From: rishi gupta <gupt21@gmail.com>
To: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
Cc: linux-integrity <linux-integrity@vger.kernel.org>,
selinux-refpolicy@vger.kernel.org, selinux@vger.kernel.org
Subject: Re: Selinux policy for x509_ima.der public certificate loaded by kernel during boot
Date: Mon, 9 Nov 2020 21:14:14 +0530 [thread overview]
Message-ID: <CALUj-gtQsSnU0Yq5Syc7aOkN0PH_MHvziuuG1-9zotVUAJ2QoQ@mail.gmail.com> (raw)
In-Reply-To: <bdd1becf-c72d-876a-cd9b-cef7b6fe55e9@rosalinux.ru>
On Sat, Nov 7, 2020 at 3:45 AM Mikhail Novosyolov
<m.novosyolov@rosalinux.ru> wrote:
>
>
> 06.11.2020 18:50, rishi gupta пишет:
> > On Fri, Nov 6, 2020 at 8:42 PM Mikhail Novosyolov
> > <m.novosyolov@rosalinux.ru> wrote:
> >> 06.11.2020 15:22, rishi gupta пишет:
> >>> I am getting below error as selinux is denying access to the .ima
> >>> keyring. Looking for guidance for asymmetric public key selinux
> >>> policy.
> >>>
> >>> [ 172.014855] integrity: Request for unknown key 'id:87deb3bf' err -13
> >> I am getting the same error without selinux.
> > If I make selinux permissive, it works for me. So I know in my case
> > the problem is selinux.
> >>> [ 172.015035] audit: type=1800 audit(1604596570.579:240): pid=825
> >>> uid=1021 auid=4294967295 ses=4294967295
> >>> subj=system_u:system_r:mydaemon_t:s0-s15:c0.c1023 op="appraise_data"
> >>> cause="invalid-signature" comm="mydaemon"
> >>> name="/usr/lib/libstdc++.so.6.0.25" dev="ubifs" ino=14353 res=0
> >> Selinux context is just logged here. It has nothing to do with reasons of ivalid signature. Public key seems to be not loaded.
> > Basically when we access a file, driver checks if selinux allow access
> > to it or not. In my case this function is returning -EACCES
> > https://github.com/torvalds/linux/blob/master/security/keys/permission.c#L88
> >>> (a) Do I need to set the selinux context of file
> >>> /etc/keys/x509_ima.der. If yes what it should be.
> >>> (b) Do I need to set some selinux rule for .ima keyring. If yes how. I
> >>> tried a lot but could not find any resource.
> >> Usually IMA policy is loaded before SELinux policy I think
> > I am using the policy defined in ima_policy driver as of now. My kernel is 4.14.
> What is "ima_policy driver"? How does selinux and IMA policies get loaded on your system?
For test purpose I am using "ima_policy=tcb ima_appraise_tcb" in the
commandline.
I have not changed anything in the policy defined in 4.14 kernel driver for now.
https://github.com/torvalds/linux/blob/bebc6082da0a9f5d47a1ea2edc099bf671058bd4/security/integrity/ima/ima_policy.c#L132
https://github.com/torvalds/linux/blob/bebc6082da0a9f5d47a1ea2edc099bf671058bd4/security/integrity/ima/ima_policy.c#L88
> >>> Regards,
> >>> Rishi
next prev parent reply other threads:[~2020-11-09 15:44 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-06 12:22 Selinux policy for x509_ima.der public certificate loaded by kernel during boot rishi gupta
2020-11-06 15:12 ` Mikhail Novosyolov
2020-11-06 15:50 ` rishi gupta
2020-11-06 22:15 ` Mikhail Novosyolov
2020-11-09 15:44 ` rishi gupta [this message]
2020-11-10 20:45 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CALUj-gtQsSnU0Yq5Syc7aOkN0PH_MHvziuuG1-9zotVUAJ2QoQ@mail.gmail.com \
--to=gupt21@gmail.com \
--cc=linux-integrity@vger.kernel.org \
--cc=m.novosyolov@rosalinux.ru \
--cc=selinux-refpolicy@vger.kernel.org \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).