On Tue, 2015-10-20 at 10:26 +0300, Petko Manolov wrote: > On 15-10-19 14:21:42, Mimi Zohar wrote: > > On Fri, 2015-10-16 at 22:31 +0300, Petko Manolov wrote: > > > When in development it is useful to read back the IMA policy. This patch > > > provides the functionality. However, this is a potential security hole so > > > it should not be used in production-grade kernels. > > > > Like the other IMA securityfs files, only root would be able to read it. > > Once we start allowing additional rules to be appended to the policy, > > being able to view the resulting policy is important. Is there a reason > > for limiting this option to development? > > I have not considered allowing non-root users to read the policy - i was > merely > cleaning up the Zbigniew's patch. I guess it might be useful to be able to > read > the policy when in development mode.
I guess I wasn't clear. I don't have a problem with the patch itself, just with the patch description. What is this "security hole" that the option should ONLY be configured for development? Only privileged users can view the policy. I don't see the problem with configuring it in general. Please remove the comment. Since responding, I've enabled this feature. Very nice! Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
