On Thu, 16.02.12 19:50, Gustavo Sverzut Barbieri (barbieri@xxxxxxxxxxxxxx) wrote:

> >> Then I wonder: why not make an ima-init binary that:
> >>   - does ima_setup()
> >>   - exec systemd || upstart || ...
> >>
> >> this way you only have to audit this very small file and not systemd
> >> itself, it's very early and so on.
> >>
> >
> > This does not work because SELinux is initialized inside Systemd and IMA
> > requires it for parsing LSM rules in the policy.
>
> initramfs may do it as well, no? then systemd will inherit it.

We moved SELinux loading out of the initrd into systemd, in order to
support fully featured initrd-less boots. I don't think we should reopen
this problem set by having IMA in the initrd.

I believe IMA should be treated pretty much exactly like SELinux here:
the policy should be loaded from PID1 and it needs to be a compile-time
option, and it needs a kernel cmdline option to disable it (i.e. like
selinux=0).

Lennart

--
Lennart Poettering - Red Hat, Inc.