File 0552-98integrity-support-validating-the-IMA-policy-file-s.patch of Package dracut.10369
From d31e03d34cc743c6538f532704ec7fc3bc75a03d Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@us.ibm.com>
Date: Thu, 13 Oct 2016 16:49:43 -0400
Subject: [PATCH] 98integrity: support validating the IMA policy file signature
IMA validates file signatures based on the security.ima xattr. As of
Linux-4.7, instead of cat'ing the IMA policy into the securityfs policy,
the IMA policy pathname can be written, allowing the IMA policy file
signature to be validated.
This patch first attempts to write the pathname, but on failure falls
back to cat'ing the IMA policy contents .
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
---
modules.d/98integrity/ima-policy-load.sh | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules.d/98integrity/ima-policy-load.sh b/modules.d/98integrity/ima-policy-load.sh
index 0061cfff..5460d025 100755
--- a/modules.d/98integrity/ima-policy-load.sh
+++ b/modules.d/98integrity/ima-policy-load.sh
@@ -30,7 +30,8 @@ load_ima_policy()
# check the existence of the IMA policy file
[ -f "${IMAPOLICYPATH}" ] && {
info "Loading the provided IMA custom policy";
- cat ${IMAPOLICYPATH} > ${IMASECDIR}/policy;
+ echo -n "${IMAPOLICYPATH}" > ${IMASECDIR}/policy || \
+ cat "${IMAPOLICYPATH}" > ${IMASECDIR}/policy
}
return 0
--
2.13.6