From: Mimi Zohar <zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
To: Kay Sievers <kay.sievers-tD+1rO4QERM@public.gmane.org>
Cc: Colin Guthrie <gmane-D409yXkIzt2rnn0nCzrM/w@public.gmane.org>,
initramfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
systemd-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org,
linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [systemd-devel] [Linux-ima-user] [PATCH 2/2] main: added support for loading IMA custom policies
Date: Tue, 21 Feb 2012 11:14:11 -0500 [thread overview]
Message-ID: <1329840852.2186.39.camel@falcor> (raw)
In-Reply-To: <CAPXgP13c1B80u14E4FrhZEJ89NDvDP--ciWikz0j+m4En6zPRQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
On Tue, 2012-02-21 at 15:32 +0100, Kay Sievers wrote:
> On Tue, Feb 21, 2012 at 15:07, Colin Guthrie <gmane-D409yXkIzt2rnn0nCzrM/w@public.gmane.org> wrote:
>
> >> The code for loading IMA custom policies was placed in the initial
> >> ramdisk with the purpose to avoid distribution specific dependencies.
In a trusted-grub, or equivalent environment, the kernel, initramfs, and
kernel boot options are measured. The main reason for loading the IMA
policy in the initramfs was that the policy would be included in the
initramfs measurement.
Mimi
> >> However, since the SELinux initialization has been moved to Systemd
> >> and Systemd itself will be used by the major distributions, i think
> >> placing the IMA code here is the best solution, even if it is not the
> >> most general.
> >
> > Just for reference, not all distros use the same initrd generator
> > anyway. We're trying to move to dracut, but it's certainly not universal
> > at the moment. I think Suse use something else (maybe they plan to move
> > to dracut too?) and I've no idea about Ubuntu but I doubt they use dracut.
> >
> > So I'd suggest that at the moment, systemd will actually get you wider
> > coverage... although that's just a slightly ill-informed and hand-wave
> > analysis on my part. Either way, I think it's better in systemd :D
>
> Sounds right. The initramfs is definitely less generic than systemd
> is. Almost every distro has still its own here. The situation today
> with initramfs generators can probably not get more distro-specific;
> it is still almost at its maximum. :)
>
> So the thinking of moving anything to the initramfs to avoid the Linux
> distro balcanization problem will usually not work out.
>
> Kay
next prev parent reply other threads:[~2012-02-21 16:14 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-02-15 13:23 [PATCH 1/2] systemd: mount the securityfs filesystem at early stage Roberto Sassu
2012-02-15 13:23 ` [PATCH 2/2] main: added support for loading IMA custom policies Roberto Sassu
[not found] ` <1329312229-11856-2-git-send-email-roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-15 14:30 ` [systemd-devel] " Gustavo Sverzut Barbieri
2012-02-15 16:26 ` Roberto Sassu
[not found] ` <4F3BDCAA.7040001-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-15 16:55 ` [systemd-devel] " Gustavo Sverzut Barbieri
[not found] ` <CAPdpN3C0xDeVBrbDxesPdEV+owf-q_wxUHTmr4YDCHw=NgPV1Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-02-15 17:12 ` Roberto Sassu
[not found] ` <4F3BE763.9060704-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-16 4:56 ` [Linux-ima-user] " Michael Cassaniti
2012-02-16 13:19 ` Mimi Zohar
2012-02-16 13:38 ` Roberto Sassu
2012-02-16 14:30 ` Gustavo Sverzut Barbieri
[not found] ` <CAPdpN3AAwJ6s-fOgTCV4h4OCKCw3RhEav56LJaUXWVpuf4Jowg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-02-16 14:35 ` Roberto Sassu
2012-02-16 21:50 ` Gustavo Sverzut Barbieri
2012-02-20 17:24 ` [Linux-ima-user] " Lennart Poettering
2012-02-20 19:06 ` [systemd-devel] " Roberto Sassu
2012-02-20 19:18 ` Lennart Poettering
[not found] ` <20120220191804.GD360-kS5D54t9nk0aINubkmmoJbNAH6kLmebB@public.gmane.org>
2012-02-21 10:05 ` Roberto Sassu
[not found] ` <4F436C7A.9020206-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-21 13:01 ` [Linux-ima-user] [systemd-devel] " Mimi Zohar
2012-02-21 13:58 ` Roberto Sassu
2012-02-21 16:15 ` Mimi Zohar
2012-02-21 17:32 ` Roberto Sassu
[not found] ` <4F43D532.7070006-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-21 17:54 ` Mimi Zohar
2012-02-21 17:56 ` Kay Sievers
[not found] ` <CAPXgP10zCVgj4gDTzkJ1+XqKSHhjrCHwkUazJ8caaeMF2j+mMg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-02-21 18:07 ` Roberto Sassu
[not found] ` <4F43DD49.2040202-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-21 19:06 ` Kay Sievers
2012-02-21 14:07 ` [systemd-devel] [Linux-ima-user] " Colin Guthrie
2012-02-21 14:32 ` Kay Sievers
[not found] ` <CAPXgP13c1B80u14E4FrhZEJ89NDvDP--ciWikz0j+m4En6zPRQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-02-21 16:14 ` Mimi Zohar [this message]
2012-02-21 18:25 ` Roberto Sassu
2012-02-21 12:25 ` [Linux-ima-user] [systemd-devel] " Mimi Zohar
2012-02-20 17:21 ` [systemd-devel] [Linux-ima-user] " Lennart Poettering
[not found] ` <4F3C8C6F.4010708-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2012-02-20 17:18 ` Lennart Poettering
2012-02-20 17:14 ` [systemd-devel] " Lennart Poettering
2012-02-20 18:36 ` Roberto Sassu
[not found] ` <4F4292A4.2030402-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-20 19:07 ` Lennart Poettering
2012-02-21 9:17 ` Roberto Sassu
2012-02-20 17:13 ` Lennart Poettering
2012-02-20 17:12 ` Lennart Poettering
2012-02-20 18:23 ` Roberto Sassu
[not found] ` <4F428FB0.3000200-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-20 18:52 ` Lennart Poettering
[not found] ` <20120220185236.GB360-kS5D54t9nk0aINubkmmoJbNAH6kLmebB@public.gmane.org>
2012-02-20 19:11 ` Roberto Sassu
[not found] ` <1329312229-11856-1-git-send-email-roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
2012-02-20 17:04 ` [systemd-devel] [PATCH 1/2] systemd: mount the securityfs filesystem at early stage Lennart Poettering
[not found] ` <20120220170436.GA26356-kS5D54t9nk0aINubkmmoJbNAH6kLmebB@public.gmane.org>
2012-02-20 18:02 ` Roberto Sassu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1329840852.2186.39.camel@falcor \
--to=zohar-23vcf4htsmix0ybbhkvfkdbpr1lh4cv8@public.gmane.org \
--cc=gmane-D409yXkIzt2rnn0nCzrM/w@public.gmane.org \
--cc=initramfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=kay.sievers-tD+1rO4QERM@public.gmane.org \
--cc=linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=systemd-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox