From: Curtis V. <cu...@vp...> - 2015-06-22 18:28:52
>-----Original Message-----
>From: Curtis Veit [mailto:ve...@vp...]
>Sent: Monday, June 22, 2015 11:05 AM
>To: Mimi Zohar
>Cc: lin...@li...
>Subject: Re: [Linux-ima-user] IMA (latest patches) do not allow creation of in policy files.
>
>Hi Mimi,
>
>We are seeing interesting behavior here. I have two things to share:
>first, a repeatable test case (on our box; we are using IMA only, no EVM), and second, a slightly simplified version of
>the policy we are using.
>
>A test case. Session log from a co-worker; note that touch does not cause the hash update until after a failed attempt at
>reading the file. (I am looking again at i_version as this looks related, but I am sure that it is enabled in /etc/fstab
>and on the kernel command line for the root-fs. I'll try changing the kernel command line to set i_version first and see
>if that helps.)
>
>...
>
>So - I've noticed that I can't 'touch' the shadow file and get the hash applied until something else tries to access the
>shadow-file & fail. Here's a log:
>
>root@17208:/etc/old# getfattr -d -e hex -m security ../shadow
># file: ../shadow
>security.ima=0x0404d4c1f8ab533a9f082e72c0d139e2a8e6f456d8874c5db040fad6e77aa55b9998
>
><-----------------change password here in web application-------------->
>
>root@17208:/etc/old# getfattr -d -e hex -m security ../shadow
>root@17208:/etc/old# sync
>root@17208:/etc/old# getfattr -d -e hex -m security ../shadow
>root@17208:/etc/old# touch ../shadow
>root@17208:/etc/old# getfattr -d -e hex -m security ../shadow
>root@17208:/etc/old# cat ../shadow
>cat: ../shadow: Permission denied
>root@17208:/etc/old# getfattr -d -e hex -m security ../shadow
>root@17208:/etc/old# touch ../shadow
>root@17208:/etc/old# getfattr -d -e hex -m security ../shadow
># file: ../shadow
>security.ima=0x04049cd46d47210254d1c7c6e03c0e9233cd37c43987a918463a9b7c0a2b12af2907
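Added example, not part of the thread and not IMA project code: a small decoder for the security.ima values that getfattr prints above, plus a user-space re-check of what IMA appraisal compares. The layout assumed is the kernel's: a leading type byte from enum evm_ima_xattr_type (0x04 = IMA_XATTR_DIGEST_NG), then a hash_algo byte (4 = sha256), then the raw digest; for the legacy 0x01 type the algorithm is inferred from the digest length. The sample shadow-style content is constructed for the demo. This lets you confirm, after a write like the password change in the log, whether the stored digest still matches the file (a stale digest is exactly what produces the "Permission denied" on read under an appraise policy).

```python
"""Decode a security.ima xattr and re-check it against file content (user-space mirror of IMA appraisal)."""
import hashlib
import os

# Type byte: enum evm_ima_xattr_type (security/integrity/integrity.h)
IMA_XATTR_TYPES = {
    0x01: "IMA_XATTR_DIGEST",      # legacy: no algo byte, bare digest
    0x02: "EVM_XATTR_HMAC",
    0x03: "EVM_IMA_XATTR_DIGSIG",
    0x04: "IMA_XATTR_DIGEST_NG",   # algo byte followed by digest
}
# Algo byte: enum hash_algo (include/uapi/linux/hash_info.h)
HASH_ALGOS = {1: "md5", 2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}


def parse_ima_xattr(raw):
    """Return (type_name, algo_name, digest) for a raw security.ima value."""
    if not raw:
        raise ValueError("empty security.ima")
    xtype = raw[0]
    if xtype == 0x01:
        # Legacy format carries no algo byte; the kernel infers it from the length.
        digest = raw[1:]
        algo = {20: "sha1", 16: "md5"}.get(len(digest))
        if algo is None:
            raise ValueError("legacy digest of unexpected length %d" % len(digest))
        return IMA_XATTR_TYPES[xtype], algo, digest
    if xtype == 0x04:
        if len(raw) < 2:
            raise ValueError("truncated IMA_XATTR_DIGEST_NG header")
        algo = HASH_ALGOS.get(raw[1])
        if algo is None:
            raise ValueError("unknown hash_algo %d" % raw[1])
        digest = raw[2:]
        if len(digest) != hashlib.new(algo).digest_size:
            raise ValueError("digest length %d does not match %s" % (len(digest), algo))
        return IMA_XATTR_TYPES[xtype], algo, digest
    if xtype in IMA_XATTR_TYPES:
        raise ValueError("%s is a signature/HMAC, not a plain digest" % IMA_XATTR_TYPES[xtype])
    raise ValueError("unknown security.ima type 0x%02x" % xtype)


def appraise(raw_xattr, content):
    """True if the stored digest matches the content; False means IMA appraisal would deny access."""
    _, algo, stored = parse_ima_xattr(raw_xattr)
    return hashlib.new(algo, content).digest() == stored


def check_file(path):
    """Read security.ima from the filesystem and appraise the file (reading the xattr needs root)."""
    raw = os.getxattr(path, "security.ima")
    with open(path, "rb") as f:
        return appraise(raw, f.read())


def build_xattr(content, algo="sha256"):
    """Construct an IMA_XATTR_DIGEST_NG value for content, as ima_fix_xattr would write it."""
    algo_id = {name: num for num, name in HASH_ALGOS.items()}[algo]
    return bytes([0x04, algo_id]) + hashlib.new(algo, content).digest()


# First value from the session log above (hex after "0x")
LOGGED_XATTR = bytes.fromhex("0404d4c1f8ab533a9f082e72c0d139e2a8e6f456d8874c5db040fad6e77aa55b9998")
# Constructed sample content; not a real shadow file
DEMO_CONTENT = b"root:*:16600:0:99999:7:::\n"

if __name__ == "__main__":
    xtype, algo, digest = parse_ima_xattr(LOGGED_XATTR)
    print(xtype, algo, digest.hex())
    fresh = build_xattr(DEMO_CONTENT)
    print("matching content appraises:", appraise(fresh, DEMO_CONTENT))
    # Simulate the log: file rewritten, xattr not yet refreshed
    print("modified content appraises:", appraise(fresh, DEMO_CONTENT + b"x"))
```

Run `check_file("/etc/shadow")` as root on a box with the appraise policy active to see whether the xattr has caught up with the last write; `parse_ima_xattr` alone is useful for reading any getfattr output offline.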