mkinitrd unification across distributions
From: Roberto Sassu <roberto.sassu@polito.it>
To: Lennart Poettering <lennart@poettering.net>
Cc: Gustavo Sverzut Barbieri <barbieri@profusion.mobi>,
	initramfs@vger.kernel.org, systemd-devel@lists.freedesktop.org,
	linux-ima-user@lists.sourceforge.net,
	linux-security-module@vger.kernel.org, zohar@linux.vnet.ibm.com,
	harald@redhat.com, ramunno@polito.it
Subject: Re: [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies
Date: Tue, 21 Feb 2012 10:17:56 +0100
Message-ID: <4F436144.1010504@polito.it>
In-Reply-To: <20120220190720.GC360@tango.0pointer.de>

On 02/20/2012 08:07 PM, Lennart Poettering wrote:
> On Mon, 20.02.12 19:36, Roberto Sassu (roberto.sassu@polito.it) wrote:
>
>>
>> On 02/20/2012 06:14 PM, Lennart Poettering wrote:
>>> On Wed, 15.02.12 18:12, Roberto Sassu (roberto.sassu@polito.it) wrote:
>>>
>>>> The location of the policy file is not IMA dependent. I chose that
>>>> because it seemed to me the right place where to put this file.
>>>> So, I can easily modify the location to be distribution independent,
>>>> but I don't know which directory would be appropriate.
>>>> Any proposal?
>>>
>>> /etc/ima.conf or /etc/ima/ima.conf sound like obvious candidates.
>>>
>>
>> I prefer the first one, because the second pathname raises the problem
>> of creating a new subdirectory. However, I think we should keep the
>> word 'policy' in the file name to avoid users believing that it is a
>> configuration file.
>
> Creating a subdir is a problem? How so?
>

The problem I see is who creates the subdirectory. In the systemd case,
I think this should be accomplished in the Makefile or in the RPM
script. Other boot solutions should implement something like that,
and they need to create the subdirectory as well. This is because, as
said above, there is no IMA userspace package to perform the
operation. However, if the creation is done by the boot software,
I think this should not be a problem.


> You should use a subdir /etc/ima/ if there's the chance that sooner or
> later you might have to add another config file of some sorts to IMA. If
> you are really sure that never happens, then you don't need the dir, but
> if you are in doubt, better use one. (But this is the policy file,
> right? So I figure you might end up with adding a conf file with options
> like selinux' enforcing/permissive later on, so I think you should
> better add a dir)
>

OK, it is probably better to add a new subdirectory to support additional
IMA configuration files. Maybe Mimi Zohar knows if there are plans
to introduce new files.


> (Oh, and in contrast to what I suggested, if this is the policy file,
> and not a configuration file, the .conf suffix of course makes little sense)
>

So, finally, I think we can agree to use '/etc/ima/ima-policy' as the
pathname for the IMA custom policy.

Thanks

Roberto Sassu


> Lennart
>
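The thread settles two practical points: the policy lives at '/etc/ima/ima-policy', and whoever ships the boot component (Makefile or RPM scriptlet) creates the '/etc/ima' directory, since there is no IMA userspace package to do it. The script below is an added example, not the systemd patch under discussion and not Roberto's or Lennart's code. It shows the two halves a boot component would need: preparing the directory at install time, and at boot refusing a policy file that unprivileged users could have modified before copying its rules into the IMA securityfs interface (which PATCH 1/2 in this series makes available by mounting securityfs early). The function names, the environment variables and the sample policy rules in the test are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not systemd's code: load an IMA custom policy from the
# distribution-independent path agreed in the thread into the kernel's IMA
# securityfs interface. Function names and environment variables are
# assumptions made for this example.

IMA_POLICY_FILE="${IMA_POLICY_FILE:-/etc/ima/ima-policy}"
SECURITYFS_DIR="${SECURITYFS_DIR:-/sys/kernel/security}"

# Create the policy directory with owner-only write access. Intended for the
# package install step (Makefile or RPM scriptlet), which the thread names as
# the place to create /etc/ima because no IMA userspace package exists.
ima_policy_dir_prepare() {
    dir="$1"
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    chmod 0755 "$dir"
}

# Accept the policy only if it is a non-empty regular file that neither group
# nor others can write: a policy writable by unprivileged users could be
# rewritten to relax measurement or appraisal rules before the next boot.
# The permission check parses the first ten characters of `ls -ld` output,
# so it stays POSIX sh without relying on GNU stat/find options.
ima_policy_file_ok() {
    f="$1"
    [ -f "$f" ] && [ -s "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c1-10) || return 1
    case "$mode" in
        ?????w????|????????w?) return 1 ;;   # group-writable or world-writable
    esac
    return 0
}

# Copy the rules into <securityfs>/ima/policy. The kernel parses the rules as
# they are written and returns an error on a rule it cannot parse, so the
# exit status of the write doubles as the load result. securityfs must
# already be mounted; its ima/ directory is used as the check for that.
ima_policy_load() {
    f="$1"
    sfs="$2"
    target="$sfs/ima/policy"
    ima_policy_file_ok "$f" || { echo "ima: refusing policy $f" >&2; return 1; }
    [ -d "$sfs/ima" ] || { echo "ima: securityfs not mounted at $sfs" >&2; return 1; }
    cat "$f" > "$target" || { echo "ima: kernel rejected policy $f" >&2; return 1; }
    return 0
}

# Run the load only when explicitly requested, so the file can also be sourced
# (for example by an initramfs hook that calls ima_policy_load itself).
if [ "${IMA_POLICY_RUN:-0}" = 1 ]; then
    ima_policy_load "$IMA_POLICY_FILE" "$SECURITYFS_DIR"
fi
```

To use it from a boot script, source the file and call `ima_policy_load /etc/ima/ima-policy /sys/kernel/security` after securityfs is mounted, or run it directly with `IMA_POLICY_RUN=1`. The permission check is the part that matters most from a defender's view: the policy decides which files IMA measures or appraises, so the loader should treat a policy file that others can write as untrusted input rather than silently applying it.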

