From: Mimi Z. <zo...@li...> - 2009-10-12 23:24:32
On Mon, 2009-10-12 at 11:15 +0200, Roberto Sassu wrote:
> Hi all
>
> I have tried to write an IMA policy in order to measure all files, in a system
> with SELinux installed, accessed by subjects with security context starting as
> "system_u:system_r" and to skip files with label "initrc_var_run_t"
> (/var/run/utmp), which is the origin of multiple violations.
> The policy is:
>
> --------
> dont_measure obj_type=initrc_var_run_t
> measure subj_user=system_u func=PATH_CHECK mask=MAY_READ
> measure subj_role=system_r func=PATH_CHECK mask=MAY_READ
> --------

The policy order, as you realized, is important. The action is based on the
first rule matched.

Are you running an SELinux targeted policy? To see the LSM labels associated
with a process execute: ps -aeZ. With a targeted policy, a number of processes
are run as unconfined.

Instead of the above policy rules, please try these:

dont_measure func=PATH_CHECK mask=MAY_READ obj_type=initrc_var_run_t
measure func=PATH_CHECK mask=MAY_READ uid=0

Thanks!

Mimi
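As an added illustration (not code from this thread or from the IMA project), a small Python simulation of IMA's first-match rule evaluation, run over the two policies quoted above and a few constructed access events; it assumes that conditions are exact string comparisons and that a key absent from a rule matches any value.

```python
# Added illustration, not from the thread: simulate IMA's first-match policy
# evaluation. IMA walks the rules top to bottom and applies the action of the
# first rule whose conditions all hold, so a 'dont_measure' exception must come
# before the 'measure' rule it is meant to override. Assumed for illustration:
# conditions are exact string matches; a key absent from a rule matches anything.

def parse_policy(text):
    """Parse 'action key=value ...' lines into (action, {key: value}) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, *conds = line.split()
        rules.append((action, dict(c.split("=", 1) for c in conds)))
    return rules

def decide(rules, event):
    """Action of the first matching rule, or None when no rule matches."""
    for action, conds in rules:
        if all(event.get(key) == value for key, value in conds.items()):
            return action
    return None

ROBERTO_POLICY = """
dont_measure obj_type=initrc_var_run_t
measure subj_user=system_u func=PATH_CHECK mask=MAY_READ
measure subj_role=system_r func=PATH_CHECK mask=MAY_READ
"""

MIMI_POLICY = """
dont_measure func=PATH_CHECK mask=MAY_READ obj_type=initrc_var_run_t
measure func=PATH_CHECK mask=MAY_READ uid=0
"""

# Constructed access events: a confined root daemon reading /var/run/utmp,
# the same daemon reading a library, and an unconfined root process (as seen
# under a targeted SELinux policy) reading a library.
UTMP_READ = {"func": "PATH_CHECK", "mask": "MAY_READ", "uid": "0",
             "subj_user": "system_u", "subj_role": "system_r",
             "obj_type": "initrc_var_run_t"}
LIB_READ = dict(UTMP_READ, obj_type="lib_t")
UNCONFINED_READ = dict(LIB_READ, subj_user="unconfined_u", subj_role="unconfined_r")

if __name__ == "__main__":
    for name, text in (("Roberto", ROBERTO_POLICY), ("Mimi", MIMI_POLICY)):
        rules = parse_policy(text)
        print(name, [decide(rules, e) for e in (UTMP_READ, LIB_READ, UNCONFINED_READ)])
    # With the dont_measure rule moved last, utmp is measured after all.
    print("reversed:", decide(parse_policy(ROBERTO_POLICY)[::-1], UTMP_READ))
```

Note how the unconfined process is not matched at all by the subj_user/subj_role rules but is measured by the uid=0 rule, which is the point of the suggested replacement.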