Menu
▾
▴
Re: [Linux-ima-user] IMA appraisal with signature issue
|
From: Mimi Z. <zo...@li...> - 2015-12-23 20:36:27
|
On Wed, 2015-12-23 at 20:02 +0100, Tao wrote: > Hi Mimi, > > Thank you very much for your reply. > > My answers are in-line. > > Another issue, when I open the file with vi or vim and make some > modifications of the file, > the security.ima attribute will disappear. But when I use nano to edit > the file, the value of > security.ima will be updated. I am not sure if this is another issue. "vi" doesn't edit the existing file, but creates a new file. Look at the inode (stat <pathname>) associated with the file before and after using "vi". (Your email is still mangled.) > >> But after I change the ownership of the file to user > >> ‘temp’ whose file is set to be appraised, and try to run the same > >> ima_verify again, it gives error with the following message: > >> > >> [8621.067731]digsig: key not found, id:DE253B20DFD8E3 > > Probably "_ima" is not on root's keyring. > It should be, because when I execute 'keyctl show', I can see _ima as a > sub keyring of keyring:_uid.0 > but the system still show that : > > digsig: key not found, id:DE253B20DFD8E3 > > Any other thoughts? The keyid lookup was broken and fixed twice. Perhaps one of these commits were backported to RHEL 7 without the corresponding fixes. - Commit 46963b7 "KEYS: Overhaul key identification when searching for asymmetric keys" broke the keyid lookup. Commit f1b731d "KEYS: Restore partial ID matching functionality for asymmetric keys" fixed it. - Commit 46963b774d44 "KEYS: Overhaul key identification when searching for asymmetric keys" broke the keyid lookup. Commit f2b3dee "KEYS: fix "ca_keys=" partial key matching" fixed it. Mimi |
