[PATCH] ima: don't clear IMA_DIGSIG flag when setting non-IMA xattr
Mimi Zohar
zohar at linux.ibm.com
Wed Sep 10 12:21:33 UTC 2025
On Wed, 2025-09-10 at 09:36 +0800, Coiby Xu wrote:
> On Mon, Sep 08, 2025 at 04:58:05PM -0400, Mimi Zohar wrote:
> > On Mon, 2025-09-08 at 10:53 -0400, Mimi Zohar wrote:
> > > Hi Coiby,
> > >
> > > On Mon, 2025-09-08 at 19:12 +0800, Coiby Xu wrote:
> > > > >
> > > > > Even without an IMA appraise policy, the security xattrs are written out to the
> > > > > filesystem, but the IMA_DIGSIG flag is not cached.
> > > >
> > > > It seems I miss some context for the above sentence. If no IMA policy is
> > > > configured, no ima_iint_cache will be created. If you mean non-appraisal
> > > > policy, will not caching IMA_DIGSIG flag cause any problem?
> > >
> > > Sorry. What I was trying to say is that your test program illustrates the
> > > problem both with or without any of the boot command line options as you
> > > suggested - "ima_appraise=fix evm=fix ima_policy=appraise_tcb". Writing some
> > > other security xattr is a generic problem, whether the file is in policy or not,
> > > whether IMA or EVM are in fix mode or not. The rpm-plugin-ima should install
> > > the IMA signature regardless.
> >
> > My mistake. An appraise policy indeed needs to be defined for the file
> > signature to be replaced with a file hash.
>
> Thanks for the clarification! rpm-plugin-ima does try to install IMA
> signature as shown from the following strace output,
Agreed. I was referring to the SELinux label, which would be installed for new
files, but not necessarily re-installed on existing files. The test program
simplified testing. Thank you.
Mimi
More information about the Linux-security-module-archive
mailing list