Re: [PATCH V2 3/4] IMA: Optionally make use of filesystem-provided hashes

On Thu, Feb 28, 2019 at 1:59 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> On Thu, 2019-02-28 at 13:41 -0800, Matthew Garrett wrote:
> > If collect_type=get_hash and the filesystem doesn't support the
> > get_hash type, should the behaviour be to fall back to read?
>
> "get_hash" should be limited to a specific filesystem type and
> subtype.  Based on the filesystem type and subtype, couldn't a warning
> be emitted at policy load time?

The policy may be loaded before the filesystem is mounted, so even if
we added a capabilities mechanism we wouldn't be able to verify it.
There are also potentially cases where a filesystem could support hash
retrieval for some files but not others, and in that case we'd
probably want to fall back to reading the file.


