Kernel Newbies archive on lore.kernel.org
* SELinux, LSM and ima_policy rules
@ 2019-02-04  8:38 Lev Olshvang
From: Lev Olshvang @ 2019-02-04  8:38 UTC (permalink / raw)
  To: linux-il, kernelnewbies

Hello everybody.

I learned recently that the IMA kernel security subsystem can be integrated with LSMs, such as SELinux, Smack, ...
https://sourceforge.net/p/linux-ima/wiki/Home/

https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy

It has been present in the kernel since v3.8, but Google does not know much about the usability.

Does anybody have any experience or references which I can read to learn about restrictions, performance impact or just use cases?

ThanX!
Lev.



_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies


* Re: SELinux, LSM and ima_policy rules
From: valdis.kletnieks @ 2019-02-04 22:06 UTC (permalink / raw)
  To: Lev Olshvang; +Cc: linux-il, kernelnewbies

On Mon, 04 Feb 2019 11:38:19 +0300, Lev Olshvang said:
> I learned recently that the IMA kernel security subsystem can be integrated with LSMs, such as SELinux, Smack, ...
> https://sourceforge.net/p/linux-ima/wiki/Home/
>
> https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy
>
> It has been present in the kernel since v3.8, but Google does not know much about the usability.

Note that although it's been in the tree since v3.8, the ability to stack LSMs
is much more recent.  That means that if you had IMA running, you couldn't have
SELinux or AppArmor active. Thus the lack of usability documentation.

You'll need a working and enabled TPM chipset in your system to use this. If
your BIOS has a 'secure boot' option, you have a TPM (though secure boot isn't
needed for IMA, but if you're deploying IMA, you may as well go the whole way
and do secure boot as well).

I'm not sure anybody has reliable overhead numbers, as it will be fairly system
specific.  Also, the sort of people who would run IMA are more concerned about
security than throughput.....



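As an added example (not from either message in this thread), here is an IMA policy of the form the ima_policy ABI document describes, showing how SELinux labels appear as rule conditions next to the ordinary func=/mask=/fsmagic= conditions. The SELinux user and type names (system_u, var_log_t, auditd_log_t) are assumed for illustration; the obj_* and subj_* conditions only take effect when the LSM that defines those labels is the one actually enabled, which is why the stacking point above matters.

```text
# Illustrative custom IMA policy (example, not a shipped kernel policy).
# Comments must sit on their own line; the parser rejects trailing ones.

# Skip pseudo-filesystems whose contents change constantly.
dont_measure fsmagic=0x9fa0
dont_measure fsmagic=0x62656572
dont_measure fsmagic=0x64626720
dont_measure fsmagic=0x01021994

# LSM conditions on the object: do not measure files carrying these
# SELinux types (assumed names), which are rewritten all the time.
dont_measure obj_type=var_log_t
dont_measure obj_type=auditd_log_t

# Measure everything executed or mapped executable, and every kernel module.
measure func=BPRM_CHECK mask=MAY_EXEC
measure func=MMAP_CHECK mask=MAY_EXEC
measure func=MODULE_CHECK

# LSM condition on the subject: measure files read by processes running
# as the SELinux user system_u (assumed name).
measure func=FILE_CHECK mask=MAY_READ subj_user=system_u

# Appraise root-owned executables against an IMA signature.
appraise func=BPRM_CHECK fowner=0 appraise_type=imasig
```

A custom policy like this is loaded by writing it to the securityfs node /sys/kernel/security/ima/policy once the kernel is up; the ima_policy= boot parameter only selects among the built-in policies.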
