Hi Mimi,
thanks for your comments!
> > + grep -q ima_appraise_tcb /proc/cmdline || \
> > + tst_brk TCONF "Test requires ima_appraise_tcb kernel parameter"
> Instead of specifying individual policies separately, the newer method
> of specifying builtin IMA policies on the boot command line is
> "ima_policy=", with a list of policies. The builtin appraise policy
> would be specified as "ima_policy=appraise_tcb". Refer to
> Documentation/admin-guide/kernel-parameters.txt for the list of
> builtin policies.
I guess grep for any policy (ima_policy=) or ima_appraise_tcb shold e enough.
Am I right?
BTW I guess ima_appraise_tcb should be deprecated in kernel-parameters.txt.
> > +}
> > +
> > +do_test()
> > +{
> > + local file="foo.txt"
> > + local f
> > +
> > + tst_mount
> > + mounted=1
> > +
> > + ROD echo lower \> $lower/$file
> For some reason "mntpoint/lower" isn't loopback mounted. With the
> builtin appraise policy, because it is a tmpfs filesystem,
> security.ima does not exist. Writing to the merged directory then
> fails.
> + df -T mntpoint/lower
> Filesystem Type 1K-blocks Used Available Use% Mounted on
> tmpfs tmpfs 4020348 262316 3758032 7% /tmp
My bad, I forged to add TST_NEEDS_DEVICE=1 to ima_overlay.sh (I'll add it into
v2). That was the missing piece to enable loop device (in the end of ima_setup.sh)
> + getfattr -m '^security' --dump mntpoint/lower/foo.txt
> # file: mntpoint/lower/foo.txt
> security.evm=0sAq8niNi4X7cYntKSAki1Woc+Y5Yq
> security.selinux="unconfined_u:object_r:user_tmp_t:s0"
> Mimi
Kind regards,
Petr
