Re: [systemd-devel] [PATCH v2] 98integrity: Use /etc/ima as dir for IMA policy and config file
On 11/30/2016 10:52 AM, Harald Hoyer wrote:
> On 30.11.2016 16:24, Stefan Berger wrote:
>> On 11/30/2016 10:16 AM, Harald Hoyer wrote:
>>> On 30.11.2016 16:10, Stefan Berger wrote:
>>>> From: Stefan Berger
>>>>
>>>> To sync with systemd, use the filepath /etc/ima/ima-policy as
>>>> the file location for the IMA policy. At the same time we
>>>> move the ima config file location to /etc/ima/ima. Adapt the
>>>> documentation to the new path.
>>>>
>>>> Signed-off-by: Stefan Berger
>>>
>>> One more thing: Do you want to be backwards compatible and also read the old
>>> files, if they exist?
>>
>> I had thought about that and can certainly add it. Neither Fedora, RHEL, nor
>> SUSE are packaging these files so far. So likely
>> there aren't many users out there. Considering that, what would you suggest?
>
> Hmm, I'll add it to the dracut NEWS file.

Let me send a v3 of the patch with backwards compatibility. I'll have it look for the new location first, then fall back to the old files.

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
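The lookup order Stefan describes for v3 (new /etc/ima location first, old /etc/sysconfig location as the fallback), written out as an added example; this is editor-supplied code, not part of the thread and not dracut's own 98integrity scripts. It goes one step beyond the message by also honouring an IMAPOLICY override read from whichever config file is found, as the README describes. The function names, the use of a root-directory argument in place of ${NEWROOT}, and reading IMAPOLICY with sed rather than sourcing the config file are assumptions of this example, not details from the patch.

```sh
#!/bin/sh
# Added example, not dracut's code: resolve the IMA config and policy paths
# by checking the new /etc/ima location first and falling back to the old
# /etc/sysconfig location, as proposed for v3 of the patch.
# Assumptions (not from the patch): helper names, a root argument standing
# in for ${NEWROOT}, and reading IMAPOLICY= with sed instead of sourcing.

# Print the first existing regular file among the arguments; fail if none.
first_existing() {
    for candidate in "$@"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Config file: the new location wins, the old one is only a fallback.
find_ima_config() {
    first_existing "$1/etc/ima/ima" "$1/etc/sysconfig/ima"
}

# Policy file: honour IMAPOLICY from whichever config file was found,
# otherwise try the new default path, then the old one.
find_ima_policy() {
    root="$1"
    cfg=$(find_ima_config "$root") || cfg=""
    custom=""
    if [ -n "$cfg" ]; then
        # Read IMAPOLICY=... (quoted or not) without executing the file.
        custom=$(sed -n 's/^IMAPOLICY="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$cfg" | head -n 1)
    fi
    if [ -n "$custom" ]; then
        # An explicit override is taken literally: no silent fallback if missing.
        first_existing "$root$custom"
    else
        first_existing "$root/etc/ima/ima-policy" "$root/etc/sysconfig/ima-policy"
    fi
}

# Report where the policy that would be loaded lives: new, old, custom or none.
# Useful as an upgrade check: "old" means the system still relies on the
# pre-move path and would lose its policy with a loader that knows only /etc/ima.
classify_policy_location() {
    root="$1"
    found=$(find_ima_policy "$root") || found=""
    case "$found" in
        "$root/etc/ima/ima-policy") echo new ;;
        "$root/etc/sysconfig/ima-policy") echo old ;;
        "") echo none ;;
        *) echo custom ;;
    esac
}

# Demo on a constructed tree: only the old-location policy, then the new one added.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/sysconfig" "$demo_root/etc/ima"
touch "$demo_root/etc/sysconfig/ima-policy"
echo "old only:     $(classify_policy_location "$demo_root")"
touch "$demo_root/etc/ima/ima-policy"
echo "both present: $(classify_policy_location "$demo_root")"
rm -rf "$demo_root"
```

When both files exist the new path is chosen, so a distribution that ships /etc/ima/ima-policy can leave a stale /etc/sysconfig/ima-policy in place without it taking effect; the "old" result from classify_policy_location is the case worth flagging in release notes, since it is the configuration that a loader without the fallback would silently skip.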
Re: [systemd-devel] [PATCH v2] 98integrity: Use /etc/ima as dir for IMA policy and config file
On 30.11.2016 16:24, Stefan Berger wrote:
> On 11/30/2016 10:16 AM, Harald Hoyer wrote:
>> On 30.11.2016 16:10, Stefan Berger wrote:
>>> From: Stefan Berger
>>>
>>> To sync with systemd, use the filepath /etc/ima/ima-policy as
>>> the file location for the IMA policy. At the same time we
>>> move the ima config file location to /etc/ima/ima. Adapt the
>>> documentation to the new path.
>>>
>>> Signed-off-by: Stefan Berger
>>
>> One more thing: Do you want to be backwards compatible and also read the old
>> files, if they exist?
>
> I had thought about that and can certainly add it. Neither Fedora, RHEL, nor
> SUSE are packaging these files so far. So likely
> there aren't many users out there. Considering that, what would you suggest?

Hmm, I'll add it to the dracut NEWS file.
Re: [systemd-devel] [PATCH v2] 98integrity: Use /etc/ima as dir for IMA policy and config file
On 11/30/2016 10:16 AM, Harald Hoyer wrote:
> On 30.11.2016 16:10, Stefan Berger wrote:
>> From: Stefan Berger
>>
>> To sync with systemd, use the filepath /etc/ima/ima-policy as
>> the file location for the IMA policy. At the same time we
>> move the ima config file location to /etc/ima/ima. Adapt the
>> documentation to the new path.
>>
>> Signed-off-by: Stefan Berger
>
> One more thing: Do you want to be backwards compatible and also read the old
> files, if they exist?

I had thought about that and can certainly add it. Neither Fedora, RHEL, nor SUSE are packaging these files so far. So likely there aren't many users out there. Considering that, what would you suggest?
[systemd-devel] [PATCH v2] 98integrity: Use /etc/ima as dir for IMA policy and config file
From: Stefan Berger To sync with systemd, use the filepath /etc/ima/ima-policy as the file location for the IMA policy. At the same time we move the ima config file location to /etc/ima/ima. Adapt the documentation to the new path. Signed-off-by: Stefan Berger --- modules.d/98integrity/README | 8 modules.d/98integrity/ima-keys-load.sh | 2 +- modules.d/98integrity/ima-policy-load.sh | 9 +++-- 3 files changed, 12 insertions(+), 7 deletions(-) diff --git a/modules.d/98integrity/README b/modules.d/98integrity/README index 64de0ae..c8ccee5 100644 --- a/modules.d/98integrity/README +++ b/modules.d/98integrity/README @@ -33,10 +33,10 @@ line. # Save the policy in a file. -# Create the configuration file '/etc/sysconfig/ima' to override the path name of +# Create the configuration file '/etc/ima/ima' to override the path name of # the IMA custom policy. -- '/etc/sysconfig/ima' (with the default value) - -IMAPOLICY="/etc/sysconfig/ima-policy" +- '/etc/ima/ima' (with the default value) - +IMAPOLICY="/etc/ima/ima-policy" - @@ -64,5 +64,5 @@ IMAPOLICY="/etc/sysconfig/ima-policy" # 98integrity/ima-keys-load.sh script loads the signed certificates stored # in the $IMAKEYSDIR onto the trusted IMA keyring. The default $IMAKEYSDIR -# directory is /etc/keys/ima, but can be specified in the /etc/sysconfig/ima +# directory is /etc/keys/ima, but can be specified in the /etc/ima/ima # policy. diff --git a/modules.d/98integrity/ima-keys-load.sh b/modules.d/98integrity/ima-keys-load.sh index 659b722..6c6db40 100755 --- a/modules.d/98integrity/ima-keys-load.sh +++ b/modules.d/98integrity/ima-keys-load.sh @@ -2,7 +2,7 @@ SECURITYFSDIR="/sys/kernel/security" IMASECDIR="${SECURITYFSDIR}/ima" -IMACONFIG="${NEWROOT}/etc/sysconfig/ima" +IMACONFIG="${NEWROOT}/etc/ima/ima" load_x509_keys() { diff --git a/modules.d/98integrity/ima-policy-load.sh b/modules.d/98integrity/ima-policy-load.sh index 85cd3b9..4cd6ba3 100755 --- a/modules.d/98integrity/ima-policy-load.sh 
+++ b/modules.d/98integrity/ima-policy-load.sh @@ -5,10 +5,15 @@ # Copyright (C) 2011 Politecnico di Torino, Italy #TORSEC group -- http://security.polito.it # Roberto Sassu +# +# Copyright (C) 2016 IBM Corporation +# +# Stefan Berger +# IMASECDIR="${SECURITYFSDIR}/ima" -IMACONFIG="${NEWROOT}/etc/sysconfig/ima" -IMAPOLICY="/etc/sysconfig/ima-policy" +IMACONFIG="${NEWROOT}/etc/ima/ima" +IMAPOLICY="/etc/ima/ima-policy" load_ima_policy() { -- 2.8.3
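Review bot: in the second README hunk (the IMAKEYSDIR paragraph), the sentence "can be specified in the /etc/ima/ima policy" still calls the configuration file a "policy", which is easy to confuse with /etc/ima/ima-policy now that both files sit in the same directory; suggest "can be specified in the /etc/ima/ima configuration file", matching the wording of the first README hunk.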
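Review bot: the ima-keys-load.sh hunk sets IMACONFIG="${NEWROOT}/etc/ima/ima" a second time, duplicating the identical line in ima-policy-load.sh, so the two loaders can only stay in agreement about which configuration file they read if every path change touches both files, as this patch has to; consider defining the configuration path once in a place both scripts use.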
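Review bot: the ima-policy-load.sh hunk replaces the old defaults outright (-IMACONFIG="${NEWROOT}/etc/sysconfig/ima" / -IMAPOLICY="/etc/sysconfig/ima-policy"), so a system that still carries its policy at /etc/sysconfig/ima-policy will no longer have it loaded by this script after an upgrade, and nothing in the visible lines reports that the custom IMA policy was skipped; suggest looking for /etc/ima/ima-policy first and falling back to the old path when it is absent, and recording the move in the dracut NEWS file so administrators know to relocate the file.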
Re: [systemd-devel] [PATCH v2] 98integrity: Use /etc/ima as dir for IMA policy and config file
On 30.11.2016 16:10, Stefan Berger wrote:
> From: Stefan Berger
>
> To sync with systemd, use the filepath /etc/ima/ima-policy as
> the file location for the IMA policy. At the same time we
> move the ima config file location to /etc/ima/ima. Adapt the
> documentation to the new path.
>
> Signed-off-by: Stefan Berger

One more thing: Do you want to be backwards compatible and also read the old files, if they exist?