[Rpm-maint] [PATCH 0/3] Fixes for file signatures

Stefan Berger stefanb at linux.vnet.ibm.com
Wed Sep 21 18:04:05 UTC 2016

The following series of patches addresses some issues with signatures on
files. In particular:

- some files marked as config files are also executables and therefore
  need to have a signature applied
- the IMA plugin may only run on the package install cycle rather than the
  remove cycle, which would apply the previous versions' signatures on
  the files
- some RPM packages require that the files be signed when the post-install
  scriptlets are run since they may invoke executables that
  were just installed; so we have to also run the IMA plugin on the
  scriptlet_pre plugin hook, but have to extend that hook with the rpmte
  parameter type


Stefan Berger (3):
  ima-plugin: Have executable configuration files signed
  ima-plugin: Only run the IMA plugin on package installation
  plugins: Pass rpmte to scriptlet_pre and call IMA plugin in this hook

 lib/rpmplugin.h   |  3 ++-
 lib/rpmplugins.c  |  5 +++--
 lib/rpmplugins.h  |  3 ++-
 lib/rpmscript.c   |  5 +++--
 lib/rpmscript.h   |  3 ++-
 lib/transaction.c |  2 +-
 plugins/ima.c     | 38 ++++++++++++++++++++++++++++++--------
 7 files changed, 43 insertions(+), 16 deletions(-)

