Thread (10 messages), 3 authors, 2021-03-09

Re: [PATCH v3] selinux: measure state and policy capabilities

From: Lakshmi Ramasubramanian <hidden>
Date: 2021-03-05 02:16:13
Also in: linux-integrity, lkml, selinux

On 3/4/21 5:45 PM, Paul Moore wrote:
> On Thu, Mar 4, 2021 at 2:20 PM Lakshmi Ramasubramanian
> [off-list ref] wrote:
>> On 2/12/21 8:37 AM, Lakshmi Ramasubramanian wrote:
>>
>> Hi Paul,
>>
>>> SELinux stores the configuration state and the policy capabilities
>>> in kernel memory.  Changes to this data at runtime would have an impact
>>> on the security guarantees provided by SELinux.  Measuring this data
>>> through IMA subsystem provides a tamper-resistant way for
>>> an attestation service to remotely validate it at runtime.
>>>
>>> Measure the configuration state and policy capabilities by calling
>>> the IMA hook ima_measure_critical_data().
>>
>> I have addressed your comments on the v2 patch for selinux measurement
>> using IMA. Could you please let me know if there are any other comments
>> that I need to address in this patch?
>
> The merge window just closed earlier this week, and there were a
> handful of bugs that needed to be addressed before I could look at
> this patch.  If I don't get a chance to review this patch tonight, I
> will try to get to it this weekend or early next week.

Thanks Paul.

  -lakshmi