forked from pool/rust-keylime
Alberto Planas Dominguez
e4c8388ef3
- Update vendored crates (bsc#1229952, bsc#1230029)
  * rustix 0.37.25
  * rustix 0.38.34
  * shlex 1.3.0
- Update to version 0.2.6+13:
  * Enable test functional/iak-idevid-persisted-and-protected
  * build(deps): bump uuid from 1.7.0 to 1.10.0
  * build(deps): bump openssl from 0.10.64 to 0.10.66
  * keylime-agent/src/revocation: Fix comment indentation
  * keylime/crypto: Fix indentation of documentation comment
  * build(deps): bump thiserror from 1.0.59 to 1.0.63
  * build(deps): bump serde_json from 1.0.116 to 1.0.120
  * dependabot: Extend to also monitor workflow actions
  * ci: Disable Packit CI on CentOS Stream 9
  * ci: use CODECOV_TOKEN when submitting coverage data
  * revocation: Use into() for unfallible transformation
  * secure_mount: Fix possible infinite loop
  * error: Rename enum variants to avoid clippy warning
OBS-URL: https://build.opensuse.org/request/show/1198288
OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=74
56 lines
1.6 KiB
Plaintext
# Notes about the IMA policy

This IMA policy is provided as an example that can later be adapted to
more specific usage.

It was generated from the default tcb IMA policy of a 6.1.12 Linux
kernel, and extended with SELinux file types to filter out the part of
the system that we usually do not want to measure.

To use this policy, copy it to "/etc/ima/ima-policy"; systemd will
load it after the SELinux policy has been loaded.

For this example, we used the initial set of SELinux attributes, which
group the file types under categories. From that list we selected some
of those attributes to dig deeper into the types that can be relevant
for the IMA policy:

    seinfo -a

The current selection covers, fully or partially, the types under these
attributes:

base_file_type
base_ro_file_type
configfile
file_type
files_unconfined_type
init_script_file_type
init_sock_file_type
lockfile
logfile
non_auth_file_type
non_security_file_type
openshift_file_type
pidfile
pulseaudio_tmpfsfile
security_file_type
setfiles_domain
spoolfile
svirt_file_type
systemd_unit_file_type
tmpfile
tmpfsfile

Special mention goes to non_auth_file_type and non_security_file_type
(among others like logfile or tmpfile), which should cover the most
relevant types of the dynamic part of the system.

The list should also include types from other attributes like
virt_image_type and others (see the comments in the policy file for a
complete list).

Sometimes it is important to see which files are labeled under a
specific type, and for that we can use this:

    semanage fcontext -l | grep $TYPE
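The notes say the selection "covers, fully or partially" the types under each attribute, which raises the practical question of which types of an attribute a policy actually names in its `dont_measure obj_type=` rules and which it still leaves measured. The script below is an added example, not code from the rust-keylime project: it parses an IMA policy in the kernel's rule syntax (one action per line followed by `key=value` conditions, `#` comment lines skipped), extracts the `obj_type` values per action, and compares them with the types listed under one attribute as printed by `seinfo -xa <attribute>`. Both the policy excerpt and the `seinfo` output are constructed samples; on a real system you would feed it the file from `/etc/ima/ima-policy` and the live `seinfo` output.

```python
"""Coverage check: which SELinux types of an attribute does an IMA policy reference?

Added example (not part of rust-keylime). Assumes the kernel IMA policy rule
syntax and the `seinfo -xa <attribute>` output layout; both inputs below are
constructed samples standing in for the real files.
"""
import re

# Constructed excerpt in the style of /etc/ima/ima-policy.
SAMPLE_POLICY = """\
# dynamic part of the system that we usually do not want to measure
dont_measure fsmagic=0x9fa0
dont_measure fsmagic=0x62656572
dont_measure obj_type=var_log_t
dont_measure obj_type=auditd_log_t
dont_measure obj_type=tmp_t
dont_measure obj_type=user_tmp_t
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=FILE_CHECK mask=^MAY_READ uid=0
"""

# Constructed output in the style of `seinfo -xa logfile`; the real list is longer.
SAMPLE_SEINFO_LOGFILE = """\
Type Attributes: 1
   attribute logfile;
      auditd_log_t
      cron_log_t
      var_log_t
"""

# Rule actions accepted by the kernel's IMA policy parser.
ACTIONS = {"measure", "dont_measure", "appraise", "dont_appraise",
           "audit", "hash", "dont_hash"}


def parse_ima_policy(text):
    """Return one (action, {condition: value}) tuple per rule line.

    Comment lines starting with '#' and blank lines are skipped, matching the
    kernel's parser; malformed lines raise so a typo is not silently ignored.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *tokens = line.split()
        if action not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        conds = {}
        for tok in tokens:
            key, sep, value = tok.partition("=")
            if not sep or not value:
                raise ValueError(f"line {lineno}: malformed condition {tok!r}")
            conds[key] = value
        rules.append((action, conds))
    return rules


def types_in_attribute(seinfo_text):
    """Extract the type names from `seinfo -xa <attr>` style output.

    Types are the indented bare identifiers; the 'attribute foo;' header line
    and the 'Type Attributes:' banner do not match the pattern.
    """
    return {m.group(1) for line in seinfo_text.splitlines()
            if (m := re.fullmatch(r"\s+([A-Za-z0-9_]+)\s*", line))}


def obj_types_by_action(rules):
    """Map each action to the set of obj_type values its rules name."""
    out = {}
    for action, conds in rules:
        if "obj_type" in conds:
            out.setdefault(action, set()).add(conds["obj_type"])
    return out


def attribute_coverage(policy_text, seinfo_text, action="dont_measure"):
    """Split an attribute's types into (named by `action` rules, not named).

    The second list is what the policy still measures (or appraises) for that
    attribute, which is exactly what a policy author wants to review.
    """
    attr_types = types_in_attribute(seinfo_text)
    referenced = obj_types_by_action(parse_ima_policy(policy_text)).get(action, set())
    return sorted(attr_types & referenced), sorted(attr_types - referenced)


if __name__ == "__main__":
    covered, missing = attribute_coverage(SAMPLE_POLICY, SAMPLE_SEINFO_LOGFILE)
    print("logfile types excluded by dont_measure:", covered)
    print("logfile types still measured:", missing)
```

The check is deliberately per action: a type named only in a `measure` rule is not excluded, so it stays in the "still measured" list for `dont_measure`. Running the same function with `action="appraise"` answers the corresponding question for appraisal rules.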