forked from pool/rust-keylime
Alberto Planas Dominguez
e4c8388ef3
- Update vendored crates (bsc#1229952, bsc#1230029) * rustix 0.37.25 * rustix 0.38.34 * shlex 1.3.0 - Update to version 0.2.6+13: * Enable test functional/iak-idevid-persisted-and-protected * build(deps): bump uuid from 1.7.0 to 1.10.0 * build(deps): bump openssl from 0.10.64 to 0.10.66 * keylime-agent/src/revocation: Fix comment indentation * keylime/crypto: Fix indentation of documentation comment * build(deps): bump thiserror from 1.0.59 to 1.0.63 * build(deps): bump serde_json from 1.0.116 to 1.0.120 * dependabot: Extend to also monitor workflow actions * ci: Disable Packit CI on CentOS Stream 9 * ci: use CODECOV_TOKEN when submitting coverage data * revocation: Use into() for unfallible transformation * secure_mount: Fix possible infinite loop * error: Rename enum variants to avoid clippy warning OBS-URL: https://build.opensuse.org/request/show/1198288 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=74 |
||
|---|---|---|
| _constraints | ||
| _service | ||
| _servicedata | ||
| .gitattributes | ||
| .gitignore | ||
| cargo_config | ||
| ima-policy | ||
| ima-policy.service | ||
| keylime-agent.conf.diff | ||
| keylime-user.conf | ||
| keylime.xml | ||
| README.suse | ||
| rust-keylime-0.2.6+13.obscpio | ||
| rust-keylime-0.2.6+13.tar.zst | ||
| rust-keylime-0.2.6~0.tar.zst | ||
| rust-keylime.changes | ||
| rust-keylime.obsinfo | ||
| rust-keylime.spec | ||
| tmpfiles.keylime | ||
| vendor.tar.xz | ||
# Notes about the IMA policy This IMA policy is provided as an example that can be later adapted to more specific usage. This was generated from a default tcb IMA policy from a 6.1.12 Linux kernel, and extended with SELinux file types to filter out the part of the system that we usually do not want to measure. To use this policy, we need to copy it in "/etc/ima/ima-policy" and systemd will load it after the SELinux policy has been loaded. For this example, we used the initial set of SELinux attributes, that group the file types under categories. From that list we selected some of those attribute to deep more into the types that can be relevant for the IMA policy: seinfo -a The current selection cover full or partially the types under those attributes: base_file_type base_ro_file_type configfile file_type files_unconfined_type init_script_file_type init_sock_file_type lockfile logfile non_auth_file_type non_security_file_type openshift_file_type pidfile pulseaudio_tmpfsfile security_file_type setfiles_domain spoolfile svirt_file_type systemd_unit_file_type tmpfile tmpfsfile Special mention to non_auth_file_type and non_security_file_type (among other liske logfile or tmpfile), that should cover the most relevant types of the dynamic part of the system. The list should also include types from other attributes like virt_image_type and others (see the policy file comments from a complete list). Sometimes is important to see what files are labeled under a specific type, and for that we can use this: semanage fcontext -l | grep $TYPE