Relates: https://issues.redhat.com/browse/RHEL-92638
Conflict: None
commit 47853f2cf6575812d28093b750be2f2e897c153d
Author: Coiby Xu <coxu@redhat.com>
Date: Thu Oct 16 17:29:52 2025 +0800
Use RSAHEADER to tell if a package has been signed
Packages now use RPM v4 signature %{RSAHEADER}. %{SIGPGP} is the name
of the RPM v3 header+payload signature and can't be used to tell if
a package has been signed,
# uname -r
6.16.10-200.fc42.x86_64
# rpm -q --queryformat "%{SIGPGP:pgpsig}\n" --all|grep -c "^(none)$"
586
# rpm -q --queryformat "%{RSAHEADER}\n" --all|grep -c "^(none)$"
5
Signed-off-by: Coiby Xu <coxu@redhat.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Resolves: https://issues.redhat.com/browse/RHEL-92638
Conflict: Caused by a typo that exists in upstream
commit ac36e54bee77c82bd7f48a507d014a1ec0055645
Author: Coiby Xu <coxu@redhat.com>
Date: Thu Jul 10 16:53:18 2025 +0800
ima-setup: rebuild all initramfs images to include the integrity dracut module
Resolves: https://issues.redhat.com/browse/RHEL-92638
Quoting Raju,
ima-setup currently only rebuild the initramfs of running kernel, so
the older kernel's(n-1 or n-2) initramfs does contain an outdated
information or it does not contain ima module, as a result the system
fails to boot with older kernel.
It is always recommended to have at least 2 older kernel's kept
installed on the system as a fallback option in case if the latest
kernel fails to boot due to some unforeseen issue. So that we can boot
the system with older kernel to troubleshoot the can't boot issue with
older kernel.
Suggested-by: Raju Cheerla <rcheerla@redhat.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Resolves: https://issues.redhat.com/browse/RHEL-100320
Upstream: Fedora
Conflict: None
Some IMA signatures from the RPM database may fail the verification
because they can be changed. For examples, the following files on F41
can't pass IMA signature verification,
/usr/lib64/gconv/gconv-modules.cache
/boot/grub2/grubenv
/var/lib/selinux/targeted/active/commit_num
/var/lib/selinux/targeted/active/file_contexts
/etc/ssh/sshd_config
/etc/yum.repos.d/fedora-updates.repo
/etc/yum.repos.d/fedora.repo
/etc/group
/etc/gshadow
The kernel ima=fix mode won't generate IMA hash reference value for
files with IMA signature. As a result, users can be denied the access to
some files. So remove security.ima if a file fail the verification.
Relates: https://issues.redhat.com/browse/RHEL-82392
Conflict: None
Upstream Status: https://src.fedoraproject.org/rpms/ima-evm-utils.git
commit 7b800d82d0947fd0e75e92997a3aec7af079c1cc
Author: Coiby Xu <coxu@redhat.com>
Date: Tue Feb 25 13:24:33 2025 +0800
ima-setup: fix two shellcheck warnings
Fix the following two shellcheck warnings,
In ima-setup.sh line 36:
echo "$policy_file doesn't exist"
^----------^ SC2154 (warning): policy_file is referenced but not assigned.
In ima-setup.sh line 41:
reinstall_threshold=${_opt#*=}
^-----------------^ SC2034 (warning): reinstall_threshold appears unused. Verify use (or export if used externally).
Signed-off-by: Coiby Xu <coxu@redhat.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Resolves: https://issues.redhat.com/browse/RHEL-34778
Conflict: None
Upstream Status: https://src.fedoraproject.org/rpms/ima-evm-utils.git
commit 83b610d7edee02804dc1cecab8e151728925e90b
Author: Coiby Xu <coxu@redhat.com>
Date: Wed Oct 16 13:48:01 2024 +0800
Skip some file systems for appraisal
Resolves: https://issues.redhat.com/browse/RHEL-62817
When 01-appraise-exectuables-and-lib-signatures is enabled, no login
screen is available for user to log in. This happens because IMA stops
gnome-shell from creating some temp files as can been from the audit log,
type=INTEGRITY_DATA msg=audit(1728700747.130:10235): pid=3240 uid=42 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 op=appraise_data cause=IMA-signature-required comm="gnome-shell" name="/dev/shm/#3223" dev="tmpfs" ino=3223 res=0 errno=0UID="gdm" AUID="unset"
type=INTEGRITY_DATA msg=audit(1728700747.130:10236): pid=3240 uid=42 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 op=appraise_data cause=IMA-signature-required comm="gnome-shell" name="/run/user/42/#454" dev="tmpfs" ino=454 res=0 errno=0UID="gdm" AUID="unset"
type=INTEGRITY_DATA msg=audit(1728700747.131:10237): pid=3240 uid=42 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 op=appraise_data cause=IMA-signature-required comm="gnome-shell" name="memfd:libffi" dev="tmpfs" ino=578 res=0 errno=0UID="gdm" AUID="unset"
Skip the file systems as listed in
https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy
Reported-by: Raju Cheerla <rcheerla@redhat.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Resolves: https://issues.redhat.com/browse/RHEL-34778
Conflict: fix a typo
Upstream Status: https://src.fedoraproject.org/rpms/ima-evm-utils.git
commit 62f613cbb7e1753b2e8fa0ce547c02be24842b22
Author: Coiby Xu <coxu@redhat.com>
Date: Mon Jun 3 14:39:06 2024 +0800
ima-setup: include the integrity module for the default kernel
ima-setup may run after a new kernel is installed. Detect this case by
checking if the default kernel is the running kernel.
Suggested-by: Marko Myllynen <myllynen@redhat.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Resolves: https://issues.redhat.com/browse/RHEL-34778
Conflict: None
Upstream Status: https://src.fedoraproject.org/rpms/ima-evm-utils.git
commit 141a74d96ab3cdee1b0d2cf6a0cba19337920e02
Author: Coiby Xu <coxu@redhat.com>
Date: Tue May 28 09:54:19 2024 +0800
ima-setup: Allow users to specify custom reinstall_threshold
Some users may use custom built packages and we are not sure about the
number of this type of packages. So make reinstall_threshold
configurable.
Suggested-by: Marko Myllynen <myllynen@redhat.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Resolves: https://issues.redhat.com/browse/RHEL-34778
Conflict: Upstream has -libs subpackage
Upstream Status: https://src.fedoraproject.org/rpms/ima-evm-utils.git
commit 8980421a049c776e2b77e534793aafb925b3ad48
Author: Coiby Xu <coiby.xu@gmail.com>
Date: Mon May 6 17:48:52 2024 +0800
Add some IMA setup tools
Some IMA setup tools are added to ease IMA setup which will do
the following tasks,
- add IMA signatures to installed packages files
- load IMA keys and policy
- enable the dracut integrity module to load IMA keys and policy
automatically
Two IMA polices as suggested by Stefan Berger are also provided which
will be signed automatically with other package files.
Thanks to Marko Myllynen for coming up with the idea to have a tool
similar to fips-mode-setup. And thanks to Mimi Zohar and Stefan Berger
for providing the feedback!
Signed-off-by: Coiby Xu <coxu@redhat.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
