* Question on IMA Policy
@ 2018-07-06 9:46 Martin Townsend
2018-07-06 11:59 ` Mimi Zohar
0 siblings, 1 reply; 3+ messages in thread
From: Martin Townsend @ 2018-07-06 9:46 UTC (permalink / raw)
To: linux-integrity
Hi,

If I have a root filesystem signed for IMA/EVM could I have a policy
that says appraise every file on this filesystem? Looking through the
source code I think I could use

appraise fsuuid=uuid-of-root-fs appraise_type=imasig

Would this do what I want?

Many Thanks,
Martin.
* Re: Question on IMA Policy
2018-07-06 9:46 Question on IMA Policy Martin Townsend
@ 2018-07-06 11:59 ` Mimi Zohar
2018-07-06 13:32 ` Martin Townsend
0 siblings, 1 reply; 3+ messages in thread
From: Mimi Zohar @ 2018-07-06 11:59 UTC (permalink / raw)
To: Martin Townsend, linux-integrity
Hi Martin,
On Fri, 2018-07-06 at 10:46 +0100, Martin Townsend wrote:
> Hi,
>
> If I have a root filesystem signed for IMA/EVM could I have a policy
> that says appraise every file on this filesystem? Looking through the
> source code I think I could use
>
> appraise fsuuid=uuid-of-root-fs appraise_type=imasig
>
> Would this do what I want?
Yes, that looks right. Remember all files on this filesystem will be
considered "immutable", meaning you won't be able to write/update
them, only delete them.
Mimi
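
A pre-flight check for the rule discussed above, as an added example that is not part of the thread or of the kernel sources: it builds the rule from a validated UUID and classifies `security.ima` values, because under `appraise_type=imasig` a file whose xattr is missing or holds only a hash fails appraisal. Function names and sample values are hypothetical; `getfattr` (attr package) and `findmnt` are assumed to be installed on the target.

```shell
#!/bin/sh
# Added example; function names and sample values are constructed.

# Build the rule from the thread for one filesystem UUID (8-4-4-4-12 hex).
ima_rule_for_uuid() {
    uuid=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    if [ "${#uuid}" -ne 36 ] || ! printf '%s\n' "$uuid" |
        grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        echo "not a filesystem UUID: $1" >&2
        return 1
    fi
    printf 'appraise fsuuid=%s appraise_type=imasig\n' "$uuid"
}

# Classify a security.ima value as printed by `getfattr -e hex`.
# The first byte is the xattr type: 0x03 is a digital signature,
# 0x01 and 0x04 are plain hashes, which appraise_type=imasig rejects.
ima_xattr_kind() {
    case $1 in
        '')            echo missing ;;
        0x03*)         echo signature ;;
        0x01*|0x04*)   echo hash ;;
        *)             echo other ;;
    esac
}

# List regular files under $1 (same filesystem only, -xdev) whose
# security.ima is not a signature. Requires getfattr (attr package).
files_failing_imasig() {
    find "$1" -xdev -type f -exec sh -c '
        for f; do
            v=$(getfattr -n security.ima -e hex "$f" 2>/dev/null |
                sed -n "s/^security\.ima=//p")
            case $v in 0x03*) ;; *) printf "%s\n" "$f" ;; esac
        done' sh {} +
}

# Typical use on the target, before loading the rule (not run here):
#   ima_rule_for_uuid "$(findmnt -no UUID /)"
#   files_failing_imasig /
```

An empty list from `files_failing_imasig` only shows that every file carries a signature-type xattr; whether each signature verifies against a key on the IMA keyring is a separate check.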
* Re: Question on IMA Policy
2018-07-06 11:59 ` Mimi Zohar
@ 2018-07-06 13:32 ` Martin Townsend
0 siblings, 0 replies; 3+ messages in thread
From: Martin Townsend @ 2018-07-06 13:32 UTC (permalink / raw)
To: zohar; +Cc: linux-integrity
Hi Mimi,
On Fri, Jul 6, 2018 at 12:59 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
>
> Hi Martin,
>
> On Fri, 2018-07-06 at 10:46 +0100, Martin Townsend wrote:
> > Hi,
> >
> > If I have a root filesystem signed for IMA/EVM could I have a policy
> > that says appraise every file on this filesystem? Looking through the
> > source code I think I could use
> >
> > appraise fsuuid=uuid-of-root-fs appraise_type=imasig
> >
> > Would this do what I want?
>
> Yes, that looks right. Remember all files on this filesystem will be
> considered "immutable", meaning you won't be able to write/update
> them, only delete them.
>
Thank you and being immutable is fine.
> Mimi
>