Hi Mimi,
Sorry for the late reply. Thank you for your suggestion; it's very useful. :-)

2012/9/16 Mimi Zohar <zohar@linux.vnet.ibm.com>
On Fri, 2012-09-14 at 13:17 +0800, Jason Chow wrote:
> Hi all,
> The selinux extension to the measurement list could be written like
> 'measure func=FILE_CHECK mask=MAY_READ obj_type=my_app_t'. Where could
> I find documentation about the selinux extension? For example, how many
> masks could there be?  If I want to measure some files after the system
> is on, even with no operations (no read or exec ops) on these files, how
> do I write the policy file?

The IMA measurement/appraisal policy is limited at the moment to three
hooks, file_check, file_mmap, and bprm_check. The default policy
measures/appraises files opened for read at file_check and defers the
measurement/appraisal of files opened for exec to file_mmap/bprm_check.
A custom policy based on SELinux labels could be used to constrain the
default policy even further (eg. don't measure log files or VMs).

A hook for measuring/appraising kernel modules has been proposed.  Other
than these hooks, there is no mechanism for measuring/appraising files.
Previous work defined a mechanism for registering other types of
templates, which was not limited to these hooks.  For more information
on LIM/templates, which was not upstreamed, refer to