specific dependencies.
However, since the SELinux initialization has been moved to Systemd
and Systemd
On Tue, 2012-02-21 at 15:32 +0100, Kay Sievers wrote:
On Tue, Feb 21, 2012 at 15:07, Colin Guthrie gm...@colin.guthr.ie wrote:
The code for loading IMA custom policies was placed in the initial
ramdisk with the purpose to avoid distribution specific dependencies.
In a trusted-grub, or
On Tue, 2012-02-21 at 14:58 +0100, Roberto Sassu wrote:
Hi Mimi
do you intend a patch to reintroduce the 'ima=' kernel parameter for
enabling/disabling IMA? If so, I have not actually thought about this
but it should be not difficult to implement. Probably we can support
these modes:
I'm
On 02/21/2012 05:15 PM, Mimi Zohar wrote:
On Tue, 2012-02-21 at 14:58 +0100, Roberto Sassu wrote:
Hi Mimi
do you intend a patch to reintroduce the 'ima=' kernel parameter for
enabling/disabling IMA? If so, I have not actually thought about this
but it should be not difficult to implement.
On Tue, Feb 21, 2012 at 18:32, Roberto Sassu roberto.sa...@polito.it wrote:
I meant we can create a new package called for example 'ima-utils'
that can be used by Systemd to determine, at compile time, whether
the IMA support for loading custom policies should be enabled or not.
That's not
Hi Roberto,
The only package we have at the moment is Dmitry Kasatkin's evm-utils
git://linux-ima.git.sourceforge.net/gitroot/linux-ima/evm-utils used for
labeling the filesystem with security.evm/security.ima digital
signatures.
There's still a lot left to do, but we've started updating the
On 02/21/2012 06:56 PM, Kay Sievers wrote:
On Tue, Feb 21, 2012 at 18:32, Roberto Sassu roberto.sa...@polito.it wrote:
I meant we can create a new package called for example 'ima-utils'
that can be used by Systemd to determine, at compile time, whether
the IMA support for loading custom
On 02/21/2012 05:14 PM, Mimi Zohar wrote:
On Tue, 2012-02-21 at 15:32 +0100, Kay Sievers wrote:
On Tue, Feb 21, 2012 at 15:07, Colin Guthrie gm...@colin.guthr.ie wrote:
The code for loading IMA custom policies was placed in the initial
ramdisk with the purpose to avoid distribution specific
On Tue, Feb 21, 2012 at 19:07, Roberto Sassu roberto.sa...@polito.it wrote:
On 02/21/2012 06:56 PM, Kay Sievers wrote:
ok, that was because Systemd also checks for the presence of libselinux
in order to enable the SELinux support.
Yeah, systemd provides a shared lib which we need to link
On Thu, 16.02.12 15:56, Michael Cassaniti (m.cassan...@gmail.com) wrote:
Also, I certainly have no such things in my system and see no point in
calling ima_setup() on it. Or even compiling the source file in such
case.
Ok. I can enclose the code in ima-setup.c within an 'ifdef HAVE_IMA'
On Thu, 16.02.12 12:30, Gustavo Sverzut Barbieri (barbi...@profusion.mobi)
wrote:
Since the policy loading can be implemented in different ways depending
on the init system (systemd, upstart, ...), a user must identify the
components to be measured for each case. Instead, if the IMA
On Thu, 16.02.12 19:50, Gustavo Sverzut Barbieri (barbi...@profusion.mobi)
wrote:
Then I wonder: why not make an ima-init binary that:
- does ima_setup()
- exec systemd || upstart || ...
this way you only have to audit this very small file and not systemd
itself, it's very early
On Thu, 16.02.12 15:40, Tomasz Torcz (to...@pipebreaker.pl) wrote:
On Thu, Feb 16, 2012 at 12:30:31PM -0200, Gustavo Sverzut Barbieri wrote:
On Thu, Feb 16, 2012 at 11:38 AM, Roberto Sassu roberto.sa...@polito.it
wrote:
the reason for which the loading of IMA policies has been placed
On 02/20/2012 06:24 PM, Lennart Poettering wrote:
On Thu, 16.02.12 19:50, Gustavo Sverzut Barbieri (barbi...@profusion.mobi)
wrote:
Then I wonder: why not make an ima-init binary that:
- does ima_setup()
- exec systemd || upstart || ...
this way you only have to audit this very small
On Mon, 20.02.12 20:06, Roberto Sassu (roberto.sa...@polito.it) wrote:
We moved SELinux loading out of the initrd into systemd, in order to
support fully featured initrd-less boots. I don't think we should reopen
this problem set by having IMA in the initrd. I believe IMA should be
treated
On 16/02/2012 04:12, Roberto Sassu wrote:
On 02/15/2012 05:55 PM, Gustavo Sverzut Barbieri wrote:
On Wed, Feb 15, 2012 at 2:26 PM, Roberto Sassu roberto.sa...@polito.it wrote:
On 02/15/2012 03:30 PM, Gustavo Sverzut Barbieri wrote:
On Wed, Feb 15, 2012 at 11:23 AM, Roberto
On 02/16/2012 05:56 AM, Michael Cassaniti wrote:
On 16/02/2012 04:12, Roberto Sassu wrote:
On 02/15/2012 05:55 PM, Gustavo Sverzut Barbieri wrote:
On Wed, Feb 15, 2012 at 2:26 PM, Roberto
Sassu roberto.sa...@polito.it wrote:
On 02/15/2012 03:30 PM, Gustavo Sverzut Barbieri wrote:
On Wed, Feb
On Thu, 2012-02-16 at 15:56 +1100, Michael Cassaniti wrote:
On 16/02/2012 04:12, Roberto Sassu wrote:
On 02/15/2012 05:55 PM, Gustavo Sverzut Barbieri wrote:
On Wed, Feb 15, 2012 at 2:26 PM, Roberto Sassu roberto.sa...@polito.it
wrote:
On 02/15/2012 03:30 PM, Gustavo Sverzut Barbieri
On Thu, Feb 16, 2012 at 11:38 AM, Roberto Sassu roberto.sa...@polito.it wrote:
On 02/16/2012 05:56 AM, Michael Cassaniti wrote:
On 16/02/2012 04:12, Roberto Sassu wrote:
On 02/15/2012 05:55 PM, Gustavo Sverzut Barbieri wrote:
On Wed, Feb 15, 2012 at 2:26 PM, Roberto
On 02/16/2012 03:30 PM, Gustavo Sverzut Barbieri wrote:
On Thu, Feb 16, 2012 at 11:38 AM, Roberto Sassu roberto.sa...@polito.it wrote:
On 02/16/2012 05:56 AM, Michael Cassaniti wrote:
On 16/02/2012 04:12, Roberto Sassu wrote:
On 02/15/2012 05:55 PM, Gustavo Sverzut Barbieri wrote:
On Wed,
On Thu, Feb 16, 2012 at 12:30:31PM -0200, Gustavo Sverzut Barbieri wrote:
On Thu, Feb 16, 2012 at 11:38 AM, Roberto Sassu roberto.sa...@polito.it
wrote:
the reason for which the loading of IMA policies has been placed in
the main Systemd executable is that the measurement process performed
On Thu, Feb 16, 2012 at 12:35 PM, Roberto Sassu roberto.sa...@polito.it wrote:
On 02/16/2012 03:30 PM, Gustavo Sverzut Barbieri wrote:
On Thu, Feb 16, 2012 at 11:38 AM, Roberto Sassu roberto.sa...@polito.it
wrote:
On 02/16/2012 05:56 AM, Michael Cassaniti wrote:
On 16/02/2012 04:12,
26 matches