Hi IMA experts,

Do we need to write any rule for SELinux to allow access to the key in the .ima keyring for all processes, or am I thinking in the wrong direction?

"integrity: Request for unknown key 'id:87deb3bf' err -13" is the error with SELinux enabled (kernel is 4.14). Without SELinux enabled, IMA appraisal works fine.

Audit logs:

[10012.824868] type=1800 audit(315974764.149:5729): pid=7511 uid=1001 auid=4294967295 ses=4294967295 subj=system_u:system_r:testd_cm_t:s0-s15:c0.c1023 op="appraise_data" cause="invalid-signature" comm="sh" name="/sbin/testdaemon" dev="ubifs" ino=18446 res=0

Output of a few commands, just in case it is useful:

# keyctl show -x %:.builtin_trusted_keys
Keyring
0x26edf4c7 ---lswrv 0 0 keyring: .builtin_trusted_keys
0x3e65ef00 ---lswrv 0 0 \_ asymmetric: IMA-CA: IMA/EVM certificate signing key: 20c98dcf771b2a945c0ffd245011118299f90bdf

# keyctl show -x %:.ima
Keyring
0x0e961ca8 ---lswrv 0 0 keyring: .ima
0x2e3011f8 ---lswrv 0 0 \_ asymmetric: ima: signing key: edc4697e8b77ef2713e491616726090c87deb3bf

/ # cat /proc/keys
02fdee99 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
035ab7c0 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
0439d238 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
04964e3e I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
04da590e I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
054ef37d I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
055154e2 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
06511dd4 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
0761426a I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
0793080e I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
07f495f8 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
082f71d6 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
096dee7c I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
09904799 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
0b87b742 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
0c1b072c I--Q--- 3 perm 3f030000 0 0 keyring _ses: 1
0d02c3ff I--Q--- 2 perm 3f030000 0 0 keyring _ses: 1
0db26b5a I--Q--- 8 perm 3f030000 0 0 keyring _ses: 1
0dc6c62e I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
0e961ca8 I------ 1 perm 1f0f0000 0 0 keyring .ima: 1
0ff12212 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
1156ac2d I--Q--- 13 perm 3f030000 0 0 keyring _ses: 1
1252fe6f I--Q--- 3 perm 3f030000 0 0 keyring _ses: 1
1285aef6 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
1322fc5e I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
13866397 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
14173f44 I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid.0: empty
14931524 I--Q--- 3 perm 3f030000 0 0 keyring _ses: 1
155502e8 I--Q--- 3 perm 3f030000 0 0 keyring _ses: 1
1604215d I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
16b40b6b I--Q--- 4 perm 3f030000 0 0 keyring _ses: 1
17db30d9 I--Q--- 3 perm 3f030000 0 0 keyring _ses: 1
18ea41e0 I--Q--- 5 perm 3f030000 0 0 keyring _ses: 1
19b92253 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
19eeed3f I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
1b89b979 I--Q--- 2 perm 3f030000 0 0 keyring _ses: 1
1c0a573f I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
1cd763d5 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
1d3caf71 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
1d6a3880 I--Q--- 2 perm 3f030000 0 0 keyring _ses: 1
1ddffca9 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
1df0c622 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
201c5a37 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
2045b3bb I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
20993304 I--Q--- 2 perm 3f030000 0 0 keyring _ses: 1
2154e4a6 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
22f2253f I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
25e97a49 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
2665b7b4 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
26edf4c7 I------ 1 perm 1f0b0000 0 0 keyring .builtin_trusted_keys: 1
2798bd15 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
29931371 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
2a3853b1 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
2cc594f1 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
2dc04d98 I--Q--- 2 perm 3f030000 0 0 keyring _ses: 1
2e0e4f06 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
2e3011f8 I------ 1 perm 1f030000 0 0 asymmetri ima: signing key: edc4697e8b77ef2713e491616726090c87deb3bf: X509.rsa 87deb3bf []
2e769ee9 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
2ebb4809 I--Q--- 1 perm 1f3f0000 0 65534 keyring _uid_ses.0: 1
2fdc0299 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
307f8910 I--Q--- 1 perm 3f030000 0 0 keyring _ses: 1
3384a46f I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
357dd4d1 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
3be9a95e I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
3c3162f6 I--Q--- 3 perm 3f030000 0 0 keyring _ses: 1
3d47a3ab I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
3e65ef00 I------ 1 perm 1f030000 0 0 asymmetri IMA-CA: IMA/EVM certificate signing key: 20c98dcf771b2a945c0ffd245011118299f90bdf: X509.rsa 99f90bdf []
3f625ed4 I--Q--- 5 perm 3f030000 0 0 keyring _ses: 1

Regards,
Rishi
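
For readers following the thread, an added example (not part of the original post) that decodes the `perm` column of the `/proc/keys` rows quoted above and resolves the kernel message: `err -13` is `EACCES`, a permission denial rather than a missing key. The three rows and the message are copied from the post; the helper names are hypothetical, and the bit layout is the kernel's standard key permission mask (possessor, user, group, other, one byte each).

```python
import errno
import re

# Per-byte permission bits of a kernel key mask (include/linux/key.h).
BITS = [(0x01, "view"), (0x02, "read"), (0x04, "write"),
        (0x08, "search"), (0x10, "link"), (0x20, "setattr")]
CLASSES = ["possessor", "user", "group", "other"]  # highest byte first

# Rows and message copied from the post above (not constructed).
PROC_KEYS = """\
0e961ca8 I------ 1 perm 1f0f0000 0 0 keyring .ima: 1
26edf4c7 I------ 1 perm 1f0b0000 0 0 keyring .builtin_trusted_keys: 1
2e3011f8 I------ 1 perm 1f030000 0 0 asymmetri ima: signing key: edc4697e8b77ef2713e491616726090c87deb3bf: X509.rsa 87deb3bf []
"""
KMSG = "integrity: Request for unknown key 'id:87deb3bf' err -13"

# serial, flags, usage, expiry, perm, uid, gid, type, description
ROW = re.compile(r"^([0-9a-f]{8}) (\S+)\s+(\d+)\s+(\S+)\s+([0-9a-f]{8})"
                 r"\s+(-?\d+)\s+(-?\d+)\s+(\S+)\s+(.*)$")

def decode_perm(mask_hex):
    """Split a 32-bit key permission mask into per-class permission names."""
    mask = int(mask_hex, 16)
    return {cls: [n for bit, n in BITS if (mask >> (24 - 8 * i)) & bit]
            for i, cls in enumerate(CLASSES)}

def parse_proc_keys(text):
    """Parse /proc/keys rows; lines that do not match the layout are skipped."""
    keys = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            serial, flags, _use, _exp, perm, uid, gid, ktype, desc = m.groups()
            keys.append({"serial": serial, "flags": flags, "uid": int(uid),
                         "gid": int(gid), "type": ktype, "desc": desc,
                         "perm": decode_perm(perm)})
    return keys

def explain(kmsg, proc_keys_text):
    """Map the errno in the integrity message and find the key it names."""
    m = re.search(r"key 'id:([0-9a-f]+)' err (-?\d+)", kmsg)
    key_id, err = m.group(1), int(m.group(2))
    hit = next((k for k in parse_proc_keys(proc_keys_text)
                if k["type"].startswith("asymmetri")
                and key_id in k["desc"].split()), None)
    return {"errno": errno.errorcode.get(-err, str(err)), "key": hit}

if __name__ == "__main__":
    print(explain(KMSG, PROC_KEYS))
```

The decoded masks cover only the keyring's own discretionary permissions; SELinux `key` class checks are enforced separately and do not appear in `/proc/keys`.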