* Selinux policy for x509_ima.der public certificate loaded by kernel during boot
@ 2020-11-06 12:22 rishi gupta
2020-11-06 15:12 ` Mikhail Novosyolov
0 siblings, 1 reply; 6+ messages in thread
From: rishi gupta @ 2020-11-06 12:22 UTC (permalink / raw)
To: linux-integrity, selinux-refpolicy, selinux
I am getting below error as selinux is denying access to the .ima
keyring. Looking for guidance for asymmetric public key selinux
policy.
[ 172.014855] integrity: Request for unknown key 'id:87deb3bf' err -13
[ 172.015035] audit: type=1800 audit(1604596570.579:240): pid=825
uid=1021 auid=4294967295 ses=4294967295
subj=system_u:system_r:mydaemon_t:s0-s15:c0.c1023 op="appraise_data"
cause="invalid-signature" comm="mydaemon"
name="/usr/lib/libstdc++.so.6.0.25" dev="ubifs" ino=14353 res=0
(a) Do I need to set the selinux context of file
/etc/keys/x509_ima.der. If yes what it should be.
(b) Do I need to set some selinux rule for .ima keyring. If yes how. I
tried a lot but could not find any resource.
Regards,
Rishi
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Selinux policy for x509_ima.der public certificate loaded by kernel during boot
2020-11-06 12:22 Selinux policy for x509_ima.der public certificate loaded by kernel during boot rishi gupta
@ 2020-11-06 15:12 ` Mikhail Novosyolov
2020-11-06 15:50 ` rishi gupta
0 siblings, 1 reply; 6+ messages in thread
From: Mikhail Novosyolov @ 2020-11-06 15:12 UTC (permalink / raw)
To: rishi gupta, linux-integrity, selinux-refpolicy, selinux
06.11.2020 15:22, rishi gupta пишет:
> I am getting below error as selinux is denying access to the .ima
> keyring. Looking for guidance for asymmetric public key selinux
> policy.
>
> [ 172.014855] integrity: Request for unknown key 'id:87deb3bf' err -13
I am getting the same error without selinux.
>
> [ 172.015035] audit: type=1800 audit(1604596570.579:240): pid=825
> uid=1021 auid=4294967295 ses=4294967295
> subj=system_u:system_r:mydaemon_t:s0-s15:c0.c1023 op="appraise_data"
> cause="invalid-signature" comm="mydaemon"
> name="/usr/lib/libstdc++.so.6.0.25" dev="ubifs" ino=14353 res=0
Selinux context is just logged here. It has nothing to do with reasons of ivalid signature. Public key seems to be not loaded.
>
> (a) Do I need to set the selinux context of file
> /etc/keys/x509_ima.der. If yes what it should be.
> (b) Do I need to set some selinux rule for .ima keyring. If yes how. I
> tried a lot but could not find any resource.
Usually IMA policy is loaded before SELinux policy I think
>
> Regards,
> Rishi
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Selinux policy for x509_ima.der public certificate loaded by kernel during boot
2020-11-06 15:12 ` Mikhail Novosyolov
@ 2020-11-06 15:50 ` rishi gupta
2020-11-06 22:15 ` Mikhail Novosyolov
0 siblings, 1 reply; 6+ messages in thread
From: rishi gupta @ 2020-11-06 15:50 UTC (permalink / raw)
To: Mikhail Novosyolov; +Cc: linux-integrity, selinux-refpolicy, selinux
On Fri, Nov 6, 2020 at 8:42 PM Mikhail Novosyolov
<m.novosyolov@rosalinux.ru> wrote:
>
> 06.11.2020 15:22, rishi gupta пишет:
> > I am getting below error as selinux is denying access to the .ima
> > keyring. Looking for guidance for asymmetric public key selinux
> > policy.
> >
> > [ 172.014855] integrity: Request for unknown key 'id:87deb3bf' err -13
> I am getting the same error without selinux.
If I make selinux permissive, it works for me. So I know in my case
the problem is selinux.
> >
> > [ 172.015035] audit: type=1800 audit(1604596570.579:240): pid=825
> > uid=1021 auid=4294967295 ses=4294967295
> > subj=system_u:system_r:mydaemon_t:s0-s15:c0.c1023 op="appraise_data"
> > cause="invalid-signature" comm="mydaemon"
> > name="/usr/lib/libstdc++.so.6.0.25" dev="ubifs" ino=14353 res=0
> Selinux context is just logged here. It has nothing to do with reasons of ivalid signature. Public key seems to be not loaded.
Basically when we access a file, driver checks if selinux allow access
to it or not. In my case this function is returning -EACCES
https://github.com/torvalds/linux/blob/master/security/keys/permission.c#L88
> >
> > (a) Do I need to set the selinux context of file
> > /etc/keys/x509_ima.der. If yes what it should be.
