Go to file
2024-07-22 17:44:37 +02:00
_constraints Sync from SUSE:SLFO:Main rust-keylime revision 8aca0bb0c1c451cf006127e7f180c370 2024-05-04 00:24:24 +02:00
_service Sync from SUSE:SLFO:Main rust-keylime revision 38dc69a9ff2ea2ca73e1f2f330ee3543 2024-07-22 17:44:37 +02:00
_servicedata Sync from SUSE:SLFO:Main rust-keylime revision 38dc69a9ff2ea2ca73e1f2f330ee3543 2024-07-22 17:44:37 +02:00
.gitattributes Sync from SUSE:SLFO:Main rust-keylime revision 8aca0bb0c1c451cf006127e7f180c370 2024-05-04 00:24:24 +02:00
cargo_config Sync from SUSE:SLFO:Main rust-keylime revision 8aca0bb0c1c451cf006127e7f180c370 2024-05-04 00:24:24 +02:00
ima-policy Sync from SUSE:SLFO:Main rust-keylime revision 8aca0bb0c1c451cf006127e7f180c370 2024-05-04 00:24:24 +02:00
ima-policy.service Sync from SUSE:SLFO:Main rust-keylime revision 38dc69a9ff2ea2ca73e1f2f330ee3543 2024-07-22 17:44:37 +02:00
keylime-agent.conf.diff Sync from SUSE:SLFO:Main rust-keylime revision 38dc69a9ff2ea2ca73e1f2f330ee3543 2024-07-22 17:44:37 +02:00
keylime-user.conf Sync from SUSE:SLFO:Main rust-keylime revision 8aca0bb0c1c451cf006127e7f180c370 2024-05-04 00:24:24 +02:00
keylime.xml Sync from SUSE:SLFO:Main rust-keylime revision 8aca0bb0c1c451cf006127e7f180c370 2024-05-04 00:24:24 +02:00
README.suse Sync from SUSE:SLFO:Main rust-keylime revision 8aca0bb0c1c451cf006127e7f180c370 2024-05-04 00:24:24 +02:00
rust-keylime-0.2.6~0.tar.zst Sync from SUSE:SLFO:Main rust-keylime revision 38dc69a9ff2ea2ca73e1f2f330ee3543 2024-07-22 17:44:37 +02:00
rust-keylime.changes Sync from SUSE:SLFO:Main rust-keylime revision 38dc69a9ff2ea2ca73e1f2f330ee3543 2024-07-22 17:44:37 +02:00
rust-keylime.obsinfo Sync from SUSE:SLFO:Main rust-keylime revision 38dc69a9ff2ea2ca73e1f2f330ee3543 2024-07-22 17:44:37 +02:00
rust-keylime.spec Sync from SUSE:SLFO:Main rust-keylime revision 38dc69a9ff2ea2ca73e1f2f330ee3543 2024-07-22 17:44:37 +02:00
tmpfiles.keylime Sync from SUSE:SLFO:Main rust-keylime revision 8aca0bb0c1c451cf006127e7f180c370 2024-05-04 00:24:24 +02:00
vendor.tar.xz Sync from SUSE:SLFO:Main rust-keylime revision 38dc69a9ff2ea2ca73e1f2f330ee3543 2024-07-22 17:44:37 +02:00

# Notes about the IMA policy

This IMA policy is provided as an example that can be later adapted to
more specific usage.

This was generated from a default tcb IMA policy from a 6.1.12 Linux
kernel, and extended with SELinux file types to filter out the part of
the system that we usually do not want to measure.

To use this policy, we need to copy it in "/etc/ima/ima-policy" and
systemd will load it after the SELinux policy has been loaded.

For this example, we used the initial set of SELinux attributes, that
group the file types under categories.  From that list we selected
some of those attribute to deep more into the types that can be relevant for the IMA policy:

  seinfo -a

The current selection cover full or partially the types under those
attributes:

  base_file_type
  base_ro_file_type
  configfile
  file_type
  files_unconfined_type
  init_script_file_type
  init_sock_file_type
  lockfile
  logfile
  non_auth_file_type
  non_security_file_type
  openshift_file_type
  pidfile
  pulseaudio_tmpfsfile
  security_file_type
  setfiles_domain
  spoolfile
  svirt_file_type
  systemd_unit_file_type
  tmpfile
  tmpfsfile

Special mention to non_auth_file_type and non_security_file_type
(among other liske logfile or tmpfile), that should cover the most
relevant types of the dynamic part of the system.

The list should also include types from other attributes like
virt_image_type and others (see the policy file comments from a
complete list).

Sometimes is important to see what files are labeled under a specific
type, and for that we can use this:

  semanage fcontext -l | grep $TYPE