Re: IMA testing, Re: Fedora Linux 37 Beta Released

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Oct 27, 2022 at 05:07:29PM +0200, David Sastre wrote:
> Hello and apologies for resurrecting an old thread.

And now I am posting to it again, so likewise appologies. 

> I was looking for information regarding IMA in F37 and found it was asked
> but I could not see any replies.
> My question is exactly the same as the OP, I do not see security.ima
> attributes on files after upgrading to F37.
> (https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents)
> 
> ```
> $ getfattr --absolute-names -d -m - /usr/bin/cp
> # file: /usr/bin/cp
> security.selinux="system_u:object_r:bin_t:s0"
> ```
> 
> This output is after reinstalling coreutils. I have rpm-plugin-ima
> installed.

There turned out to be a weird issue with the rpm on our sign vault
server and it wasn't signing things correctly. This was fixed a while
back (before the most recent mass rebuild), and f38/f39/eln rpms should
all be signed right now. 

The change was re-targeted at f38 I think.

> Also, where could one find the publiccert.der certificate to perform manual
> validation?
> It is not published at https://getfedora.org/security/

I've just added f38/f39 ones to fedora-repos:

https://src.fedoraproject.org/rpms/fedora-repos/c/93b2c8add81f2d6f83874ce53b080adbc4fe6826?branch=rawhide

I meant it to be a commit to my fork for a PR, but somehow my fork got
messed up and I ended up pushing it in directly. ;( 

I would appreciate feedback from anyone who knows IMA more than I... 
are the certs the ones you need? Is the place I put them in fedora-repos
ok/obvious? Lots of IMA docs use /etc/keys but I figured
/etc/pki/rpm-ima made a lot more sense than a generic sounding dir like
/etc/keys.

Hope that helps.

kevin
--
> I do not have any custom policy defined for IMA, but that should not matter:
> 
> ```
> $ sudo cat /sys/kernel/security/ima/policy
> measure func=KEXEC_KERNEL_CHECK
> measure func=MODULE_CHECK
> ```
> 
> Thanks.
> 
> 
> On Tue, Sep 13, 2022 at 9:28 PM Frank Ch. Eigler <fche@xxxxxxxxxx> wrote:
> 
> >
> > bcotton wrote:
> >
> > > [...]
> > > ## Beta Release Highlights
> > > [...]
> > > # RPM content is now signed with IMA signatures
> >
> > How can one observe this?  Even with rpm-plugin-ima installed, steps in:
> >
> > https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents#How_To_Test
> >
> > produce no output for any of the files I tried in a f37-beta install.
> > The appropriate "publiccert.der" file does not seem to be available
> > either.
> >
> > - FChE
> > _______________________________________________
> > devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > Fedora Code of Conduct:
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> > https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
> > Do not reply to spam, report it:
> > https://pagure.io/fedora-infrastructure/new_issue
> >

> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

Attachment: signature.asc
Description: PGP signature

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux