The following series of patches addresses some issues with signatures on files. In particular:
- some files marked as config files are also executables and therefore
  need to have a signature applied
- the IMA plugin may only run on package install cycle rather than the
  remove cycle, which would apply the previous versions' signatures on
  the files
- some RPM packages require that the files be signed when the post
  install scriptlets are run since they may invoke executables that were
  just installed; so we have to also run the IMA plugin on the
  scriptlet_pre plugin hook, but have to extend that hook with the rpmte
  parameter type

Regards,
   Stefan

Stefan Berger (3):
  ima-plugin: Have executable configuration files signed
  ima-plugin: Only run the IMA plugin on package installation
  plugins: Pass rpmte to scriptlet_pre and call IMA plugin in this hook

 lib/rpmplugin.h   |  3 ++-
 lib/rpmplugins.c  |  5 +++--
 lib/rpmplugins.h  |  3 ++-
 lib/rpmscript.c   |  5 +++--
 lib/rpmscript.h   |  3 ++-
 lib/transaction.c |  2 +-
 plugins/ima.c     | 38 ++++++++++++++++++++++++++++++--------
 7 files changed, 43 insertions(+), 16 deletions(-)

-- 
2.5.5

_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint