From: Petr Vorel <pvorel@suse.cz>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: ltp@lists.linux.it, linux-integrity@vger.kernel.org,
Roberto Sassu <roberto.sassu@huaweicloud.com>
Subject: Re: [PATCH 2/3] ima_setup.sh: Allow to load predefined policy
Date: Wed, 11 Dec 2024 20:48:36 +0100
Message-ID: <20241211194836.GE443680@pevik>
In-Reply-To: <710315f59b9378d76d226e209fee698f6bc11c06.camel@linux.ibm.com>
Hi Mimi, all,

> On Tue, 2024-11-26 at 18:38 +0100, Petr Vorel wrote:
> > Environment variable LTP_IMA_LOAD_POLICY=1 tries to load the example policy
> > if available. This should be used only if the tooling running LTP tests
> > allows a reboot afterwards (because the policy may be writable only once,
> > e.g. with CONFIG_IMA_WRITE_POLICY=y missing, or policies can influence each
> > other).
> Thanks, Petr. Allowing the policy to be updated only if permitted is a good
> idea. Even with the LTP_IMA_LOAD_POLICY=1 environment variable, the policy
> might not be loaded. For example, when secure boot is enabled and the kernel is
> configured with CONFIG_IMA_ARCH_POLICY enabled, an "appraise func=POLICY_CHECK
> appraise_type=imasig" rule is loaded, requiring the IMA policy itself to be
> signed.

Yes, it's an attempt, which can fail for various reasons. I'll add this example
of a failure to load the policy to the commit message and to the docs.

I'd like to detect whether the policy got updated, to avoid wasting time with a
SUT reboot when the policy was not updated. But this probably will not always
be possible (e.g. CONFIG_IMA_READ_POLICY not set).

> On failure to load a policy, the ima_conditionals.sh and ima_policy.sh tests say
> "TINFO: SELinux enabled in enforcing mode, this may affect test results". We
> should stop blaming SELinux. :)

This info was added for LTP shell tests, which often got affected by
SELinux/AppArmor. Because the IMA tests are written in the LTP shell API, they
get it too. The message is printed on TBROK, TFAIL and TWARN. Is this the only
place where you would like to avoid the message? Or do you want to remove the
SELinux/AppArmor warning from all IMA tests?

Kind regards,
Petr
> thanks,
> Mimi
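The policy-load attempt and the "did the policy actually change" check discussed in this thread, as an added shell example; this is not LTP's ima_setup.sh nor code from either author. The securityfs path /sys/kernel/security/ima/policy is the kernel's real node; the function names ima_policy_snapshot, ima_policy_load and ima_try_load and their return codes are this example's own convention. The two kernel behaviours it relies on are that the policy node is opened read-only only with CONFIG_IMA_READ_POLICY=y (otherwise open for read fails with EACCES) and that without CONFIG_IMA_WRITE_POLICY the node is removed after the first successful load.

```shell
#!/bin/sh
# Added example, not LTP's ima_setup.sh: try to load an IMA policy and report
# whether the active policy verifiably changed, so a SUT reboot can be skipped
# when nothing was loaded. Function names and return codes are this example's
# own convention; the securityfs path is the kernel's.

IMA_DIR="${IMA_DIR:-/sys/kernel/security/ima}"

# Print the active policy rules. Fails (rc 2) when the node is write-only,
# which is the case with CONFIG_IMA_READ_POLICY unset (open for read -> EACCES).
ima_policy_snapshot()
{
	cat "$1/policy" 2>/dev/null || return 2
}

# Append the rules in file $1 to the kernel policy under directory $2. rc 1 when
# there is nothing to load or the node is gone: without CONFIG_IMA_WRITE_POLICY
# the kernel removes the policy node after the first successful load, and a
# malformed rule makes the write itself fail.
ima_policy_load()
{
	policy="$1"; dir="$2"
	[ -f "$policy" ] || return 1
	[ -e "$dir/policy" ] || return 1
	cat "$policy" 2>/dev/null >> "$dir/policy" || return 1
}

# rc 0: policy changed (reboot worthwhile); rc 1: load failed or no change;
# rc 2: the write succeeded but the result cannot be verified because the
# policy is not readable (CONFIG_IMA_READ_POLICY unset).
ima_try_load()
{
	policy="$1"; dir="${2:-$IMA_DIR}"
	readable=1
	before=$(ima_policy_snapshot "$dir") && readable=0
	ima_policy_load "$policy" "$dir" || return 1
	[ "$readable" -eq 0 ] || return 2
	after=$(ima_policy_snapshot "$dir") || return 2
	[ "$before" != "$after" ]
}

# Usage (needs root on a real system): sh ima_try_load.sh /path/to/policy
if [ $# -eq 1 ]; then
	ima_try_load "$1"; rc=$?
	echo "ima_try_load rc=$rc (0 changed, 1 not loaded/unchanged, 2 unverifiable)"
	exit "$rc"
fi
```

The three-way result is the point: only rc 0 justifies a reboot, rc 1 means the attempt did nothing, and rc 2 is exactly the CONFIG_IMA_READ_POLICY gap where the caller has to fall back to "assume it may have changed".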