Hello,

I have encountered this problem in which I cannot do (for example) chown on the /proc filesystem, an operation which fails with "Operation not permitted" and kernel logging:

    audit type=1801 audit(1596110664.495:49): pid=96959 uid=0 auid=1000 ses=4 subj==unconfined op=appraise_metadata cause=unknown comm="chown" name="dev" dev="proc" ino=4026532012 res=0

    root@ubuntu:/# chown root:root /proc/net/dev; dmesg | tail -1
    chown: changing ownership of '/proc/net/dev': Operation not permitted
    [10053.911258] audit: type=1801 audit(1596111210.774:52): pid=112577 uid=0 auid=1000 ses=4 subj==unconfined op=appraise_metadata cause=unknown comm="chown" name="dev" dev="proc" ino=4026532012 res=0

My IMA setup script is:

    mount -n -t securityfs securityfs /sys/kernel/security
    (set -e; while read i; do echo $i >&2; echo $i; done) </etc/keys/policy >/sys/kernel/security/ima/policy
    ima_id="`awk '/\.ima/ { printf "%d", "0x"$1; }' /proc/keys`"
    evmctl import /etc/keys/x509_ima_1.der $ima_id
    evm_id="`awk '/\.evm/ { printf "%d", "0x"$1; }' /proc/keys`"
    evmctl import /etc/keys/x509_ima_1.der $evm_id
    cat /etc/keys/kmk | keyctl padd user kmk @u
    keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
    echo "1" > /sys/kernel/security/evm

where the policy is:

    dont_appraise fsmagic=0x9fa0
    dont_appraise fsmagic=0x62656572
    dont_appraise fsmagic=0x64626720
    dont_appraise fsmagic=0x01021994
    dont_appraise fsmagic=0x858458f6
    dont_appraise fsmagic=0x1cd1
    dont_appraise fsmagic=0x42494e4d
    dont_appraise fsmagic=0x73636673
    dont_appraise fsmagic=0xf97cff8c

The kernel cmdline is:

    BOOT_IMAGE=/boot/vmlinuz-5.5.10 root=UUID=40d7131c-1a9b-4d0f-9757-01a5d1819909 ro find_preseed=/preseed.cfg auto noprompt priority=critical locale=en_US ima_appraise=fix quiet

into which I only added ima_appraise=fix/log. I'm using Ubuntu on a 5.5.10 kernel, but I found this originally on Linux 4.9, in the dev environment.

I want to mention that I don't have a deep understanding of the Linux kernel or its usage in general, and I am not aware of what else might be causing (or interfering with) this behavior. My understanding is that IMA should not appraise anything (as I left any appraisal rule out of the policy for reproducing this), and it is explicitly instructed not to appraise those filesystems, whereas EVM does appraise on /proc when it shouldn't. I could speculate and try to trace the problem in the IMA module, but I think the sensible thing to do is to ask if this is something common (as in, I'm doing something really dumb) or at least solvable, but I could not find anything related to /proc filesystem IMA problems. The problem is not there when EVM is not active (or is in fix mode).

Thank you,
Vlad
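The following triage helper is an added example and not part of the original post or of the IMA/EVM tools it mentions. It parses a type=1801 integrity audit record of the shape shown above together with an IMA policy in the same `dont_appraise fsmagic=...` form, and reports whether the filesystem named in `dev=` is already excluded from IMA appraisal by the policy. The fsmagic-to-name table is taken from the kernel's `linux/magic.h` constants; the sample audit line and policy are the ones quoted in the post, embedded inline so the script runs offline. The `op=appraise_metadata` string is the operation name EVM logs from its setattr/setxattr hooks (IMA's own data appraisal logs `appraise_data`), which is what lets the helper attribute the denial to the EVM metadata check rather than to an IMA policy rule.

```python
import re

# Filesystem magic numbers as defined in linux/magic.h; these are the values
# that the post's dont_appraise rules refer to.
FSMAGIC_NAMES = {
    0x9fa0: "proc",
    0x62656572: "sysfs",
    0x64626720: "debugfs",
    0x01021994: "tmpfs",
    0x858458f6: "ramfs",
    0x1cd1: "devpts",
    0x42494e4d: "binfmt_misc",
    0x73636673: "securityfs",
    0xf97cff8c: "selinuxfs",
}

# Constructed sample input: the audit record and policy quoted in the post.
SAMPLE_AUDIT = (
    'audit: type=1801 audit(1596111210.774:52): pid=112577 uid=0 auid=1000 '
    'ses=4 subj==unconfined op=appraise_metadata cause=unknown comm="chown" '
    'name="dev" dev="proc" ino=4026532012 res=0'
)
SAMPLE_POLICY = """
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
dont_appraise fsmagic=0x64626720
dont_appraise fsmagic=0x01021994
dont_appraise fsmagic=0x858458f6
dont_appraise fsmagic=0x1cd1
dont_appraise fsmagic=0x42494e4d
dont_appraise fsmagic=0x73636673
dont_appraise fsmagic=0xf97cff8c
"""

# key=value pairs; values are either double-quoted or a run of non-blanks.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_record(line):
    """Split one integrity audit record into a dict of its key=value fields."""
    fields = {}
    for m in _KV.finditer(line):
        key = m.group(1)
        val = m.group(3) if m.group(3) is not None else m.group(2)
        # The record prints 'subj==unconfined'; drop the extra '=' so the
        # subject label is usable as a plain value.
        fields[key] = val.lstrip("=")
    return fields


def parse_policy(text):
    """Parse IMA policy lines of the form '<action> key=value ...'."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *conds = line.split()
        rule = {"action": action}
        for cond in conds:
            key, _, val = cond.partition("=")
            rule[key] = int(val, 16) if key == "fsmagic" else val
        rules.append(rule)
    return rules


def ima_excludes_fs(rules, fsname):
    """True if a dont_appraise fsmagic rule covers the named filesystem."""
    return any(
        r["action"] == "dont_appraise"
        and FSMAGIC_NAMES.get(r.get("fsmagic")) == fsname
        for r in rules
    )


def triage(audit_line, policy_text):
    """Combine both parsers into a short verdict for one denial record."""
    rec = parse_audit_record(audit_line)
    rules = parse_policy(policy_text)
    fs = rec.get("dev", "")
    return {
        "op": rec.get("op"),
        "cause": rec.get("cause"),
        "fs": fs,
        "name": rec.get("name"),
        "comm": rec.get("comm"),
        # op=appraise_metadata is the string EVM's setattr/setxattr hooks log;
        # IMA's own file-data appraisal logs op=appraise_data instead.
        "emitted_by": "EVM" if rec.get("op") == "appraise_metadata" else "IMA",
        "ima_excluded": ima_excludes_fs(rules, fs),
    }


if __name__ == "__main__":
    verdict = triage(SAMPLE_AUDIT, SAMPLE_POLICY)
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

Run against the quoted record the verdict shows `fs: proc`, `ima_excluded: True` and `emitted_by: EVM`, which states the post's observation in machine-checkable form: the IMA policy already excludes procfs, so the denial is not coming from an IMA rule but from EVM's metadata check, with `cause=unknown` as the status it reported. The same script can be pointed at `dmesg` output and `/sys/kernel/security/ima/policy` on a live system to classify further denials.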