[LTP] [PATCH 2/3] ima_setup.sh: Allow to load predefined policy
Mimi Zohar
zohar@linux.ibm.com
Wed Dec 11 13:18:38 CET 2024
On Tue, 2024-11-26 at 18:38 +0100, Petr Vorel wrote:
> environment variable LTP_IMA_LOAD_POLICY=1 tries to load the example policy
> if available. This should be used only if the tooling running LTP tests
> allows a reboot afterwards (because the policy may be writable only once,
> e.g. missing CONFIG_IMA_WRITE_POLICY=y, or policies can influence each
> other).
Thanks, Petr. Allowing the policy to be updated only if permitted is a good
idea. Even with the LTP_IMA_LOAD_POLICY=1 environment variable, the policy
might not be loaded. For example, when secure boot is enabled and the kernel is
configured with CONFIG_IMA_ARCH_POLICY enabled, an "appraise func=POLICY_CHECK
appraise_type=imasig" rule is loaded, requiring the IMA policy itself to be
signed.
On failure to load a policy, the ima_conditionals.sh and ima_policy.sh tests say
"TINFO: SELinux enabled in enforcing mode, this may affect test results". We
should stop blaming SELinux. :)
thanks,
Mimi
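As an added example (not part of the patch under review and not code from Petr or Mimi), the following POSIX shell functions encode the two preconditions discussed in this thread before any attempt to write the IMA policy: whether the currently loaded policy already carries the "appraise func=POLICY_CHECK appraise_type=imasig" rule (so only a signed policy will be accepted), and whether the kernel was built with CONFIG_IMA_WRITE_POLICY=y (so the policy can be extended more than once). The file paths are parameters so the check runs against constructed sample files; on a real system one would pass /sys/kernel/security/ima/policy and /boot/config-$(uname -r). The function names and the "load"/"skip-signature"/"skip-once" verdicts are this example's own, not LTP's.

```shell
#!/bin/sh
# Added example: decide whether loading an unsigned IMA policy can succeed
# before touching securityfs. Not part of LTP's ima_setup.sh.

# Returns 0 if the policy in "$1" contains the appraise rule for
# func=POLICY_CHECK with appraise_type=imasig, i.e. the rule installed
# under secure boot with CONFIG_IMA_ARCH_POLICY, which means the kernel
# only accepts a signed policy.
ima_policy_requires_signature()
{
	grep -Eq '^appraise[[:space:]].*func=POLICY_CHECK.*appraise_type=imasig' "$1"
}

# Returns 0 if the kernel config in "$1" has CONFIG_IMA_WRITE_POLICY=y,
# i.e. the policy may be written more than once; otherwise whatever was
# loaded first stays until reboot.
ima_policy_writable_multiple_times()
{
	grep -q '^CONFIG_IMA_WRITE_POLICY=y$' "$1"
}

# Prints one verdict: "skip-signature" when an unsigned policy would be
# rejected, "skip-once" when the policy is write-once, else "load".
ima_policy_load_decision()
{
	policy="$1"
	config="$2"
	if ima_policy_requires_signature "$policy"; then
		echo "skip-signature"
	elif ! ima_policy_writable_multiple_times "$config"; then
		echo "skip-once"
	else
		echo "load"
	fi
}

# Constructed sample inputs (not captured from a real system) so the
# example runs stand-alone.
demo_dir=$(mktemp -d)
printf '%s\n' 'measure func=KEXEC_KERNEL_CHECK' \
	'appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig' \
	'appraise func=POLICY_CHECK appraise_type=imasig' \
	> "$demo_dir/policy.secureboot"
printf '%s\n' 'measure func=BPRM_CHECK' > "$demo_dir/policy.plain"
printf '%s\n' 'CONFIG_IMA=y' 'CONFIG_IMA_WRITE_POLICY=y' > "$demo_dir/config.multi"
printf '%s\n' 'CONFIG_IMA=y' '# CONFIG_IMA_WRITE_POLICY is not set' > "$demo_dir/config.once"

ima_policy_load_decision "$demo_dir/policy.secureboot" "$demo_dir/config.multi"  # skip-signature
ima_policy_load_decision "$demo_dir/policy.plain" "$demo_dir/config.once"        # skip-once
ima_policy_load_decision "$demo_dir/policy.plain" "$demo_dir/config.multi"       # load
rm -rf "$demo_dir"
```

The verdict is printed rather than acted upon so a test harness can log why it skipped loading the policy, which also gives a more accurate message than the SELinux hint mentioned above.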