[Rpm-maint] [rpm-software-management/rpm] Request to apply IMA signatures to files even if deemed a configuration file (#364)

patrickc25000 notifications at github.com
Tue Nov 28 16:16:14 UTC 2017

While using the relatively new "--signfiles" rpm option (i.e. rpm --addsign [--signfiles] PACKAGE), I found that IMA signatures for non-executable configuration files, as indicated by the RPM packager, were not applied as part of an RPM upgrade (and I assume installation) even though the signatures for these configuration files were in the metadata for the RPM package. Conceptually, IMHO, the author of the IMA policy in place for the system should be determining what files are appraised (and therefore need  IMA signatures affixed to them) and not the packager of an RPM. If the author of the IMA policy wants to appraise certain files of an RPM package, whether they are configuration files or not, why shouldn't they be allowed to do this and allowed to use RPM to update the appraised files. On some systems, for example embedded systems or appliances like a smart phone, where these configuration files are not allowed to be altered (i.e. are immutable), the owner of the system should be allowed to specify an IMA policy that protects these immutable configuration files from alteration. Of course, if the author of the IMA policy cannot prevent the configuration file from being updated, for example, the IMA policy is running on a system which is open and users can logon and edit configuration files or if the post install script of the RPM updates the configuration file, and many more examples, then the author of the IMA policy cannot list the file as being appraised since for their use of the RPM, the configuration file is mutable. 

Therefore, could the RPM IMA signature support be changed so that the RPM updating code treats the configuration file(s) like any other file and sets an IMA signature on them. The signature is an extended attribute of course (i.e. security.ima) and therefore ignored if the configuration file is not in the IMA policy as being appraised (which given how the code works today, the configuration file cannot be in the IMA policy because appraisal will fail due to the signature missing).

Thank you.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20171128/a48a0df8/attachment-0001.html>

More information about the Rpm-maint mailing list