ima-setup: include the integrity module for the default kernel

Resolves: https://issues.redhat.com/browse/RHEL-34778 Conflict: fix a typo Upstream Status: https://src.fedoraproject.org/rpms/ima-evm-utils.git commit 62f613cbb7e1753b2e8fa0ce547c02be24842b22 Author: Coiby Xu <coxu@redhat.com> Date: Mon Jun 3 14:39:06 2024 +0800 ima-setup: include the integrity module for the default kernel ima-setup may run after a new kernel is installed. Detect this case by checking if the default kernel is the running kernel. Suggested-by: Marko Myllynen <myllynen@redhat.com> Signed-off-by: Coiby Xu <coxu@redhat.com> Signed-off-by: Coiby Xu <coxu@redhat.com>
2024-06-08 03:16:47 +08:00 · 2024-06-08 03:16:47 +08:00 · 6e0f7dff8d
commit 6e0f7dff8d
parent 15abff6d5f
1 changed files with 9 additions and 0 deletions
--- a/ima-setup.sh
+++ b/ima-setup.sh
@ -124,6 +124,15 @@ if ! lsinitrd --mod | grep -q integrity; then
 	cp --preserve=xattr /usr/share/ima/dracut-98-integrity.conf /etc/dracut.conf.d/98-integrity.conf
 	echo "Rebuilding the initramfs of kernel-$(uname -r) to include the dracut integrity module"
 	dracut -f
+
+	if command -v grubby >/dev/null; then
+		_default_kernel=$(grubby --default-kernel | sed -En "s/.*vmlinuz-(.*)/\1/p")
+		if [[ $_default_kernel != $(uname -r) ]]; then
+			echo "Current kernel is not the default kernel ($_default_kernel), include dracut integrity for it as well"
+			dracut -f --kver "$_default_kernel"
+		fi
+	fi
+
 fi

 if ! load_ima_policy "$ima_policy_path"; then