From: walid.fakim@cgi.com (Fakim, Walid)
Date: Mon, 12 Dec 2016 22:18:24 +0000
Subject: [refpolicy] SELinux and IMA
In-Reply-To: <20161208132125.GA12019@meriadoc.perfinion.com>
References: <67130EC7AFA3FE4E9290B03665B351F407E5CE@SE-EX021.groupinfra.com> <20161208132125.GA12019@meriadoc.perfinion.com>
Message-ID: <67130EC7AFA3FE4E9290B03665B351F4080E8C@SE-EX021.groupinfra.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi Jason,

Apologies for the late response. I went through the existing info from the Gentoo website, which has been helpful.

>>> Is there something specific you are trying to work on? Maybe if you explained more what you're looking for we could provide more pointers?

I was just looking at some host-level security tools that would be complementary to one another. I looked into grsecurity, SELinux and IMA/EVM. Since grsecurity's costs are prohibitive for our budget ;) and IMA/EVM is still a bit too "bleeding edge", we have ruled them out of our security suite for now.

Thanks.

Best Regards,
Walid Fakim

-----Original Message-----
From: Jason Zaman [mailto:jason at perfinion.com]
Sent: 08 December 2016 13:21
To: Fakim, Walid
Cc: refpolicy at oss.tresys.com
Subject: Re: [refpolicy] SELinux and IMA

On Tue, Dec 06, 2016 at 10:49:33PM +0000, Fakim, Walid via refpolicy wrote:
> Hi Guys,
>
> Does anyone here have experience of using both SELinux & Integrity Measurement Architecture (IMA) on a target system? From my online reading, they perform different functions and achieve different security goals - how do they perform when used together?
>
> Would be great to hear anyone's experience, good or bad.

I don't personally have much experience, but here is some info that Sven has put on the Gentoo wiki.

https://wiki.gentoo.org/wiki/Project:Integrity
https://wiki.gentoo.org/wiki/Integrity
https://wiki.gentoo.org/wiki/Integrity_Measurement_Architecture
https://wiki.gentoo.org/wiki/Extended_Verification_Module

AIUI, there is more of a link between EVM and SELinux than between IMA and SELinux, so you might want to look at that as well. I use tboot (Intel TXT) on my laptop, so I know that part and the TPM interaction, but I have not had the time to fully explore IMA and what happens there.

Is there something specific you are trying to work on? Maybe if you explained more what you're looking for we could provide more pointers?

-- 
Jason