On Thu, 19 Oct 2017 11:02:51 +0000
Dmitry Kasatkin <dmitry.kasatkin@xxxxxxxxxx> wrote:

> BTW.
>
> Just to refresh my mind. What would be the correct order for setting
> this signature from package? On any attr/xattr change, EVM will set
> HMAC.

From tar's code:
- uid/gid/mode/data/etc...
- all xattrs
- caps
- selinux
- EVM xattr

The EVM xattr should be restored last, when all xattrs/metadata are already restored, but... as soon as the first protected xattr is restored from the package, the EVM HMAC will be generated.

> What is the value of setting signature after that unless there is a
> policy to require signature (immutable)? In my original patchset
> portable was also immutable and also included policy support to
> require EVM signatures.

--
Best regards,
Mikhail Kurinnoi