* SELinux, LSM and ima_policy rules
From: Lev Olshvang @ 2019-02-04 8:38 UTC (permalink / raw)
To: linux-il, kernelnewbies
Hello everybody.
I learned recently that the IMA kernel security subsystem can be integrated with LSMs, such as SELinux, Smack, ...
https://sourceforge.net/p/linux-ima/wiki/Home/
https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy
It has been present in the kernel since v3.8, but Google does not know much about the usability.
Does anybody have any experience or references which I can read to learn restrictions, performance impact or just use cases?
ThanX!
Lev.
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
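Since the question is about how ima_policy rules tie into LSM labels, here is an added illustration (not part of the original post) of the rule syntax the linked ABI document describes. The SELinux type names and the PCR/appraisal choices are constructed for the example; the action keywords, func values, mask values, fsmagic numbers and the lsm condition keys (subj_type=, obj_type=, ...) are the ones documented in Documentation/ABI/testing/ima_policy. Comments must sit on their own lines; the kernel parser skips lines beginning with '#' but does not accept trailing comments after a rule.

```text
# Constructed example IMA policy with SELinux label conditions.
# Load at runtime (securityfs mounted) with:
#   cat ima-policy > /sys/kernel/security/ima/policy
# This replaces the built-in policy; unless CONFIG_IMA_WRITE_POLICY is
# enabled the policy file can be written only once per boot.

# Skip pseudo filesystems so their churn does not fill the measurement log.
# PROC_SUPER_MAGIC
dont_measure fsmagic=0x9fa0
# SYSFS_MAGIC
dont_measure fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_measure fsmagic=0x64626720
# TMPFS_MAGIC
dont_measure fsmagic=0x01021994

# Measure every binary executed from the (constructed) unconfined_t domain,
# and every file it maps executable; each measurement extends the IMA PCR
# in the TPM and appears in ascii_runtime_measurements.
measure func=BPRM_CHECK subj_type=unconfined_t
measure func=MMAP_CHECK mask=MAY_EXEC subj_type=unconfined_t

# Appraise (verify the security.ima hash or signature of) files carrying
# the constructed httpd_sys_content_t label before they are read, so a
# modified web root is refused rather than merely logged.
appraise func=FILE_CHECK mask=MAY_READ obj_type=httpd_sys_content_t

# Kernel modules are appraised regardless of who loads them.
appraise func=MODULE_CHECK
```

The subj_*/obj_* conditions are evaluated by the LSM's audit-rule matching code, which is why they only work when an LSM that implements it (SELinux or Smack) is active alongside IMA; without one those rules fail to load. For a first deployment, measure-only rules are the safer starting point: they show in /sys/kernel/security/ima/ascii_runtime_measurements what an appraise rule would later enforce, without risking a system that refuses to boot because a file lacks an xattr.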
* Re: SELinux, LSM and ima_policy rules
From: valdis.kletnieks @ 2019-02-04 22:06 UTC (permalink / raw)
To: Lev Olshvang; +Cc: linux-il, kernelnewbies
On Mon, 04 Feb 2019 11:38:19 +0300, Lev Olshvang said:
> I learned recently that the IMA kernel security subsystem can be integrated with LSMs, such as SELinux, Smack, ...
> https://sourceforge.net/p/linux-ima/wiki/Home/
>
> https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy
>
> It has been present in the kernel since v3.8, but Google does not know much about the usability.
Note that although it's been in the tree since v3.8, the ability to stack LSMs
is much more recent. That means that if you had IMA running, you couldn't have
SELinux or AppArmor active. Thus the lack of usability documentation.
You'll need a working and enabled TPM chipset in your system to use this. If
your BIOS has a 'secure boot' option, you have a TPM (though secure boot isn't
needed for IMA, but if you're deploying IMA, you may as well go the whole way
and do secure boot as well).
I'm not sure anybody has reliable overhead numbers, as it will be fairly system
specific. Also, the sort of people who would run IMA are more concerned about
security than throughput.....