From: Sven V. <sve...@si...> - 2013-02-21 18:51:55
On Tue, Feb 19, 2013 at 04:36:47PM -0500, Mimi Zohar wrote:
> > It is just that changing the mode (chmod 0644 utmp) or even SELinux context
> > fails:
> >
> > #v+
> > test run # chcon -t var_run_t utmp
> > chcon: failed to change context of 'utmp' to 'system_u:object_r:var_run_t':
> > Operation not permitted
> > #v-
> >
> > I do not get anything in dmesg, audit.log or kern.log. Someone any idea?
>
> Before modifying an EVM protected extended attribute or anything
> included in the HMAC calculation, the existing 'security.evm' is
> verified. Commit 74de668 "evm: add file system uuid to EVM hmac"
> changed the HMAC calculation method to include the UUID. If your system
> is already 'security.evm' labeled, for backwards compatibility set
> CONFIG_EVM_HMAC_VERSION to 1.

The problem is also there with a new file (so there is no security.evm xattr available yet):

#v+
test test # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),26(tape),27(video) context=root:sysadm_r:sysadm_t
test test # pwd
/run/test
test test # ls -la
total 0
drwxr-xr-x. 2 root root  40 Feb 21 19:47 .
drwxr-xr-x. 7 root root 160 Feb 21 19:47 ..
test test # touch foo
test test # getfattr -m . -d foo
# file: foo
security.evm=0sAoOwy0XjhHWculydtncU+R2gRihz
security.selinux="root:object_r:var_run_t"

test test # chmod 0600 foo
chmod: changing permissions of 'foo': Operation not permitted
#v-

I can also confirm it is indeed EVM-related: running with IMA in enforcing but EVM=fix doesn't show the behavior.

Wkr,
	Sven Vermeulen
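The diagnostic a practitioner wants at this point is to look at what the `security.evm` label on the file actually is, since the kernel logs nothing when it refuses the chmod. The script below is an added example, not code from this thread or from the IMA/EVM project: it parses `getfattr -m . -d` output (the `0s` prefix getfattr uses for base64 values, `0x` for hex, quotes for strings) and classifies the `security.evm` value by its leading type byte, using the type numbering from the kernel's `enum evm_ima_xattr_type` (`EVM_XATTR_HMAC` = 2 followed by a 20-byte HMAC-SHA1, `EVM_IMA_XATTR_DIGSIG` = 3 followed by a signature). The sample dump is the one from the message above; the parsing helpers and the `describe_evm_label` function are assumptions of this example, not a kernel or evmctl interface.

```python
import base64

# Type byte values from the kernel's enum evm_ima_xattr_type
# (security/integrity/integrity.h); names as used there.
XATTR_TYPES = {
    0x01: "IMA_XATTR_DIGEST",
    0x02: "EVM_XATTR_HMAC",        # kernel-computed HMAC-SHA1, 20 bytes follow
    0x03: "EVM_IMA_XATTR_DIGSIG",  # offline-computed signature follows
}
HMAC_SHA1_LEN = 20

# Constructed sample: the getfattr output quoted in the message above.
SAMPLE_DUMP = """# file: foo
security.evm=0sAoOwy0XjhHWculydtncU+R2gRihz
security.selinux="root:object_r:var_run_t"
"""


def decode_getfattr_value(raw):
    """Decode one value as printed by getfattr -d (0s=base64, 0x=hex, quoted string)."""
    raw = raw.strip()
    if raw.startswith("0s"):
        return base64.b64decode(raw[2:])
    if raw.startswith("0x"):
        return bytes.fromhex(raw[2:])
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].encode()
    raise ValueError("unrecognised getfattr value encoding: %r" % raw)


def parse_getfattr_dump(text):
    """Parse `getfattr -m . -d FILE...` output into {file: {xattr name: raw bytes}}."""
    files = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("# file:"):
            current = line[len("# file:"):].strip()
            files[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            files[current][name] = decode_getfattr_value(value)
    return files


def describe_evm_label(blob):
    """Classify a security.evm value by its type byte and check the payload length.

    Returns a dict with the type name, payload length, payload hex and a
    'well_formed' flag. A well-formed HMAC label only tells you that the
    kernel wrote it; whether the HMAC still verifies depends on the key and
    the HMAC calculation method (e.g. CONFIG_EVM_HMAC_VERSION / fs UUID).
    """
    if not blob:
        return {"type": "missing", "payload_len": 0, "payload_hex": "", "well_formed": False}
    type_byte = blob[0]
    payload = blob[1:]
    type_name = XATTR_TYPES.get(type_byte, "unknown(0x%02x)" % type_byte)
    if type_byte == 0x02:
        well_formed = len(payload) == HMAC_SHA1_LEN
    elif type_byte == 0x03:
        well_formed = len(payload) > 0
    else:
        well_formed = False
    return {"type": type_name, "payload_len": len(payload),
            "payload_hex": payload.hex(), "well_formed": well_formed}


def report(dump_text):
    """One summary line per file: EVM label type and whether it is well formed."""
    lines = []
    for fname, attrs in parse_getfattr_dump(dump_text).items():
        info = describe_evm_label(attrs.get("security.evm", b""))
        lines.append("%s: security.evm type=%s payload=%d bytes well_formed=%s"
                     % (fname, info["type"], info["payload_len"], info["well_formed"]))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_DUMP):
        print(line)
```

Run it as-is to see the sample classified, or pipe real `getfattr -m . -d` output into `parse_getfattr_dump`. A `EVM_XATTR_HMAC` label with a 20-byte payload on a file the kernel refuses to chmod, with nothing in the audit log, points at a verification mismatch (key or HMAC calculation method) rather than a missing or truncated label, which is the distinction the thread is making.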