[Linux-ima-user] Interpreter instead of script in IMA

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi Folks

I've found something which does not make much sense to me. 

Linux kernel 3.3.0

In /sys/kernel/security/ima/ascii_runtime_measurements i have lots of
entries, nearly all as expected. However, i also have:

10 c6e74a02c40124914c1dc367f7b140b1ccadb017 ima c8df4bc0118711ae391df58e9a4381a0f64a458d /etc/init.d/rcS
10 29de86918f2697f1c8b83a5cde7105f415835a7b ima 968c2722e58d7851e8cd1d346131aebc36ef8774 /etc/init.d/rcS

and

10 6df04e744253accd8243b5efa7eb1c7cadc8a038 ima 35dcb0f1d0d47395bc9c76c7922f7e7b25dbb4da /sbin/dhclient-script
10 e0eb67d8d2ca1e7ef7e86e47330863cb41336123 ima 5515a54302e5eecc6338ef7ff1300d2e94d204c3 /sbin/dhclient-script

The first of each pair is O.K:

sha1sum /etc/init.d/rcS /sbin/dhclient-script 
c8df4bc0118711ae391df58e9a4381a0f64a458d  /etc/init.d/rcS
35dcb0f1d0d47395bc9c76c7922f7e7b25dbb4da  /sbin/dhclient-script

But the second entry for each pair causes lots of confusion. However,
what i found is:

968c2722e58d7851e8cd1d346131aebc36ef8774  /bin/dash
5515a54302e5eecc6338ef7ff1300d2e94d204c3  /bin/bash

So the second entry for each is the interpreter of the script, not the
script itself as suggested by the filename hint.

Is this expected behavior?

Thanks
	Andrew