Re: [Linux-ima-user] Getting an error with file created by systemd-logind

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On Wed, 2015-07-08 at 17:46 +0000, Curtis Veit wrote:
> Hi,
> 
> I'm looking for help understanding an error (shown below).
> 
> The "tasks" files created by systemd-logind that give the error are
> shown by "file" to be "empty" and by "mimetype -b -M" to be "text/plain"
> and ownership and perms are root:root 644.
> 
> These seems to work most of the time but are occasionally created or
> updated without hashes. If it fails it continues to fail afterward
> even though it is creating new directories and files.
> 
> Does anyone have suggestions for a proper fix?
> 
> I wondered if this is a bug in systemd-logind (running ubuntu 14.04),
> or if I missed a fsmagic number I should have included in the list of
> "dont_measure" "dont_appraise"
> or if I should somehow have the system ignore /proc and /sys if I
> cannot find a solution?

The builtin ima_tcb policy doesn't measure either procfs or sysfs.

Mimi

> Here are the errors in kern.log
> 
> Jul  7 20:57:48 irms-25276 kernel: [   56.330439] audit: type=1800 audit(1436302668.756:51): pid=981 uid=0 auid=4294967295 ses=4294967295 op="appraise_data" cause="missing-hash" comm="systemd-logind" name="/sys/fs/cgroup/systemd/user/1000.user/1.session/tasks" dev="cgroup" ino=21 res=0
> Jul  7 20:57:51 irms-25276 kernel: [   59.313945] audit: type=1800 audit(1436302671.736:52): pid=981 uid=0 auid=4294967295 ses=4294967295 op="appraise_data" cause="missing-hash" comm="systemd-logind" name="/sys/fs/cgroup/systemd/user/1000.user/c1.session/tasks" dev="cgroup" ino=26 res=0
> Jul  7 21:02:23 irms-25276 kernel: [  331.666603] audit: type=1800 audit(1436302943.733:53): pid=981 uid=0 auid=4294967295 ses=4294967295 op="appraise_data" cause="missing-hash" comm="systemd-logind" name="/sys/fs/cgroup/systemd/user/1000.user/tasks" dev="cgroup" ino=16 res=0
> 
> 
> Currently my "dont" list in policy is as follows:
> 
> # Default Rules
> dont_measure fsmagic=0x9fa0
> dont_appraise fsmagic=0x9fa0
> dont_measure fsmagic=0x62656572
> dont_appraise fsmagic=0x62656572
> dont_measure fsmagic=0x64626720
> dont_appraise fsmagic=0x64626720
> dont_measure fsmagic=0x01021994
> dont_appraise fsmagic=0x01021994
> dont_measure fsmagic=0x858458f6
> dont_appraise fsmagic=0x858458f6
> dont_measure fsmagic=0x73636673
> dont_appraise fsmagic=0x73636673
> 
> 
> Comments and suggestions are always appreciated.
> 
> Best regards,
> Curtis
> 
> ------------------------------------------------------------------------------
> Don't Limit Your Business. Reach for the Cloud.
> GigeNET's Cloud Solutions provide you with the tools and support that
> you need to offload your IT needs and focus on growing your business.
> Configured For All Businesses. Start Your Cloud Today.
> https://www.gigenetcloud.com/
> _______________________________________________ Linux-ima-user mailing list Lin...@li... https://lists.sourceforge.net/lists/listinfo/linux-ima-user