On Mon, 2017-12-11 at 09:13 -0500, Paul R. Tagliamonte wrote:
> On Mon, Dec 11, 2017 at 8:48 AM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> > The "uid=" is a condition that limits which files to appraise. By
> > changing "uid=" to 0, I assume by "worked as expected" means nothing
> > verified.
>
> Not quite: when I say "works as expected" I mean everything worked
> (since I signed all binaries) except for one (which was logged, as I
> mentioned, and when I turned it onto enforce, it gave me permission
> denied. As root. Great!

And if you replaced the "uid=0" with "fowner=0" the appraisal would
succeed whether or not you're running as root.

> > This all seems to indicate that the keys are not being loaded onto
> > root's _ima keyring. See if there is a difference if you "su -",
> > before creating the _ima keyring.
>
> I was running this as uid 0 in the initramfs. It's in a keyring named
> _ima and it's linked to @u. That appears to not be sufficient. How do
> I create a keyring that spans all users' @u?

Different files can be signed with different keys, but all keys should
be loaded onto the same _ima keyring. (This will change once IMA is
namespaced.) The policy defines which files should be appraised. If
you want to verify files owned by uid 1000, the policy would include an
appraise rule fowner=1000.

> > Even if you don't add any keys during boot, enabling dracut/systemd
> > would at least properly create the _ima keyring.
>
> Do you have a pointer as to what I'm doing on? I attached the script
> I'm running in my initramfs. I'd rather figure out what I'm doing
> wrong before punting this to another tool for now.

Normally one starts with something that is known to work, before
attempting/complaining that something different doesn't work.

Mimi
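The two points in the reply above (an appraise rule keyed on fowner= rather than uid=, and a single _ima keyring under @u holding every signing certificate) as an added shell example. This is not Paul's attached initramfs script nor anything from the IMA tree; it assumes the keyutils keyctl tool, a kernel with IMA appraisal enabled, and a hypothetical certificate path /etc/keys/ima-signing.der. The keyring step needs root; the policy generator is plain text and runs anywhere.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes keyutils (keyctl) and a
# kernel with IMA appraisal; the certificate path below is hypothetical.

# Emit an appraisal policy that checks every file owned by the given uid,
# no matter which user opens it. fowner= is a property of the file;
# uid= would instead restrict appraisal to processes running as that uid.
ima_policy_for_owner() {
    owner="$1"
    # Pseudo-filesystems carry no signatures, so exclude them first
    # (fsmagic values from include/uapi/linux/magic.h:
    #  PROC, SYSFS, DEBUGFS, TMPFS, DEVPTS, RAMFS, SECURITYFS, SELINUX).
    for magic in 0x9fa0 0x62656572 0x64626720 0x01021994 0x1cd1 \
                 0x858458f6 0x73636673 0xf97cff8c; do
        printf 'dont_appraise fsmagic=%s\n' "$magic"
    done
    printf 'appraise fowner=%s appraise_type=imasig\n' "$owner"
}

# The weaker variant for comparison: appraisal happens only when the
# *process* runs as the given uid, so the same file opened by another
# user is never verified.
ima_policy_uid_only() {
    printf 'appraise uid=%s appraise_type=imasig\n' "$1"
}

# Create the _ima keyring under @u if it does not exist and load one DER
# certificate onto it. Every signing certificate goes on this one keyring;
# which files get checked is decided by the policy, not by the keyring.
install_ima_cert() {
    cert="${1:-/etc/keys/ima-signing.der}"   # hypothetical path
    ima_id=$(keyctl search @u keyring _ima 2>/dev/null) \
        || ima_id=$(keyctl newring _ima @u)
    keyctl padd asymmetric "" "$ima_id" < "$cert"
    keyctl list "$ima_id"
}

# Example use (run as root, from the initramfs or early boot):
#   install_ima_cert /etc/keys/ima-signing.der
#   ima_policy_for_owner 0 > /sys/kernel/security/ima/policy
```

The policy is loaded by writing it to /sys/kernel/security/ima/policy (securityfs must be mounted), which is what the dracut/systemd integration mentioned above does for you; whether a failed appraisal is only logged or denies access is controlled by the ima_appraise=log / ima_appraise=enforce boot parameter, matching the "permission denied" Paul saw once he switched to enforce.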