> Instead of "appraise func=BPRM_CHECK fowner=0 appraise_type=imasig"
> the appraise rule would be "appraise func=BPRM_CHECK
> appraise_type=imasig".

Spot on, thank you! I didn't have a func=* which was causing this entire mess.

I changed the rule from:

`appraise appraise_type=imasig uid=1000`

to:

`appraise appraise_type=imasig func=BPRM_CHECK uid=1000`

All behaves exactly as expected. I now have this VM booting and doing so with enforced IMA signatures. Neato, thanks!

Weird so much came out as what looked like a keyctl issue. Apologies for focusing on that and not posting the policy file. It's not clear exactly why this policy rule bug surfaced like that, but I think I'm off with a baseline now.

Thanks a ton for the help!

Paul
--
:wq
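As an added example, not part of this thread and not a kernel or ima-evm-utils tool, here is a small Python lint that reads IMA policy rules and flags the pattern Paul hit: an `appraise` rule with no `func=` hook. The accepted `func=` names come from the kernel's ima_policy ABI documentation (the set may lag newer kernels); the "appraise without func=" check is a review heuristic taken from this thread, not a kernel parse error (the kernel's built-in appraise_tcb rules include a hook-less `appraise fowner=0`), and the sample policy is constructed.

```python
# Lint IMA policy rules for the mistake discussed in the thread:
# an "appraise" rule that names no func= hook.  Added example, not
# code from the thread or the kernel.

# Hook names accepted by func= (Documentation/ABI/testing/ima_policy).
# Assumption: this list is complete enough for the policies checked here.
KNOWN_FUNCS = {
    "FILE_CHECK", "MMAP_CHECK", "BPRM_CHECK", "CREDS_CHECK",
    "MODULE_CHECK", "FIRMWARE_CHECK", "KEXEC_KERNEL_CHECK",
    "KEXEC_INITRAMFS_CHECK", "POLICY_CHECK", "KEY_CHECK", "CRITICAL_DATA",
}
KNOWN_ACTIONS = {
    "measure", "dont_measure", "appraise", "dont_appraise",
    "audit", "hash", "dont_hash",
}


def parse_rule(line):
    """Split one policy line into (action, {condition: value})."""
    tokens = line.split()
    action, conds = tokens[0], {}
    for tok in tokens[1:]:
        key, _, value = tok.partition("=")
        conds[key] = value
    return action, conds


def lint_policy(text):
    """Return a list of (line_no, message) findings for a policy file."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, conds = parse_rule(line)
        if action not in KNOWN_ACTIONS:
            findings.append((n, f"unknown action '{action}'"))
            continue
        func = conds.get("func")
        if func is not None and func not in KNOWN_FUNCS:
            findings.append((n, f"unknown func '{func}'"))
        # Heuristic from the thread: an appraise rule with no func= does
        # not name a hook; the fix there was pinning it to BPRM_CHECK.
        # Flag it for review rather than treating it as invalid.
        if action == "appraise" and func is None:
            findings.append((n, "appraise rule names no func= hook; "
                                "review (thread's fix: func=BPRM_CHECK)"))
    return findings


# Constructed sample policy: the thread's original rule, its corrected
# form, a legitimate hook-less dont_appraise, and a typo'd func name.
SAMPLE_POLICY = """\
# constructed sample, modelled on the two rules in the thread
appraise appraise_type=imasig uid=1000
appraise appraise_type=imasig func=BPRM_CHECK uid=1000
dont_appraise fsmagic=0x9fa0
measure func=BPRM_CHEK
"""

if __name__ == "__main__":
    for line_no, msg in lint_policy(SAMPLE_POLICY):
        print(f"line {line_no}: {msg}")
```

Run it against `/sys/kernel/security/ima/policy` (or the file you feed to it) before rebooting with enforcement on; line 2 of the sample reproduces the thread's rule and is reported, line 3 (the corrected rule) is clean.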