On Sun, Jan 28, 2018 at 06:04:52PM -0500, Mimi Zohar wrote:
>
> Sigh, there seems to be some confusion. Initially, when the Integrity
> Measurement Architecture (IMA) was first upstreamed, it only extended
> the trusted boot concept of measuring files before use up to the OS,
> but that was a long time ago. Since then, IMA-appraisal was
> upstreamed, which extends the secure boot concept of verifying
> signatures up to the running OS.

Part of the problem is the documentation doesn't make any of this at all clear. Indeed, I'll note that Documentation/ABI/testing/ima_policy still talks about using file system magic numbers to determine whether or not files should be measured, and I've been given to understand you're using a per-filesystem flag now.

The documentation seems to strongly imply that in order to be secure, you can't use IMA by itself, you have to use EVM as well. Exactly which components can be used independently is not clear, and apparently I made the wrong guesses when trying to read through the Linux-IMA wiki pages as well as the Gentoo pages on IMA and EVM.

Maybe it's just the documentation is badly written, but it leaves the impression of *extreme* complexity.

I did try to play with it, but ima-evm-utils aren't packaged for Debian, and when I tried building from source, they apparently don't even build on Debian Testing. (Sorry, I don't use RHEL for my development systems.) And I'll note the Gentoo pages warn, "don't use on production systems". All of which do not make for a good first look for IMA.

> Enabling IMA doesn't automatically require SELinux or any other LSM
> labels. The rule granularity is up to you.

Yes, but if I only want to have a dozen or so files to be data integrity protected, it appears that it's not simple to do, *without* using SELinux. And anytime SELinux and "simple" go in the same sentence, I weep a little. Every few years I try configuring SELinux on a Debian development laptop. And I conclude that I'm too stupid to configure SELinux.

- Ted