From: Mimi Z. <zo...@li...> - 2009-06-28 22:24:51
On Sat, 2009-06-27 at 17:01 +0600, Shaz wrote:
>
>
> On Sat, Jun 27, 2009 at 1:05 PM, Shaz <sha...@gm...> wrote:
> Dear Mimi,
>
> You mentioned on the site about this patch and also emailed me
> earlier to use this patch. Can you please specify the behavior
> of this patch? I am already going through the code but your
> description can help. As far as I have figured out from the
> available docs, it uses LSM attributes so which attributes are
> they? Extended attributes?
>
> As far as I have figured out it is the security contexts and the four
> functions (mentioned in
> linux-2.6/Documentation/ABI/testing/ima_policy) that can be specified
> to be "measure" or "dont_measure". Is there anything else apart from
> this? I will appreciate some explanation or references to the magic
> related to the filesystem points w.r.t ima_policy.
The LSM specific audit rules as described in
Documentation/ABI/testing/ima_policy are:
lsm: [[subj_user=] [subj_role=] [subj_type=]
[obj_user=] [obj_role=] [obj_type=]]
I'm sure there are better ways of viewing SELinux attributes. Here is
one method:
[zohar@dyn9002018117 ltp-full-20090531]$ su -c 'getfattr -m ^security -d /etc/* | more'
Password:
getfattr: Removing leading '/' from absolute path names
# file: etc/acpi
security.selinux="system_u:object_r:etc_t:s0\000"
# file: etc/adjtime
security.selinux="system_u:object_r:adjtime_t:s0\000"
<snip>
>
>
> If you need any assistance for linux-ima website then do let
> me know because it's lacking clarity and amount of
> documentation for rookies like myself.
>
> Thank you.
I realize the web pages need quite a bit of work. I've just taken over
the website and have started working on it. Suggestions are definitely
welcome!
> My team is also troubleshooting some LTP problems. It seems that we
> are having problems due to a change in the distro. I do not like this
> explanation but we have done the mounting with iversion and the
> problem persists. I am giving it a run myself at the moment and will
> update that specific thread if I succeed.
Could you run "ltp-full-20090531/runltp -f ima" and post the results
here?
Thanks!
Mimi
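
Added example, not part of the original thread: a shell sketch that reads a `getfattr -m ^security -d` dump like the one above and splits each security.selinux label into the obj_user=, obj_role= and obj_type= values that the lsm conditions in ima_policy take. The function names and the third sample record are hypothetical/constructed; the first two records are the ones shown in the reply.

```shell
#!/bin/sh
# Added example: map SELinux file labels from a getfattr dump to the
# obj_user=/obj_role=/obj_type= keys used by the lsm: conditions in ima_policy.

# Sample input. Records 1-2 are from the getfattr output in the thread;
# record 3 is constructed to show an MLS range that itself contains ':'.
sample_dump() {
cat <<'EOF'
# file: etc/acpi
security.selinux="system_u:object_r:etc_t:s0\000"
# file: etc/adjtime
security.selinux="system_u:object_r:adjtime_t:s0\000"
# file: etc/example.conf
security.selinux="system_u:object_r:etc_t:s0:c0.c1023\000"
EOF
}

# stdin: getfattr dump; stdout: "<path> obj_user=.. obj_role=.. obj_type=.."
label_to_ima_keys() {
    awk '
    /^# file: / { path = substr($0, 9); next }
    /^security\.selinux="/ {
        ctx = $0
        sub(/^security\.selinux="/, "", ctx)
        sub(/"$/, "", ctx)
        sub(/\\000$/, "", ctx)   # getfattr prints the trailing NUL as \000
        n = split(ctx, f, ":")   # user:role:type[:mls...]; only 1-3 are used
        if (n < 3) { printf "%s malformed-context\n", path; next }
        printf "%s obj_user=%s obj_role=%s obj_type=%s\n", path, f[1], f[2], f[3]
    }'
}

# stdin: getfattr dump; stdout: the distinct object types, one per line.
# Useful for seeing which obj_type= values a policy rule could match on.
distinct_obj_types() {
    label_to_ima_keys | sed -n 's/.* obj_type=\([^ ]*\)$/\1/p' | sort -u
}

sample_dump | label_to_ima_keys
```

On a live system the dump would come from the getfattr command shown above, piped into label_to_ima_keys instead of more.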