From: Curtis V. <ve...@vp...> - 2015-06-19 23:10:49
Background:
I have taken the latest IMA patches from linux-integrity and applied
them to a 4.0.3 kernel source and built. (Also includes my gid patch.)
Things seem to work pretty much as expected:
- cannot write the ima hash from user space
- more methods of writing files (that are already "in policy") do
seem to update hashes on file close. (Some of the previous strange
behavior I noticed is gone - probably related to the rw patch
Mimi mentioned.)
works: vim, emacs, cat >> foo
So this is good progress...
The Problem:
But I cannot seem to figure out how to create a usable file that
is owned by root. This may or may not be related to some specific
examples of failure:
- cannot change passwords (only tested as root);
shadow hash does not get updated and becomes unreadable.
- df does not work. It cannot read the table that it tries
to access.
- emacs newfile.txt # creates an unreadable file
- vim newfile2.txt # ditto
- echo "Hello World" > newfile3.txt # ditto
I suspect that the failures with passwd and df are related
to the new file creation issue. But I'm not sure if their
implementations are essentially making a new file.
Looking for help:
I've looked some at the IMA code to see if I can spot a
fix but thought that it would be wise to get input from
all of you...
I am not familiar enough with the IMA kernel code to
find and fix it without some guidance. (Also I would not mind
if someone else fixed it ;-)
Also it is very possible that I have made other mistakes in
the use of IMA. (Will post an example policy for comments.)
Best regards,
Curtis
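The "unreadable new file" symptom above is what an IMA appraise policy produces when a file has no valid security.ima xattr at open time, so the first thing to check on such a file is whether the xattr exists and what type of value it holds. The following helper is an added diagnostic example, not code from this post or from the linux-integrity tree. It assumes a Linux host with a filesystem that supports extended attributes; the type-byte values (0x01 digest, 0x02 EVM HMAC, 0x03 signature, 0x04 digest with explicit hash algorithm) and the hash-algorithm byte are taken from the kernel's enum evm_ima_xattr_type and enum hash_algo, and the sample xattr bytes in the comments are constructed for illustration.

```python
"""Inspect the IMA appraisal xattr (security.ima) on a file.

Added diagnostic example (not from the mailing-list post). Under an IMA
appraise policy, a file whose security.ima xattr is missing or invalid is
denied on open, which is one way a freshly created file ends up
"unreadable". This helper reports whether the xattr is present and,
if so, decodes its leading type byte.
"""
import os
import tempfile

# First byte of security.ima (kernel enum evm_ima_xattr_type).
IMA_XATTR_TYPES = {
    0x01: "IMA_XATTR_DIGEST",      # legacy: type byte + SHA-1 digest
    0x02: "EVM_XATTR_HMAC",        # EVM HMAC (normally in security.evm)
    0x03: "EVM_IMA_XATTR_DIGSIG",  # type byte + signature header + signature
    0x04: "IMA_XATTR_DIGEST_NG",   # type byte + hash-algo byte + digest
}

# Hash-algorithm byte used by IMA_XATTR_DIGEST_NG (kernel enum hash_algo).
HASH_ALGOS = {
    0: "md4", 1: "md5", 2: "sha1", 3: "rmd160",
    4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224",
}


def parse_ima_xattr(raw: bytes) -> dict:
    """Decode the raw bytes of a security.ima value into a readable dict.

    Constructed example: b"\\x04\\x04" + 32 digest bytes is a
    DIGEST_NG entry carrying a SHA-256 hash.
    """
    if not raw:
        return {"type": "empty"}
    kind = IMA_XATTR_TYPES.get(raw[0], f"unknown(0x{raw[0]:02x})")
    info = {"type": kind}
    if raw[0] == 0x04 and len(raw) >= 2:
        info["algo"] = HASH_ALGOS.get(raw[1], f"unknown({raw[1]})")
        info["digest"] = raw[2:].hex()
    elif raw[0] == 0x01:
        info["algo"] = "sha1"
        info["digest"] = raw[1:].hex()
    elif raw[0] == 0x03:
        info["signature_len"] = len(raw) - 1
    return info


def ima_xattr_status(path: str) -> dict:
    """Report whether `path` carries security.ima and what it contains.

    A missing xattr on a file that an appraise rule covers is exactly the
    state that makes the kernel refuse the open.
    """
    listxattr = getattr(os, "listxattr", None)
    if listxattr is None:
        return {"path": path, "has_ima": False, "error": "xattr API unavailable"}
    try:
        names = listxattr(path)
    except OSError as exc:
        return {"path": path, "has_ima": False, "error": exc.strerror}
    if "security.ima" not in names:
        return {"path": path, "has_ima": False, "xattrs": names}
    raw = os.getxattr(path, "security.ima")
    return {"path": path, "has_ima": True, **parse_ima_xattr(raw)}


def demo_new_file_status() -> dict:
    """Create a fresh file the way an editor or shell redirect would, then inspect it."""
    fd, path = tempfile.mkstemp(prefix="ima-demo-")
    try:
        os.write(fd, b"Hello World\n")
        os.close(fd)
        return ima_xattr_status(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:]
    if targets:
        for target in targets:
            print(ima_xattr_status(target))
    else:
        print(demo_new_file_status())
```

Run it with the path of a file that the policy renders unreadable (for example the freshly created newfile.txt from the report); a result with "has_ima": False on a file covered by an appraise rule confirms that the hash was never written at close, whereas a present DIGEST_NG entry with the wrong digest points at a stale or mismatched hash instead.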