diff --git a/ima-policy.service b/ima-policy.service
index fb141f2..2a838a5 100644
--- a/ima-policy.service
+++ b/ima-policy.service
@@ -5,7 +5,7 @@ Description=Load the IMA Policy
 Type=oneshot
 RemainAfterExit=yes
 Environment=IMA_SECFS_POLICY=/sys/kernel/security/ima/policy
-Environment=IMA_POLICY=/etc/ima/ima-policy
+Environment=IMA_POLICY=/etc/ima/ima-policy.POST-SYSTEMD
 ExecStart=bash -c '[ -f $IMA_SECFS_POLICY ] && [ -f $IMA_POLICY ] && cat $IMA_POLICY > $IMA_SECFS_POLICY'
 TimeoutStartSec=0
diff --git a/rust-keylime.changes b/rust-keylime.changes
index 6ffb1bf..b54a50f 100644
--- a/rust-keylime.changes
+++ b/rust-keylime.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Jun 7 09:08:22 UTC 2023 - Alberto Planas Dominguez
+
+- Make systemd skip the ima-policy load, and use only the service
+
 -------------------------------------------------------------------
 Mon Jun 05 08:41:33 UTC 2023 - aplanas@suse.com
diff --git a/rust-keylime.spec b/rust-keylime.spec
index 68eeb50..158d6da 100644
--- a/rust-keylime.spec
+++ b/rust-keylime.spec
@@ -102,6 +102,8 @@ install -d %{buildroot}%{_libexecdir}/keylime
 mkdir -p %{buildroot}%{_sharedstatedir}/keylime/cv_ca
 install -Dpm 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/ima/ima-policy
+# TODO: for now we make systemd to not load the policy
+mv %{buildroot}%{_sysconfdir}/ima/ima-policy %{buildroot}%{_sysconfdir}/ima/ima-policy.POST-SYSTEMD
 install -Dpm 0644 %{SOURCE7} %{buildroot}%{_unitdir}/ima-policy.service
 # %_check
@@ -146,7 +148,7 @@ install -Dpm 0644 %{SOURCE7} %{buildroot}%{_unitdir}/ima-policy.service
 %files -n keylime-ima-policy
 %dir %attr(0750,root,root) %{_sysconfdir}/ima
-%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/ima/ima-policy
+%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/ima/ima-policy.POST-SYSTEMD
 %{_unitdir}/ima-policy.service
 %changelog
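Review bot: In ima-policy.service, pointing `IMA_POLICY` at `/etc/ima/ima-policy.POST-SYSTEMD` makes this oneshot the only loader of the policy, as the changelog entry describes, so anything executed before the unit runs is not measured or appraised under these rules. The `[Unit]` section is outside the hunk, so the unit's ordering cannot be checked from here. It is worth confirming that the unit is ordered as early as the boot sequence allows, and recording the gap in the unit file, e.g. `# Policy is loaded by this unit, not by systemd at early boot; processes started earlier are outside the policy`. The unchanged `ExecStart` line also expands `$IMA_POLICY` and `$IMA_SECFS_POLICY` unquoted, which is harmless with the fixed paths shown but should be quoted if they ever become configurable.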
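Review bot: In the `@@ -102,6 +102,8 @@` hunk of rust-keylime.spec, the added `mv` can be folded into the preceding `install` line, `install -Dpm 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/ima/ima-policy.POST-SYSTEMD`, so the final file name is stated once instead of being produced by a rename. The `# TODO` comment should also say why the load is deferred and what has to happen before the suffix can be dropped, for example `# TODO: drop the .POST-SYSTEMD suffix once <condition> (see <issue reference>)`. The `%install` section starts and ends outside this hunk.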
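Review bot: In the `@@ -146,7 +148,7 @@` hunk (`%files -n keylime-ima-policy`), renaming the `%config(noreplace)` entry means an upgrade does not carry an existing `/etc/ima/ima-policy` over to the new name. RPM treats the old path as a config file removed from the package (a locally modified copy is presumably kept as `.rpmsave`) and installs the packaged default at `ima-policy.POST-SYSTEMD`. A host with a customised policy would then load the default rules without any warning, which changes what is measured and what a verifier should expect. Consider a migration scriptlet that copies a modified old file to the new path, or at least a changelog line telling administrators to move their policy.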