From: Lennart Poettering <lennart-mdGvqq1h2p+GdvJs77BJ7Q@public.gmane.org>
To: Gustavo Sverzut Barbieri
<barbieri-Y3ZbgMPKUGA34EUeqzHoZw@public.gmane.org>
Cc: Roberto Sassu
<roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>,
initramfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
systemd-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org,
linux-ima-user-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org,
Michael Cassaniti
<m.cassaniti-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
harald-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
ramunno-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org
Subject: Re: [systemd-devel] [Linux-ima-user] [PATCH 2/2] main: added support for loading IMA custom policies
Date: Mon, 20 Feb 2012 18:21:50 +0100 [thread overview]
Message-ID: <20120220172149.GF26356@tango.0pointer.de> (raw)
In-Reply-To: <CAPdpN3AAwJ6s-fOgTCV4h4OCKCw3RhEav56LJaUXWVpuf4Jowg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
On Thu, 16.02.12 12:30, Gustavo Sverzut Barbieri (barbieri-Y3ZbgMPKUGA34EUeqzHoZw@public.gmane.org) wrote:
> > Since the policy loading can be implemented in different ways depending
> > on the init system (systemd, upstart, ...), an user must identify the
> > components to be measured for each case. Instead, if the IMA policy is
> > loaded in the main Systemd executable, only this file must be measured
> > by the boot loader.
>
> Then I wonder: why not make an ima-init binary that:
> - does ima_setup()
> - exec systemd || upstart || ...
>
> this way you only have to audit this very small file and not systemd
> itself, it's very early and so on.
We worked really hard on being able to load the SELinux policy without
any unnecessary (re-)execs. I don't think we should reopen that problem
by loading IMA from a pre-init tool. Also, the management of such a
thing would seriously suck (i.e. you'd probably need something like
update-alternatives, and that sucks), especially since we now already
taught the initrd to spawn /usr/lib/systemd/systemd directly, instead of
/sbin/init.
Lennart
--
Lennart Poettering - Red Hat, Inc.
next prev parent reply other threads:[~2012-02-20 17:21 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-02-15 13:23 [PATCH 1/2] systemd: mount the securityfs filesystem at early stage Roberto Sassu
2012-02-15 13:23 ` [PATCH 2/2] main: added support for loading IMA custom policies Roberto Sassu
[not found] ` <1329312229-11856-2-git-send-email-roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-15 14:30 ` [systemd-devel] " Gustavo Sverzut Barbieri
2012-02-15 16:26 ` Roberto Sassu
[not found] ` <4F3BDCAA.7040001-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-15 16:55 ` [systemd-devel] " Gustavo Sverzut Barbieri
[not found] ` <CAPdpN3C0xDeVBrbDxesPdEV+owf-q_wxUHTmr4YDCHw=NgPV1Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-02-15 17:12 ` Roberto Sassu
[not found] ` <4F3BE763.9060704-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-16 4:56 ` [Linux-ima-user] " Michael Cassaniti
2012-02-16 13:19 ` Mimi Zohar
2012-02-16 13:38 ` Roberto Sassu
2012-02-16 14:30 ` Gustavo Sverzut Barbieri
[not found] ` <CAPdpN3AAwJ6s-fOgTCV4h4OCKCw3RhEav56LJaUXWVpuf4Jowg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-02-16 14:35 ` Roberto Sassu
2012-02-16 21:50 ` Gustavo Sverzut Barbieri
2012-02-20 17:24 ` [Linux-ima-user] " Lennart Poettering
2012-02-20 19:06 ` [systemd-devel] " Roberto Sassu
2012-02-20 19:18 ` Lennart Poettering
[not found] ` <20120220191804.GD360-kS5D54t9nk0aINubkmmoJbNAH6kLmebB@public.gmane.org>
2012-02-21 10:05 ` Roberto Sassu
[not found] ` <4F436C7A.9020206-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-21 13:01 ` [Linux-ima-user] [systemd-devel] " Mimi Zohar
2012-02-21 13:58 ` Roberto Sassu
2012-02-21 16:15 ` Mimi Zohar
2012-02-21 17:32 ` Roberto Sassu
[not found] ` <4F43D532.7070006-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-21 17:54 ` Mimi Zohar
2012-02-21 17:56 ` Kay Sievers
[not found] ` <CAPXgP10zCVgj4gDTzkJ1+XqKSHhjrCHwkUazJ8caaeMF2j+mMg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-02-21 18:07 ` Roberto Sassu
[not found] ` <4F43DD49.2040202-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-21 19:06 ` Kay Sievers
2012-02-21 14:07 ` [systemd-devel] [Linux-ima-user] " Colin Guthrie
2012-02-21 14:32 ` Kay Sievers
[not found] ` <CAPXgP13c1B80u14E4FrhZEJ89NDvDP--ciWikz0j+m4En6zPRQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-02-21 16:14 ` Mimi Zohar
2012-02-21 18:25 ` Roberto Sassu
2012-02-21 12:25 ` [Linux-ima-user] [systemd-devel] " Mimi Zohar
2012-02-20 17:21 ` Lennart Poettering [this message]
[not found] ` <4F3C8C6F.4010708-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2012-02-20 17:18 ` [systemd-devel] [Linux-ima-user] " Lennart Poettering
2012-02-20 17:14 ` [systemd-devel] " Lennart Poettering
2012-02-20 18:36 ` Roberto Sassu
[not found] ` <4F4292A4.2030402-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-20 19:07 ` Lennart Poettering
2012-02-21 9:17 ` Roberto Sassu
2012-02-20 17:13 ` Lennart Poettering
2012-02-20 17:12 ` Lennart Poettering
2012-02-20 18:23 ` Roberto Sassu
[not found] ` <4F428FB0.3000200-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-20 18:52 ` Lennart Poettering
[not found] ` <20120220185236.GB360-kS5D54t9nk0aINubkmmoJbNAH6kLmebB@public.gmane.org>
2012-02-20 19:11 ` Roberto Sassu
[not found] ` <1329312229-11856-1-git-send-email-roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-20 17:04 ` [systemd-devel] [PATCH 1/2] systemd: mount the securityfs filesystem at early stage Lennart Poettering
[not found] ` <20120220170436.GA26356-kS5D54t9nk0aINubkmmoJbNAH6kLmebB@public.gmane.org>
2012-02-20 18:02 ` Roberto Sassu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120220172149.GF26356@tango.0pointer.de \
--to=lennart-mdgvqq1h2p+gdvjs77bj7q@public.gmane.org \
--cc=barbieri-Y3ZbgMPKUGA34EUeqzHoZw@public.gmane.org \
--cc=harald-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=initramfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-ima-user-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org \
--cc=linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=m.cassaniti-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=ramunno-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org \
--cc=roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org \
--cc=systemd-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.