Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp4297216pxb; Tue, 10 Nov 2020 12:46:44 -0800 (PST) X-Google-Smtp-Source: ABdhPJxFn/qlj5AAQm0J4PhM19kbps0JIPYT9l+McY1rJJK8TjWa0G1cM5KkmZGdGgYpFWMiY0bB X-Received: by 2002:a17:906:7d16:: with SMTP id u22mr21729550ejo.169.1605041204237; Tue, 10 Nov 2020 12:46:44 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1605041204; cv=none; d=google.com; s=arc-20160816; b=gus+KgJBbGyVRfpmyX0qh9Mp4G34QXvQWre8lLqnUDlcrU3xOfZKUSdZ949iGTGI5k TGl5CaNsSIzesQXLWWFtkpTwAcaFATG08wpBNUYAsS93JaKJJ1OQmol7j+0TSEqQl4B2 hOCrFrw7Mg/0s15tS8POUmuZHiDU6UAf3HlUOmJOexYWydRrPZx6r3jYWgTBhsHDTTMS PivLrHNbYEe/TjVQ3YzdzJ3ASTedk85+8Wc9+8WSGDHnGnSY/Dw5Vp+AoI/enUSA7f7u OgQrRFT5tV8n/VBQKuyTtCxV1ovcY3xcOQpArIm6ucLSjjkEBKXuEipJk3WrohMJ7eiS nqzQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id :dkim-signature; bh=2VO+94e+Dk3VB+OstCmu/TP+xBZpBf20QR+VJ2RJ4Iw=; b=CNKgj+Bqu3KFL9G8yqg5oGlqtRQMjIfaMggbroXGddebZkjQD+WtXq3UGELH8+ATWs oIXOM0btQbEXjWeD46IbQsuwI3grj72dol6CjNwkfJs7u33x5kLBdu/7FA90Hrv2p3H0 Ytmphddx31IXU5VSFXEKYCbci6TS/bd79/T1kAzi72EV7YXbhGdFGSVOtH4c5MLeqaRs Ligl9cc2IsRGVg/khvVNXo0zH0F6qhSS3uYaWcRCjowNKIXuX18moZ8YxEvs9QNLYpOD SP9on5denWGCR4uglhNEtQ1FwP1lgSdGOh8MumFtlXK61odK3ReH5Z+u0mc9sqIPr9Pt +fkA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ibm.com header.s=pp1 header.b="YAg0x/Y/"; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id u19si10007947ejc.310.2020.11.10.12.46.33; Tue, 10 Nov 2020 12:46:44 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@ibm.com header.s=pp1 header.b="YAg0x/Y/"; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726428AbgKJUp4 (ORCPT + 17 others); Tue, 10 Nov 2020 15:45:56 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:33662 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726179AbgKJUpz (ORCPT ); Tue, 10 Nov 2020 15:45:55 -0500 Received: from pps.filterd (m0098414.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 0AAKXZKE077959; Tue, 10 Nov 2020 15:45:44 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=message-id : subject : from : to : cc : date : in-reply-to : references : content-type : mime-version : content-transfer-encoding; s=pp1; bh=2VO+94e+Dk3VB+OstCmu/TP+xBZpBf20QR+VJ2RJ4Iw=; b=YAg0x/Y/qpct0OESH4xjIeGz8XzZ05jmx9EKr8K5iI8I+4MPdfJbmclxD0yfmgxs0gdK bpfXMsqB+Dnqre3jhYNhdDTpCAmBUR6m7AYhzeWnnprg1DEryUjPfqoQlF+gb6UiB36v W1ERckowXa+ZsceLu1jlI94xAy4FP2Wz62SMtpmkYzmizFZtAGrm/vopQi11tL5MGo/f 9ksykmCPvDx0qNjgOrgqGiUTu7TlIQP/l/yrtZRavStv1S4Y+V3ViMGacjd2fDJjl5Wx 5zJkvfHGGZmh5R3+yt4WTr9jtgumbKVVNCOVKLZdt2mmASAcva46LKyVN0QurvLYi9HT fA== Received: from pps.reinject (localhost [127.0.0.1]) by mx0b-001b2d01.pphosted.com with ESMTP id 34r0992tgf-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 10 Nov 2020 15:45:44 -0500 Received: from m0098414.ppops.net (m0098414.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.36/8.16.0.36) with SMTP id 0AAKXfbq078352; Tue, 10 Nov 2020 15:45:44 -0500 Received: from ppma06ams.nl.ibm.com (66.31.33a9.ip4.static.sl-reverse.com [169.51.49.102]) by mx0b-001b2d01.pphosted.com with ESMTP id 34r0992tfw-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 10 Nov 2020 15:45:44 -0500 Received: from pps.filterd (ppma06ams.nl.ibm.com [127.0.0.1]) by ppma06ams.nl.ibm.com (8.16.0.42/8.16.0.42) with SMTP id 0AAKfoZm025287; Tue, 10 Nov 2020 20:45:42 GMT Received: from b06avi18626390.portsmouth.uk.ibm.com (b06avi18626390.portsmouth.uk.ibm.com [9.149.26.192]) by ppma06ams.nl.ibm.com with ESMTP id 34njuh3hda-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 10 Nov 2020 20:45:42 +0000 Received: from d06av24.portsmouth.uk.ibm.com (mk.ibm.com [9.149.105.60]) by b06avi18626390.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 0AAKjejl57475442 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 10 Nov 2020 20:45:40 GMT Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 2C3D842042; Tue, 10 Nov 2020 20:45:40 +0000 (GMT) Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C80884203F; Tue, 10 Nov 2020 20:45:38 +0000 (GMT) Received: from li-f45666cc-3089-11b2-a85c-c57d1a57929f.ibm.com (unknown [9.160.83.27]) by d06av24.portsmouth.uk.ibm.com (Postfix) with ESMTP; Tue, 10 Nov 2020 20:45:38 +0000 (GMT) Message-ID: <0694c3637dddaaddb6a2a5b679c58448746bc70d.camel@linux.ibm.com> Subject: Re: Selinux policy for x509_ima.der public certificate loaded by kernel during boot From: Mimi Zohar To: rishi gupta , Mikhail Novosyolov Cc: linux-integrity , selinux-refpolicy@vger.kernel.org, selinux@vger.kernel.org Date: Tue, 10 Nov 2020 15:45:38 -0500 In-Reply-To: References: <28afd683-8423-0331-4b7d-ec71d46be30c@rosalinux.ru> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.28.5 (3.28.5-12.el8) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.312,18.0.737 definitions=2020-11-10_07:2020-11-10,2020-11-10 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 priorityscore=1501 impostorscore=0 malwarescore=0 phishscore=0 bulkscore=0 mlxlogscore=999 clxscore=1011 lowpriorityscore=0 adultscore=0 mlxscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2011100138 Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On Mon, 2020-11-09 at 21:14 +0530, rishi gupta wrote: > On Sat, Nov 7, 2020 at 3:45 AM Mikhail Novosyolov > wrote: > > > > > > 06.11.2020 18:50, rishi gupta пишет: > > > On Fri, Nov 6, 2020 at 8:42 PM Mikhail Novosyolov > > > wrote: > > >> 06.11.2020 15:22, rishi gupta пишет: > > >>> I am getting below error as selinux is denying access to the .ima > > >>> keyring. Looking for guidance for asymmetric public key selinux > > >>> policy. > > >>> > > >>> [ 172.014855] integrity: Request for unknown key 'id:87deb3bf' err -13 > > >> I am getting the same error without selinux. > > > If I make selinux permissive, it works for me. So I know in my case > > > the problem is selinux. > > >>> [ 172.015035] audit: type=1800 audit(1604596570.579:240): pid=825 > > >>> uid=1021 auid=4294967295 ses=4294967295 > > >>> subj=system_u:system_r:mydaemon_t:s0-s15:c0.c1023 op="appraise_data" > > >>> cause="invalid-signature" comm="mydaemon" > > >>> name="/usr/lib/libstdc++.so.6.0.25" dev="ubifs" ino=14353 res=0 > > >> Selinux context is just logged here. It has nothing to do with reasons of ivalid signature. Public key seems to be not loaded. > > > Basically when we access a file, driver checks if selinux allow access > > > to it or not. In my case this function is returning -EACCES > > > https://github.com/torvalds/linux/blob/master/security/keys/permission.c#L88 > > >>> (a) Do I need to set the selinux context of file > > >>> /etc/keys/x509_ima.der. If yes what it should be. > > >>> (b) Do I need to set some selinux rule for .ima keyring. If yes how. I > > >>> tried a lot but could not find any resource. > > >> Usually IMA policy is loaded before SELinux policy I think > > > I am using the policy defined in ima_policy driver as of now. My kernel is 4.14. > > What is "ima_policy driver"? How does selinux and IMA policies get loaded on your system? > > For test purpose I am using "ima_policy=tcb ima_appraise_tcb" in the > commandline. > I have not changed anything in the policy defined in 4.14 kernel driver for now. > https://github.com/torvalds/linux/blob/bebc6082da0a9f5d47a1ea2edc099bf671058bd4/security/integrity/ima/ima_policy.c#L132 > https://github.com/torvalds/linux/blob/bebc6082da0a9f5d47a1ea2edc099bf671058bd4/security/integrity/ima/ima_policy.c#L88 Is root able to verify a file signature signed with this key? Afterwards are you able to verify this file's signature? Mimi