Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.3k views
in Technique[技术] by (71.8m points)

failed to add selinux-specific rule to IMA policy

Problem: failed to load selinux-specific IMA rule.

Descrpition:I try to add custom IMA policy with selinux-specific rules on my pc.

Here is what I have done:

  1. add rule "measure obj_type=test_ima_t" in /etc/ima/policy
measure func=BPRM_CHECK
# dont_measure func=FILE_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
# measure func=FILE_CHECK mask=MAY_READ uid=0
measure func=MODULE_CHECK uid=0
# appraise fowner=0
measure func=FILE_MMAP mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0
measure func=MODULE_CHECK


measure obj_type=ima_test_t

  1. edit file /etc/initramfs-tools/hooks/ima.sh
#!/bin/sh -e
PREREQS=""
case $1 in
prereqs)
        echo "${PREREQS}"; 
        exit 0
        ;;
esac
. /usr/share/initramfs-tools/hook-functions

echo "Adding IMA binaries"

#copy custom files to initramfs
mkdir -p $DESTDIR/etc/ima
cp -a /etc/ima/policy $DESTDIR/etc/ima

exit 0

  1. edit file /etc/initramfs-tools/scripts/local-top/ima.sh
#!/bin/sh -e

PRER                                                                               
Your system is not activated. Please activate as soon as possible for normal use.
                                                                               
prereqs()
{
        echo "$PREREQ"
}

case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac

. /scripts/functions
mount -n -t securityfs securityfs /sys/kernel/security
cat /etc/ima/policy | grep -v "^#" > /sys/kernel/security/ima/policy

  1. update the initramfs
 update-initramfs  -k `uname -r` -u

  1. reboot with boot parameter "ima_policy=tcb" "appraise_ima=off"

  2. after reboot, cat /sys/kernel/security/ima/policy donot show "measure obj_type=ima_test_t"

I search answers and finally get some tips from https://sourceforge.net/p/linux-ima/wiki/Home/#defining-an-lsm-specific-policy

"If the IMA policy contains LSM labels, then the LSM policy must be loaded prior to the IMA policy. (eg. if systemd loads the SELinux policy, then systemd must also load the IMA policy."

I tried the following ways:

  • mv /etc/initramfs-tools/scripts/local-top/ima.sh /etc/initramfs-tools/scripts/local-bottom/ima.sh
  • mv /etc/initramfs-tools/scripts/local-top/ima.sh /etc/initramfs-tools/scripts/local-init/ima.sh
  • mv /etc/initramfs-tools/scripts/local-top/ima.sh /etc/initramfs-tools/scripts/init-top/ima.sh
  • mv /etc/initramfs-tools/scripts/local-top/ima.sh /etc/initramfs-tools/scripts/init-premount/ima.sh
  • mv /etc/initramfs-tools/scripts/local-top/ima.sh /etc/initramfs-tools/scripts/init-bottom/ima.sh but no one succeed.

Any one faced the same problem?

Enviroment: Deepin 4.19.0-arm64-desktop (IMA enabled)

question from:https://stackoverflow.com/questions/65878879/failed-to-add-selinux-specific-rule-to-ima-policy

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)
Waitting for answers

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...