From: Mimi Z. <zo...@li...> - 2012-12-30 23:58:11
On Sun, 2012-12-30 at 16:01 +0100, Sven Vermeulen wrote:
> Hi all,
>
> I'm testing out the Linux-IMA/EVM implementation on a virtual guest (Linux
> kernel 3.7 but patched with grSecurity on top of it). When running with
> "ima_appraise=fix ima_appraise_tcb evm=fix ima_tcb" as kernel parameters, I
> notice that the measurements are not always properly stored as extended
> attributes. When running in enforcing, I also notice that something similar
> occurs with newly created files - not always, but it doesn't take long
> before I need to reboot my system back in "fix" mode so that important
> files, such as the SELinux policy file, are re-measured & stored again.

Although the default measurement (ima_tcb) and appraise (ima_appraise_tcb)
policies overlap, they're not the same.

> As an example, in "fix" mode:
>
> #v+
> ~# getfattr -m . -d zlib-1.2.7.tar.gz
> # file: zlib-1.2.7.tar.gz
> security.selinux="system_u:object_r:portage_ebuild_t"
>
> ~# head -n 1 zlib-1.2.7.tar.gz
> [... some random cruft ...]
>
> ~# grep zlib /sys/kernel/security/ima/ascii_runtime_measurements
> 10 c1673676dd06fbd9a180d3ae1e4aacf858fd493c ima f9b57333bb7243bd6d4f3d9ffa705c1bef5404db /usr/lib64/python2.7/lib-dynload/zlib.so
> 10 0c1cecb9f8ddd173d981d189dff0ebe2d5d9bc8d ima 4aa358a95d1e5774603e6fa149c926a80df43559 /usr/portage/distfiles/zlib-1.2.7.tar.gz

The 'ima_tcb' policy measures files opened by root, which is what you're
seeing here.

> ~# getfattr -m . -d zlib-1.2.7.tar.gz
> # file: zlib-1.2.7.tar.gz
> security.selinux="system_u:object_r:portage_ebuild_t"
> #v-

The 'ima_appraise_tcb' policy appraises files owned by root. What is the
uid/gid of zlib-1.2.7.tar.gz?

> When I use evmctl ima_hash against the file, it does get the proper
> attribute set.
>
> At [1] you can find the custom policy I use (mainly the
> default one but don't measure various log filetypes as provided through
> SELinux types), but since the files do get measured (they come up in the
> ascii_runtime_measurements pseudofile) I don't think that is the problem.
>
> To summarize, basically evmctl labels the filesystem properly, but opening
> existing files or creating new ones, in fix mode, doesn't result in proper
> labeling of files.

Try experimenting with root owned files.

> Also, is there a way (or is the project working on it) to switch from
> enforcing to fix mode (similar as the permissive/enforcing in SELinux) for
> development purposes? It'd be nice to just be able to do something like:
>
> #v+
> ~# ima_enforce 0
> ~# evmctl ima_hash /etc/selinux/strict/policy/policy.27
> ~# ima_enforce 1
> #v-
>
> and then just continue working with it, without having to resort to
> rebooting all over again. Preferably (just like with SELinux) a kernel
> parameter that only allows this for development purposes, not for a
> production system (as that would thwart the advantage of IMA anyhow).
>
> Wkr,
> Sven Vermeulen

Sorry, changing from enforcing to fix mode on a running system is not
currently implemented.

Mimi
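As an added example (not code from this thread or from the IMA/EVM project), here is a small checker for the measurement list discussed above: it parses the 'ima' template lines of ascii_runtime_measurements (PCR, template hash, template name, sha1 of the file content, path), recomputes the sha1 of each file as it is now, and reports whether the measured and current content still agree; `owned_by_root` is the criterion the ima_appraise_tcb policy uses, so it is the first thing to check on a file that never gets a security.ima attribute. The two sample lines are the ones from the mail; the temp file in `demo()` is constructed.

```python
import hashlib
import os
import tempfile

# Constructed sample in the 'ima' template layout of ascii_runtime_measurements:
# PCR, template hash, template name, sha1 of file content, path (may contain spaces).
SAMPLE_MEASUREMENTS = """\
10 c1673676dd06fbd9a180d3ae1e4aacf858fd493c ima f9b57333bb7243bd6d4f3d9ffa705c1bef5404db /usr/lib64/python2.7/lib-dynload/zlib.so
10 0c1cecb9f8ddd173d981d189dff0ebe2d5d9bc8d ima 4aa358a95d1e5774603e6fa149c926a80df43559 /usr/portage/distfiles/zlib-1.2.7.tar.gz
"""

def parse_measurements(text):
    """Map measured path -> recorded sha1; only the 'ima' template is handled."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) == 5 and fields[2] == "ima":
            entries[fields[4]] = fields[3]
    return entries

def sha1_of(path):
    """Hash the file's current content the way the 'ima' template records it."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def owned_by_root(path):
    """ima_appraise_tcb appraises root-owned files; ima_tcb measures files root opens."""
    return os.stat(path).st_uid == 0

def check_measurements(entries):
    """Per path: 'missing', 'match' or 'mismatch' against the recorded sha1."""
    result = {}
    for path, recorded in entries.items():
        if not os.path.exists(path):
            result[path] = "missing"
        else:
            result[path] = "match" if sha1_of(path) == recorded else "mismatch"
    return result

def demo():
    """Constructed run: record a temp file's hash, then append to it and re-check."""
    with tempfile.NamedTemporaryFile("wb", delete=False) as f:
        f.write(b"constructed sample content\n")
        path = f.name
    line = "10 %s ima %s %s\n" % ("0" * 40, sha1_of(path), path)  # template hash not checked
    before = check_measurements(parse_measurements(line))[path]
    with open(path, "ab") as f:
        f.write(b"tampered\n")
    after = check_measurements(parse_measurements(line))[path]
    os.unlink(path)
    return before, after
```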