Re: [systemd-devel] [PATCH v2] 98integrity: Use /etc/ima as dir for IMA policy and config file

2016-11-30 Thread Stefan Berger

On 11/30/2016 10:52 AM, Harald Hoyer wrote:
> On 30.11.2016 16:24, Stefan Berger wrote:
>> On 11/30/2016 10:16 AM, Harald Hoyer wrote:
>>> On 30.11.2016 16:10, Stefan Berger wrote:
>>>> From: Stefan Berger 
>>>>
>>>> To sync with systemd, use the filepath /etc/ima/ima-policy as
>>>> the file location for the IMA policy. At the same time we
>>>> move the ima config file location to /etc/ima/ima. Adapt the
>>>> documentation to the new path.
>>>>
>>>> Signed-off-by: Stefan Berger 
>>>
>>> One more thing: Do you want to be backwards compatible and also read the old 
>>> files, if they exist?
>>
>> I had thought about that and can certainly add it.  Neither Fedora, RHEL, nor 
>> SUSE are packaging these files so far. So likely
>> there aren't many users out there. Considering that, what would you suggest?
>
> Hmm, I'll add it to the dracut NEWS file

Let me send a v3 of the patch with backwards compatibility. I'll have it 
look for the new location first, then fall back to the old files.



___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
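
The lookup order described in the reply above (new location first, then the old files), as an added example that is not part of the thread or of dracut's code. The function names `ima_pick_config` and `ima_pick_policy` are hypothetical, and letting an `IMAPOLICY` value from the config file take precedence over the defaults is an assumption.

```shell
# Added example; ima_pick_config and ima_pick_policy are hypothetical names.
NEW_CONFIG="/etc/ima/ima";        OLD_CONFIG="/etc/sysconfig/ima"
NEW_POLICY="/etc/ima/ima-policy"; OLD_POLICY="/etc/sysconfig/ima-policy"

# Print the config file to read under root $1 (e.g. $NEWROOT): the new
# location first, then the old one. Returns 1 when neither exists.
ima_pick_config() {
    root="$1"
    if [ -f "${root}${NEW_CONFIG}" ]; then
        if [ -f "${root}${OLD_CONFIG}" ]; then
            echo "ima: ${OLD_CONFIG} ignored, ${NEW_CONFIG} wins" >&2
        fi
        echo "${root}${NEW_CONFIG}"
    elif [ -f "${root}${OLD_CONFIG}" ]; then
        echo "ima: legacy ${OLD_CONFIG} in use, move it to ${NEW_CONFIG}" >&2
        echo "${root}${OLD_CONFIG}"
    else
        return 1
    fi
}

# Print the policy path, relative to the root: an IMAPOLICY set in the
# config file wins (assumption), otherwise the new default, then the old one.
ima_pick_policy() {
    root="$1"
    policy=""
    if config=$(ima_pick_config "$root"); then
        # Source in a subshell so the config cannot change this shell's state.
        policy=$(IMAPOLICY=""; . "$config" >/dev/null; printf '%s' "$IMAPOLICY")
    fi
    if [ -n "$policy" ]; then
        echo "$policy"
    elif [ -f "${root}${NEW_POLICY}" ]; then
        echo "$NEW_POLICY"
    elif [ -f "${root}${OLD_POLICY}" ]; then
        echo "ima: legacy ${OLD_POLICY} in use, move it to ${NEW_POLICY}" >&2
        echo "$OLD_POLICY"
    else
        return 1
    fi
}

# Constructed demo tree in which only the legacy files exist.
demo=$(mktemp -d)
mkdir -p "$demo/etc/sysconfig"
echo 'IMAKEYSDIR="/etc/keys/ima"' > "$demo/etc/sysconfig/ima"
: > "$demo/etc/sysconfig/ima-policy"
ima_pick_config "$demo"
ima_pick_policy "$demo"
rm -rf "$demo"
```

The warnings go to stderr so that a caller capturing the printed path still sees when a legacy file was the one chosen.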


Re: [systemd-devel] [PATCH v2] 98integrity: Use /etc/ima as dir for IMA policy and config file

2016-11-30 Thread Harald Hoyer
On 30.11.2016 16:24, Stefan Berger wrote:
> On 11/30/2016 10:16 AM, Harald Hoyer wrote:
>> On 30.11.2016 16:10, Stefan Berger wrote:
>>> From: Stefan Berger 
>>>
>>> To sync with systemd, use the filepath /etc/ima/ima-policy as
>>> the file location for the IMA policy. At the same time we
>>> move the ima config file location to /etc/ima/ima. Adapt the
>>> documentation to the new path.
>>>
>>> Signed-off-by: Stefan Berger 
>>
>> One more thing: Do you want to be backwards compatible and also read the old 
>> files, if they exist?
> 
> I had thought about that and can certainly add it.  Neither Fedora, RHEL, nor 
> SUSE are packaging these files so far. So likely
> there aren't many users out there. Considering that, what would you suggest?
> 

Hmm, I'll add it to the dracut NEWS file


Re: [systemd-devel] [PATCH v2] 98integrity: Use /etc/ima as dir for IMA policy and config file

2016-11-30 Thread Stefan Berger

On 11/30/2016 10:16 AM, Harald Hoyer wrote:
> On 30.11.2016 16:10, Stefan Berger wrote:
>> From: Stefan Berger 
>>
>> To sync with systemd, use the filepath /etc/ima/ima-policy as
>> the file location for the IMA policy. At the same time we
>> move the ima config file location to /etc/ima/ima. Adapt the
>> documentation to the new path.
>>
>> Signed-off-by: Stefan Berger 
>
> One more thing: Do you want to be backwards compatible and also read the old 
> files, if they exist?

I had thought about that and can certainly add it.  Neither Fedora, 
RHEL, nor SUSE are packaging these files so far. So likely there aren't 
many users out there. Considering that, what would you suggest?




[systemd-devel] [PATCH v2] 98integrity: Use /etc/ima as dir for IMA policy and config file

2016-11-30 Thread Stefan Berger
From: Stefan Berger 

To sync with systemd, use the filepath /etc/ima/ima-policy as
the file location for the IMA policy. At the same time we
move the ima config file location to /etc/ima/ima. Adapt the
documentation to the new path.

Signed-off-by: Stefan Berger 
---
 modules.d/98integrity/README | 8 
 modules.d/98integrity/ima-keys-load.sh   | 2 +-
 modules.d/98integrity/ima-policy-load.sh | 9 +++--
 3 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/modules.d/98integrity/README b/modules.d/98integrity/README
index 64de0ae..c8ccee5 100644
--- a/modules.d/98integrity/README
+++ b/modules.d/98integrity/README
@@ -33,10 +33,10 @@ line.
 
 # Save the policy in a file.
 
-# Create the configuration file '/etc/sysconfig/ima' to override the path name 
of
+# Create the configuration file '/etc/ima/ima' to override the path name of
 # the IMA custom policy.
-- '/etc/sysconfig/ima' (with the default value) -
-IMAPOLICY="/etc/sysconfig/ima-policy"
+- '/etc/ima/ima' (with the default value) -
+IMAPOLICY="/etc/ima/ima-policy"
 -
 
 
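Review bot: The README text for '/etc/ima/ima' and the new IMAPOLICY default documents only the new location and gives no guidance to someone upgrading with files already under /etc/sysconfig. Add a sentence here naming the old paths ('/etc/sysconfig/ima' and '/etc/sysconfig/ima-policy') and stating whether they are still read, so that an existing custom policy does not stop being picked up without the administrator noticing.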
@@ -64,5 +64,5 @@ IMAPOLICY="/etc/sysconfig/ima-policy"
 
 # 98integrity/ima-keys-load.sh script loads the signed certificates stored 
 # in the $IMAKEYSDIR onto the trusted IMA keyring.  The default $IMAKEYSDIR
-# directory is /etc/keys/ima, but can be specified in the /etc/sysconfig/ima
+# directory is /etc/keys/ima, but can be specified in the /etc/ima/ima
 # policy.
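Review bot: In the ima-keys-load.sh paragraph, "can be specified in the /etc/ima/ima policy" calls the configuration file a policy, which is easy to misread now that the policy itself sits next to it as /etc/ima/ima-policy. Since the line is being changed anyway, suggest "can be specified in the /etc/ima/ima configuration file".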
diff --git a/modules.d/98integrity/ima-keys-load.sh 
b/modules.d/98integrity/ima-keys-load.sh
index 659b722..6c6db40 100755
--- a/modules.d/98integrity/ima-keys-load.sh
+++ b/modules.d/98integrity/ima-keys-load.sh
@@ -2,7 +2,7 @@
 
 SECURITYFSDIR="/sys/kernel/security"
 IMASECDIR="${SECURITYFSDIR}/ima"
-IMACONFIG="${NEWROOT}/etc/sysconfig/ima"
+IMACONFIG="${NEWROOT}/etc/ima/ima"
 
 load_x509_keys()
 {
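Review bot: IMACONFIG now points only at ${NEWROOT}/etc/ima/ima, with no fallback to ${NEWROOT}/etc/sysconfig/ima. On a host that sets IMAKEYSDIR in the old file, the override would no longer be read and, going by the README, keys would be taken from the default /etc/keys/ima instead. Consider testing the new path first and the old one second, and printing a message when the old one is used.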
diff --git a/modules.d/98integrity/ima-policy-load.sh 
b/modules.d/98integrity/ima-policy-load.sh
index 85cd3b9..4cd6ba3 100755
--- a/modules.d/98integrity/ima-policy-load.sh
+++ b/modules.d/98integrity/ima-policy-load.sh
@@ -5,10 +5,15 @@
 # Copyright (C) 2011 Politecnico di Torino, Italy
 #TORSEC group -- http://security.polito.it
 # Roberto Sassu 
+#
+# Copyright (C) 2016 IBM Corporation
+#
+# Stefan Berger 
+#
 
 IMASECDIR="${SECURITYFSDIR}/ima"
-IMACONFIG="${NEWROOT}/etc/sysconfig/ima"
-IMAPOLICY="/etc/sysconfig/ima-policy"
+IMACONFIG="${NEWROOT}/etc/ima/ima"
+IMAPOLICY="/etc/ima/ima-policy"
 
 load_ima_policy()
 {
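Review bot: The IMAPOLICY default moves from /etc/sysconfig/ima-policy to /etc/ima/ima-policy in the same step as IMACONFIG, so a system that relied on the old default and has no config file loses both ways of locating its policy. load_ima_policy's body is not shown in this hunk, so it is worth confirming what it does when the policy file is absent and making sure that case is logged; trying the old default after the new one would keep existing setups working.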
-- 
2.8.3



Re: [systemd-devel] [PATCH v2] 98integrity: Use /etc/ima as dir for IMA policy and config file

2016-11-30 Thread Harald Hoyer
On 30.11.2016 16:10, Stefan Berger wrote:
> From: Stefan Berger 
> 
> To sync with systemd, use the filepath /etc/ima/ima-policy as
> the file location for the IMA policy. At the same time we
> move the ima config file location to /etc/ima/ima. Adapt the
> documentation to the new path.
> 
> Signed-off-by: Stefan Berger 


One more thing: Do you want to be backwards compatible and also read the old 
files, if they exist?
