On Thu, 16.02.12 15:40, Tomasz Torcz ([email protected]) wrote:

> On Thu, Feb 16, 2012 at 12:30:31PM -0200, Gustavo Sverzut Barbieri wrote:
> > On Thu, Feb 16, 2012 at 11:38 AM, Roberto Sassu <[email protected]> wrote:
> > > the reason for which the loading of IMA policies has been placed in
> > > the main Systemd executable is that the measurement process performed
> > > by IMA should start as early as possible. Otherwise, in order to build
> > > the 'chain of trust' during the boot process from the BIOS to software
> > > applications, it is required to measure those components loaded before
> > > IMA is initialized with other means (for example from the boot loader).
> >
> > Then I wonder: why not make an ima-init binary that:
> > - does ima_setup()
> > - exec systemd || upstart || ...
> >
> > this way you only have to audit this very small file and not systemd
> > itself, it's very early and so on.
>
> Isn't that a job for initramfs?

We support booting without initramfs in systemd. SELinux/IMA should be
available for those systems, too.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
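The ima-init wrapper Gustavo sketches in the quoted mail (load the IMA policy, then exec the real init) written out as an added example. This is hypothetical code for this thread, not systemd's ima_setup() or any file from the project. It assumes the policy file lives at /etc/ima/ima-policy (the path systemd reads), that the kernel exposes the policy node at /sys/kernel/security/ima/policy, and that the init to hand over to is /lib/systemd/systemd; the names ima_policy_load, write_all and ima_policy_selftest are chosen here. Rules are fed to the kernel one line per write(2) so that rule boundaries survive short writes, and the self-test uses a constructed two-rule policy and an ordinary temp file in place of the securityfs node so the loader can be exercised without root.

```c
/* ima-init: hypothetical wrapper (not systemd's ima-setup.c) that loads an
 * IMA policy into securityfs and then execs the real init as PID 1. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_POLICY_FILE  "/etc/ima/ima-policy"             /* path systemd reads */
#define DEFAULT_POLICY_SYSFS "/sys/kernel/security/ima/policy" /* kernel IMA policy node */
#define DEFAULT_INIT         "/lib/systemd/systemd"            /* assumption: init to exec */

/* Write exactly len bytes, retrying on short writes and EINTR. 0 or -1. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Copy policy rules from src to dst, one rule line per write(2) call.
 * Blank lines and '#' comments are skipped; a line longer than the buffer
 * is rejected rather than split into two bogus rules. A failed close() is
 * treated as a failure too, so late rejections are not lost.
 * Returns the number of rule lines written, or -1 with errno set. */
int ima_policy_load(const char *src, const char *dst)
{
    FILE *in = fopen(src, "r");
    if (!in)
        return -1;
    int out = open(dst, O_WRONLY | O_CLOEXEC);
    if (out < 0) {
        int saved = errno;
        fclose(in);
        errno = saved;
        return -1;
    }

    char line[4096];
    int rules = 0, rc = 0;
    while (fgets(line, sizeof line, in)) {
        size_t len = strlen(line);
        if (len > 0 && line[len - 1] != '\n' && !feof(in)) {
            errno = E2BIG;          /* rule does not fit in one write */
            rc = -1;
            break;
        }
        const char *p = line + strspn(line, " \t");
        if (*p == '\n' || *p == '\0' || *p == '#')
            continue;               /* nothing for the kernel to parse */
        if (write_all(out, line, len) < 0) {
            rc = -1;
            break;
        }
        rules++;
    }
    if (rc == 0 && ferror(in))
        rc = -1;
    int saved = errno;
    fclose(in);
    if (close(out) < 0 && rc == 0)
        return -1;
    errno = saved;
    return rc < 0 ? -1 : rules;
}

/* Offline self-check with a constructed sample policy (not a recommended
 * real policy): load it into a temp file standing in for the securityfs
 * node and compare what arrived. Returns the rule count (2) or -1. */
int ima_policy_selftest(void)
{
    static const char sample[] =
        "# constructed sample policy for the self-test\n"
        "measure func=BPRM_CHECK mask=MAY_EXEC\n"
        "\n"
        "  measure func=FILE_MMAP mask=MAY_EXEC\n";
    static const char expect[] =
        "measure func=BPRM_CHECK mask=MAY_EXEC\n"
        "  measure func=FILE_MMAP mask=MAY_EXEC\n";
    char src[] = "/tmp/ima-policy-XXXXXX", dst[] = "/tmp/ima-node-XXXXXX";
    int sfd = mkstemp(src), dfd = mkstemp(dst);
    if (sfd < 0 || dfd < 0 || write_all(sfd, sample, sizeof sample - 1) < 0)
        return -1;
    close(sfd);
    close(dfd);

    int n = ima_policy_load(src, dst);
    char got[256] = {0};
    FILE *f = fopen(dst, "r");
    size_t len = f ? fread(got, 1, sizeof got - 1, f) : 0;
    if (f)
        fclose(f);
    unlink(src);
    unlink(dst);
    if (n != 2 || len != sizeof expect - 1 || memcmp(got, expect, len) != 0)
        return -1;
    return n;
}

int main(int argc, char **argv)
{
    const char *policy = argc > 1 ? argv[1] : DEFAULT_POLICY_FILE;
    const char *init = argc > 2 ? argv[2] : DEFAULT_INIT;

    /* A missing policy is reported, not fatal: the system still has to boot,
     * but the gap in measurement coverage should be visible on the console. */
    int n = ima_policy_load(policy, DEFAULT_POLICY_SYSFS);
    if (n < 0)
        fprintf(stderr, "ima-init: could not load %s: %s\n", policy, strerror(errno));
    else
        fprintf(stderr, "ima-init: loaded %d IMA rules from %s\n", n, policy);

    /* Hand PID 1 over to the real init; this wrapper is gone after exec. */
    execl(init, init, (char *)NULL);
    fprintf(stderr, "ima-init: exec %s failed: %s\n", init, strerror(errno));
    return 1;
}
```

Run as init=/sbin/ima-init on the kernel command line (with the wrapper installed there) it does exactly the two steps from the quoted mail, and the file that needs auditing is this one rather than the init it execs. Because the policy is written before anything else runs, the chain of trust Roberto describes is not interrupted by the wrapper itself, but the wrapper binary must still be measured by whatever loads it, which is the same requirement the thread raises for systemd.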
