From: Sven V. <sve...@si...> - 2012-12-30 15:01:49
Hi all,

I'm testing out the Linux-IMA/EVM implementation on a virtual guest (Linux kernel 3.7 but patched with grSecurity on top of it).

When running with "ima_appraise=fix ima_appraise_tcb evm=fix ima_tcb" as kernel parameters, I notice that the measurements are not always properly stored as extended attributes. When running in enforcing, I also notice that something similar occurs with newly created files - not always, but it doesn't take long before I need to reboot my system back in "fix" mode so that important files, such as the SELinux policy file, are re-measured & stored again.

As an example, in "fix" mode:

#v+
~# getfattr -m . -d zlib-1.2.7.tar.gz
# file: zlib-1.2.7.tar.gz
security.selinux="system_u:object_r:portage_ebuild_t"

~# head -n 1 zlib-1.2.7.tar.gz
[... some random cruft ...]

~# grep zlib /sys/kernel/security/ima/ascii_runtime_measurements
10 c1673676dd06fbd9a180d3ae1e4aacf858fd493c ima f9b57333bb7243bd6d4f3d9ffa705c1bef5404db /usr/lib64/python2.7/lib-dynload/zlib.so
10 0c1cecb9f8ddd173d981d189dff0ebe2d5d9bc8d ima 4aa358a95d1e5774603e6fa149c926a80df43559 /usr/portage/distfiles/zlib-1.2.7.tar.gz

~# getfattr -m . -d zlib-1.2.7.tar.gz
# file: zlib-1.2.7.tar.gz
security.selinux="system_u:object_r:portage_ebuild_t"
#v-

When I use evmctl ima_hash against the file, it does get the proper attribute set.

At [1] you can find the custom policy I use (mainly the default one, but don't measure various log filetypes as provided through SELinux types), but since the files do get measured (they come up in the ascii_runtime_measurements pseudofile) I don't think that is the problem.

Also, is there a way (or is the project working on it) to switch from enforcing to fix mode (similar to the permissive/enforcing in SELinux) for development purposes?

It'd be nice to just be able to do something like:

#v+
~# ima_enforce 0
~# evmctl ima_hash /etc/selinux/strict/policy/policy.27
~# ima_enforce 1
#v-

and then just continue working with it, without having to resort to rebooting all over again. Preferably (just like with SELinux) a kernel parameter that only allows this for development purposes, not for a production system (as that would thwart the advantage of IMA anyhow).

Wkr,
Sven Vermeulen

[1] http://www.gentoo.org/proj/en/hardened/integrity/docs/ima-guide.xml#doc_chap4_pre4
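One way to turn the observation in the mail into a check that can be run after boot in "fix" mode, as an added example that is not part of Sven's mail or of the IMA/EVM project: parse /sys/kernel/security/ima/ascii_runtime_measurements and report every measured file whose security.ima xattr is absent or carries a different digest. It assumes the "ima" template field order shown in the mail (PCR, template hash, "ima", file hash, path) and the legacy security.ima layout of a 0x01 type byte followed by the raw SHA-1 digest; the sample data below is constructed from the two measurement lines in the mail.

```python
import os
IMA_XATTR_DIGEST = 0x01  # legacy security.ima layout: type byte, then raw SHA-1 digest

def parse_measurements(text):
    """Map path -> file digest from 'ima' template lines: PCR template-hash ima file-hash path."""
    out = {}
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[2] == "ima":
            out[parts[4]] = parts[3].lower()
    return out

def decode_ima_xattr(value):
    """Hex digest held in security.ima, or None if absent or not a plain digest."""
    if not value or value[0] != IMA_XATTR_DIGEST:
        return None
    return value[1:].hex()

def find_unlabelled(measured, xattrs):
    """Measured files whose security.ima is missing or disagrees with the measurement log."""
    problems = {}
    for path, digest in measured.items():
        stored = decode_ima_xattr(xattrs.get(path))
        if stored is None:
            problems[path] = "missing"
        elif stored != digest:
            problems[path] = "mismatch"
    return problems

def read_xattrs(paths):
    """Live helper (Linux, root): security.ima per path, None if unset or unreadable."""
    result = {}
    for p in paths:
        try:
            result[p] = os.getxattr(p, "security.ima")
        except OSError:
            result[p] = None
    return result
# Constructed sample: the two measurement lines from the mail, plus an xattr state
# in which only zlib.so carries a security.ima digest (the tarball has none).
SAMPLE = """10 c1673676dd06fbd9a180d3ae1e4aacf858fd493c ima f9b57333bb7243bd6d4f3d9ffa705c1bef5404db /usr/lib64/python2.7/lib-dynload/zlib.so
10 0c1cecb9f8ddd173d981d189dff0ebe2d5d9bc8d ima 4aa358a95d1e5774603e6fa149c926a80df43559 /usr/portage/distfiles/zlib-1.2.7.tar.gz"""
SAMPLE_XATTRS = {
    "/usr/lib64/python2.7/lib-dynload/zlib.so": b"\x01" + bytes.fromhex("f9b57333bb7243bd6d4f3d9ffa705c1bef5404db"),
    "/usr/portage/distfiles/zlib-1.2.7.tar.gz": None,
}
if __name__ == "__main__":
    for path, why in find_unlabelled(parse_measurements(SAMPLE), SAMPLE_XATTRS).items():
        print(f"{why}: {path}")
```

On a live system, feed the contents of the ascii_runtime_measurements pseudofile to parse_measurements() and pass its keys through read_xattrs() instead of SAMPLE_XATTRS.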