On Thu, 16.02.12 12:30, Gustavo Sverzut Barbieri (barbieri@xxxxxxxxxxxxxx) wrote:

> > Since the policy loading can be implemented in different ways depending
> > on the init system (systemd, upstart, ...), a user must identify the
> > components to be measured for each case. Instead, if the IMA policy is
> > loaded in the main Systemd executable, only this file must be measured
> > by the boot loader.
>
> Then I wonder: why not make an ima-init binary that:
> - does ima_setup()
> - exec systemd || upstart || ...
>
> this way you only have to audit this very small file and not systemd
> itself, it's very early and so on.

We worked really hard on being able to load the SELinux policy without
any unnecessary (re-)execs. I don't think we should reopen that problem
by loading IMA from a pre-init tool.

Also, the management of such a thing would seriously suck (i.e. you'd
probably need something like update-alternatives, and that sucks),
especially since we now already taught the initrd to spawn
/usr/lib/systemd/systemd directly, instead of /sbin/init.

Lennart

--
Lennart Poettering - Red Hat, Inc.
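For readers who want to see what the proposed "ima-init" wrapper and systemd's in-process alternative both have to do, here is an added example (not code from this thread, from systemd or from any project): a minimal pre-init that performs the ima_setup() step and then execs the first real init it finds. The policy file location and the init candidate list are assumptions; the securityfs path is the kernel's IMA policy interface. It writes one rule per write(2), because the kernel parses a single rule per write call, so dumping the whole file in one write would not load every rule.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed policy location; the interface path is the kernel's securityfs file. */
#define IMA_POLICY_FILE  "/etc/ima/ima-policy"
#define IMA_POLICY_IFACE "/sys/kernel/security/ima/policy"

/* Load IMA rules from `src` into `dst`, one write(2) per rule.
 * Blank lines and '#' comments are skipped in userspace.
 * Returns the number of rules written, or -errno on failure. */
int ima_load_policy(const char *src, const char *dst)
{
    FILE *in = fopen(src, "re");
    if (!in)
        return -errno;
    int out = open(dst, O_WRONLY | O_CLOEXEC);
    if (out < 0) {
        int e = errno;
        fclose(in);
        return -e;
    }
    char line[1024];
    int loaded = 0, rc = 0;
    while (fgets(line, sizeof line, in)) {
        size_t len = strcspn(line, "\n");
        line[len] = '\0';
        if (len == 0 || line[0] == '#')
            continue;
        line[len] = '\n';                 /* re-add the terminator, write exactly one rule */
        if (write(out, line, len + 1) != (ssize_t)(len + 1)) {
            rc = errno ? -errno : -EIO;
            break;
        }
        loaded++;
    }
    fclose(in);
    close(out);
    return rc < 0 ? rc : loaded;
}

/* The "exec systemd || upstart || ..." fallback chain from the thread:
 * index of the first executable candidate, or -1 if none exists. */
int pick_init(const char *const *candidates, size_t count)
{
    for (size_t i = 0; i < count; i++)
        if (access(candidates[i], X_OK) == 0)
            return (int)i;
    return -1;
}

/* Self-check: push a constructed two-rule policy through ima_load_policy()
 * into a scratch file instead of securityfs; returns the rule count (2). */
int demo_roundtrip(void)
{
    static const char policy[] =
        "# constructed sample policy\n"
        "measure func=BPRM_CHECK mask=MAY_EXEC\n"
        "\n"
        "measure func=FILE_MMAP mask=MAY_EXEC\n";
    char src[] = "/tmp/ima-src-XXXXXX", dst[] = "/tmp/ima-dst-XXXXXX";
    int fs = mkstemp(src), fd = mkstemp(dst);
    if (fs < 0 || fd < 0)
        return -errno;
    if (write(fs, policy, sizeof policy - 1) != (ssize_t)(sizeof policy - 1))
        return -EIO;
    close(fs);
    close(fd);
    int n = ima_load_policy(src, dst);
    unlink(src);
    unlink(dst);
    return n;
}

int main(int argc, char **argv)
{
    static const char *const inits[] = {
        "/usr/lib/systemd/systemd", "/sbin/upstart", "/sbin/init"   /* assumed candidates */
    };
    (void)argc;
    int rc = ima_load_policy(IMA_POLICY_FILE, IMA_POLICY_IFACE);
    if (rc < 0)
        fprintf(stderr, "ima-init: IMA policy not loaded: %s\n", strerror(-rc));
    int idx = pick_init(inits, sizeof inits / sizeof *inits);
    if (idx < 0) {
        fputs("ima-init: no init found\n", stderr);
        return 1;
    }
    execv(inits[idx], argv);   /* replaces this process, like a shell exec */
    perror("ima-init: execv");
    return 1;
}
```

The wrapper is small, which is the auditing benefit Gustavo points to, but it is also exactly the extra exec and the extra "which init do I chain to" configuration that Lennart objects to: whoever ships it has to keep the candidate list in sync with the initrd, and the boot loader now has to measure this binary as well as the init it hands off to.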