From: Curtis V. <cu...@vp...> - 2015-06-16 13:58:05
I've mentioned seeing odd behavior copying hashes and signatures using rsync and tar. Is there documentation anywhere describing the expected behavior?

A couple of examples. I just switched kernels from my own, with ima-sig and hashes=sha256 built in, to a standard Ubuntu kernel, and now all hashes and signatures get changed automatically to sha1. I guess this should be expected but was a surprise in a way. (Apparently Ubuntu is shipping a kernel that defaults to sha1.)

Things that seem to affect the behavior creating the hash or signature:

IMA kernel mode: ima, ima-ng or ima-sig
IMA hash default: sha1, sha256, sha512

(Can anyone tell me what the kernel command line arguments are for these two items?)

IMA can also be in a state where the xattrs are simply dropped when the copy is done. (Can anyone point me to an explanation of the conditions that must be met for the xattr to be retained?) This may be related to the policy that is currently in force, and seems to work when in either fix or enforcing mode.

There are times I think I should be in enforcing mode but hashes are dropped. I am not certain if it is because I am not actually in enforcing mode or because the policy I loaded is bad.

Is there a definition for how policy settings affect the restoration of IMA xattrs when copying with tar or rsync?

Any help on this would be profoundly appreciated! (Pointers to docs and/or the place where the code implements the behavior, or specific explanations, would be very helpful.)

Best regards,
Curtis