56 lines
1.6 KiB
Plaintext
56 lines
1.6 KiB
Plaintext
# Notes about the IMA policy
|
|
|
|
This IMA policy is provided as an example that can be later adapted to
|
|
more specific usage.
|
|
|
|
This was generated from a default tcb IMA policy from a 6.1.12 Linux
|
|
kernel, and extended with SELinux file types to filter out the part of
|
|
the system that we usually do not want to measure.
|
|
|
|
To use this policy, we need to copy it in "/etc/ima/ima-policy" and
|
|
systemd will load it after the SELinux policy has been loaded.
|
|
|
|
For this example, we used the initial set of SELinux attributes, that
|
|
group the file types under categories. From that list we selected
|
|
some of those attribute to deep more into the types that can be relevant for the IMA policy:
|
|
|
|
seinfo -a
|
|
|
|
The current selection cover full or partially the types under those
|
|
attributes:
|
|
|
|
base_file_type
|
|
base_ro_file_type
|
|
configfile
|
|
file_type
|
|
files_unconfined_type
|
|
init_script_file_type
|
|
init_sock_file_type
|
|
lockfile
|
|
logfile
|
|
non_auth_file_type
|
|
non_security_file_type
|
|
openshift_file_type
|
|
pidfile
|
|
pulseaudio_tmpfsfile
|
|
security_file_type
|
|
setfiles_domain
|
|
spoolfile
|
|
svirt_file_type
|
|
systemd_unit_file_type
|
|
tmpfile
|
|
tmpfsfile
|
|
|
|
Special mention to non_auth_file_type and non_security_file_type
|
|
(among other liske logfile or tmpfile), that should cover the most
|
|
relevant types of the dynamic part of the system.
|
|
|
|
The list should also include types from other attributes like
|
|
virt_image_type and others (see the policy file comments from a
|
|
complete list).
|
|
|
|
Sometimes is important to see what files are labeled under a specific
|
|
type, and for that we can use this:
|
|
|
|
semanage fcontext -l | grep $TYPE
|