From: Roberto S. <rob...@po...> - 2009-10-13 08:22:32

On Tuesday 13 October 2009 01:24:17 Mimi Zohar wrote:
> On Mon, 2009-10-12 at 11:15 +0200, Roberto Sassu wrote:
> > Hi all
> >
> > I have tried to write an IMA policy in order to measure all files, in a
> > system with SELinux installed, accessed by subjects with security context
> > starting as "system_u:system_r" and to skip files with label
> > "initrc_var_run_t" (/var/run/utmp) which is the origin of multiple
> > violations.
> > The policy is:
> >
> > --------
> > dont_measure obj_type=initrc_var_run_t
> > measure subj_user=system_u func=PATH_CHECK mask=MAY_READ
> > measure subj_role=system_r func=PATH_CHECK mask=MAY_READ
> > --------
>
> The policy order, as you realized, is important. The action is based on
> the first rule matched. Are you running an SELinux targeted policy? To
> see the LSM labels associated with a process execute: ps -aeZ. With a
> targeted policy, a number of processes are run as unconfined. Instead of
> the above policy rules, please try these:
>
> dont_measure func=PATH_CHECK mask=MAY_READ obj_type=initrc_var_run_t
> measure func=PATH_CHECK mask=MAY_READ uid=0
>
> Thanks!
>
> Mimi

I'm running Fedora 11 with the targeted policy in a virtual machine and I
log in with ssh. By enabling some system services I encountered some other
violations. One is caused by the service "pcsd", which I disabled for now.
I added a few other exceptions to the policy you suggested, to clean up the
others:

dont_measure func=PATH_CHECK mask=MAY_READ obj_type=initrc_var_run_t
dont_measure func=PATH_CHECK mask=MAY_READ obj_type=sendmail_var_run_t
dont_measure func=PATH_CHECK mask=MAY_READ obj_type=hald_var_run_t
dont_measure func=PATH_CHECK mask=MAY_READ obj_type=consolekit_log_t
measure func=PATH_CHECK mask=MAY_READ uid=0
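The thread turns on two points: the first matching rule decides, and under a targeted SELinux policy the subject labels a rule keys on may not be what one expects. The following first-match evaluator is an added example, not part of the thread and not the kernel's ima_policy.c. It parses the rule syntax used above (action followed by key=value conditions) and applies it to constructed access events. Assumptions: a rule fires only when every condition it lists equals the corresponding event field, a condition a rule omits matches anything, and an event that matches no rule is simply not measured. The event field values (uid 500, the unconfined_u/unconfined_r context, the etc_t type) are illustrative, not captured from a system.

```python
"""Hypothetical first-match evaluator for IMA policy rules (added example, not
the kernel's implementation). Assumption: a rule fires only when every
condition it lists is satisfied, a condition the rule omits matches anything,
the first matching rule decides, and with no match the file is not measured."""
from dataclasses import dataclass

# Constructed policy text in the rule syntax from the thread: the policy as
# finally posted (exceptions first, then "measure what root reads") ...
POLICY_TEXT = """
# skip the noisy runtime-state files, then measure everything root reads
dont_measure func=PATH_CHECK mask=MAY_READ obj_type=initrc_var_run_t
dont_measure func=PATH_CHECK mask=MAY_READ obj_type=sendmail_var_run_t
dont_measure func=PATH_CHECK mask=MAY_READ obj_type=hald_var_run_t
dont_measure func=PATH_CHECK mask=MAY_READ obj_type=consolekit_var_run_t
measure func=PATH_CHECK mask=MAY_READ uid=0
"""
# ... and the first attempt, which keys on the subject's SELinux user/role.
ORIGINAL_POLICY_TEXT = """
dont_measure obj_type=initrc_var_run_t
measure subj_user=system_u func=PATH_CHECK mask=MAY_READ
measure subj_role=system_r func=PATH_CHECK mask=MAY_READ
"""

ACTIONS = ("measure", "dont_measure")
CONDITIONS = ("func", "mask", "obj_type", "uid", "subj_user", "subj_role")


@dataclass
class Rule:
    action: str
    conditions: dict  # condition name -> required value


def parse_policy(text):
    """Parse one rule per non-blank line: ACTION key=value [key=value ...]."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, *pairs = line.split()
        if action not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        conditions = {}
        for pair in pairs:
            key, sep, value = pair.partition("=")
            if not sep or key not in CONDITIONS:
                raise ValueError(f"line {lineno}: bad condition {pair!r}")
            conditions[key] = int(value) if key == "uid" else value
        rules.append(Rule(action, conditions))
    return rules


def matches(rule, event):
    """A rule matches when each condition it lists equals the event's field."""
    return all(event.get(key) == value for key, value in rule.conditions.items())


def evaluate(rules, event):
    """Return (action, rule_index) of the first matching rule, or (None, None)
    when nothing matches, which here means the file is left unmeasured."""
    for index, rule in enumerate(rules):
        if matches(rule, event):
            return rule.action, index
    return None, None


# Constructed access events; values are illustrative, not captured.
UTMP_READ_BY_ROOT = {"func": "PATH_CHECK", "mask": "MAY_READ", "uid": 0,
                     "subj_user": "system_u", "subj_role": "system_r",
                     "obj_type": "initrc_var_run_t"}
PASSWD_READ_BY_ROOT = dict(UTMP_READ_BY_ROOT, obj_type="etc_t")
PASSWD_READ_BY_USER = dict(PASSWD_READ_BY_ROOT, uid=500,
                           subj_user="unconfined_u", subj_role="unconfined_r")
# root running unconfined, as a targeted policy does for some processes
PASSWD_READ_BY_UNCONFINED_ROOT = dict(PASSWD_READ_BY_ROOT,
                                      subj_user="unconfined_u",
                                      subj_role="unconfined_r")

if __name__ == "__main__":
    rules = parse_policy(POLICY_TEXT)
    original = parse_policy(ORIGINAL_POLICY_TEXT)
    for name, event in [("utmp/root", UTMP_READ_BY_ROOT),
                        ("passwd/root", PASSWD_READ_BY_ROOT),
                        ("passwd/uid500", PASSWD_READ_BY_USER),
                        ("passwd/unconfined root", PASSWD_READ_BY_UNCONFINED_ROOT)]:
        print(f"{name:24s} final={evaluate(rules, event)} "
              f"original={evaluate(original, event)}")
    # Rule order matters: with the measure rule first, utmp is measured again.
    print("utmp/root, reversed policy", evaluate(rules[::-1], UTMP_READ_BY_ROOT))
```

Two things fall out of running it: reversing the final policy makes the uid=0 rule win for /var/run/utmp, so the dont_measure exception has to come first, and an unconfined root process matches the uid=0 rule but none of the subj_user/subj_role rules in the first attempt, which is the point Mimi raised about the targeted policy.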