There is also the run-time variant of the previous build-time configuration:
use a macro to define a mask that is applied to the rpmfiFFlags() return value
before testing for RPMFILE_CONFIG.
A global per-system (or per-transaction) AND mask (defaulted to 0x)
could be generally useful in RPM
There is a very simple macro
%define %config %{nil}
which -- when added to rpmbuild configuration -- achieves an ima signature on
every file without any fuss whatsoever.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https:
FYI: MaximumRPM was written in 1997 and does not begin to define the necessary
semantics to implement signatures on mutable files in a useful way. There have
been several changes in both %config/%ghost handling since 1997.
Q: What use is it to IMA policies to have a pre-packaged signature on a f
So from the documentation at
http://ftp.rpm.org/max-rpm/s1-rpm-inside-files-list-directives.html I take that
the file is neither packaged nor installed. Since it's not packaged, the RPM
also doesn't carry a signature and we cannot write a signature out. If someone
wants to write signatures out
One might well ask: Why sign any "mutable" file?
The (rather inchoate) answer supplied in the original RFE for signing %config
files was (iiuc) 1) so that IMA policy can be written against %config files
and 2) so that %config files in a package will have an ima signature in an
xattr.
The sa
@n3npq With this patch we would basically allow everything to be signed for
which we have signatures since we previously only filtered out %config files
that were not executable. If a %ghost file has a signature stored in the rpm,
it would at least now have it written out as well. If %ghost fil
If you are going to sign "mutable" %config files, you might as well sign %ghost
files as well (by signing the hash of the null string).
Good point. Using .init now. :-)
https://github.com/rpm-software-management/rpm/pull/374#issuecomment-364449325
Ok. Just occurred to me that since we're talking about a plugin here, you could
simply read the config value on plugin initialization without having to bother
with the oneshot-stuff. Whether you want to use that instead is up to you
though, I'll probably just merge what's here on Monday unless n
@pmatilai I updated the patch to use `%_ima_sign_config_files`.
https://github.com/rpm-software-management/rpm/pull/374#issuecomment-364436703
Patch looks ok to me, but on the macro naming - maybe it'd make sense to have
ima as a prefix of the config macro. Such as %_ima_sign_config_files or so?