> Great! And if you replaced the "uid=0" with "fowner=0" the appraisal > would succeed whether or not you're running as root. I was looking to appraise any binaries that a single user is running, not anything any user runs that's owned by root. > Different files can be signed with different keys, but all keys should > be loaded onto the same _ima keyring. (This will change once IMA is > namespaced.) Yes. Good copy on that. My question was about how to ensure the _ima keyring is present in all user's keyrings, if the IMA module is searching the user executing the program's keyring. See the terminal output in my last mail. Once again, the kernel is throwing errors if I try to appraise binaries that uid 1000 is running unless the _ima keyring is linked to uid 1000's @u keyring. Is this expected behavior, and if so, where can I read more about this? > The policy defines which files should be appraised. If you want to > verify files owned by uid 1000, the policy would include an appraise > rule fowner=1000. I want to appraise anything run by user 1000, regardless of file owner. I can only seem to do this if uid 1000's @u has a _ima keyring under it, and **not** if uid 0's @u has an _ima keyring under it. Is this expected behavior? > Normally one starts with something that is known to work, before > attempting/complaining something different doesn't work. Cheers, thanks for that. I'd like to point out that at no point have I complained, even about things fully deserving of it, such as the lack of documentation or opaque errors. I've been courteous and tried to provide helpful information and context proactively. To be honest, I'm a bit disappointed and frustrated at this side-comment. I understand you must be frustrated, and I appreciate you replied on a weekend and it's not your job to provide support, but as a newcomer, I am just as frustrated with this interaction. A bit of empathy would be nice. Cheers, Paul -- :wq
