Re: [systemd-devel] [Linux-ima-user] [PATCH 2/2] main: added support for loading IMA custom policies

On 02/20/2012 06:24 PM, Lennart Poettering wrote:
On Thu, 16.02.12 19:50, Gustavo Sverzut Barbieri (barbieri@xxxxxxxxxxxxxx) wrote:

Then I wonder: why not make an ima-init binary that:
   - does ima_setup()
   - exec systemd || upstart || ...

this way you only have to audit this very small file and not systemd
itself, it's very early and so on.


This does not work because SELinux is initialized inside Systemd and IMA
requires it for parsing LSM rules in the policy.

initramfs may do it as well, no? then systemd will inherit it.

We moved SELinux loading out of the initrd into systemd, in order to
support fully featured initrd-less boots. I don't think we should reopen
this problem set by having IMA in the initrd. I believe IMA should be
treated pretty much exactly like SELinux here: the policy should be
loaded from PID1 and it needs to be a compile time option, and it needs
a kernel cmdline option to disable it (i.e. like selinux=0).


If the SELinux module in dracut is to be considered definitively broken,
probably the IMA module should also be removed, because it will not be
possible to load policies with LSM rules. But I don't know how this
feature can be supported by distributions without Systemd installed.

Regarding the kernel option, there is actually no specific parameter
to disable IMA. However, it can be introduced in the patches proposed
by Mimi Zohar for the 'ima-appraisal' feature. This would allow
disabling IMA or putting it in permissive/enforce mode, as happens for
example in SELinux.

Thanks

Roberto Sassu


Lennart

