On Tue, 2017-10-17 at 19:02 -0700, Matthew Garrett wrote:
> Is this accurate? If there's no IMA policy that covers the file in
> question (e.g., appraise is limited to a specific security context or
> owner), will IMA_NEW ever be set? It looks like that codepath will
> only be entered if there's a rule that matches. The EVM xattr
> protections appear to be called regardless, which means that there's
> then no way to write out attributes on them at runtime.

Updating/writing security.evm is triggered by writing or updating ANY
file metadata included in the HMAC calculation. There is no
requirement for security.ima to exist.

Mimi