From: Stefan B. <st...@li...> - 2016-11-29 12:08:49
On 11/29/2016 06:49 AM, Lennart Poettering wrote:
> On Mon, 28.11.16 14:17, Stefan Berger (st...@li...) wrote:
>
>> From: Stefan Berger <st...@us...>
>>
>> Fedora has its policy in /etc/sysconfig/ima-policy while Ubuntu
>> has it in /etc/default/ima-policy. So we try to read the IMA policy
>> from one location and try it from another location if it couldn't
>> be found. To maintain backwards compatibility, we also try
>> /etc/ima/ima-policy.
> Sorry, but this looks very wrong. I am not sure what /etc/sysconfig/
> and /etc/default/ima-policy are supposed to be, but I am pretty sure
> placing IMA policy there is just wrong. Moreover, our goal is to
> remove any distro-specific hooks in systemd in favour of common paths,
> not adding new.

It's confusing... Dracut for example expects it in /etc/sysconfig/ima-policy:

https://github.com/dracutdevs/dracut/blob/master/modules.d/98integrity/ima-policy-load.sh#L10

So following that either one has to change. I chose to change systemd. To me /etc/default on Debian systems is the equivalent of /etc/sysconfig on RPM based ones (or at least RedHat based ones), so that's where this is coming from.

>
> Hence I am sorry, but I don't think this is right. Please ask the
> downstream maintainers to agree on /etc/ima/ima-policy (or any other
> common path). Let's fix the distros, let's not work around them in
> systemd.

Fine, if that's the common understanding that the proposed directories are not appropriate.

    Stefan

>
> I hope this makes sense,
>
> sorry,
>
> Lennart
>