From: Mimi Z. <zo...@li...> - 2013-02-19 22:04:12
On Tue, 2013-02-19 at 15:40 +0100, Sven Vermeulen wrote:
> Hi all,
>
> When I try to change the mode on a file in /run, I get a nice error:
>
> #v+
> chmod: changing permissions of 'utmp': Operation not permitted
> #v-
>
> When running with ima_appraise=fix evm=fix, the problem doesn't show up.
> Now, I can *read* the files just fine: the files are on a tmpfs, which in
> the policy is said to be not measured and not appraised:
>
> #v+
> # TMPFS_MAGIC = 0x01021994
> dont_measure fsmagic=0x01021994
> dont_appraise fsmagic=0x01021994
> #v-

These are IMA policy rules, not EVM.  evm_config_xattrnames contains the
list of EVM protected extended attributes.

> The file only holds an EVM hash:
>
> #v+
> test run # getfattr -m . -d utmp
> # file: utmp
> security.evm=0sAt2bx0ccn9rglgC6yz4RtbkQ0czJ
> security.selinux="system_u:object_r:initrc_var_run_t"
> #v-
>
> It is just that changing the mode (chmod 0644 utmp) or even SELinux context
> fails:
>
> #v+
> test run # chcon -t var_run_t utmp
> chcon: failed to change context of 'utmp' to 'system_u:object_r:var_run_t':
> Operation not permitted
> #v-
>
> I do not get anything in dmesg, audit.log or kern.log. Does anyone have
> any idea?

Before modifying an EVM protected extended attribute or anything included
in the HMAC calculation, the existing 'security.evm' is verified.

Commit 74de668 "evm: add file system uuid to EVM hmac" changed the HMAC
calculation method to include the UUID.  If your system is already
'security.evm' labeled, for backwards compatibility set
CONFIG_EVM_HMAC_VERSION to 1.

Sorry, this sort of problem should definitely be audited.

thanks,

Mimi
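Added example, not code from this thread, from ima-evm-utils or from the kernel: a small Python model of what the reply describes. It decodes a getfattr-style security.evm value (the one Sven posted is used as constructed input) to show that it is a type-0x02 HMAC label with a 20-byte SHA1 digest, and it mirrors the order in which EVM feeds data into HMAC-SHA1 so that the same file state produces different HMACs under HMAC version 1 and version 2 (the latter appending the superblock UUID, as commit 74de668 does). The input ordering, the h_misc struct layout (24 bytes on 64-bit, zero padded) and the protected-xattr list are my reading of security/integrity/evm/evm_crypto.c of that era and are assumptions, as are the key, inode numbers and SELinux context used as sample data; the real key lives in the kernel keyring and is never available to user space like this.

```python
"""Added example: decode a security.evm label and mirror the EVM HMAC input
ordering for CONFIG_EVM_HMAC_VERSION 1 and 2. Not kernel code; layout and
ordering below are assumptions taken from evm_crypto.c as of early 2013."""
import base64
import hashlib
import hmac
import struct

# Leading type byte of security.evm / security.ima (enum evm_ima_xattr_type in
# security/integrity/integrity.h). 0x02 matches the value in Sven's getfattr output.
XATTR_TYPES = {
    0x01: "IMA_XATTR_DIGEST",
    0x02: "EVM_XATTR_HMAC",
    0x03: "EVM_IMA_XATTR_DIGSIG",
    0x04: "IMA_XATTR_DIGEST_NG",
}

# Order in which EVM hashes the protected xattrs (evm_config_xattrnames); absent
# attributes are skipped. Assumption: this 2013 ordering, capability included.
EVM_PROTECTED_XATTRS = (
    "security.selinux",
    "security.SMACK64",
    "security.ima",
    "security.capability",
)


def decode_evm_xattr(getfattr_value):
    """Parse a getfattr '0s<base64>' security.evm value into (type name, digest)."""
    if not getfattr_value.startswith("0s"):
        raise ValueError("expected getfattr base64 encoding (0s prefix)")
    raw = base64.b64decode(getfattr_value[2:])
    if not raw:
        raise ValueError("empty xattr")
    return XATTR_TYPES.get(raw[0], "unknown(0x%02x)" % raw[0]), raw[1:]


def evm_hmac(key, xattrs, ino, generation, uid, gid, mode, fs_uuid, hmac_version):
    """HMAC-SHA1 over: protected xattr values in list order, then the zero-padded
    h_misc struct {unsigned long ino; u32 generation; u32 uid; u32 gid; u16 mode;}
    (24 bytes on 64-bit), then, only for HMAC version 2, the 16-byte superblock UUID."""
    mac = hmac.new(key, digestmod=hashlib.sha1)
    for name in EVM_PROTECTED_XATTRS:
        if name in xattrs:
            mac.update(xattrs[name])
    mac.update(struct.pack("<QIIIH2x", ino, generation, uid, gid, mode))
    if hmac_version > 1:
        mac.update(fs_uuid)
    return mac.digest()


def verify_label(key, stored_evm, **file_state):
    """The decision EVM makes before a chmod/chown/setxattr on a protected
    attribute is allowed: the stored HMAC must match the recomputed one."""
    kind, digest = decode_evm_xattr(stored_evm)
    if kind != "EVM_XATTR_HMAC":
        return False
    return hmac.compare_digest(digest, evm_hmac(key, **file_state))


def demo():
    """A v1-labeled file checked by a v1 and then a v2 kernel (constructed data)."""
    key = bytes(range(32))  # constructed stand-in for the kernel's evm-key
    state = dict(
        xattrs={"security.selinux": b"system_u:object_r:initrc_var_run_t\x00"},
        ino=1234, generation=1, uid=0, gid=43, mode=0o100664,
        fs_uuid=bytes(16),  # a filesystem that reports an all-zero UUID
    )
    # Label as written by 'evm=fix' on a version-1 kernel, in getfattr form:
    v1_label = "0s" + base64.b64encode(
        b"\x02" + evm_hmac(key, hmac_version=1, **state)).decode()
    return {
        "type": decode_evm_xattr(v1_label)[0],
        "ok_under_v1": verify_label(key, v1_label, hmac_version=1, **state),
        "ok_under_v2": verify_label(key, v1_label, hmac_version=2, **state),
    }


if __name__ == "__main__":
    print(decode_evm_xattr("0sAt2bx0ccn9rglgC6yz4RtbkQ0czJ"))
    print(demo())
```

The second result is the silent EPERM from the thread in miniature: the label is well formed and the key is right, but a kernel built with HMAC version 2 mixes in 16 extra bytes, so every label written under version 1 fails verification and the chmod or chcon is refused. Note also that the IMA dont_measure/dont_appraise rules never enter this path; EVM decides purely from the stored security.evm and the HMAC inputs.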