From: Mimi Z. <zo...@li...> - 2016-12-30 13:15:45
On Thu, 2016-12-29 at 23:56 +0300, Mikhail Kurinnoi wrote:
> > On Fedora, "touch" creates the SELinux label, which results in an EVM
> > label as well. Everything works as expected.
>
> I don't use SELinux; with the "dont_appraise" policy, "touch" doesn't create
> any xattrs that should be protected. And, since I see the -EOPNOTSUPP error
> from getxattr(), this means the ->list, ->get, and ->set xattr handler
> operations are removed from the inode and I have xattr support disabled in
> the inode. Have no idea why it's so; this is probably some kind of
> xattrs-related work issue.

It's kind of irrelevant, but I'd like to know why it isn't working. Are
you running these tests in a VM or container? (If in a container, what
type of container?)

> I tested the "security.foo" xattr, but this is not working. Looks like this
> works only with xattrs that should be protected by EVM.

By "not working", what do you mean? Are you able to write the
security.foo xattr?

> In case of the "appraise" policy, "touch" creates the ima xattr, and I can
> work with attr/xattr changes.
>
> I think we probably also have some xattrs-related issue in the EVM
> code, since the FS removes xattr support from the inode that EVM only works
> with (in case of "dont_appraise", without SELinux and so on). At the
> same time I don't have any issues if EVM is disabled.

Only files in policy have a security.ima xattr. Doing a chmod
potentially changes whether or not the file is in policy.

Mimi
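As an added example (not part of this thread), a small Linux probe that answers Mimi's question precisely for one file: it lists the file's xattrs and distinguishes getxattr() failing with EOPNOTSUPP (the inode has no xattr handlers, as Mikhail describes) from ENODATA (the attribute is simply absent) and EPERM (no CAP_SYS_ADMIN, or an LSM denied it). The names security.ima, security.evm and security.foo come from the discussion; the functions and diagnosis strings are this example's own.

```c
/* Added example: classify xattr failures on a file, Linux only. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>

/* Map the errno from getxattr()/setxattr() to what it tells us about the inode. */
const char *diagnose_xattr_errno(int err) {
    switch (err) {
    case 0:          return "attribute present";
    case ENODATA:    return "no such attribute on this inode";
    case EOPNOTSUPP: return "inode has no xattr handlers (filesystem/mount level)";
    case EPERM:
    case EACCES:     return "denied: needs CAP_SYS_ADMIN or the LSM must allow it";
    default:         return "other error";
    }
}

/* Return 0 if the attribute can be read, otherwise the errno from getxattr(). */
int probe_xattr(const char *path, const char *name) {
    char buf[256];
    if (getxattr(path, name, buf, sizeof buf) < 0)
        return errno;
    return 0;
}

/* List every xattr on the file, then probe the three names from the thread. */
int probe_file(const char *path) {
    static const char *names[] = { "security.ima", "security.evm", "security.foo" };
    char list[1024];
    ssize_t n = listxattr(path, list, sizeof list);
    if (n < 0) {
        printf("listxattr(%s): %s\n", path, diagnose_xattr_errno(errno));
        return errno;
    }
    for (ssize_t off = 0; off < n; off += (ssize_t)strlen(list + off) + 1)
        printf("  has %s\n", list + off);          /* names are NUL-separated */
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("  %-13s -> %s\n", names[i], diagnose_xattr_errno(probe_xattr(path, names[i])));
    return 0;
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s <file>\n", argv[0]); return 2; }
    return probe_file(argv[1]) ? 1 : 0;
}
```

Run it against a file created with "touch" under each policy to see whether the EOPNOTSUPP comes from the inode itself or only from the EVM-protected names.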