> > (b) Do I need to set some selinux rule for .ima keyring. If yes how. I
> > tried a lot but could not find any resource.
> Usually IMA policy is loaded before SELinux policy I think
I am using the policy defined in ima_policy driver as of now. My kernel is 4.14.
> >
> > Regards,
> > Rishi
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Selinux policy for x509_ima.der public certificate loaded by kernel during boot
2020-11-06 15:50 ` rishi gupta
@ 2020-11-06 22:15 ` Mikhail Novosyolov
2020-11-09 15:44 ` rishi gupta
0 siblings, 1 reply; 6+ messages in thread
From: Mikhail Novosyolov @ 2020-11-06 22:15 UTC (permalink / raw)
To: rishi gupta; +Cc: linux-integrity, selinux-refpolicy, selinux
06.11.2020 18:50, rishi gupta пишет:
> On Fri, Nov 6, 2020 at 8:42 PM Mikhail Novosyolov
> <m.novosyolov@rosalinux.ru> wrote:
>> 06.11.2020 15:22, rishi gupta пишет:
>>> I am getting below error as selinux is denying access to the .ima
>>> keyring. Looking for guidance for asymmetric public key selinux
>>> policy.
>>>
>>> [ 172.014855] integrity: Request for unknown key 'id:87deb3bf' err -13
>> I am getting the same error without selinux.
> If I make selinux permissive, it works for me. So I know in my case
> the problem is selinux.
>>> [ 172.015035] audit: type=1800 audit(1604596570.579:240): pid=825
>>> uid=1021 auid=4294967295 ses=4294967295
>>> subj=system_u:system_r:mydaemon_t:s0-s15:c0.c1023 op="appraise_data"
>>> cause="invalid-signature" comm="mydaemon"
>>> name="/usr/lib/libstdc++.so.6.0.25" dev="ubifs" ino=14353 res=0
>> Selinux context is just logged here. It has nothing to do with reasons of ivalid signature. Public key seems to be not loaded.
> Basically when we access a file, driver checks if selinux allow access
> to it or not. In my case this function is returning -EACCES
> https://github.com/torvalds/linux/blob/master/security/keys/permission.c#L88
>>> (a) Do I need to set the selinux context of file
>>> /etc/keys/x509_ima.der. If yes what it should be.
>>> (b) Do I need to set some selinux rule for .ima keyring. If yes how. I
>>> tried a lot but could not find any resource.
>> Usually IMA policy is loaded before SELinux policy I think
> I am using the policy defined in ima_policy driver as of now. My kernel is 4.14.
What is "ima_policy driver"? How does selinux and IMA policies get loaded on your system?
>>> Regards,
>>> Rishi
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Selinux policy for x509_ima.der public certificate loaded by kernel during boot
2020-11-06 22:15 ` Mikhail Novosyolov
@ 2020-11-09 15:44 ` rishi gupta
2020-11-10 20:45 ` Mimi Zohar
0 siblings, 1 reply; 6+ messages in thread
From: rishi gupta @ 2020-11-09 15:44 UTC (permalink / raw)
To: Mikhail Novosyolov; +Cc: linux-integrity, selinux-refpolicy, selinux
On Sat, Nov 7, 2020 at 3:45 AM Mikhail Novosyolov
<m.novosyolov@rosalinux.ru> wrote:
>
>
> 06.11.2020 18:50, rishi gupta пишет:
> > On Fri, Nov 6, 2020 at 8:42 PM Mikhail Novosyolov
> > <m.novosyolov@rosalinux.ru> wrote:
> >> 06.11.2020 15:22, rishi gupta пишет:
> >>> I am getting below error as selinux is denying access to the .ima
> >>> keyring. Looking for guidance for asymmetric public key selinux
> >>> policy.
> >>>
> >>> [ 172.014855] integrity: Request for unknown key 'id:87deb3bf' err -13
> >> I am getting the same error without selinux.
> > If I make selinux permissive, it works for me. So I know in my case
> > the problem is selinux.
> >>> [ 172.015035] audit: type=1800 audit(1604596570.579:240): pid=825
> >>> uid=1021 auid=4294967295 ses=4294967295
> >>> subj=system_u:system_r:mydaemon_t:s0-s15:c0.c1023 op="appraise_data"
> >>> cause="invalid-signature" comm="mydaemon"
> >>> name="/usr/lib/libstdc++.so.6.0.25" dev="ubifs" ino=14353 res=0
> >> Selinux context is just logged here. It has nothing to do with reasons of ivalid signature. Public key seems to be not loaded.
> > Basically when we access a file, driver checks if selinux allow access
> > to it or not. In my case this function is returning -EACCES
> > https://github.com/torvalds/linux/blob/master/security/keys/permission.c#L88
> >>> (a) Do I need to set the selinux context of file
> >>> /etc/keys/x509_ima.der. If yes what it should be.
