Alberto Planas Dominguez
9c0fe162de
* shlex 1.3.0 - Rebase keylime-agent.conf.diff for current configuration - Drop Cargo_lock.patch patch, already present in Cargo.lock - Update to version 0.2.7+141: * service: Use WantedBy=multi-user.target * rpm: Add subpackage for push-attestation agent * push-model: implement continuous attestation with configurable intervals * Retry registration forever in the state machine * Add Verifier URL to configuration * Align exp.backoff to current configuration format * Increase coverage of state machine (using Context) * Increase coverage of struct_filler.rs * Groom code (remove dead code) * Fix exponential backoff (10secs, 4xx accepted) * test: Add documentation test to tests/run.sh * tpm: Avoid running code example during documentation tests * state_machine: Always start the agent from the Unregistered state * Add fixes for the URL construction * Refactor evidences collection in push attestation agent * push-model: refactor attestation logic into a state machine * Fix body sending by allowing serializing strings (#1057) * Log ResilientClient errors/response status codes (#1055) * Add AK signing scheme and hash algorithm to negotiation * tpm: Add method to extract signing scheme and hash algorithm from AK * Allow custom content-type/accept headers * Integrate exponential backoff to registration (#1052) * keylime/structures: Rename ShaValues to PcrBanks * Add resilient_client for exponential backoff (#1048) OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=84
# Notes about the IMA policy This IMA policy is provided as an example that can be later adapted to more specific usage. This was generated from a default tcb IMA policy from a 6.1.12 Linux kernel, and extended with SELinux file types to filter out the part of the system that we usually do not want to measure. To use this policy, we need to copy it in "/etc/ima/ima-policy" and systemd will load it after the SELinux policy has been loaded. For this example, we used the initial set of SELinux attributes, that group the file types under categories. From that list we selected some of those attribute to deep more into the types that can be relevant for the IMA policy: seinfo -a The current selection cover full or partially the types under those attributes: base_file_type base_ro_file_type configfile file_type files_unconfined_type init_script_file_type init_sock_file_type lockfile logfile non_auth_file_type non_security_file_type openshift_file_type pidfile pulseaudio_tmpfsfile security_file_type setfiles_domain spoolfile svirt_file_type systemd_unit_file_type tmpfile tmpfsfile Special mention to non_auth_file_type and non_security_file_type (among other liske logfile or tmpfile), that should cover the most relevant types of the dynamic part of the system. The list should also include types from other attributes like virt_image_type and others (see the policy file comments from a complete list). Sometimes is important to see what files are labeled under a specific type, and for that we can use this: semanage fcontext -l | grep $TYPE