On Fri, 2012-02-10 at 19:14 +0100, Lennart Poettering wrote: > On Fri, 10.02.12 16:31, Roberto Sassu (roberto.sassu@xxxxxxxxx) wrote: > > > > > Hi Mimi > > > > i'm CCing the systemd and Fedora SELinux mailing lists. > > > > Unfortunately, the SELinux policy initialization (at least > > in Fedora 16) has been moved to systemd, so, now, loading an > > IMA policy cannot be done in the initial ramdisk. > > > > Further, the SELinux policy loading code is not in a unit file > > but embedded in the main binary, which means that the new code for > > loading IMA policies must be added just after that point. > > > > I already wrote a patch for this. I need some time to test it > > and will post in the systemd mailing list at the beginning of > > the next week. Thanks Roberto! > Hmm, what is this about? You need a place to load additional security > policies into the kernel at early boot? For SELinux that indeed takes > place from within PID 1 now in systemd. I'd expect that other security > technologies like AppArmor should work the same. The IMA measurement/appraisal policy, which is described in Documentation/ABI/testing/ima_policy, can be based on a number of criteria. One of these criteria are LSM subj/obj labels. The IMA measurement/appraisal policy should be loaded as early as possible, but only after the LSM policy has been loaded. Mimi > If you want to hack on this basing your work on selinux-setup.c in the > systemd tree should be fairly easy. > > Lennart -- To unsubscribe from this list: send the line "unsubscribe initramfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
