On Thu, May 31, 2018 at 08:42:31PM +0300, Mike Rapoport wrote:
> Hi,
>
> On a system that has IMA appraisal enabled it is impossible to create
> security.ima extended attribute files that contain IMA hash.
>
> For instance, consider the following use case:
>
> 1) extract application files to a staging area as non root user
> 2) verify that installation is correct
> 3) create IMA extended attributes for the installed files
> 4) move the files to their destination
> 5) change the files ownership to root
>
> With the longterm kernels 4.4.x and 4.9.x step 3 will fail.
>
> The issues is fixed in upstream kernels by the commit
> f5acb3dcba1ffb7f0b8cbb9dba61500eea5d610b ("Revert "ima: limit file hash
> setting by user to fix and log modes"), with the patch also quoted below.
Now queued up, thanks.
greg k-h
