From: Nasim, K. <Kam...@wi...> - 2017-10-03 21:40:44
Hi Experts,

I am testing our IMA appraisal (appraise_type=log), to see how IMA would log appraisal failures. Everything seems fine except that when I close my file (without any edits), vim just hangs (I need to kill the process manually).

My policy:

$ cat /etc/ima.policy
# EXT4_SUPER_MAGIC
measure func=FILE_CHECK uid=0 fsmagic=0xEF53
appraise func=FILE_MMAP mask=MAY_EXEC uid=0 appraise_type=imasig fsmagic=0xEF53
appraise func=FILE_CHECK mask=MAY_EXEC uid=0 appraise_type=imasig fsmagic=0xEF53
appraise func=BPRM_CHECK mask=MAY_EXEC uid=0 appraise_type=imasig fsmagic=0xEF53

My audit log entries (appraise_data / missing-hash):

type=SYSCALL msg=audit(1507066020.544:1638): arch=c000003e syscall=9 success=yes exit=139688952565760 a0=0 a1=202110 a2=5 a3=802 items=0 ppid=3613 pid=3614 auid=1875 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="vim" exe="/usr/bin/vim" key=(null)
type=INTEGRITY_DATA msg=audit(1507066020.544:1639): pid=3614 uid=0 auid=1875 ses=2 op="appraise_data" cause="missing-hash" comm=vim name=/usr/lib64/libfreebl3.so dev=sda3 ino=785508 res=0
type=SYSCALL msg=audit(1507066020.544:1639): arch=c000003e syscall=9 success=yes exit=139688950456320 a0=0 a1=2020c0 a2=5 a3=802 items=0 ppid=3613 pid=3614 auid=1875 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="vim" exe="/usr/bin/vim" key=(null)
type=INTEGRITY_DATA msg=audit(1507066020.551:1640): pid=3614 uid=0 auid=1875 ses=2 op="appraise_data" cause="missing-hash" comm=vim name=/usr/lib64/libnss_files-2.17.so dev=sda3 ino=785569 res=0

vim stuck after I try closing it with :q

localhost:~$ ps -auxf | grep vim
root 3613 0.0 0.0 198120 3432 pts/0 S+ 21:26 0:00 | \_ sudo vim /var/log/audit/audit.log
root 3614 0.0 0.0 150716 4488 pts/0 D+ 21:26 0:00 | \_ vim /var/log/audit/audit.log <<<<<<<<<<<<<<<<<

Looks like my process is in Uninterruptible Sleep. Any ideas why this might be happening?
Thanks,
Kam
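An added example, not part of the original message: a small Python parser that pulls the failed `appraise_data` events out of audit records like the ones quoted above and groups the affected files by `cause`, which gives the list of files still lacking a hash or signature while appraisal is in log mode. The function names are hypothetical, and the SYSCALL line in the sample is a shortened, constructed copy.

```python
import re
from collections import defaultdict

# Sample records: the two INTEGRITY_DATA lines quoted in the message above, plus one
# shortened (constructed) SYSCALL line to show that other record types are skipped.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1507066020.544:1638): arch=c000003e syscall=9 success=yes pid=3614 comm="vim" exe="/usr/bin/vim"
type=INTEGRITY_DATA msg=audit(1507066020.544:1639): pid=3614 uid=0 auid=1875 ses=2 op="appraise_data" cause="missing-hash" comm=vim name=/usr/lib64/libfreebl3.so dev=sda3 ino=785508 res=0
type=INTEGRITY_DATA msg=audit(1507066020.551:1640): pid=3614 uid=0 auid=1875 ses=2 op="appraise_data" cause="missing-hash" comm=vim name=/usr/lib64/libnss_files-2.17.so dev=sda3 ino=785569 res=0
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# key=value where the value is either double-quoted or a run of non-space characters
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Return a dict for one audit line, or None if it is not an audit record."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    for key, quoted, bare in FIELD.findall(m.group(4)):
        rec[key] = quoted if bare == "" else bare
    return rec

def appraisal_failures(log_text):
    """Group failed appraise_data events by cause, mapping to sorted file names."""
    by_cause = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or rec["type"] != "INTEGRITY_DATA":
            continue
        # res=0 marks a failed result in these records
        if rec.get("op") == "appraise_data" and rec.get("res") == "0":
            by_cause[rec.get("cause", "unknown")].add(rec.get("name", "?"))
    return {cause: sorted(names) for cause, names in by_cause.items()}

if __name__ == "__main__":
    for cause, names in appraisal_failures(SAMPLE_LOG).items():
        print(f"{cause}: {len(names)} file(s)")
        for name in names:
            print("   ", name)
```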