SELinux, LSM and ima_policy rules

SELinux, LSM and ima_policy rules

[Lev Olshvang]

Hello everybody.

I learned recently that IMA kernel security  subsystem can be integrated with LSMs, such as SELinux, Smack, ...
https://sourceforge.net/p/linux-ima/wiki/Home/

https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy

It was present in kernel since v3.8 but not google does not know much about the usability.

Does anybody have any experience or references which I can read to learn restrictions, performance impact or just use cases? 

ThanX!
Lev.



_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies

Re: SELinux, LSM and ima_policy rules

[valdis.kletnieks]

On Mon, 04 Feb 2019 11:38:19 +0300, Lev Olshvang said:
> I learned recently that IMA kernel security  subsystem can be integrated with LSMs, such as SELinux, Smack, ...
> https://sourceforge.net/p/linux-ima/wiki/Home/
>
> https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy
>
> It was present in kernel since v3.8 but not google does not know much about the usability.

Note that although it's been in the tree since v3.8, the ability to stack LSMs
is much more recent.  That means that if you had IMA running, you couldn't have
SELinux or AppArmor active. Thus the lack of usability documentation.

You'll need a working and enabled TPM chipset in your system to use this. If
your BIOS has a 'secure boot' option, you have a TPM (though secure boot isn't
needed for IMA, but if you're deploying IMA, you may as well go the whole way
and do secure boot as well).

I'm not sure anybody has reliable overhead numbers, as it will be fairly system
specific.  Also, the sort of people who would run IMA are more concerned about
security than throughput.....


_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies