Alberto Planas Dominguez
8b5f0cad45
- Update to version 0.2.1+git.1689167094.67ce0cf: * cargo: Bump serde to version 1.0.166 * build(deps): bump libc from 0.2.142 to 0.2.147 * adding release Dockerfiles in 3 flavours: fedora, distroless and wolfi * hash: add more configurable hash algorithm for public key digest * cargo: Update clap to version 4.3.11 * cargo: Bump tokio crate version to 1.28.2 * Add an example of IMA policy * main: Gracefully shutdown on SIGTERM or SIGINT * cargo: Bump proc-macro2 crate version * revocation: Parse revocation actions flexibly * crypto: Add unit tests for x509 functions * crypto: Make internal functions private * config: Add unit test for the list to files mapping * config: Make trusted_client_ca to accept lists * lib: Implement parser for lists from config file * build(deps): bump openssl from 0.10.48 to 0.10.55 * Add secure mount sanity test to packit testing. * [packit] Do not let COPR project expire OBS-URL: https://build.opensuse.org/request/show/1098388 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=58
# Notes about the IMA policy This IMA policy is provided as an example that can be later adapted to more specific usage. This was generated from a default tcb IMA policy from a 6.1.12 Linux kernel, and extended with SELinux file types to filter out the part of the system that we usually do not want to measure. To use this policy, we need to copy it in "/etc/ima/ima-policy" and systemd will load it after the SELinux policy has been loaded. For this example, we used the initial set of SELinux attributes, that group the file types under categories. From that list we selected some of those attribute to deep more into the types that can be relevant for the IMA policy: seinfo -a The current selection cover full or partially the types under those attributes: base_file_type base_ro_file_type configfile file_type files_unconfined_type init_script_file_type init_sock_file_type lockfile logfile non_auth_file_type non_security_file_type openshift_file_type pidfile pulseaudio_tmpfsfile security_file_type setfiles_domain spoolfile svirt_file_type systemd_unit_file_type tmpfile tmpfsfile Special mention to non_auth_file_type and non_security_file_type (among other liske logfile or tmpfile), that should cover the most relevant types of the dynamic part of the system. The list should also include types from other attributes like virt_image_type and others (see the policy file comments from a complete list). Sometimes is important to see what files are labeled under a specific type, and for that we can use this: semanage fcontext -l | grep $TYPE