The following series of patches addresses some issues with signatures on
files. In particular:
- some files marked as config files are also executables and therefore
need to have a signature applied
- the IMA plugin may only run on package install cycle rather than the
remove cycle, which would apply the previous versions' signatures on
the files
- some RPM packages require that the files be signed when the post
install scriptlets are run since they may invoke executables that
were just installed; so we have to also run the IMA plugin on the
scriptlet_pre plugin hook, but have to extend that hook with the rpmte
parameter type
Regards,
Stefan
Stefan Berger (3):
ima-plugin: Have executable configuration files signed
ima-plugin: Only run the IMA plugin on package installation
plugins: Pass rpmte to scriptlet_pre and call IMA plugin in this hook
lib/rpmplugin.h | 3 ++-
lib/rpmplugins.c | 5 +++--
lib/rpmplugins.h | 3 ++-
lib/rpmscript.c | 5 +++--
lib/rpmscript.h | 3 ++-
lib/transaction.c | 2 +-
plugins/ima.c | 38 ++++++++++++++++++++++++++++++--------
7 files changed, 43 insertions(+), 16 deletions(-)
--
2.5.5
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
