Re: IMA keyctl problems

> Great!  And if you replaced the "uid=0" with "fowner=0" the appraisal
> would succeed whether or not you're running as root.

I was looking to appraise any binaries that a single user is running,
not anything any user runs that's owned by root.

> Different files can be signed with different keys, but all keys should
> be loaded onto the same _ima keyring.  (This will change once IMA is
> namespaced.)

Yes. Good copy on that.

My question was about how to ensure the _ima keyring is present in all
users' keyrings, if the IMA module is searching the keyring of the user
executing the program. See the terminal output in my last mail.

Once again, the kernel is throwing errors if I try to appraise
binaries that uid 1000 is running unless the _ima keyring is linked to
uid 1000's @u keyring. Is this expected behavior, and if so, where can
I read more about this?

> The policy defines which files should be appraised.  If you want to
> verify files owned by uid 1000, the policy would include an appraise
> rule fowner=1000.

I want to appraise anything run by user 1000, regardless of file
owner. I can only seem to do this if uid 1000's @u has a _ima keyring
under it, and **not** if uid 0's @u has an _ima keyring under it. Is
this expected behavior?

> Normally one starts with something that is known to work, before
> attempting/complaining something different doesn't work.

Cheers, thanks for that.

I'd like to point out that at no point have I complained, even about
things fully deserving of it, such as the lack of documentation or
opaque errors. I've been courteous and tried to provide helpful
information and context proactively. To be honest, I'm a bit
disappointed and frustrated at this side-comment.

I understand you must be frustrated, and I appreciate that you replied on a
weekend and that it's not your job to provide support, but as a newcomer, I
am just as frustrated with this interaction.

A bit of empathy would be nice.


Cheers,
   Paul


-- 
:wq
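As an added illustration of the setup this thread discusses (not code from this mail or from the IMA project): a POSIX shell snippet that renders the appraise rule for either the uid= or the fowner= condition, and the keyctl steps that place a _ima keyring holding a certificate under a user's @u keyring, which is the arrangement the mail above reports as the only one that works. The policy keywords func=BPRM_CHECK and appraise_type=imasig, the keyctl invocations, and the DER certificate path are assumptions drawn from general IMA usage, not from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the ima_policy keywords
# func=BPRM_CHECK, uid=, fowner= and appraise_type=imasig, and that keyctl
# (keyutils) is installed where setup_user_ima_keyring is run.

# Render a single appraise rule for executables.
#   $1 = "uid"    -> appraise anything *run by* that uid (Paul's case)
#   $1 = "fowner" -> appraise anything *owned by* that uid (Mimi's suggestion)
#   $2 = numeric id
ima_appraise_rule() {
    case "$1" in
        uid|fowner) ;;
        *) echo "ima_appraise_rule: condition must be uid or fowner" >&2; return 1 ;;
    esac
    case "$2" in
        ''|*[!0-9]*) echo "ima_appraise_rule: id must be numeric" >&2; return 1 ;;
    esac
    printf 'appraise func=BPRM_CHECK %s=%s appraise_type=imasig\n' "$1" "$2"
}

# Create (or reuse) a _ima keyring directly under the caller's @u keyring and
# load a DER X.509 certificate into it. Run this *as the user whose programs
# are to be appraised* (e.g. under su - <user>): the thread reports that
# appraisal of uid 1000's processes only succeeds when _ima is linked under
# uid 1000's own @u, not under root's. Prints the keyring id.
#   $1 = path to the DER certificate matching the signing key
setup_user_ima_keyring() {
    cert="$1"
    [ -r "$cert" ] || { echo "setup_user_ima_keyring: cannot read $cert" >&2; return 1; }
    id=$(keyctl search @u keyring _ima 2>/dev/null) || id=$(keyctl newring _ima @u) || return 1
    keyctl padd asymmetric "" "$id" < "$cert" >/dev/null || return 1
    echo "$id"
}
```

To load the rule, write the rendered line to the policy file and then into securityfs as root, e.g. `ima_appraise_rule uid 1000 > /etc/ima/ima-policy` followed by `cat /etc/ima/ima-policy > /sys/kernel/security/ima/policy`; the certificate path given to setup_user_ima_keyring must hold the cert for the key that signed the binaries.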