On Mon, 20.02.12 20:06, Roberto Sassu (roberto.sassu@xxxxxxxxx) wrote:

> > We moved SELinux loading out of the initrd into systemd, in order to
> > support fully featured initrd-less boots. I don't think we should reopen
> > this problem set by having IMA in the initrd. I believe IMA should be
> > treated pretty much exactly like SELinux here: the policy should be
> > loaded from PID1 and it needs to be a compile time option, and it needs
> > a kernel cmdline option to disable it (i.e. like selinux=0).
>
> If the SELinux module in dracut is to be considered definitively broken,
> probably also the IMA module should be removed, because it will not be
> possible to load policies with LSM rules. But I don't know how this
> feature can be supported by distributions without systemd installed.

Well, if the rumours I keep hearing are true, Ubuntu might join the
systemd camp too after their LTS release. Maybe the "supporting
non-systemd systems" issue solves itself by that for you?

> Regarding the kernel option, actually there is no specific parameter
> to disable IMA. However, it can be introduced in the patches proposed
> by Mimi Zohar about the 'ima-appraisal' feature. This can allow one to
> disable IMA or to put it in permissive/enforce mode, as happens for
> example in SELinux.

Whether there is a kernel option to enable/disable IMA will not stop
these patches from getting into systemd. But I am quite sure they will
stop IMA from getting any wider coverage in the mainstream distributions
(if you care for that).

Oh, and one more thing: it matters to me that this doesn't break my
build. So it needs to allow me to boot when enabled in configure, but
without any IMA policy around.

Lennart

--
Lennart Poettering - Red Hat, Inc.
--
To unsubscribe from this list: send the line "unsubscribe initramfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
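The requirement in the last paragraph of the message above, loading an IMA policy from PID 1 without making boot fail when there is no policy (or no IMA in the kernel), is shown here as an added example. This is illustration code written for this page, not systemd's own IMA setup code nor anything from the patches under discussion; the policy path /etc/ima/ima-policy, the securityfs node /sys/kernel/security/ima/policy, and the sample rules are assumptions of the example. Rules are written one per write(2) so the loader does not depend on the kernel accepting a whole policy in a single write, and a missing policy file or a missing securityfs node is reported as a non-fatal outcome.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed locations for this example; a distribution may use others. */
#define IMA_POLICY_PATH "/etc/ima/ima-policy"
#define IMA_SECFS_NODE  "/sys/kernel/security/ima/policy"

enum ima_load_result {
    IMA_LOADED,        /* rules were written into the kernel */
    IMA_NO_POLICY,     /* no policy file on disk: nothing to do, keep booting */
    IMA_NOT_SUPPORTED, /* no securityfs node: kernel without IMA, keep booting */
    IMA_ERROR          /* a policy exists but could not be loaded */
};

/* Feed policy_path into ima_node one rule per write(2), skipping comments
 * and blank lines. A missing policy file or a missing securityfs node is
 * reported, not treated as fatal, so a build with IMA support enabled still
 * boots on a system that has no policy. *rules receives the number of
 * rules written when the caller passes a non-NULL pointer. */
enum ima_load_result ima_load_policy(const char *policy_path,
                                     const char *ima_node, int *rules)
{
    if (rules) *rules = 0;

    FILE *pf = fopen(policy_path, "r");
    if (!pf)
        return errno == ENOENT ? IMA_NO_POLICY : IMA_ERROR;

    int fd = open(ima_node, O_WRONLY);
    if (fd < 0) {
        int e = errno;
        fclose(pf);
        return e == ENOENT ? IMA_NOT_SUPPORTED : IMA_ERROR;
    }

    char line[1024];
    enum ima_load_result r = IMA_LOADED;
    while (fgets(line, sizeof line, pf)) {
        if (line[0] == '#' || line[0] == '\n')
            continue;
        size_t n = strlen(line);
        if (write(fd, line, n) != (ssize_t) n) {
            r = IMA_ERROR;   /* the kernel rejected a rule */
            break;
        }
        if (rules) (*rules)++;
    }
    close(fd);
    fclose(pf);
    return r;
}

/* Stand-alone demonstration: a constructed three-rule policy (with a comment
 * and a blank line) is loaded into a temporary file standing in for the
 * securityfs node; returns how many rules reached it, or -1 on failure. */
int ima_demo(void)
{
    static const char policy[] =
        "# constructed sample policy for this example, not a distribution default\n"
        "measure func=BPRM_CHECK mask=MAY_EXEC\n"
        "\n"
        "measure func=FILE_MMAP mask=MAY_EXEC\n"
        "dont_measure fsmagic=0x9fa0\n";

    char src[] = "/tmp/ima-policy-XXXXXX", dst[] = "/tmp/ima-node-XXXXXX";
    int sfd = mkstemp(src), dfd = mkstemp(dst);
    if (sfd < 0 || dfd < 0) return -1;
    size_t len = sizeof policy - 1;
    if (write(sfd, policy, len) != (ssize_t) len) return -1;
    close(sfd);
    close(dfd);

    int rules = 0;
    enum ima_load_result r = ima_load_policy(src, dst, &rules);

    int written = 0;                      /* count lines that reached the "node" */
    FILE *f = fopen(dst, "r");
    if (f) { char l[1024]; while (fgets(l, sizeof l, f)) written++; fclose(f); }
    unlink(src);
    unlink(dst);
    return (r == IMA_LOADED && rules == written) ? written : -1;
}

int main(void)
{
    int rules = 0;
    switch (ima_load_policy(IMA_POLICY_PATH, IMA_SECFS_NODE, &rules)) {
    case IMA_LOADED:        printf("IMA: loaded %d rules\n", rules); break;
    case IMA_NO_POLICY:     printf("IMA: no policy file, continuing boot\n"); break;
    case IMA_NOT_SUPPORTED: printf("IMA: no securityfs node, continuing boot\n"); break;
    case IMA_ERROR:         printf("IMA: policy present but failed to load\n"); return 1;
    }
    return 0;
}
```

Only IMA_ERROR (a policy that exists but is rejected) is treated as a real failure; the two "nothing to do" cases return success so that an init built with IMA support boots unchanged on a machine with no policy file or no IMA in the kernel. On a real system the node must be written as root with securityfs mounted, and once a policy has been loaded the kernel may refuse further writes, so the loader is meant to run once, early, from PID 1.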