Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> writes:

> On Mon, 2018-02-19 at 20:02 -0600, Eric W. Biederman wrote:
>> It would also be nice if I could provide all of this information at
>> mount time (when I am the global root) with mount options. So I don't
>> need to update all of my tooling to know how to update ima policy when I
>> am mounting a filesystem.
>
> The latest version of this patch relies on a builtin IMA policy to set
> a flag. No other changes are required to the IMA policy. This
> builtin policy could be used for environments not willing to accept
> the default unverifiable signature risk.

I still remain puzzled by this. Why is the default to accept the risk?

Eric