Re: [PATCH v5 3/4] LSM: Define SELinux function to measure state and policy

[PATCH v5 0/4] LSM: Measure security module data · Lakshmi Ramasubramanian <hidden> · 2020-07-30
[PATCH v5 1/4] IMA: Add func to measure LSM state and policy · Lakshmi Ramasubramanian <hidden> · 2020-07-30
Re: [PATCH v5 1/4] IMA: Add func to measure LSM state and policy · Tyler Hicks <hidden> · 2020-07-30
Re: [PATCH v5 1/4] IMA: Add func to measure LSM state and policy · Lakshmi Ramasubramanian <hidden> · 2020-07-30
Re: [PATCH v5 1/4] IMA: Add func to measure LSM state and policy · Tyler Hicks <hidden> · 2020-07-30
Re: [PATCH v5 1/4] IMA: Add func to measure LSM state and policy · Casey Schaufler <casey@schaufler-ca.com> · 2020-07-30
Re: [PATCH v5 1/4] IMA: Add func to measure LSM state and policy · Lakshmi Ramasubramanian <hidden> · 2020-07-30
[PATCH v5 3/4] LSM: Define SELinux function to measure state and policy · Lakshmi Ramasubramanian <hidden> · 2020-07-30
Re: [PATCH v5 3/4] LSM: Define SELinux function to measure state and policy · Stephen Smalley <stephen.smalley.work@gmail.com> · 2020-08-03
Re: [PATCH v5 3/4] LSM: Define SELinux function to measure state and policy · Lakshmi Ramasubramanian <hidden> · 2020-08-03
Re: [PATCH v5 3/4] LSM: Define SELinux function to measure state and policy · Stephen Smalley <stephen.smalley.work@gmail.com> · 2020-08-03
Re: [PATCH v5 3/4] LSM: Define SELinux function to measure state and policy · Stephen Smalley <stephen.smalley.work@gmail.com> · 2020-08-03
Re: [PATCH v5 3/4] LSM: Define SELinux function to measure state and policy · Lakshmi Ramasubramanian <hidden> · 2020-08-03
Re: [PATCH v5 3/4] LSM: Define SELinux function to measure state and policy · Stephen Smalley <stephen.smalley.work@gmail.com> · 2020-08-03
Re: [PATCH v5 3/4] LSM: Define SELinux function to measure state and policy · Lakshmi Ramasubramanian <hidden> · 2020-08-03
Re: [PATCH v5 3/4] LSM: Define SELinux function to measure state and policy · Stephen Smalley <stephen.smalley.work@gmail.com> · 2020-08-04
Re: [PATCH v5 3/4] LSM: Define SELinux function to measure state and policy · Stephen Smalley <stephen.smalley.work@gmail.com> · 2020-08-04
Re: [PATCH v5 3/4] LSM: Define SELinux function to measure state and policy · Lakshmi Ramasubramanian <hidden> · 2020-08-04
[PATCH v5 4/4] IMA: Handle early boot data measurement · Lakshmi Ramasubramanian <hidden> · 2020-07-30
Re: [PATCH v5 4/4] IMA: Handle early boot data measurement · Lakshmi Ramasubramanian <hidden> · 2020-07-30
Re: [PATCH v5 4/4] IMA: Handle early boot data measurement · Tyler Hicks <hidden> · 2020-07-30
[PATCH v5 2/4] IMA: Define IMA hooks to measure LSM state and policy · Lakshmi Ramasubramanian <hidden> · 2020-07-30
Re: [PATCH v5 2/4] IMA: Define IMA hooks to measure LSM state and policy · Tyler Hicks <hidden> · 2020-07-30

From: Lakshmi Ramasubramanian <hidden>
Date: 2020-08-03 16:14:17
Also in: linux-integrity, lkml, selinux

On 8/3/20 8:11 AM, Stephen Smalley wrote:

Possibly I'm missing something but with these patches applied on top of 
next-integrity, and the following lines added to /etc/ima/ima-policy:

measure func=LSM_STATE template=ima-buf
measure func=LSM_POLICY

I still don't get the selinux-state or selinux-policy-hash entries in 
the ascii_runtime_measurements file.  No errors during loading of the 
ima policy as far as I can see.

Could you please check if the following config is set?
CONFIG_IMA_QUEUE_EARLY_BOOT_DATA=y

Try changing /sys/fs/selinux/checkreqprot and check 
ascii_runtime_measurements file again?

Also, could you please check if
/sys/kernel/security/integrity/ima/policy contains LSM_STATE and 
LSM_POLICY entries?

  -lakshmi

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help