06.11.2020 18:50, rishi gupta пишет: > On Fri, Nov 6, 2020 at 8:42 PM Mikhail Novosyolov > <m.novosyolov@xxxxxxxxxxxx> wrote: >> 06.11.2020 15:22, rishi gupta пишет: >>> I am getting below error as selinux is denying access to the .ima >>> keyring. Looking for guidance for asymmetric public key selinux >>> policy. >>> >>> [ 172.014855] integrity: Request for unknown key 'id:87deb3bf' err -13 >> I am getting the same error without selinux. > If I make selinux permissive, it works for me. So I know in my case > the problem is selinux. >>> [ 172.015035] audit: type=1800 audit(1604596570.579:240): pid=825 >>> uid=1021 auid=4294967295 ses=4294967295 >>> subj=system_u:system_r:mydaemon_t:s0-s15:c0.c1023 op="appraise_data" >>> cause="invalid-signature" comm="mydaemon" >>> name="/usr/lib/libstdc++.so.6.0.25" dev="ubifs" ino=14353 res=0 >> Selinux context is just logged here. It has nothing to do with reasons of ivalid signature. Public key seems to be not loaded. > Basically when we access a file, driver checks if selinux allow access > to it or not. In my case this function is returning -EACCES > https://github.com/torvalds/linux/blob/master/security/keys/permission.c#L88 >>> (a) Do I need to set the selinux context of file >>> /etc/keys/x509_ima.der. If yes what it should be. >>> (b) Do I need to set some selinux rule for .ima keyring. If yes how. I >>> tried a lot but could not find any resource. >> Usually IMA policy is loaded before SELinux policy I think > I am using the policy defined in ima_policy driver as of now. My kernel is 4.14. What is "ima_policy driver"? How does selinux and IMA policies get loaded on your system? >>> Regards, >>> Rishi
