[PATCH v5 3/4] LSM: Define SELinux function to measure state and policy
Lakshmi Ramasubramanian
nramas at linux.microsoft.com
Mon Aug 3 16:14:16 UTC 2020
On 8/3/20 8:11 AM, Stephen Smalley wrote:
>
> Possibly I'm missing something but with these patches applied on top of
> next-integrity, and the following lines added to /etc/ima/ima-policy:
>
> measure func=LSM_STATE template=ima-buf
> measure func=LSM_POLICY
>
> I still don't get the selinux-state or selinux-policy-hash entries in
> the ascii_runtime_measurements file. No errors during loading of the
> ima policy as far as I can see.
>
Could you please check if the following config is set?

CONFIG_IMA_QUEUE_EARLY_BOOT_DATA=y

Try changing /sys/fs/selinux/checkreqprot and check
ascii_runtime_measurements file again?

Also, could you please check if
/sys/kernel/security/integrity/ima/policy contains LSM_STATE and
LSM_POLICY entries?

-lakshmi
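
The three checks asked for in the reply above, as an added read-only shell example (not part of the original message or of the patch series). The function names and the kernel config path `/boot/config-$(uname -r)` are assumptions; `LSM_STATE`, `LSM_POLICY` and the `selinux-state` / `selinux-policy-hash` entry names are taken from the thread.

```shell
#!/bin/sh
# Added example: read-only checks only; nothing under /sys is written.
IMA_DIR=/sys/kernel/security/integrity/ima   # path from the thread

# Succeeds if <config-file> sets <OPTION>=y.
config_enabled() {
    grep -q "^$2=y\$" "$1" 2>/dev/null
}

# Succeeds if <policy-file> has a "measure" rule with func=<FUNC>.
policy_has_func() {
    grep -Eq "^[[:space:]]*measure[[:space:]].*func=$2([[:space:]]|\$)" "$1" 2>/dev/null
}

# Prints how many lines of <measurements-file> mention <event-name>.
count_events() {
    n=$(grep -c -F -- "$2" "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# Runs all checks; returns non-zero if any of them fails.
diagnose() {   # diagnose <config-file> <policy-file> <measurements-file>
    rc=0
    if config_enabled "$1" CONFIG_IMA_QUEUE_EARLY_BOOT_DATA; then
        echo "ok:   CONFIG_IMA_QUEUE_EARLY_BOOT_DATA=y"
    else
        echo "FAIL: CONFIG_IMA_QUEUE_EARLY_BOOT_DATA not set in $1"; rc=1
    fi
    for f in LSM_STATE LSM_POLICY; do
        if policy_has_func "$2" "$f"; then
            echo "ok:   loaded policy has measure func=$f"
        else
            echo "FAIL: no measure func=$f rule in $2"; rc=1
        fi
    done
    for e in selinux-state selinux-policy-hash; do
        n=$(count_events "$3" "$e")
        if [ "$n" -gt 0 ]; then echo "ok:   $n $e entries"
        else echo "FAIL: no $e entries in $3"; rc=1; fi
    done
    return $rc
}

# Run against the live system only when asked to (config path is an assumption).
if [ "${1:-}" = "--run" ]; then
    diagnose "/boot/config-$(uname -r)" "$IMA_DIR/policy" \
             "$IMA_DIR/ascii_runtime_measurements"
fi
```

Run it as root with `--run`; reading `$IMA_DIR/policy` additionally requires a kernel built with `CONFIG_IMA_READ_POLICY`.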