From: Mimi Z. <zo...@li...> - 2013-02-21 19:57:59
On Thu, 2013-02-21 at 19:51 +0100, Sven Vermeulen wrote:
> On Tue, Feb 19, 2013 at 04:36:47PM -0500, Mimi Zohar wrote:
> > > It is just that changing the mode (chmod 0644 utmp) or even SELinux context
> > > fails:
> > >
> > > #v+
> > > test run # chcon -t var_run_t utmp
> > > chcon: failed to change context of 'utmp' to 'system_u:object_r:var_run_t':
> > > Operation not permitted
> > > #v-
> > >
> > > I do not get anything in dmesg, audit.log or kern.log. Someone any idea?
> >
> > Before modifying an EVM protected extended attribute or anything
> > included in the HMAC calculation, the existing 'security.evm' is
> > verified. Commit 74de668 "evm: add file system uuid to EVM hmac"
> > changed the HMAC calculation method to include the UUID. If your system
> > is already 'security.evm' labeled, for backwards compatibility set
> > CONFIG_EVM_HMAC_VERSION to 1.
>
> The problem is also there with a new file (so there is no security.evm xattr
> available yet):

The 'security.selinux' is created as soon as you open the file, which
causes 'security.evm' to be written as well.

> #v+
> test test # id
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),26(tape),27(video)
> context=root:sysadm_r:sysadm_t
>
> test test # pwd
> /run/test
>
> test test # ls -la
> total 0
> drwxr-xr-x. 2 root root  40 Feb 21 19:47 .
> drwxr-xr-x. 7 root root 160 Feb 21 19:47 ..
>
> test test # touch foo
>
> test test # getfattr -m . -d foo
> # file: foo
> security.evm=0sAoOwy0XjhHWculydtncU+R2gRihz
> security.selinux="root:object_r:var_run_t"

Before changing the mode, you should be able to open the empty file.
Not being able to open the file would explain why you can't change the
mode.

> test test # chmod 0600 foo
> chmod: changing permissions of 'foo': Operation not permitted
> #v-
>
> I can also confirm it is indeed EVM-related: running with IMA in enforcing
> but EVM=fix doesn't show the behavior.
Something is modifying the file's metadata without 'security.evm' being
updated. It took me a while to figure out that the posix xattr acls are
'system' prefixed, which normally would not affect security.evm. An
interesting side effect of writing posix xattr acls is their modifying of
the i_mode, which is included in security.evm.

Your example works on my system, not that it makes a difference.

thanks,

Mimi
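The mechanism Mimi describes above, modelled in Python as an added illustration that is not part of this thread or of the kernel's EVM code: security.evm is an HMAC over the protected 'security.*' xattrs plus inode metadata (including i_mode, and the filesystem UUID for HMAC version 2); writing a POSIX ACL stores a 'system.posix_acl_access' xattr, which EVM does not hash, but the kernel also rewrites the group bits of i_mode to the ACL mask, which EVM does hash. If nothing re-seals security.evm after that, the pre-change verification on the next chmod fails with "Operation not permitted". The HMAC field layout, the key, the UUID and the inode numbers below are constructed stand-ins (the real evm_calc_hmac() byte layout differs); only the covered-versus-not-covered distinction and the mask-to-mode rewrite are the point.

```python
"""Model of EVM's security.evm check and why a POSIX ACL write breaks a later chmod.

Added illustration, not kernel code: the HMAC input layout is simplified and
the key/UUID are constructed. What it reproduces is the thread's observation
that i_mode is covered by security.evm while 'system.*' xattrs are not.
"""
import hashlib
import hmac
import struct
import uuid

# xattrs covered by security.evm; 'system.*' names (POSIX ACLs) are not among them
EVM_PROTECTED_XATTRS = ("security.selinux", "security.SMACK64",
                        "security.ima", "security.capability")

# Constructed stand-ins, not real key material or a real filesystem UUID.
EVM_KEY = b"\x42" * 20
FS_UUID = uuid.UUID("12345678-1234-5678-1234-567812345678").bytes


class Inode:
    """Just enough inode state to feed the HMAC: metadata plus an xattr dict."""
    def __init__(self, ino, uid, gid, mode, xattrs=None):
        self.ino, self.generation = ino, 1
        self.uid, self.gid, self.mode = uid, gid, mode
        self.xattrs = dict(xattrs or {})


def evm_calc_hmac(inode, hmac_version=2):
    """HMAC over protected xattr values, then inode metadata, then (v2) fs uuid.
    Field order and widths are illustrative; what matters is that mode is inside."""
    h = hmac.new(EVM_KEY, digestmod=hashlib.sha1)
    for name in EVM_PROTECTED_XATTRS:
        if name in inode.xattrs:
            h.update(inode.xattrs[name])
    h.update(struct.pack("<QIIIH", inode.ino, inode.generation,
                         inode.uid, inode.gid, inode.mode))
    if hmac_version >= 2:  # CONFIG_EVM_HMAC_VERSION=2 adds the fs uuid
        h.update(FS_UUID)
    return h.digest()


def evm_update(inode):
    """Re-seal: write security.evm over the current metadata."""
    inode.xattrs["security.evm"] = evm_calc_hmac(inode)


def evm_verify(inode):
    """What EVM does before allowing a change to anything the HMAC covers."""
    stored = inode.xattrs.get("security.evm")
    return stored is not None and hmac.compare_digest(stored, evm_calc_hmac(inode))


def posix_acl_mask(acl):
    """ACL mask = union of the owning-group, named-user and named-group entries."""
    mask = 0
    for tag, _qualifier, perms in acl:
        if tag in ("group_obj", "user", "group"):
            mask |= perms
    return mask


def set_posix_acl(inode, acl, update_evm):
    """Model of setxattr('system.posix_acl_access'): the ACL itself is a
    'system' xattr EVM ignores, but the kernel also replaces the group bits
    of i_mode with the ACL mask, and i_mode is part of the HMAC."""
    inode.xattrs["system.posix_acl_access"] = repr(acl).encode()
    inode.mode = (inode.mode & ~0o070) | (posix_acl_mask(acl) << 3)
    if update_evm:
        evm_update(inode)


def chmod(inode, new_mode):
    """EVM-protected chmod: verify security.evm first, then change and re-seal."""
    if not evm_verify(inode):
        raise PermissionError("Operation not permitted")  # what chmod(1) reports
    inode.mode = new_mode
    evm_update(inode)


def acl_then_chmod(update_evm_after_acl):
    """Create a labeled file, add an ACL entry (as 'setfacl -m u:1001:rw' would),
    then chmod it. Returns (mode after the ACL write, whether chmod succeeded)."""
    f = Inode(ino=1234, uid=0, gid=0, mode=0o644,
              xattrs={"security.selinux": b"root:object_r:var_run_t\x00"})
    evm_update(f)  # security.evm is written as soon as the labeled file exists
    acl = [("user_obj", None, 0o6), ("user", 1001, 0o6),
           ("group_obj", None, 0o4), ("other", None, 0o4)]
    set_posix_acl(f, acl, update_evm=update_evm_after_acl)
    mode_after_acl = f.mode  # 0o644 -> 0o664: group bits became the mask (rw-)
    try:
        chmod(f, 0o600)
        return mode_after_acl, True
    except PermissionError:
        return mode_after_acl, False


if __name__ == "__main__":
    print("ACL write without re-sealing:", acl_then_chmod(False))  # (0o664, False)
    print("ACL write with re-sealing:   ", acl_then_chmod(True))   # (0o664, True)
```

The first call reproduces the symptom in the thread: the ACL write changed i_mode behind EVM's back, so the stored HMAC no longer matches and the chmod is refused before it touches anything. The second shows that the problem is the missing re-seal, not the ACL itself. On a real system the same two states can be inspected with getfattr -m . -d on the file and stat -c %a before and after setfacl.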