Hi Scott,

On Fri, 2022-10-28 at 16:36 +0800, Guozihua (Scott) wrote:
>
> I managed to reproduce this issue with the help of the following two
> scripts:
>
> read_tmp_measurement.sh:
> > #!/bin/bash
> >
> > while true
> > do
> >     cat /root/tmp.txt > /dev/null
> >     measurement=`cat /sys/kernel/security/ima/ascii_runtime_measurements | grep "tmp\.txt" | wc -l`
> >     if [ "${measurement}" == "1" ]; then
> >         echo "measurement found"
> >         exit 1
> >     fi
> > done
>
> test.sh:
> > #!/bin/bash
> >
> > echo "measure obj_user=system_u obj_role=object_r obj_type=unlabeled_t" > /sys/kernel/security/ima/policy
> >
> > cat /root/tmp2.txt
> > measurement=`cat /sys/kernel/security/ima/ascii_runtime_measurements | grep "tmp2\.txt" | wc -l`
> > [ "$measurement" == "1" ] && echo "measurement for tmp2 found"
> >
> > cat /root/tmp.txt
> > measurement=`cat /sys/kernel/security/ima/ascii_runtime_measurements | grep "tmp\.txt" | wc -l`
> > [ "$measurement" == "1" ] && echo "measurement for tmp found, preparation failed!" && exit 1
> >
> > ./read_tmp_measurement.sh &
> > pid=$!
> >
> > cd /usr/share/selinux/default
> > semodule -i clock.pp.bz2
> > semodule -r clock
> >
> > kill ${pid}

Are you loading/unloading any selinux policy or specifically clock?  If
specifically clock, what is special about it?

> I created two files, tmp.txt and tmp2.txt, assigned them the types
> user_home_t and unlabeled_t respectively, and then ran test.sh.
> On a multi-core environment, I managed to reproduce this issue pretty
> easily and tested that once the solution is merged, the issue stops
> happening.

As I only see an IMA measurement policy rule being loaded for
"unlabeled_t" and not "user_home_t", should I assume that an IMA
measurement rule already exists for "user_home_t"?

thanks,

Mimi
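An added example, not code from Scott's or Mimi's messages: an exact-path version of the measurement check that the two scripts above do with `grep "tmp\.txt" | wc -l`, run here against a constructed sample of the ascii_runtime_measurements list (placeholder hashes, not real digests). It shows why a substring grep can over-count when another measured path contains the same name.

```shell
#!/bin/bash
# Constructed sample of /sys/kernel/security/ima/ascii_runtime_measurements
# in the ima-ng template: PCR, template hash, template name, algo:filehash,
# path. The hashes are placeholders, not real digests.
SAMPLE_LOG='10 0000000000000000000000000000000000000001 ima-ng sha256:00000000000000000000000000000000000000000000000000000000000000a1 /root/tmp2.txt
10 0000000000000000000000000000000000000002 ima-ng sha256:00000000000000000000000000000000000000000000000000000000000000a2 /root/mytmp.txt
10 0000000000000000000000000000000000000003 ima-ng sha256:00000000000000000000000000000000000000000000000000000000000000a3 /root/tmp.txt
10 0000000000000000000000000000000000000004 ima-ng sha256:00000000000000000000000000000000000000000000000000000000000000a3 /root/tmp.txt'

# count_measurements PATH [LOGFILE]
# Prints the number of measurement entries whose recorded path is exactly
# PATH; LOGFILE defaults to the live measurement list. Unlike a substring
# grep for "tmp\.txt", which also counts /root/mytmp.txt, this compares the
# path field of each entry (field 5 for ima-ng/ima-sig, field 4 for the
# legacy "ima" template). Caveat: paths containing whitespace break the
# field splitting and must be handled separately.
count_measurements() {
    local path=$1
    local log=${2:-/sys/kernel/security/ima/ascii_runtime_measurements}
    awk -v p="$path" '
        $3 == "ima"  { if ($4 == p) n++; next }
        $3 ~ /^ima-/ { if ($5 == p) n++ }
        END { print n + 0 }
    ' "$log"
}

# Stand-alone demo on the constructed sample; for a live check drop the
# second argument and run as root (the measurement list is root-readable).
sample=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$sample"
echo "tmp.txt entries:  $(count_measurements /root/tmp.txt "$sample")"   # 2
echo "tmp2.txt entries: $(count_measurements /root/tmp2.txt "$sample")"  # 1
echo "substring grep:   $(grep -c 'tmp\.txt' "$sample")"                  # 3 (over-counts mytmp.txt)
rm -f "$sample"
```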