Resolves: https://issues.redhat.com/browse/RHEL-34778
Conflict: None
Upstream Status: https://src.fedoraproject.org/rpms/ima-evm-utils.git
commit 83b610d7edee02804dc1cecab8e151728925e90b
Author: Coiby Xu <coxu@redhat.com>
Date: Wed Oct 16 13:48:01 2024 +0800
Skip some file systems for appraisal
Resolves: https://issues.redhat.com/browse/RHEL-62817
When 01-appraise-exectuables-and-lib-signatures is enabled, no login
screen is available for the user to log in. This happens because IMA stops
gnome-shell from creating some temp files, as can be seen from the audit log,
type=INTEGRITY_DATA msg=audit(1728700747.130:10235): pid=3240 uid=42 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 op=appraise_data cause=IMA-signature-required comm="gnome-shell" name="/dev/shm/#3223" dev="tmpfs" ino=3223 res=0 errno=0UID="gdm" AUID="unset"
type=INTEGRITY_DATA msg=audit(1728700747.130:10236): pid=3240 uid=42 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 op=appraise_data cause=IMA-signature-required comm="gnome-shell" name="/run/user/42/#454" dev="tmpfs" ino=454 res=0 errno=0UID="gdm" AUID="unset"
type=INTEGRITY_DATA msg=audit(1728700747.131:10237): pid=3240 uid=42 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 op=appraise_data cause=IMA-signature-required comm="gnome-shell" name="memfd:libffi" dev="tmpfs" ino=578 res=0 errno=0UID="gdm" AUID="unset"
Skip the file systems as listed in
https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy
Reported-by: Raju Cheerla <rcheerla@redhat.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Resolves: https://issues.redhat.com/browse/RHEL-34778
Conflict: Upstream has -libs subpackage
Upstream Status: https://src.fedoraproject.org/rpms/ima-evm-utils.git
commit 8980421a049c776e2b77e534793aafb925b3ad48
Author: Coiby Xu <coiby.xu@gmail.com>
Date: Mon May 6 17:48:52 2024 +0800
Add some IMA setup tools
Some IMA setup tools are added to ease IMA setup which will do
the following tasks,
- add IMA signatures to installed packages files
- load IMA keys and policy
- enable the dracut integrity module to load IMA keys and policy
automatically
Two IMA policies as suggested by Stefan Berger are also provided which
will be signed automatically with other package files.
Thanks to Marko Myllynen for coming up with the idea to have a tool
similar to fips-mode-setup. And thanks to Mimi Zohar and Stefan Berger
for providing the feedback!
Signed-off-by: Coiby Xu <coxu@redhat.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
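
The audit records quoted in the first commit message can be triaged mechanically when an appraisal policy blocks a service. The following Python is an added example, not part of either commit or of ima-evm-utils: it groups INTEGRITY_DATA appraisal failures with cause=IMA-signature-required by the dev field, so the file systems involved stand out. Sample records 4 and 5, including the dm-0 device and the example-tool name, are constructed.

```python
import re
from collections import defaultdict

# Sample input. Records 1-3 are the ones quoted in the commit message, cut down
# to the fields used here; records 4-5 are constructed for illustration.
SAMPLE = '''\
type=INTEGRITY_DATA msg=audit(1728700747.130:10235): op=appraise_data cause=IMA-signature-required comm="gnome-shell" name="/dev/shm/#3223" dev="tmpfs" ino=3223 res=0 errno=0
type=INTEGRITY_DATA msg=audit(1728700747.130:10236): op=appraise_data cause=IMA-signature-required comm="gnome-shell" name="/run/user/42/#454" dev="tmpfs" ino=454 res=0 errno=0
type=INTEGRITY_DATA msg=audit(1728700747.131:10237): op=appraise_data cause=IMA-signature-required comm="gnome-shell" name="memfd:libffi" dev="tmpfs" ino=578 res=0 errno=0
type=INTEGRITY_DATA msg=audit(1700000000.000:1): op=appraise_data cause=IMA-signature-required comm="example-tool" name="/usr/local/bin/example-tool" dev="dm-0" ino=99 res=0 errno=0
type=INTEGRITY_DATA msg=audit(1700000000.000:2): op=appraise_data cause=invalid-signature comm="example-tool" name="/tmp/x" dev="tmpfs" ino=7 res=0 errno=0
'''

# key=value pairs; a value is either a double-quoted string or a bare token.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the key=value fields of one audit record as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def appraisal_denials(log_text):
    """Map dev -> [(comm, name), ...] for failed appraisals lacking a signature."""
    by_dev = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if (rec.get("type") == "INTEGRITY_DATA"
                and rec.get("op") == "appraise_data"
                and rec.get("cause") == "IMA-signature-required"
                and rec.get("res") == "0"):
            by_dev[rec.get("dev", "?")].append((rec.get("comm"), rec.get("name")))
    return dict(by_dev)


if __name__ == "__main__":
    for dev, hits in appraisal_denials(SAMPLE).items():
        print(f"{dev}: {len(hits)} denied")
        for comm, name in hits:
            print(f"    {comm} -> {name}")
```

Denials on a device such as tmpfs are runtime-created files that cannot carry a signature; denials on a disk-backed device point to installed files that still need one.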