Problem: failed to load SELinux-specific IMA rule.
Description: I tried to add a custom IMA policy with SELinux-specific rules on my PC.
Here is what I have done:
- add the rule "measure obj_type=ima_test_t" to /etc/ima/policy, which now contains:
measure func=BPRM_CHECK
# dont_measure func=FILE_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
# measure func=FILE_CHECK mask=MAY_READ uid=0
measure func=MODULE_CHECK uid=0
# appraise fowner=0
measure func=FILE_MMAP mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0
measure func=MODULE_CHECK
measure obj_type=ima_test_t
- edit the file /etc/initramfs-tools/hooks/ima.sh (copies the policy into the initramfs):
#!/bin/sh -e
PREREQS=""
case $1 in
prereqs)
    echo "${PREREQS}"
    exit 0
    ;;
esac
. /usr/share/initramfs-tools/hook-functions
echo "Adding IMA binaries"
# copy custom files to initramfs
mkdir -p "$DESTDIR/etc/ima"
cp -a /etc/ima/policy "$DESTDIR/etc/ima"
exit 0
- edit the file /etc/initramfs-tools/scripts/local-top/ima.sh (writes the policy at boot):
#!/bin/sh -e
PREREQ=""
prereqs()
{
    echo "$PREREQ"
}
case "$1" in
prereqs)
    prereqs
    exit 0
    ;;
esac
. /scripts/functions
# securityfs is not mounted yet at this point of the initramfs
mount -n -t securityfs securityfs /sys/kernel/security
# write the policy, skipping comment lines
grep -v "^#" /etc/ima/policy > /sys/kernel/security/ima/policy
- update the initramfs:
update-initramfs -k "$(uname -r)" -u
- reboot with the boot parameters "ima_policy=tcb" "appraise_ima=off"
After rebooting, cat /sys/kernel/security/ima/policy does not show "measure obj_type=ima_test_t".
I searched for answers and finally got a tip from this page: https://sourceforge.net/p/linux-ima/wiki/Home/#defining-an-lsm-specific-policy
"If the IMA policy contains LSM labels, then the LSM policy must be loaded prior to the IMA policy. (e.g. if systemd loads the SELinux policy, then systemd must also load the IMA policy.)"
I tried the following ways:
- mv /etc/initramfs-tools/scripts/local-top/ima.sh /etc/initramfs-tools/scripts/local-bottom/ima.sh
- mv /etc/initramfs-tools/scripts/local-top/ima.sh /etc/initramfs-tools/scripts/local-init/ima.sh
- mv /etc/initramfs-tools/scripts/local-top/ima.sh /etc/initramfs-tools/scripts/init-top/ima.sh
- mv /etc/initramfs-tools/scripts/local-top/ima.sh /etc/initramfs-tools/scripts/init-premount/ima.sh
- mv /etc/initramfs-tools/scripts/local-top/ima.sh /etc/initramfs-tools/scripts/init-bottom/ima.sh
but none of them succeeded.
Has anyone faced the same problem?
Environment:
Deepin 4.19.0-arm64-desktop (IMA enabled)
question from:
https://stackoverflow.com/questions/65878879/failed-to-add-selinux-specific-rule-to-ima-policy
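The wiki sentence quoted in the question is the whole explanation. The kernel resolves obj_type= (and the other obj_*/subj_* conditions) against the loaded SELinux policy while it parses the rule, so a rule written before that policy exists is rejected, and once a rule in a write session has been rejected the kernel drops the rules written in that session on close instead of keeping the valid subset. Every initramfs-tools stage runs before init on the real root loads the SELinux policy, which is why moving the script between local-top, init-premount and the other directories changed nothing. Below is an added example, not code from the question or from initramfs-tools, of a small loader that checks that gate before writing, writes one rule per write(2) within a single open of the policy file, and prints the exact rule the kernel rejects. It assumes SELinux is the LSM (it treats the pre-policy context name "kernel", read from /proc/self/attr/current, as "policy not loaded yet"), takes the /etc/ima/policy path from the question, and keeps every path overridable so the logic can be exercised against scratch files without root.

```shell
#!/bin/sh
# Added example (not code from the question or from initramfs-tools): load an
# IMA policy only once the LSM policy its rules refer to is in the kernel,
# write it one rule per write(2) inside a single open/close of the policy
# interface, and name the exact rule the kernel rejects instead of losing the
# whole policy silently. Assumes SELinux as the LSM. Paths are overridable so
# the logic can be exercised against scratch files without root.

IMA_POLICY_SRC="${IMA_POLICY_SRC:-/etc/ima/policy}"                      # path used in the question
IMA_POLICY_SYSFS="${IMA_POLICY_SYSFS:-/sys/kernel/security/ima/policy}"  # kernel policy interface
PROC_ATTR_CURRENT="${PROC_ATTR_CURRENT:-/proc/self/attr/current}"        # this task's SELinux context

# Return 0 if any non-comment rule in file $1 carries an LSM label condition
# (obj_*/subj_*=); such rules can only be parsed after the LSM policy is loaded.
policy_needs_lsm() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -Eq '(^|[[:space:]])(obj|subj)_(user|role|type)='
}

# Return 0 once an SELinux policy is loaded. Before that the kernel reports every
# task's context as the initial SID name "kernel"; with SELinux absent the read
# fails, and there is nothing for label rules to bind to either way.
lsm_policy_loaded() {
    ctx=$( { tr -d '\000' < "$1"; } 2>/dev/null ) || return 1
    [ -n "$ctx" ] && [ "$ctx" != "kernel" ]
}

# Feed policy file $1 to interface $2: one rule per write(2), all within one
# open/close, because the kernel commits (or, after any rejected rule, discards)
# the session's rules on close. Rejected rules are printed on stderr; returns 1
# if any rule was rejected or the interface could not be opened.
load_ima_policy() {
    src="$1"; dst="$2"; rc=0
    {
        while IFS= read -r rule || [ -n "$rule" ]; do
            rule=${rule#"${rule%%[![:space:]]*}"}      # strip leading whitespace
            case "$rule" in ''|\#*) continue ;; esac   # the kernel skips these too
            if ! printf '%s\n' "$rule" >&3; then
                printf 'rejected IMA rule: %s\n' "$rule" >&2
                rc=1
            fi
        done < "$src"
        true
    } 3> "$dst" || return 1
    return "$rc"
}

# Gate: do not even try to load label-bearing rules before the LSM is ready.
# Exit status 2 means "retry later", 1 means a real failure.
main() {
    [ -r "$IMA_POLICY_SRC" ] || { printf 'no IMA policy at %s\n' "$IMA_POLICY_SRC" >&2; return 1; }
    if policy_needs_lsm "$IMA_POLICY_SRC" && ! lsm_policy_loaded "$PROC_ATTR_CURRENT"; then
        printf 'IMA policy uses LSM labels but no SELinux policy is loaded yet\n' >&2
        return 2
    fi
    load_ima_policy "$IMA_POLICY_SRC" "$IMA_POLICY_SYSFS"
}

# Runs automatically only when invoked under the suggested name ima-load.sh;
# sourcing the file just defines the functions.
case "$0" in *ima-load*) main "$@" ;; esac
```

Run it as root once the SELinux policy is in place, for instance from a service ordered after policy load, rather than from the initramfs; it exits 2 while the policy is still missing so a caller can retry. Where systemd is PID 1 and its build has IMA support enabled, the route the wiki quote suggests needs no custom script at all: systemd reads /etc/ima/ima-policy and writes it to the same interface right after it has loaded the SELinux policy, so placing the rules at that path and dropping the initramfs scripts gives the required ordering.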