From: Patrick O. <pat...@in...> - 2016-11-03 08:26:51
On Wed, 2016-11-02 at 09:47 -0400, Mimi Zohar wrote:
> In order to revert the patch, we need to explain the reason for doing
> so. Could you expand/update the two reasons given below?
>
> - Applications have been modified to write security xattrs, but they are
> not necessarily context aware. In the case of security.ima, the
> security xattr can be either a file hash or a file signature.
> Permitting writing one, but not the other requires the application to be
> context aware.
>
> - Applications write files to a staging area, which might not be in
> policy, and then change some file metadata (eg owner) making it in
> policy. As a result, these files are not labeled properly.

That describes it well.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although I am an employee of Intel, the statements I make here in no way represent Intel's position on the issue, nor am I authorized to speak on behalf of Intel on this matter.
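The first reason quoted above turns on the fact that a single `security.ima` value can carry either a file hash or a file signature, distinguished only by its leading type byte. The following is an added illustration, not code from this thread or from the IMA project: it parses a `security.ima` value the way the kernel's IMA/EVM headers define it (type byte, then either an algorithm byte plus digest or a v2 signature header) and shows the decision an xattr-writing tool would be forced into if the kernel allowed writing one form but not the other. The type and hash-algorithm constants follow the kernel's `enum evm_ima_xattr_type` and `enum hash_algo`; the sample values are constructed, not taken from any real file, and `write_permitted` is a hypothetical policy helper.

```python
"""Classify an on-disk security.ima xattr value as a hash or a signature.

Added illustration for the IMA revert discussion, not project code. Constants
and layouts follow the Linux IMA/EVM definitions; sample values below are
constructed for the example.
"""
import struct

# Leading type byte of a security.ima / security.evm value (enum evm_ima_xattr_type).
IMA_XATTR_DIGEST = 0x01       # legacy: a bare SHA1 digest follows
EVM_XATTR_HMAC = 0x02         # HMAC, only meaningful for security.evm
EVM_IMA_XATTR_DIGSIG = 0x03   # asymmetric signature (struct signature_v2_hdr)
IMA_XATTR_DIGEST_NG = 0x04    # hash-algorithm byte, then the digest

# Subset of the kernel's enum hash_algo, as used in DIGEST_NG and signature headers.
HASH_ALGO_NAMES = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160",
                   4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}


def classify_ima_xattr(value: bytes) -> dict:
    """Describe what kind of security.ima value this is (hash, signature, hmac)."""
    if not value:
        raise ValueError("empty security.ima value")
    kind, body = value[0], value[1:]

    if kind == IMA_XATTR_DIGEST:
        # Legacy format: no algorithm byte, SHA1 is implied.
        return {"kind": "hash", "algo": "sha1", "digest": body.hex()}

    if kind == IMA_XATTR_DIGEST_NG:
        if len(body) < 2:
            raise ValueError("truncated DIGEST_NG value")
        algo = HASH_ALGO_NAMES.get(body[0], f"unknown({body[0]})")
        return {"kind": "hash", "algo": algo, "digest": body[1:].hex()}

    if kind == EVM_IMA_XATTR_DIGSIG:
        # struct signature_v2_hdr: version(1) hash_algo(1) keyid(4, BE) sig_size(2, BE) sig[]
        if len(body) < 8:
            raise ValueError("truncated signature header")
        version, hash_algo, keyid, sig_size = struct.unpack(">BBIH", body[:8])
        if version != 2:
            # Older header layouts are not parsed here; only report the version.
            return {"kind": "signature", "version": version}
        sig = body[8:8 + sig_size]
        if len(sig) != sig_size:
            raise ValueError("signature shorter than sig_size claims")
        return {"kind": "signature", "version": 2,
                "algo": HASH_ALGO_NAMES.get(hash_algo, f"unknown({hash_algo})"),
                "keyid": f"{keyid:08x}", "sig_len": sig_size}

    if kind == EVM_XATTR_HMAC:
        return {"kind": "hmac"}
    return {"kind": f"unknown({kind})"}


def write_permitted(value: bytes, allow_hash: bool, allow_signature: bool) -> bool:
    """Hypothetical helper: the check an xattr-writing application would need
    if the kernel permitted writing hashes but not signatures (or vice versa).
    This is exactly the 'context awareness' the thread says applications lack."""
    kind = classify_ima_xattr(value)["kind"]
    return (kind == "hash" and allow_hash) or (kind == "signature" and allow_signature)


# Constructed sample values (not real file metadata).
SAMPLE_HASH_NG = bytes([IMA_XATTR_DIGEST_NG, 4]) + bytes(range(32))   # sha256-sized digest
SAMPLE_HASH_LEGACY = bytes([IMA_XATTR_DIGEST]) + bytes(range(20))     # sha1-sized digest
SAMPLE_SIG = (bytes([EVM_IMA_XATTR_DIGSIG])
              + struct.pack(">BBIH", 2, 4, 0xDEADBEEF, 4)               # v2, sha256, keyid, 4-byte sig
              + b"\x01\x02\x03\x04")

if __name__ == "__main__":
    for name, sample in [("hash_ng", SAMPLE_HASH_NG),
                         ("hash_legacy", SAMPLE_HASH_LEGACY),
                         ("signature", SAMPLE_SIG)]:
        print(name, classify_ima_xattr(sample),
              "writable under hash-only policy:", write_permitted(sample, True, False))
```

On a live Linux system the same classifier can be fed `os.getxattr(path, "security.ima")`; the point of the example is that nothing in the write path tells the application which of the two forms it is producing unless it parses the value itself, which is the burden the quoted reason describes.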