On Thu, 2019-04-04 at 20:19 +0200, Petr Vorel wrote:
> Hi Mimi,
>
> thanks for your comments!
>
> > > + grep -q ima_appraise_tcb /proc/cmdline || \
> > > + tst_brk TCONF "Test requires ima_appraise_tcb kernel parameter"
>
> > Instead of specifying individual policies separately, the newer method
> > of specifying builtin IMA policies on the boot command line is
> > "ima_policy=", with a list of policies. The builtin appraise policy
> > would be specified as "ima_policy=appraise_tcb". Refer to
> > Documentation/admin-guide/kernel-parameters.txt for the list of
> > builtin policies.
> I guess grep for any policy (ima_policy=) or ima_appraise_tcb shold e enough.
> Am I right?
Yes
>
> BTW I guess ima_appraise_tcb should be deprecated in kernel-parameters.txt.
and yes
>
> > > +}
> > > +
> > > +do_test()
> > > +{
> > > + local file="foo.txt"
> > > + local f
> > > +
> > > + tst_mount
> > > + mounted=1
> > > +
> > > + ROD echo lower \> $lower/$file
>
> > For some reason "mntpoint/lower" isn't loopback mounted. With the
> > builtin appraise policy, because it is a tmpfs filesystem,
> > security.ima does not exist. Writing to the merged directory then
> > fails.
>
> > + df -T mntpoint/lower
> > Filesystem Type 1K-blocks Used Available Use% Mounted on
> > tmpfs tmpfs 4020348 262316 3758032 7% /tmp
> My bad, I forged to add TST_NEEDS_DEVICE=1 to ima_overlay.sh (I'll add it into
> v2). That was the missing piece to enable loop device (in the end of ima_setup.sh)
thanks!
>
>
> > + getfattr -m '^security' --dump mntpoint/lower/foo.txt
> > # file: mntpoint/lower/foo.txt
> > security.evm=0sAq8niNi4X7cYntKSAki1Woc+Y5Yq
> > security.selinux="unconfined_u:object_r:user_tmp_t:s0"
>
>
> Kind regards,
> Petr
>
