On Tue, 2024-11-26 at 18:38 +0100, Petr Vorel wrote:
> environment variable LTP_IMA_LOAD_POLICY=1 tries to load example policy
> if available. This should be used only if tooling running LTP tests
> allows rebooting afterwards (because policy may be writable only once,
> e.g. missing CONFIG_IMA_WRITE_POLICY=y, or policies can influence each
> other).

Thanks, Petr. Allowing the policy to be updated only if permitted is a good idea.

Even with the LTP_IMA_LOAD_POLICY=1 environment variable, the policy might not be loaded. For example, when secure boot is enabled and the kernel is configured with CONFIG_IMA_ARCH_POLICY enabled, an "appraise func=POLICY_CHECK appraise_type=imasig" rule is loaded, requiring the IMA policy itself to be signed.

On failure to load a policy, the ima_conditionals.sh and ima_policy.sh tests say "TINFO: SELinux enabled in enforcing mode, this may affect test results". We should stop blaming SELinux. :)

thanks,

Mimi
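The two failure causes discussed above (a policy file that is no longer writable, and an arch policy whose "appraise func=POLICY_CHECK" rule demands a signed policy) can be told apart before the test writes to securityfs. The following shell is an added example, not LTP or kernel code: it assumes the policy lives at /sys/kernel/security/ima/policy, that reading it works (CONFIG_IMA_READ_POLICY), and uses two constructed sample policies to show the decision logic; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not LTP's or the kernel's code): work out why an unsigned
# IMA policy load would fail so a test can report the real reason rather
# than the generic "SELinux enabled" hint.

IMA_POLICY="${IMA_POLICY:-/sys/kernel/security/ima/policy}"	# assumed securityfs path

# Constructed sample resembling the rules CONFIG_IMA_ARCH_POLICY loads under
# secure boot; the POLICY_CHECK rule is the one that forces a signed policy.
SAMPLE_ARCH_POLICY='measure func=KEXEC_KERNEL_CHECK
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig
appraise func=POLICY_CHECK appraise_type=imasig'

# Constructed sample of a policy with no POLICY_CHECK appraisal rule.
SAMPLE_PLAIN_POLICY='measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC'

# ima_policy_needs_signature POLICY_TEXT
# Returns 0 if the policy contains an "appraise ... func=POLICY_CHECK" rule,
# meaning any policy written afterwards must carry a valid IMA signature.
ima_policy_needs_signature()
{
	printf '%s\n' "$1" | grep -q '^appraise[[:space:]].*func=POLICY_CHECK'
}

# ima_policy_load_blocker POLICY_TEXT WRITABLE
# Prints the reason an unsigned policy load cannot succeed, or "none".
#   POLICY_TEXT: current contents of the ima/policy file
#   WRITABLE:    "yes" if the file is writable, "no" otherwise (without
#                CONFIG_IMA_WRITE_POLICY the file disappears after one write)
ima_policy_load_blocker()
{
	policy="$1"
	writable="$2"

	if [ "$writable" != "yes" ]; then
		echo "policy file not writable (CONFIG_IMA_WRITE_POLICY=n or already written)"
		return 0
	fi
	if ima_policy_needs_signature "$policy"; then
		echo "existing 'appraise func=POLICY_CHECK' rule requires a signed policy"
		return 0
	fi
	echo "none"
}

# Apply the same logic to the running kernel and print a TINFO-style line.
ima_policy_report()
{
	if [ ! -e "$IMA_POLICY" ]; then
		echo "TINFO: $IMA_POLICY missing (securityfs not mounted, IMA disabled, or policy already written without CONFIG_IMA_WRITE_POLICY)"
		return 0
	fi
	cur=$(cat "$IMA_POLICY" 2>/dev/null)
	if [ -w "$IMA_POLICY" ]; then w=yes; else w=no; fi
	echo "TINFO: IMA policy load blocker: $(ima_policy_load_blocker "$cur" "$w")"
}

ima_policy_report
```

The check is advisory: a writable file with no POLICY_CHECK rule can still reject a policy for other reasons (bad rule syntax, conflicting rules), so the test should still examine the write's return code, but the common secure-boot and write-once cases are named correctly.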