On Mon, Jun 15, 2020 at 12:45 PM Lakshmi Ramasubramanian <nramas@xxxxxxxxxxxxxxxxxxx> wrote: > > On 6/15/20 4:57 AM, Stephen Smalley wrote: > > I think I mentioned this on a previous version of these patches, but I > > would recommend including more than just the enabled and enforcing > > states in your measurement. Other low-hanging fruit would be the > > other selinux_state booleans (checkreqprot, initialized, > > policycap[0..__POLICYDB_CAPABILITY_MAX]). Going a bit further one > > could take a hash of the loaded policy by using security_read_policy() > > and then computing a hash using whatever hash ima prefers over the > > returned data,len pair. You likely also need to think about how to > > allow future extensibility of the state in a backward-compatible > > manner, so that future additions do not immediately break systems > > relying on older measurements. > > > > Sure - I will address this one in the next update. Please add selinux list to the cc for future versions too.
