On Thu, Oct 27, 2022 at 05:07:29PM +0200, David Sastre wrote:
> Hello and apologies for resurrecting an old thread.

And now I am posting to it again, so likewise apologies.

> I was looking for information regarding IMA in F37 and found it was asked
> but I could not see any replies.
> My question is exactly the same as the OP, I do not see security.ima
> attributes on files after upgrading to F37.
> (https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents)
>
> ```
> $ getfattr --absolute-names -d -m - /usr/bin/cp
> # file: /usr/bin/cp
> security.selinux="system_u:object_r:bin_t:s0"
> ```
>
> This output is after reinstalling coreutils. I have rpm-plugin-ima
> installed.

There turned out to be a weird issue with the rpm on our sign vault server
and it wasn't signing things correctly. This was fixed a while back (before
the most recent mass rebuild), and f38/f39/eln rpms should all be signed
right now. The change was re-targeted at f38 I think.

> Also, where could one find the publiccert.der certificate to perform manual
> validation?
> It is not published at https://getfedora.org/security/

I've just added f38/f39 ones to fedora-repos:
https://src.fedoraproject.org/rpms/fedora-repos/c/93b2c8add81f2d6f83874ce53b080adbc4fe6826?branch=rawhide

I meant it to be a commit to my fork for a PR, but somehow my fork got
messed up and I ended up pushing it in directly. ;(

I would appreciate feedback from anyone who knows IMA more than I... are
the certs the ones you need? Is the place I put them in fedora-repos
ok/obvious? Lots of IMA docs use /etc/keys but I figured /etc/pki/rpm-ima
made a lot more sense than a generic sounding dir like /etc/keys.

Hope that helps.

kevin
--
> I do not have any custom policy defined for IMA, but that should not matter:
>
> ```
> $ sudo cat /sys/kernel/security/ima/policy
> measure func=KEXEC_KERNEL_CHECK
> measure func=MODULE_CHECK
> ```
>
> Thanks.
>
>
> On Tue, Sep 13, 2022 at 9:28 PM Frank Ch. Eigler <fche@xxxxxxxxxx> wrote:
> >
> > > bcotton wrote:
> > > [...]
> > > ## Beta Release Highlights
> > > [...]
> > > # RPM content is now signed with IMA signatures
> >
> > How can one observe this? Even with rpm-plugin-ima installed, steps in:
> >
> > https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents#How_To_Test
> >
> > produce no output for any of the files I tried in a f37-beta install.
> > The appropriate "publiccert.der" file does not seem to be available
> > either.
> >
> > - FChE
> > _______________________________________________
> > devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > Fedora Code of Conduct:
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> > https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
> > Do not reply to spam, report it:
> > https://pagure.io/fedora-infrastructure/new_issue
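For readers checking whether the thread's getfattr output would have shown a signature once the signing fix landed, here is an added example (not code from this thread, from Fedora or from ima-evm-utils) that decodes a security.ima xattr value in the kernel's signature_v2_hdr and digest-ng layouts and reports the key id a verifier would need to match against the publiccert.der key. The sample value, its key id and its signature bytes are constructed placeholders, not a real Fedora signature.

```python
import base64
import struct

# Type byte and hash-algorithm numbering as used by the Linux kernel
# (security/integrity/integrity.h and include/uapi/linux/hash_info.h).
XATTR_TYPES = {0x01: "IMA_XATTR_DIGEST", 0x03: "EVM_IMA_XATTR_DIGSIG", 0x04: "IMA_XATTR_DIGEST_NG"}
HASH_ALGOS = {1: "md5", 2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}
DIGEST_LEN = {"md5": 16, "sha1": 20, "sha256": 32, "sha384": 48, "sha512": 64, "sha224": 28}


def decode_getfattr_value(text: str) -> bytes:
    """Turn a value as printed by getfattr (0s = base64, 0x = hex) back into raw bytes."""
    if text.startswith("0s"):
        return base64.b64decode(text[2:])
    if text.startswith("0x"):
        return bytes.fromhex(text[2:])
    return text.strip('"').encode()  # plain text value, e.g. a security.selinux label


def parse_security_ima(raw: bytes) -> dict:
    """Decode a security.ima value into its header fields; raises ValueError if malformed."""
    if not raw:
        raise ValueError("empty security.ima value")
    xtype = XATTR_TYPES.get(raw[0])
    if xtype == "EVM_IMA_XATTR_DIGSIG":
        # struct signature_v2_hdr: u8 type, u8 version, u8 hash_algo, __be32 keyid, __be16 sig_size, sig[]
        if len(raw) < 9:
            raise ValueError("truncated signature_v2_hdr")
        version, algo, keyid, sig_size = struct.unpack(">BBIH", raw[1:9])
        sig = raw[9:]
        if version != 2 or len(sig) != sig_size:
            raise ValueError(f"bad signature header (version={version}, sig_size={sig_size}, have={len(sig)})")
        # keyid is what the kernel uses to pick the matching key on the .ima keyring.
        return {"type": xtype, "version": version, "hash_algo": HASH_ALGOS.get(algo, f"unknown({algo})"),
                "keyid": f"0x{keyid:08x}", "sig_size": sig_size}
    if xtype == "IMA_XATTR_DIGEST_NG":  # hash-only entry: type, hash_algo, digest
        algo = HASH_ALGOS.get(raw[1], f"unknown({raw[1]})")
        digest = raw[2:]
        if DIGEST_LEN.get(algo) != len(digest):
            raise ValueError(f"digest length {len(digest)} does not match {algo}")
        return {"type": xtype, "hash_algo": algo, "digest": digest.hex()}
    if xtype == "IMA_XATTR_DIGEST":  # legacy hash-only entry; the kernel infers the algorithm from its length
        algo = {16: "md5", 20: "sha1"}.get(len(raw) - 1, "unknown")
        return {"type": xtype, "hash_algo": algo, "digest": raw[1:].hex()}
    raise ValueError(f"unknown security.ima type byte 0x{raw[0]:02x}")


# Constructed sample (placeholder, not a real signature): sha256 v2 header, keyid 0x0a1b2c3d,
# 256 zero bytes standing in for an RSA-2048 signature, then encoded the way getfattr prints it.
SAMPLE_SIG = bytes([0x03, 0x02, 0x04]) + (0x0A1B2C3D).to_bytes(4, "big") + (256).to_bytes(2, "big") + bytes(256)
SAMPLE_GETFATTR = "0s" + base64.b64encode(SAMPLE_SIG).decode()

if __name__ == "__main__":
    print(parse_security_ima(decode_getfattr_value(SAMPLE_GETFATTR)))
```

On a real system the value would come from `getfattr -n security.ima -e base64 <file>`; a file that prints only security.selinux, as in the thread, has no IMA entry to decode at all.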