From: Mimi Z. <zo...@li...> - 2015-12-23 20:36:27
On Wed, 2015-12-23 at 20:02 +0100, Tao wrote:
> Hi Mimi,
>
> Thank you very much for your reply.
>
> My answers are in-line.
>
> Another issue, when I open the file with vi or vim and make some
> modifications of the file, the security.ima attribute will disappear.
> But when I use nano to edit the file, the value of security.ima will
> be updated. I am not sure if this is another issue.

"vi" doesn't edit the existing file, but creates a new file. Look at
the inode (stat <pathname>) associated with the file before and after
using "vi".

(Your email is still mangled.)

> >> But after I change the ownership of the file to user
> >> ‘temp’ whose file is set to be appraised, and try to run the same
> >> ima_verify again, it gives error with the following message:
> >>
> >> [8621.067731]digsig: key not found, id:DE253B20DFD8E3
> > Probably "_ima" is not on root's keyring.
> It should be, because when I execute 'keyctl show', I can see _ima as a
> sub keyring of keyring:_uid.0
> but the system still shows that:
>
> digsig: key not found, id:DE253B20DFD8E3
>
> Any other thoughts?

The keyid lookup was broken and fixed twice. Perhaps one of these
commits was backported to RHEL 7 without the corresponding fixes.

- Commit 46963b7 "KEYS: Overhaul key identification when searching for
  asymmetric keys" broke the keyid lookup.
  Commit f1b731d "KEYS: Restore partial ID matching functionality for
  asymmetric keys" fixed it.

- Commit 46963b774d44 "KEYS: Overhaul key identification when searching
  for asymmetric keys" broke the keyid lookup.
  Commit f2b3dee "KEYS: fix "ca_keys=" partial key matching" fixed it.

Mimi
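
The inode check suggested in the reply above, as an added example that is not part of the original message: it compares a file's inode before and after two save strategies. The function names and the sample file are constructed for illustration, and using an in-place rewrite to stand for an editor that keeps the existing file is an assumption.

```shell
#!/bin/sh
# Added example: does a save strategy keep the inode (and with it the
# xattrs such as security.ima) or replace it? All names are hypothetical.

# Print the inode number of a path (the same field `stat <pathname>` shows).
inode_of() {
    ls -i "$1" | awk '{print $1}'
}

# Strategy A: rewrite the existing file in place. The inode is kept.
save_in_place() {
    printf '%s\n' "$2" > "$1"
}

# Strategy B: write a new file, then rename it over the original.
# The path now points at a different inode.
save_via_rename() {
    tmp="$1.tmp.$$"
    printf '%s\n' "$2" > "$tmp" && mv -f "$tmp" "$1"
}

# Apply a strategy to a path; return 0 if the inode changed, 1 otherwise.
inode_changed_by() {
    strategy="$1"; path="$2"
    before=$(inode_of "$path")
    "$strategy" "$path" "edited content"
    after=$(inode_of "$path")
    [ "$before" != "$after" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    printf 'original\n' > "$dir/sample.txt"   # constructed sample file
    for s in save_in_place save_via_rename; do
        if inode_changed_by "$s" "$dir/sample.txt"; then
            echo "$s: inode changed, xattrs on the old inode do not carry over"
        else
            echo "$s: inode unchanged, existing xattrs stay attached"
        fi
    done
    rm -rf "$dir"
}

demo
```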