Re: [systemd-devel] [PATCH 1/2] ima: Have IMA policy loaded from /etc/sysconfig or /etc/default.
On Tue, 29.11.16 07:08, Stefan Berger (stef...@linux.vnet.ibm.com) wrote:

> > > Fedora has its policy in /etc/sysconfig/ima-policy while Ubuntu
> > > has it in /etc/default/ima-policy. So we try to read the IMA policy
> > > from one location and try it from another location if it couldn't
> > > be found. To maintain backwards compatibility, we also try
> > > /etc/ima/ima-policy.
> >
> > Sorry, but this looks very wrong. I am not sure what /etc/sysconfig/
> > and /etc/default/ima-policy are supposed to be, but I am pretty sure
> > placing IMA policy there is just wrong. Moreover, our goal is to
> > remove any distro-specific hooks in systemd in favour of common paths,
> > not adding new.
>
> It's confusing... Dracut for example expects it in
> /etc/sysconfig/ima-policy:
>
> https://github.com/dracutdevs/dracut/blob/master/modules.d/98integrity/ima-policy-load.sh#L10

That sounds like something to fix in dracut. I am sure Harald would be
fine with adopting the generic path. Harald?

> So following that either one has to change. I chose to change systemd. To me
> /etc/default on Debian systems is the equivalent of /etc/sysconfig on RPM
> based ones (or at least RedHat based ones), so that's where this is coming
> from.

And both of them are bad ideas. In particular the RH version. I mean
/etc is already system configuration, why would you place a directory
called "sysconfig" — which I figure is supposed to be short for
"system configuration" — inside a directory for system configuration?

Lennart

--
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH 1/2] ima: Have IMA policy loaded from /etc/sysconfig or /etc/default.
On 11/29/2016 06:49 AM, Lennart Poettering wrote:

> On Mon, 28.11.16 14:17, Stefan Berger (stef...@linux.vnet.ibm.com) wrote:
>
> > From: Stefan Berger
> >
> > Fedora has its policy in /etc/sysconfig/ima-policy while Ubuntu
> > has it in /etc/default/ima-policy. So we try to read the IMA policy
> > from one location and try it from another location if it couldn't
> > be found. To maintain backwards compatibility, we also try
> > /etc/ima/ima-policy.
>
> Sorry, but this looks very wrong. I am not sure what /etc/sysconfig/
> and /etc/default/ima-policy are supposed to be, but I am pretty sure
> placing IMA policy there is just wrong. Moreover, our goal is to
> remove any distro-specific hooks in systemd in favour of common paths,
> not adding new.

It's confusing... Dracut for example expects it in
/etc/sysconfig/ima-policy:

https://github.com/dracutdevs/dracut/blob/master/modules.d/98integrity/ima-policy-load.sh#L10

So following that either one has to change. I chose to change systemd. To me
/etc/default on Debian systems is the equivalent of /etc/sysconfig on RPM
based ones (or at least RedHat based ones), so that's where this is coming
from.

> Hence I am sorry, but I don't think this is right. Please ask the
> downstream maintainers to agree on /etc/ima/ima-policy (or any other
> common path). Let's fix the distros, let's not work around them in
> systemd.

Fine, if that's the common understanding that the proposed directories
are not appropriate.

Stefan

> I hope this makes sense, sorry,
>
> Lennart

Re: [systemd-devel] [PATCH 1/2] ima: Have IMA policy loaded from /etc/sysconfig or /etc/default.
On Mon, 28.11.16 14:17, Stefan Berger (stef...@linux.vnet.ibm.com) wrote:

> From: Stefan Berger
>
> Fedora has its policy in /etc/sysconfig/ima-policy while Ubuntu
> has it in /etc/default/ima-policy. So we try to read the IMA policy
> from one location and try it from another location if it couldn't
> be found. To maintain backwards compatibility, we also try
> /etc/ima/ima-policy.

Sorry, but this looks very wrong. I am not sure what /etc/sysconfig/
and /etc/default/ima-policy are supposed to be, but I am pretty sure
placing IMA policy there is just wrong. Moreover, our goal is to
remove any distro-specific hooks in systemd in favour of common paths,
not adding new.

Hence I am sorry, but I don't think this is right. Please ask the
downstream maintainers to agree on /etc/ima/ima-policy (or any other
common path). Let's fix the distros, let's not work around them in
systemd.

I hope this makes sense, sorry,

Lennart

--
Lennart Poettering, Red Hat

Re: [systemd-devel] [PATCH 1/2] ima: Have IMA policy loaded from /etc/sysconfig or /etc/default.
On Mon, Nov 28, 2016 at 02:17:19PM -0500, Stefan Berger wrote:

> From: Stefan Berger
>
> Fedora has its policy in /etc/sysconfig/ima-policy while Ubuntu
> has it in /etc/default/ima-policy. So we try to read the IMA policy
> from one location and try it from another location if it couldn't
> be found. To maintain backwards compatibility, we also try
> /etc/ima/ima-policy.

Shouldn't we work to get rid of those pointless differences, instead of
legitimizing them?

--
Tomasz Torcz                 Only gods can safely risk perfection,
xmpp: zdzich...@chrome.pl    it's a dangerous thing for a man.  -- Alia