On Fri, 2012-09-14 at 13:17 +0800, Jason Chow wrote:
> Hi all,
> The selinux extension to the measurement list could be written like
> 'measure func=FILE_CHECK mask=MAY_READ obj_type=my_app_t'. Where could
> I find documentation about the selinux extension? For example, how many
> masks could there be? If I want to measure some files after the system
> is on, even with no operations (no read or exec ops) on these files, how do I
> write the policy file?

The IMA measurement/appraisal policy is limited at the moment to three
hooks, file_check, file_mmap, and bprm_check. The default policy
measures/appraises files opened for read at file_check and defers the
measurement/appraisal of files opened for exec to file_mmap/bprm_check.
A custom policy based on SELinux labels could be used to constrain the
default policy even further (e.g. don't measure log files or VMs).
A hook for measuring/appraising kernel modules has been proposed. Other
than these hooks, there is no mechanism for measuring/appraising files.
Previous work defined a mechanism for registering other types of
templates, which was not limited to these hooks. For more information
on LIM/templates, which was not upstreamed, refer to
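As an added illustration of the reply (not a policy from the thread or the kernel's own default rules), a measurement policy that keeps the three hooks named above and uses SELinux labels only to narrow them. Rules are matched in order and the first match wins, so the exclusions come first; `virt_image_t` is an assumed label for VM disk images and should be checked against the target's SELinux policy, and comment lines are assumed to be stripped before the rules are loaded. Nothing here measures a file that is never read, mmapped or executed, because, as the reply says, there is no hook for that.

```text
# Exclusions first: pseudo-filesystems carry nothing worth measuring.
# (fsmagic values are the kernel's PROC, SYSFS, DEBUGFS, TMPFS,
#  SECURITYFS and SELINUXFS superblock magics)
dont_measure fsmagic=0x9fa0
dont_measure fsmagic=0x62656572
dont_measure fsmagic=0x64626720
dont_measure fsmagic=0x01021994
dont_measure fsmagic=0x73636673
dont_measure fsmagic=0xf97cff8c

# Constrain the default policy with SELinux labels: skip log files and
# VM images (virt_image_t is an assumed label; verify it locally).
dont_measure obj_type=var_log_t
dont_measure obj_type=auditd_log_t
dont_measure obj_type=virt_image_t

# The three hooks the reply describes.
# bprm_check: measure everything executed.
measure func=BPRM_CHECK
# file_mmap: measure files mapped executable (shared libraries).
measure func=FILE_MMAP mask=MAY_EXEC
# file_check: the mask is drawn from MAY_READ, MAY_WRITE, MAY_APPEND
# and MAY_EXEC; measure reads by root and reads of the application's
# own label (my_app_t is the label from the question).
measure func=FILE_CHECK mask=MAY_READ uid=0
measure func=FILE_CHECK mask=MAY_READ obj_type=my_app_t
```

The same structure applies to appraisal by replacing `measure`/`dont_measure` with `appraise`/`dont_appraise`.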