Re: IMA testing, Re: Fedora Linux 37 Beta Released

2023-02-18 Thread Kevin Fenzi
On Thu, Oct 27, 2022 at 05:07:29PM +0200, David Sastre wrote:
> Hello and apologies for resurrecting an old thread.

And now I am posting to it again, so likewise apologies.

> I was looking for information regarding IMA in F37 and found it was asked
> but I could not see any replies.
> My question is exactly the same as the OP, I do not see security.ima
> attributes on files after upgrading to F37.
> (https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents)
> 
> ```
> $ getfattr --absolute-names -d -m - /usr/bin/cp
> # file: /usr/bin/cp
> security.selinux="system_u:object_r:bin_t:s0"
> ```
> 
> This output is after reinstalling coreutils. I have rpm-plugin-ima
> installed.

There turned out to be a weird issue with the rpm on our sign vault
server and it wasn't signing things correctly. This was fixed a while
back (before the most recent mass rebuild), and f38/f39/eln rpms should
all be signed right now. 

The change was re-targeted at f38 I think.

> Also, where could one find the publiccert.der certificate to perform manual
> validation?
> It is not published at https://getfedora.org/security/

I've just added f38/f39 ones to fedora-repos:

https://src.fedoraproject.org/rpms/fedora-repos/c/93b2c8add81f2d6f83874ce53b080adbc4fe6826?branch=rawhide

I meant it to be a commit to my fork for a PR, but somehow my fork got
messed up and I ended up pushing it in directly. ;( 

I would appreciate feedback from anyone who knows IMA more than I... 
are the certs the ones you need? Is the place I put them in fedora-repos
ok/obvious? Lots of IMA docs use /etc/keys but I figured
/etc/pki/rpm-ima made a lot more sense than a generic sounding dir like
/etc/keys.

Hope that helps.

kevin
--
> I do not have any custom policy defined for IMA, but that should not matter:
> 
> ```
> $ sudo cat /sys/kernel/security/ima/policy
> measure func=KEXEC_KERNEL_CHECK
> measure func=MODULE_CHECK
> ```
> 
> Thanks.
> 
> 
> On Tue, Sep 13, 2022 at 9:28 PM Frank Ch. Eigler  wrote:
> 
> >
> > bcotton wrote:
> >
> > > [...]
> > > ## Beta Release Highlights
> > > [...]
> > > # RPM content is now signed with IMA signatures
> >
> > How can one observe this?  Even with rpm-plugin-ima installed, steps in:
> >
> > https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents#How_To_Test
> >
> > produce no output for any of the files I tried in a f37-beta install.
> > The appropriate "publiccert.der" file does not seem to be available
> > either.
> >
> > - FChE
> > ___
> > devel mailing list -- devel@lists.fedoraproject.org
> > To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> > Fedora Code of Conduct:
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> > https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
> > Do not reply to spam, report it:
> > https://pagure.io/fedora-infrastructure/new_issue
> >



Re: IMA testing, Re: Fedora Linux 37 Beta Released

2022-10-27 Thread David Sastre
Hello and apologies for resurrecting an old thread.

I was looking for information regarding IMA in F37 and found it was asked
but I could not see any replies.
My question is exactly the same as the OP, I do not see security.ima
attributes on files after upgrading to F37.
(https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents)

```
$ getfattr --absolute-names -d -m - /usr/bin/cp
# file: /usr/bin/cp
security.selinux="system_u:object_r:bin_t:s0"
```

This output is after reinstalling coreutils. I have rpm-plugin-ima
installed.

Also, where could one find the publiccert.der certificate to perform manual
validation?
It is not published at https://getfedora.org/security/

I do not have any custom policy defined for IMA, but that should not matter:

```
$ sudo cat /sys/kernel/security/ima/policy
measure func=KEXEC_KERNEL_CHECK
measure func=MODULE_CHECK
```

Thanks.


On Tue, Sep 13, 2022 at 9:28 PM Frank Ch. Eigler  wrote:

>
> bcotton wrote:
>
> > [...]
> > ## Beta Release Highlights
> > [...]
> > # RPM content is now signed with IMA signatures
>
> How can one observe this?  Even with rpm-plugin-ima installed, steps in:
>
> https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents#How_To_Test
>
> produce no output for any of the files I tried in a f37-beta install.
> The appropriate "publiccert.der" file does not seem to be available
> either.
>
> - FChE
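Added example, not from this thread and not Fedora's own tooling: a small Python parser for the `getfattr -d` dump format shown above that decodes each `security.ima` value and reports, per file, the IMA v2 signature header (hash algorithm, key id, signature size) or that the file carries no signature, which is the symptom described in the thread. The sample dump, its paths and the `11223344` key id are constructed; the header layout follows the kernel's `signature_v2_hdr`.

```python
import base64

# Layout from the Linux kernel (security/integrity/integrity.h, uapi/linux/hash_info.h):
# one type byte EVM_IMA_XATTR_DIGSIG, then signature_v2_hdr = version, hash_algo,
# keyid (be32), sig_size (be16), sig[].
EVM_IMA_XATTR_DIGSIG = 3
DIGSIG_VERSION_2 = 2
HASH_ALGOS = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160", 4: "sha256",
              5: "sha384", 6: "sha512"}

def decode_xattr_value(raw):
    """Decode one getfattr -d value: 0s = base64, 0x = hex, otherwise quoted text."""
    if raw.startswith("0s"):
        return base64.b64decode(raw[2:])
    if raw.startswith("0x"):
        return bytes.fromhex(raw[2:])
    return raw.strip('"').encode()

def parse_ima_sig(blob):
    """Return (hash_algo, keyid_hex, sig_size) for a v2 IMA signature, else None."""
    if len(blob) < 9 or blob[0] != EVM_IMA_XATTR_DIGSIG or blob[1] != DIGSIG_VERSION_2:
        return None
    sig_size = int.from_bytes(blob[7:9], "big")
    if len(blob) != 9 + sig_size:
        return None  # truncated or padded blob: treat as malformed
    # keyid = last four bytes of the signing cert's Subject Key Identifier; this is
    # what lets you match a file's signature to a cert such as publiccert.der.
    return HASH_ALGOS.get(blob[2], "unknown(%d)" % blob[2]), blob[3:7].hex(), sig_size

def audit_getfattr_dump(dump):
    """Map each '# file:' entry of a getfattr -d dump to its IMA signature info or None."""
    result, current = {}, None
    for line in dump.splitlines():
        if line.startswith("# file: "):
            current = line[8:]
            result[current] = None  # no security.ima seen for this file (yet)
        elif current and line.startswith("security.ima="):
            result[current] = parse_ima_sig(decode_xattr_value(line.split("=", 1)[1]))
    return result

def sample_dump():
    """Constructed getfattr output: a signed /usr/bin/cp and an unsigned /usr/bin/ls."""
    sig = bytes([EVM_IMA_XATTR_DIGSIG, DIGSIG_VERSION_2, 4])  # 4 = sha256
    sig += bytes.fromhex("11223344") + (256).to_bytes(2, "big") + bytes(256)  # fake keyid, fake RSA-2048 sig
    return ("# file: /usr/bin/cp\nsecurity.ima=0s%s\n"
            'security.selinux="system_u:object_r:bin_t:s0"\n\n'
            '# file: /usr/bin/ls\nsecurity.selinux="system_u:object_r:bin_t:s0"\n'
            % base64.b64encode(sig).decode())

def unsigned_files(dump):
    """Paths in the dump that carry no valid IMA signature xattr."""
    return sorted(p for p, info in audit_getfattr_dump(dump).items() if info is None)
```

On a real system feed it the output of `getfattr --absolute-names -d -m - $(rpm -ql coreutils)` to list which files of a package arrived unsigned.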


IMA testing, Re: Fedora Linux 37 Beta Released

2022-09-13 Thread Frank Ch. Eigler

bcotton wrote:

> [...]
> ## Beta Release Highlights
> [...]
> # RPM content is now signed with IMA signatures

How can one observe this?  Even with rpm-plugin-ima installed, steps in:

https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents#How_To_Test

produce no output for any of the files I tried in a f37-beta install.
The appropriate "publiccert.der" file does not seem to be available
either.

- FChE