On 02/21/2012 05:14 PM, Mimi Zohar wrote:
> On Tue, 2012-02-21 at 15:32 +0100, Kay Sievers wrote:
> > On Tue, Feb 21, 2012 at 15:07, Colin Guthrie <[email protected]> wrote:
> > > > The code for loading IMA custom policies was placed in the initial
> > > > ramdisk with the purpose to avoid distribution specific dependencies.
>
> In a trusted-grub, or equivalent environment, the kernel, initramfs, and
> kernel boot options are measured. The main reason for loading the IMA
> policy in the initramfs was that the policy would be included in the
> initramfs measurement.

Unfortunately not, the policy file is placed in the root filesystem.
However, since trusted-grub supports the measurement of a user-defined
list of files, it is possible to preserve the chain of trust by
measuring the policy file and the Systemd main executable.

Roberto Sassu

> Mimi
>
> > > > However, since the SELinux initialization has been moved to Systemd
> > > > and Systemd itself will be used by the major distributions, I think
> > > > placing the IMA code here is the best solution, even if it is not the
> > > > most general.
> > >
> > > Just for reference, not all distros use the same initrd generator
> > > anyway. We're trying to move to dracut, but it's certainly not universal
> > > at the moment. I think Suse use something else (maybe they plan to move
> > > to dracut too?) and I've no idea about Ubuntu but I doubt they use dracut.
> > > So I'd suggest that at the moment, systemd will actually get you wider
> > > coverage... although that's just a slightly ill-informed and hand-wave
> > > analysis on my part. Either way, I think it's better in systemd :D
> >
> > Sounds right. The initramfs is definitely less generic than systemd
> > is. Almost every distro still has its own here. The situation today
> > with initramfs generators can probably not get more distro-specific;
> > it is still almost at its maximum. :)
> >
> > So the thinking of moving anything to the initramfs to avoid the Linux
> > distro balkanization problem will usually not work out.
> >
> > Kay
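The chain-of-trust argument in this thread (the policy file lives on the root filesystem, so the policy and the systemd executable that loads it must themselves be measured) can be checked from the verifier's side by replaying the IMA measurement list. The script below is an added example, not code from this thread, from systemd or from trusted-grub: it parses entries in the legacy "ima" template format of ascii_runtime_measurements, verifies each template hash, recomputes PCR 10 the way the TPM extends it, and reports whether the policy file and the systemd binary were measured with the expected digests. The paths /etc/ima/ima-policy and /bin/systemd, and the sample file contents, are assumptions; a real verifier would read /sys/kernel/security/ima/ascii_runtime_measurements and compare the replayed value with a TPM quote of PCR 10.

```python
"""Replay an IMA measurement list (legacy "ima" template) and check that the
files anchoring the chain of trust were measured with the expected digests.

Added example; not code from this thread, systemd or trusted-grub.
"""
import hashlib

PCR_INDEX = 10              # IMA extends its measurements into PCR 10
NAME_FIELD_LEN = 256        # fixed-size pathname field of the "ima" template

# Assumed paths; the thread names neither. Adjust to the distribution.
POLICY_PATH = "/etc/ima/ima-policy"
SYSTEMD_PATH = "/bin/systemd"


def template_hash(file_digest: bytes, path: str) -> bytes:
    """Template hash of the legacy "ima" template:
    sha1(20-byte file digest || pathname zero-padded to 256 bytes).
    The pathname is truncated to 255 bytes to mirror the fixed kernel field."""
    name = path.encode()[:NAME_FIELD_LEN - 1]
    return hashlib.sha1(file_digest + name.ljust(NAME_FIELD_LEN, b"\0")).digest()


def parse_entry(line: str):
    """Parse one ascii_runtime_measurements line:
    '<pcr> <template-hash> ima <file-digest> <pathname>'."""
    pcr, thash, tname, fdigest, path = line.rstrip("\n").split(maxsplit=4)
    if tname != "ima":
        raise ValueError(f"unsupported template {tname!r} in: {line}")
    return int(pcr), bytes.fromhex(thash), bytes.fromhex(fdigest), path


def replay(lines):
    """Verify every template hash and extend a software PCR exactly as the
    TPM does (PCR = sha1(PCR || template_hash), starting from 20 zero bytes).
    Returns (replayed PCR value as hex, {pathname: [file digests seen]})."""
    pcr = b"\0" * 20
    measured = {}
    for line in lines:
        idx, thash, fdigest, path = parse_entry(line)
        if idx != PCR_INDEX:
            continue
        if template_hash(fdigest, path) != thash:
            raise ValueError(f"template hash mismatch for {path}: list was altered")
        pcr = hashlib.sha1(pcr + thash).digest()
        measured.setdefault(path, []).append(fdigest.hex())
    return pcr.hex(), measured


def check_required(measured, expected):
    """Report files that were never measured, or measured with a digest
    other than the expected one (a second digest means the file changed)."""
    problems = []
    for path, digest in expected.items():
        if path not in measured:
            problems.append(f"not measured: {path}")
        elif any(d != digest for d in measured[path]):
            problems.append(f"digest mismatch: {path}")
    return problems


def make_entry(content: bytes, path: str) -> str:
    """Build a well-formed list entry for constructed sample content."""
    digest = hashlib.sha1(content).digest()
    return f"{PCR_INDEX} {template_hash(digest, path).hex()} ima {digest.hex()} {path}"


# Constructed sample inputs standing in for the real file contents.
POLICY_BYTES = b"measure func=BPRM_CHECK\nmeasure func=FILE_MMAP mask=MAY_EXEC\n"
SYSTEMD_BYTES = b"\x7fELF stand-in for the systemd executable\n"
SAMPLE_LOG = [
    make_entry(b"boot aggregate stand-in", "boot_aggregate"),
    make_entry(SYSTEMD_BYTES, SYSTEMD_PATH),
    make_entry(POLICY_BYTES, POLICY_PATH),
]
EXPECTED = {
    SYSTEMD_PATH: hashlib.sha1(SYSTEMD_BYTES).hexdigest(),
    POLICY_PATH: hashlib.sha1(POLICY_BYTES).hexdigest(),
}

if __name__ == "__main__":
    pcr10, measured = replay(SAMPLE_LOG)
    print("replayed PCR 10:", pcr10)          # compare with a TPM quote of PCR 10
    print("problems:", check_required(measured, EXPECTED) or "none")
```

The replayed PCR value only proves anything once it is compared with a signed TPM quote; the list itself is untrusted input, which is why each template hash is re-derived before it is extended and any altered entry is rejected. A second, differing digest for the same path means the file was modified and re-measured after the first load, which is exactly the case the policy and systemd checks are meant to catch.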
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel