SELinux, LSM and ima_policy rules

valdis.kletnieks at vt.edu valdis.kletnieks at vt.edu
Mon Feb 4 17:06:26 EST 2019


On Mon, 04 Feb 2019 11:38:19 +0300, Lev Olshvang said:
> I learned recently that the IMA kernel security subsystem can be integrated with LSMs, such as SELinux, Smack, ...
> https://sourceforge.net/p/linux-ima/wiki/Home/
>
> https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy
>
> It has been present in the kernel since v3.8, but Google does not know much about the usability.

Note that although it's been in the tree since v3.8, the ability to stack LSMs
is much more recent.  That means that if you had IMA running, you couldn't have
SELinux or AppArmor active. Thus the lack of usability documentation.

You'll need a working and enabled TPM chipset in your system to use this. If
your BIOS has a 'secure boot' option, you have a TPM (secure boot isn't
needed for IMA, but if you're deploying IMA, you may as well go the whole way
and do secure boot as well).

I'm not sure anybody has reliable overhead numbers, as it will be fairly system
specific.  Also, the sort of people who would run IMA are more concerned about
security than throughput...
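The ima_policy ABI document linked in the question defines the rule grammar (an action followed by base conditions such as func=/mask=/fsmagic= and LSM conditions such as subj_type=/obj_type=). The script below is an added example, not code from either poster or from the IMA project: it lints a constructed policy that mixes base and SELinux-label conditions before anything is written to securityfs, and checks /sys/kernel/security/lsm to show whether the label conditions can match at all. The keyword lists follow Documentation/ABI/testing/ima_policy; the policy file contents, the SELinux types used in it and the temporary file path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): lint an IMA policy that mixes base
# conditions with SELinux label conditions before handing it to the kernel.
# Keyword lists are taken from Documentation/ABI/testing/ima_policy; the
# policy contents below are constructed for illustration.

ACTIONS="measure dont_measure appraise dont_appraise audit hash dont_hash"
BASE_KEYS="func mask fsmagic fsuuid uid euid fowner fsname"
LSM_KEYS="subj_user subj_role subj_type obj_user obj_role obj_type"
OPTION_KEYS="appraise_type template appraise_flag keyrings"
# FILE_MMAP is the older spelling of MMAP_CHECK; the kernel accepts both.
FUNCS="FILE_CHECK MMAP_CHECK FILE_MMAP BPRM_CHECK CREDS_CHECK MODULE_CHECK
FIRMWARE_CHECK KEXEC_KERNEL_CHECK KEXEC_INITRAMFS_CHECK POLICY_CHECK"

# in_list WORD "LIST": true if WORD is one of the space-separated LIST items
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# lint_rule "RULE": returns 0 for a well-formed rule; otherwise prints the
# reason and returns 1. Hook names (func=) are checked against FUNCS; LSM
# label values are opaque to IMA, so only the key is checked for those.
lint_rule() {
    set -- $1
    action=$1
    shift
    in_list "$action" "$ACTIONS" || { echo "unknown action: $action"; return 1; }
    for tok in "$@"; do
        case $tok in
            permit_directio) continue ;;
            *=*) key=${tok%%=*}; val=${tok#*=} ;;
            *) echo "bad token: $tok"; return 1 ;;
        esac
        if in_list "$key" "$BASE_KEYS $OPTION_KEYS"; then
            if [ "$key" = func ] && ! in_list "$val" "$FUNCS"; then
                echo "unknown func: $val"; return 1
            fi
        elif in_list "$key" "$LSM_KEYS"; then
            :   # valid syntax; whether it matches depends on the active LSM
        else
            echo "unknown key: $key"; return 1
        fi
    done
    return 0
}

# lint_policy FILE: prints the number of malformed rules (comments and blank
# lines are skipped) and reports each problem on stderr.
lint_policy() {
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|\#*) continue ;; esac
        msg=$(lint_rule "$line") || { bad=$((bad + 1)); echo "line $n: $msg" >&2; }
    done < "$1"
    echo "$bad"
}

# subj_*/obj_* conditions only ever match when SELinux is the running LSM,
# so check /sys/kernel/security/lsm before relying on them.
selinux_active() {
    [ -r /sys/kernel/security/lsm ] && grep -q selinux /sys/kernel/security/lsm
}

# Constructed policy: skip proc/sysfs, measure what executes, measure root's
# reads, measure files SELinux labels shadow_t, appraise what init_t executes.
# The last line carries a deliberate typo so the linter has something to find.
POLICY=${TMPDIR:-/tmp}/ima-policy-example.$$
cat > "$POLICY" <<'EOF'
# constructed example policy (assumed SELinux types: shadow_t, init_t)
dont_measure fsmagic=0x9fa0
dont_measure fsmagic=0x62656572
measure func=BPRM_CHECK mask=MAY_EXEC
measure func=MMAP_CHECK mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0
measure func=FILE_CHECK obj_type=shadow_t
appraise func=BPRM_CHECK subj_type=init_t appraise_type=imasig
meausre func=FILE_CHECK
EOF

BAD=$(lint_policy "$POLICY")
echo "malformed rules in $POLICY: $BAD"
if selinux_active; then
    echo "SELinux is active: subj_*/obj_* conditions can match"
else
    echo "SELinux not listed in /sys/kernel/security/lsm: label rules never match"
fi
# Only a clean policy should reach securityfs (as root, on an IMA-enabled kernel):
#   [ "$BAD" -eq 0 ] && cat "$POLICY" > /sys/kernel/security/ima/policy
```

The linter only catches syntax the kernel would reject outright; it cannot tell you whether a label such as shadow_t exists in the loaded SELinux policy, which is why the selinux_active check matters. Note also that once a custom policy has been written to /sys/kernel/security/ima/policy the kernel rejects further writes unless it was built with CONFIG_IMA_WRITE_POLICY, so linting before the first load is cheaper than discovering a typo after a reboot.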



