The following series of patches addresses some issues with signatures on
files. In particular:
- some files marked as config files are also executables and therefore
need to have a signature applied
- the IMA plugin may only run on package install cycle rather than the
remove cycle, which woul
We want to prevent that the IMA plugin applies signatures of the older
version of files. So we have to check whether we are in the install
(TR_ADDED) or remove (TR_REMOVED) cycle of a package. We only apply
signatures in the install cycle.
Signed-off-by: Stefan Berger
---
plugins/ima.c | 3 +++
Some configuration files are executables and so they require the
signature in the extended attribute. If they are not executable,
they can be skipped.
Examples for configuration files that are also executables are
the grub files in /etc/grub.d.
Signed-off-by: Stefan Berger
---
plugins/ima.c | 2
Introduce fsm_pre and fsm_post hooks, which are invoked
before and after the package files are installed.
Signed-off-by: Stefan Berger
---
lib/psm.c | 6 +-
lib/rpmplugin.h | 6 ++
lib/rpmplugins.c | 35 +++
lib/rpmplugins.h | 19
Move the IMA plugin to the fsm_post hook. Check whether the given
return code indicates an error, and do nothing in case it does
show an error. There is nothing to clean up, so we can do that.
Signed-off-by: Stefan Berger
---
plugins/ima.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletion
On 09/22/2016 08:30 PM, Stefan Berger wrote:
Some configuration files are executables and so they require the
signature in the extended attribute. If they are not executable,
they can be skipped.
Examples for configuration files that are also executables are
the grub files in /etc/grub.d.
Signe