Alberto Planas Dominguez
b18b7fcd26
- Update to version 0.2.4+git.1706692574.a744517: * Bump version to 0.2.4 * build(deps): bump uuid from 1.4.1 to 1.7.0 * keylime-agent.conf: Allow setting event logs paths * Mutable log paths: allow IMA and MBA log paths to be overridden by keylime configuration. * workflows: Update checkout action to version 4 * build(deps): bump serde from 1.0.188 to 1.0.195 * build(deps): bump pest_derive from 2.7.0 to 2.7.6 * build(deps): bump openssl from 0.10.62 to 0.10.63 * build(deps): bump config from 0.13.3 to 0.13.4 * build(deps): bump base64 from 0.21.4 to 0.21.7 * build(deps): bump tempfile from 3.8.0 to 3.9.0 * build(deps): bump pest from 2.7.0 to 2.7.6 * build(deps): bump actix-web from 4.4.0 to 4.4.1 * build(deps): bump reqwest from 0.11.22 to 0.11.23 * build(deps): bump h2 from 0.3.17 to 0.3.24 * build(deps): bump shlex from 1.1.0 to 1.3.0 * cargo: Bump tss-esapi to version 7.4.0 * workflows: Fix keylime-bot token usage * tpm: Add error context for every possible error * tpm: Add AlgorithmError to TpmError * detect idevid template from certificates * build(deps): bump wiremock from 0.5.18 to 0.5.22 * build(deps): bump thiserror from 1.0.48 to 1.0.56 * Make use of workspace dependencies * build(deps): bump openssl from 0.10.57 to 0.10.62 * packit: Bump Fedora version used for code coverage OBS-URL: https://build.opensuse.org/request/show/1142969 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=65
# Notes about the IMA policy This IMA policy is provided as an example that can be later adapted to more specific usage. This was generated from a default tcb IMA policy from a 6.1.12 Linux kernel, and extended with SELinux file types to filter out the part of the system that we usually do not want to measure. To use this policy, we need to copy it in "/etc/ima/ima-policy" and systemd will load it after the SELinux policy has been loaded. For this example, we used the initial set of SELinux attributes, that group the file types under categories. From that list we selected some of those attribute to deep more into the types that can be relevant for the IMA policy: seinfo -a The current selection cover full or partially the types under those attributes: base_file_type base_ro_file_type configfile file_type files_unconfined_type init_script_file_type init_sock_file_type lockfile logfile non_auth_file_type non_security_file_type openshift_file_type pidfile pulseaudio_tmpfsfile security_file_type setfiles_domain spoolfile svirt_file_type systemd_unit_file_type tmpfile tmpfsfile Special mention to non_auth_file_type and non_security_file_type (among other liske logfile or tmpfile), that should cover the most relevant types of the dynamic part of the system. The list should also include types from other attributes like virt_image_type and others (see the policy file comments from a complete list). Sometimes is important to see what files are labeled under a specific type, and for that we can use this: semanage fcontext -l | grep $TYPE