check_ima_policy_content() now prints TINFO message when policy is not readable and it does not return 1 in this case. Therefore "'func=KEXEC_KERNEL_CHECK' appraise policy loaded, kernel image may not be signed" TWARN message in ima_kexec.sh is not printed when policy is not readable. This is better because in previous case test always failed due TWARN but result is actually unknown (e.g. don't expect missing policy, return 1 as failure only when policy is readable and checking with grep failed). Fixes: 3843e2d6fb ("IMA: Add policy related helpers") Signed-off-by: Petr Vorel <pvorel@xxxxxxx> --- testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh index cf769ac751..e958dd3334 100644 --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh @@ -94,8 +94,11 @@ check_ima_policy_content() local pattern="$1" local grep_params="${2--q}" - check_policy_readable || return 1 - grep $grep_params "$pattern" $IMA_POLICY + if check_policy_readable; then + grep $grep_params "$pattern" $IMA_POLICY + else + tst_res TINFO "WARNING: policy not readable, can't check policy for '$pattern' (possible false positives)" + fi } require_ima_policy_content() -- 2.47.1
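Review bot: In the new else branch of check_ima_policy_content() the return status is left implicit, so the function returns whatever `tst_res TINFO ...` returns. If that is 0, a caller cannot tell "pattern found by grep" apart from "policy not readable, result unknown". The commit message says not returning 1 here is intended, but the code does not state which status is returned instead. Please make it explicit, for example with `return 0` after the tst_res line, or with a distinct non-zero value if callers should be able to detect the unknown case. A short comment above the function should also document the contract: the grep status when the policy is readable, and the chosen status when it is not. Callers that treat a zero status as proof that the pattern is in the loaded policy would otherwise proceed silently on systems where $IMA_POLICY cannot be read. A smaller style point on the same line: the message is emitted as TINFO but its text starts with "WARNING:", which makes the log harder to filter by severity. Either drop the prefix or use the result type that matches it.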