> >>> (b) Do I need to set some selinux rule for .ima keyring. If yes how. I
> >>> tried a lot but could not find any resource.
> >> Usually IMA policy is loaded before SELinux policy I think
> > I am using the policy defined in ima_policy driver as of now. My kernel is 4.14.
> What is "ima_policy driver"? How does selinux and IMA policies get loaded on your system?
For test purpose I am using "ima_policy=tcb ima_appraise_tcb" in the
commandline.
I have not changed anything in the policy defined in 4.14 kernel driver for now.
https://github.com/torvalds/linux/blob/bebc6082da0a9f5d47a1ea2edc099bf671058bd4/security/integrity/ima/ima_policy.c#L132
https://github.com/torvalds/linux/blob/bebc6082da0a9f5d47a1ea2edc099bf671058bd4/security/integrity/ima/ima_policy.c#L88
> >>> Regards,
> >>> Rishi
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Selinux policy for x509_ima.der public certificate loaded by kernel during boot
2020-11-09 15:44 ` rishi gupta
@ 2020-11-10 20:45 ` Mimi Zohar
0 siblings, 0 replies; 6+ messages in thread
From: Mimi Zohar @ 2020-11-10 20:45 UTC (permalink / raw)
To: rishi gupta, Mikhail Novosyolov
Cc: linux-integrity, selinux-refpolicy, selinux
On Mon, 2020-11-09 at 21:14 +0530, rishi gupta wrote:
> On Sat, Nov 7, 2020 at 3:45 AM Mikhail Novosyolov
> <m.novosyolov@rosalinux.ru> wrote:
> >
> >
> > 06.11.2020 18:50, rishi gupta пишет:
> > > On Fri, Nov 6, 2020 at 8:42 PM Mikhail Novosyolov
> > > <m.novosyolov@rosalinux.ru> wrote:
> > >> 06.11.2020 15:22, rishi gupta пишет:
> > >>> I am getting below error as selinux is denying access to the .ima
> > >>> keyring. Looking for guidance for asymmetric public key selinux
> > >>> policy.
> > >>>
> > >>> [ 172.014855] integrity: Request for unknown key 'id:87deb3bf' err -13
> > >> I am getting the same error without selinux.
> > > If I make selinux permissive, it works for me. So I know in my case
> > > the problem is selinux.
> > >>> [ 172.015035] audit: type=1800 audit(1604596570.579:240): pid=825
> > >>> uid=1021 auid=4294967295 ses=4294967295
> > >>> subj=system_u:system_r:mydaemon_t:s0-s15:c0.c1023 op="appraise_data"
> > >>> cause="invalid-signature" comm="mydaemon"
> > >>> name="/usr/lib/libstdc++.so.6.0.25" dev="ubifs" ino=14353 res=0
> > >> Selinux context is just logged here. It has nothing to do with reasons of ivalid signature. Public key seems to be not loaded.
> > > Basically when we access a file, driver checks if selinux allow access
> > > to it or not. In my case this function is returning -EACCES
> > > https://github.com/torvalds/linux/blob/master/security/keys/permission.c#L88
> > >>> (a) Do I need to set the selinux context of file
> > >>> /etc/keys/x509_ima.der. If yes what it should be.
> > >>> (b) Do I need to set some selinux rule for .ima keyring. If yes how. I
> > >>> tried a lot but could not find any resource.
> > >> Usually IMA policy is loaded before SELinux policy I think
> > > I am using the policy defined in ima_policy driver as of now. My kernel is 4.14.
> > What is "ima_policy driver"? How does selinux and IMA policies get loaded on your system?
>
> For test purpose I am using "ima_policy=tcb ima_appraise_tcb" in the
> commandline.
> I have not changed anything in the policy defined in 4.14 kernel driver for now.
> https://github.com/torvalds/linux/blob/bebc6082da0a9f5d47a1ea2edc099bf671058bd4/security/integrity/ima/ima_policy.c#L132
> https://github.com/torvalds/linux/blob/bebc6082da0a9f5d47a1ea2edc099bf671058bd4/security/integrity/ima/ima_policy.c#L88
Is root able to verify a file signature signed with this key?
Afterwards are you able to verify this file's signature?
Mimi
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2020-11-10 20:45 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-11-06 12:22 Selinux policy for x509_ima.der public certificate loaded by kernel during boot rishi gupta
2020-11-06 15:12 ` Mikhail Novosyolov
2020-11-06 15:50 ` rishi gupta
2020-11-06 22:15 ` Mikhail Novosyolov
2020-11-09 15:44 ` rishi gupta
2020-11-10 20:45 ` Mimi Zohar
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).