Menu
▾
▴
Re: [Linux-ima-user] IMA and MAC labels integrity check
|
From: Shaz <sha...@gm...> - 2009-10-02 19:32:59
|
On Fri, Oct 2, 2009 at 8:27 PM, Roberto Sassu <rob...@po...>wrote: > Hi all > > i'm trying to protect the integrity of labels used by a Mandatory Access > Control to enforce security policies. > > I see that it's possible to create custom ima policies that permit to find > with > more fine granularity objects of the system to be measured. > > In SELinux i have such transition: > > type_transition initrc_t myapp_exec_t:process myapp_t; > > and such type of executable is the only entrypoint for the domain myapp_t. > > Instead of adding an hmac signature over the executable, i'm thinking of > modify IMA in order to measure and verify the binary against a value > previously collected and to allow/deny the operation requested depending on > the result. > > I can have a rule that filter the execve of myapp by writing such ima > policy: > > obj_type=myapp_exec_t func=BPRM_CHECK > > with the addition: > HASH=<good value> > > In such case, if the calculated hash is different, IMA will deny the > operation. > Does this proposal addresses the issue? > > IMA works as a trusted boot not secure boot so it will load the binary but report it as a bad SHA1 hash. SHA1 is the default but HMAC is also an option. SELinux is trustworthy as long as you can trust the system administrator. So if your policy is correct and labeling rules are correct and intact then your problem will be solved. IMA only reports if the software is the expected one. You can measure file context labeling file to be sure that your application will get the same label that you expect but that is too static for me :) > Thanks for replies. > > > ------------------------------------------------------------------------------ > Come build with us! The BlackBerry® Developer Conference in SF, CA > is the only developer event you need to attend this year. Jumpstart your > developing skills, take BlackBerry mobile applications to market and stay > ahead of the curve. Join us from November 9-12, 2009. Register now! > http://p.sf.net/sfu/devconf > _______________________________________________ > Linux-ima-user mailing list > Lin...@li... > https://lists.sourceforge.net/lists/listinfo/linux-ima-user > -- Shaz |
