How to fix: SELinux-specific rules cannot be added to the IMA policy
Problem: the SELinux-specific IMA rule fails to load.
Description: I tried to add a custom IMA policy containing an SELinux-specific rule on my machine.
Here is what I did:
- Added the rule "measure obj_type=test_ima_t" to /etc/ima/policy
measure func=BPRM_CHECK
# dont_measure func=FILE_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
# measure func=FILE_CHECK mask=MAY_READ uid=0
measure func=MODULE_CHECK uid=0
# appraise fowner=0
measure func=FILE_MMAP mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0
measure func=MODULE_CHECK
measure obj_type=ima_test_t
- Edited the file /etc/initramfs-tools/hooks/ima.sh
#!/bin/sh -e
PREREQS=""
case $1 in
prereqs)
echo "${PREREQS}";
exit 0
;;
esac
. /usr/share/initramfs-tools/hook-functions
echo "Adding IMA binaries"
#copy custom files to initramfs
mkdir -p $DESTDIR/etc/ima
cp -a /etc/ima/policy $DESTDIR/etc/ima
exit 0
- Edited the file /etc/initramfs-tools/scripts/local-top/ima.sh
#!/bin/sh -e
PREREQ=""
prereqs()
{
echo "$PREREQ"
}
case "$1" in
prereqs)
prereqs
exit 0
;;
esac
. /scripts/functions
mount -n -t securityfs securityfs /sys/kernel/security
cat /etc/ima/policy | grep -v "^#" > /sys/kernel/security/ima/policy
- Updated the initramfs
update-initramfs -k `uname -r` -u
- Rebooted with the boot parameters "ima_policy=tcb" "appraise_ima=off"
- After the reboot, cat /sys/kernel/security/ima/policy does not show "measure obj_type=ima_test_t"
I searched for an answer and finally found a hint at https://sourceforge.net/p/linux-ima/wiki/Home/#defining-an-lsm-specific-policy
which says: "If the IMA policy contains LSM labels, then the LSM policy must be loaded before the IMA policy. (For example, if systemd loads the SELinux policy, then systemd must also load the IMA policy.)"
I tried the following:
- mv /etc/initramfs-tools/scripts/local-top/ima.sh /etc/initramfs-tools/scripts/local-bottom/ima.sh
- mv /etc/initramfs-tools/scripts/local-top/ima.sh /etc/initramfs-tools/scripts/local-init/ima.sh
- mv /etc/initramfs-tools/scripts/local-top/ima.sh /etc/initramfs-tools/scripts/init-top/ima.sh
- mv /etc/initramfs-tools/scripts/local-top/ima.sh /etc/initramfs-tools/scripts/init-premount/ima.sh
- mv /etc/initramfs-tools/scripts/local-top/ima.sh /etc/initramfs-tools/scripts/init-bottom/ima.sh
but none of them worked.
Has anyone run into the same problem?
Environment: Deepin 4.19.0-arm64-desktop (IMA enabled)
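The post's scripts write the whole policy from the initramfs, before any SELinux policy exists; the kernel rejects a rule with an obj_type/obj_user/obj_role or subj_* condition at that point, and a rejected rule invalidates the batch being written. The script below is an added example, not code from the original post, showing one way to stage the load: it splits a policy file into rules that carry no LSM condition (loadable early) and rules that do (loaded only once the SELinux policy is in place). The policy and securityfs paths are the post's; the function names, the split, and the "initial SID is kernel" heuristic used to detect a loaded SELinux policy are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): stage an IMA policy so that
# rules carrying LSM labels are only written after the SELinux policy is
# loaded. Function names, the split and the SELinux check are assumptions.

IMA_POLICY_SRC=${IMA_POLICY_SRC:-/etc/ima/policy}
IMA_POLICY_FS=${IMA_POLICY_FS:-/sys/kernel/security/ima/policy}

# Conditions that need a loaded LSM policy:
# obj_user= obj_role= obj_type= subj_user= subj_role= subj_type=
LSM_COND='(^|[[:space:]])(obj|subj)_(user|role|type)='

# Drop comments and blank lines; the kernel parses one rule per line.
ima_clean_rules() {
    grep -v '^[[:space:]]*#' "$1" | { grep -v '^[[:space:]]*$' || true; }
}

# Rules that can be loaded before any LSM policy exists.
ima_plain_rules() {
    ima_clean_rules "$1" | { grep -vE "$LSM_COND" || true; }
}

# Rules that must wait for the SELinux policy.
ima_lsm_rules() {
    ima_clean_rules "$1" | { grep -E "$LSM_COND" || true; }
}

# Heuristic (assumption): selinuxfs is mounted and the caller no longer runs
# under the initial SID "kernel", which every task carries until a policy
# has been loaded.
selinux_policy_loaded() {
    [ -e /sys/fs/selinux/enforce ] &&
        [ "$(tr -d '\0' < /proc/self/attr/current)" != kernel ]
}

# Write one batch through a single open/close. Without CONFIG_IMA_WRITE_POLICY
# the kernel removes the policy file after the first successful load, so each
# stage has to go in as one pass. A rejected rule makes the write fail with
# EINVAL and the kernel discards the batch.
ima_load_batch() {
    [ -n "$1" ] || { echo "nothing to load" >&2; return 0; }
    printf '%s\n' "$1" > "$IMA_POLICY_FS"
}

# Usage: ima_load_stage plain|lsm POLICYFILE
ima_load_stage() {
    case $1 in
        plain) ima_load_batch "$(ima_plain_rules "$2")" ;;
        lsm)
            if selinux_policy_loaded; then
                ima_load_batch "$(ima_lsm_rules "$2")"
            else
                echo "SELinux policy not loaded yet; LSM rules deferred" >&2
                return 2
            fi ;;
        *) echo "usage: ima_load_stage plain|lsm POLICYFILE" >&2; return 1 ;;
    esac
}

# Stand-alone demo on a constructed policy (does not touch securityfs):
#   sh stage-ima-policy.sh demo
if [ "${1:-}" = demo ]; then
    demo=$(mktemp)
    cat > "$demo" <<'EOF'
measure func=BPRM_CHECK
# dont_measure func=FILE_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=MODULE_CHECK uid=0
measure obj_type=ima_test_t
EOF
    echo "== loadable before SELinux =="; ima_plain_rules "$demo"
    echo "== needs the SELinux policy =="; ima_lsm_rules "$demo"
    rm -f "$demo"
fi
```

Running the "plain" stage from the initramfs and the "lsm" stage from a service that is ordered after the SELinux policy load only works if the kernel was built with CONFIG_IMA_WRITE_POLICY; otherwise the policy file disappears after the first load and everything has to be written in one go after SELinux is up. The wiki hint quoted above points at the simpler route: systemd's PID 1 loads /etc/ima/ima-policy itself right after it loads the SELinux policy (when built with IMA support), so placing the full policy at that path instead of /etc/ima/policy avoids the staging entirely.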