From: Baal Su <baa...@gm...> - 2016-01-11 15:58:47
> On 23 Dec 2015, at 21:35, Mimi Zohar <zo...@li...> wrote:
>
> On Wed, 2015-12-23 at 20:02 +0100, Tao wrote:
>> Hi Mimi,
>>
>> Thank you very much for your reply.
>>
>> My answers are in-line.
>>
>> Another issue: when I open the file with vi or vim and make some
>> modifications to the file, the security.ima attribute will disappear.
>> But when I use nano to edit the file, the value of security.ima will
>> be updated. I am not sure if this is another issue.
>
> "vi" doesn't edit the existing file, but creates a new file. Look at
> the inode (stat <pathname>) associated with the file before and after
> using "vi".
>
> (Your email is still mangled.)
>
>>>> But after I change the ownership of the file to user 'temp', whose
>>>> files are set to be appraised, and try to run the same ima_verify
>>>> again, it gives an error with the following message:
>>>>
>>>> [8621.067731]digsig: key not found, id:DE253B20DFD8E3
>>> Probably "_ima" is not on root's keyring.
>> It should be, because when I execute 'keyctl show', I can see _ima as a
>> sub-keyring of keyring:_uid.0, but the system still shows:
>>
>> digsig: key not found, id:DE253B20DFD8E3
>>
>> Any other thoughts?
>
> The keyid lookup was broken and fixed twice. Perhaps one of these
> commits was backported to RHEL 7 without the corresponding fixes.
>
> - Commit 46963b7 "KEYS: Overhaul key identification when searching for
>   asymmetric keys" broke the keyid lookup. Commit f1b731d "KEYS:
>   Restore partial ID matching functionality for asymmetric keys" fixed it.
>
> - Commit 46963b774d44 "KEYS: Overhaul key identification when searching
>   for asymmetric keys" broke the keyid lookup. Commit f2b3dee "KEYS: fix
>   "ca_keys=" partial key matching" fixed it.
>

Hi Mimi,

Thank you for your reply.

I tried to recompile the kernel to 4.1.15, which is the latest longterm
version, but the aforementioned problem still exists.

When I run "keyctl show", I can see the following output:

Session Keyring
 841881916 --alswrv      0     0  keyring: _ses
1060565120 --alswrv      0 65534   \_ keyring: _uid.0
 332490404 --alswrv      0     0       \_ keyring: _ima
 452725264 --alswrv      0     0           \_ user: 821C0DFD4C617DA

But when I want to read a file under appraisal in enforce mode, it still
shows:

[  358.334856] digsig: key not found, id: 821C0DFD4C617DA
cat: file: Permission denied

Should I try a more recent kernel?

Thank you for your time and best wishes!

Tao

> Mimi
>
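Editor's added example, not part of the thread above, illustrating Mimi's point that "vi" creates a new file: an editor that writes a fresh file and renames it over the original replaces the inode, and the security.ima xattr lives on the inode, so it goes away with it; an editor that truncates and rewrites the existing inode keeps it. Because security.* xattrs need privilege, the demonstration uses a user.demo attribute as a stand-in (an assumption of this example), and it reports whether the scratch filesystem supports user xattrs at all, since some do not.

```python
"""Show why a rename-over-the-original editor loses an inode-bound xattr
(security.ima on a real system), while an in-place rewrite keeps it."""
import os
import tempfile

XATTR = "user.demo"   # stand-in for security.ima; user.* needs no privilege


def edit_in_place(path: str, new_text: str) -> None:
    """Truncate and rewrite through the existing inode (nano-style save)."""
    with open(path, "r+") as f:
        f.truncate(0)
        f.write(new_text)


def edit_by_replace(path: str, new_text: str) -> None:
    """Write a fresh file and rename it over the original (vi-style save):
    the old inode, and every xattr attached to it, is discarded."""
    tmp = path + ".new"
    with open(tmp, "w") as f:
        f.write(new_text)
    os.replace(tmp, path)


def observe(editor) -> dict:
    """Edit a scratch file with `editor`; report whether inode and xattr survived."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "target")
        with open(path, "w") as f:
            f.write("original\n")
        xattr_ok = hasattr(os, "setxattr")      # Linux only
        if xattr_ok:
            try:
                os.setxattr(path, XATTR, b"demo")
            except OSError:                      # filesystem without user xattrs
                xattr_ok = False
        ino_before = os.stat(path).st_ino        # what `stat <pathname>` shows
        editor(path, "modified\n")
        ino_after = os.stat(path).st_ino
        kept = False
        if xattr_ok:
            try:
                kept = os.getxattr(path, XATTR) == b"demo"
            except OSError:                      # ENODATA: gone with the old inode
                kept = False
        with open(path) as f:
            content = f.read()
        return {"same_inode": ino_before == ino_after,
                "xattr_supported": xattr_ok,
                "xattr_kept": kept,
                "content": content}


if __name__ == "__main__":
    for name, editor in (("in-place", edit_in_place), ("replace", edit_by_replace)):
        print(name, observe(editor))
```

The same check on a real system is `stat -c %i <file>` plus `getfattr -m security.ima -d <file>` before and after saving. Vim's behaviour is governed by its `backupcopy` option: `:set backupcopy=yes` makes it overwrite the original in place (inode and xattrs preserved), whereas `backupcopy=no` renames the original aside and writes a new file. Either way, a re-signed or freshly hashed file still needs a valid security.ima before IMA appraisal in enforce mode will allow it to be read.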
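Editor's added example, not code from the thread, for triaging a "digsig: key not found, id:..." message from the `keyctl show` output rather than by eye. It parses the keyring tree, locates the _ima keyring, and then approximates the lookup the kernel's IMA signature verifier performs: that verifier (security/integrity/digsig_asymmetric.c) searches the keyring for a key of type `asymmetric` whose id matches, so a key of any other type is never a candidate even if its description carries the right hex id. The suffix comparison used here stands in for the kernel's "id:" partial matching and is an approximation of this example; the first sample is the output posted above, re-laid in keyctl's fixed-width columns, and the second sample (with an invented serial number) is a constructed counter-example of what the same keyring looks like once an X.509 certificate has been loaded as an `asymmetric` key, for instance with `evmctl import <cert.der> <keyring-id>`.

```python
"""Parse `keyctl show` output and emulate the IMA asymmetric-key lookup."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Tuple

# Constructed sample: the `keyctl show` output from the mail above.
SAMPLE_KEYCTL_SHOW = """\
Session Keyring
 841881916 --alswrv      0     0  keyring: _ses
1060565120 --alswrv      0 65534   \\_ keyring: _uid.0
 332490404 --alswrv      0     0       \\_ keyring: _ima
 452725264 --alswrv      0     0           \\_ user: 821C0DFD4C617DA
"""

# Constructed counter-example: the certificate loaded as an asymmetric key
# (serial number and subject are made up for illustration).
SAMPLE_KEYCTL_SHOW_OK = """\
Session Keyring
 841881916 --alswrv      0     0  keyring: _ses
1060565120 --alswrv      0 65534   \\_ keyring: _uid.0
 332490404 --alswrv      0     0       \\_ keyring: _ima
 575811360 --alswrv      0     0           \\_ asymmetric: IMA test cert: 821c0dfd4c617da
"""

# serial, permission mask, uid, gid; the remainder carries indentation and "type: desc"
HEAD_RE = re.compile(r"^\s*(?P<serial>\d+)\s+(?P<perms>\S+)\s+(?P<uid>\d+)\s+(?P<gid>\d+)")


@dataclass
class Key:
    serial: int
    perms: str
    uid: int
    gid: int
    ktype: str                      # 'keyring', 'user', 'asymmetric', ...
    desc: str
    children: List["Key"] = field(default_factory=list)


def parse_keyctl_show(text: str) -> List[Key]:
    """Rebuild the keyring tree; nesting is given by the column of the '\\_' marker."""
    roots: List[Key] = []
    stack: List[Tuple[int, Key]] = []          # (indent column, node) ancestry
    for line in text.splitlines():
        m = HEAD_RE.match(line)
        if not m:
            continue                           # "Session Keyring" banner, blank lines
        rest = line[m.end():]
        col = rest.find("\\_")                 # -1 for a top-level keyring
        body = rest if col < 0 else rest[col + 2:]
        ktype, _, desc = body.strip().partition(":")
        node = Key(int(m["serial"]), m["perms"], int(m["uid"]), int(m["gid"]),
                   ktype.strip(), desc.strip())
        while stack and stack[-1][0] >= col:   # climb back to this line's parent
            stack.pop()
        (stack[-1][1].children if stack else roots).append(node)
        stack.append((col, node))
    return roots


def walk(nodes: List[Key]) -> Iterator[Key]:
    for n in nodes:
        yield n
        yield from walk(n.children)


def diagnose(text: str, keyid: str) -> Dict[str, object]:
    """Explain whether the IMA verifier would find `keyid` in this key tree."""
    roots = parse_keyctl_show(text)
    ima = [k for k in walk(roots) if k.ktype == "keyring" and k.desc == "_ima"]
    result: Dict[str, object] = {"ima_keyring": bool(ima), "matches": [], "ok": False}
    if not ima:
        result["reason"] = "no keyring named _ima is reachable from this session"
        return result
    want = keyid.lower()
    # Approximation of the kernel's "id:<hex>" partial match: compare the tail
    # of each key's description, case-insensitively.
    matches = [k for ring in ima for k in walk(ring.children)
               if k.desc.lower().endswith(want)]
    result["matches"] = matches
    asym = [k for k in matches if k.ktype == "asymmetric"]
    if asym:
        result["ok"] = True
        result["reason"] = "asymmetric key %d matches id %s" % (asym[0].serial, keyid)
    elif matches:
        result["reason"] = ("key(s) with that id exist but have type %s, not "
                            "'asymmetric'; the signature verifier only searches "
                            "asymmetric keys" % ", ".join(repr(k.ktype) for k in matches))
    else:
        result["reason"] = "_ima keyring exists but holds no key ending in %s" % keyid
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_KEYCTL_SHOW, SAMPLE_KEYCTL_SHOW_OK):
        print(diagnose(sample, "821C0DFD4C617DA")["reason"])
```

Run against the posted output, the verdict is that a key with the expected id is present in _ima but of type `user`, which the signature verifier never considers; against the counter-example it reports a matching `asymmetric` key. In practice, feed it `keyctl show @s` (or the keyring root the appraised process actually sees) and the id from the dmesg line.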