Re: [systemd-devel] [PATCH 1/2] ima: Have IMA policy loaded from /etc/sysconfig or /etc/default.

2016-11-29 Thread Lennart Poettering
On Tue, 29.11.16 07:08, Stefan Berger (stef...@linux.vnet.ibm.com) wrote:

> > > Fedora has its policy in /etc/sysconfig/ima-policy while Ubuntu
> > > has it in /etc/default/ima-policy. So we try to read the IMA policy
> > > from one location and try it from another location if it couldn't
> > > be found. To maintain backwards compatibility, we also try
> > > /etc/ima/ima-policy.
> > Sorry, but this looks very wrong. I am not sure what /etc/sysconfig/
> > and /etc/default/ima-policy are supposed to be, but I am pretty sure
> > placing IMA policy there is just wrong. Moreover, our goal is to
> > remove any distro-specific hooks in systemd in favour of common paths,
> > not adding new.
> 
> It's confusing... Dracut for example expects it in
> /etc/sysconfig/ima-policy:
> 
> https://github.com/dracutdevs/dracut/blob/master/modules.d/98integrity/ima-policy-load.sh#L10

That sounds like something to fix in dracut. I am sure Harald would be
fine with adopting the generic path.

Harald?

> So following that either one has to change. I chose to change systemd. To me
> /etc/default on Debian systems is the equivalent of /etc/sysconfig on RPM
> based ones (or at least RedHat based ones), so that's where this is coming
> from.

And both of them are a bad idea. In particular the RH version. I mean
/etc is already system configuration, why would you place a directory
called "sysconfig" — which I figure is supposed to be short for
"system configuration" inside a directory for system configuration?

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel


Re: [systemd-devel] [PATCH 1/2] ima: Have IMA policy loaded from /etc/sysconfig or /etc/default.

2016-11-29 Thread Stefan Berger

On 11/29/2016 06:49 AM, Lennart Poettering wrote:
> On Mon, 28.11.16 14:17, Stefan Berger (stef...@linux.vnet.ibm.com) wrote:
> 
> > From: Stefan Berger 
> > 
> > Fedora has its policy in /etc/sysconfig/ima-policy while Ubuntu
> > has it in /etc/default/ima-policy. So we try to read the IMA policy
> > from one location and try it from another location if it couldn't
> > be found. To maintain backwards compatibility, we also try
> > /etc/ima/ima-policy.
> 
> Sorry, but this looks very wrong. I am not sure what /etc/sysconfig/
> and /etc/default/ima-policy are supposed to be, but I am pretty sure
> placing IMA policy there is just wrong. Moreover, our goal is to
> remove any distro-specific hooks in systemd in favour of common paths,
> not adding new.

It's confusing... Dracut for example expects it in
/etc/sysconfig/ima-policy:

https://github.com/dracutdevs/dracut/blob/master/modules.d/98integrity/ima-policy-load.sh#L10

So following that either one has to change. I chose to change systemd.
To me /etc/default on Debian systems is the equivalent of /etc/sysconfig
on RPM based ones (or at least RedHat based ones), so that's where this
is coming from.

> Hence I am sorry, but I don't think this is right. Please ask the
> downstream maintainers to agree on /etc/ima/ima-policy (or any other
> common path). Let's fix the distros, let's not work around them in
> systemd.

Fine, if that's the common understanding that the proposed directories
are not appropriate.

   Stefan

> I hope this makes sense,
> 
> sorry,
> 
> Lennart





Re: [systemd-devel] [PATCH 1/2] ima: Have IMA policy loaded from /etc/sysconfig or /etc/default.

2016-11-29 Thread Lennart Poettering
On Mon, 28.11.16 14:17, Stefan Berger (stef...@linux.vnet.ibm.com) wrote:

> From: Stefan Berger 
> 
> Fedora has its policy in /etc/sysconfig/ima-policy while Ubuntu
> has it in /etc/default/ima-policy. So we try to read the IMA policy
> from one location and try it from another location if it couldn't
> be found. To maintain backwards compatibility, we also try
> /etc/ima/ima-policy.

Sorry, but this looks very wrong. I am not sure what /etc/sysconfig/
and /etc/default/ima-policy are supposed to be, but I am pretty sure
placing IMA policy there is just wrong. Moreover, our goal is to
remove any distro-specific hooks in systemd in favour of common paths,
not adding new.

Hence I am sorry, but I don't think this is right. Please ask the
downstream maintainers to agree on /etc/ima/ima-policy (or any other
common path). Let's fix the distros, let's not work around them in
systemd.

I hope this makes sense,

sorry,

Lennart

-- 
Lennart Poettering, Red Hat


Re: [systemd-devel] [PATCH 1/2] ima: Have IMA policy loaded from /etc/sysconfig or /etc/default.

2016-11-28 Thread Tomasz Torcz
On Mon, Nov 28, 2016 at 02:17:19PM -0500, Stefan Berger wrote:
> From: Stefan Berger 
> 
> Fedora has its policy in /etc/sysconfig/ima-policy while Ubuntu
> has it in /etc/default/ima-policy. So we try to read the IMA policy
> from one location and try it from another location if it couldn't
> be found. To maintain backwards compatibility, we also try
> /etc/ima/ima-policy.

  Shouldn't we work to get rid of those pointless differences, instead
of legitimizing them?

-- 
Tomasz Torcz                        Only gods can safely risk perfection,
xmpp: zdzich...@chrome.pl           it's a dangerous thing for a man.  -- Alia
