On 11/29/2016 06:49 AM, Lennart Poettering wrote:
> On Mon, 28.11.16 14:17, Stefan Berger ([email protected]) wrote:
>
>> From: Stefan Berger <[email protected]>
>>
>> Fedora has its policy in /etc/sysconfig/ima-policy while Ubuntu
>> has it in /etc/default/ima-policy. So we try to read the IMA policy
>> from one location and try it from another location if it couldn't
>> be found. To maintain backwards compatibility, we also try
>> /etc/ima/ima-policy.
>
> Sorry, but this looks very wrong. I am not sure what /etc/sysconfig/
> and /etc/default/ima-policy are supposed to be, but I am pretty sure
> placing IMA policy there is just wrong. Moreover, our goal is to
> remove any distro-specific hooks in systemd in favour of common paths,
> not adding new.

It's confusing... Dracut for example expects it in
/etc/sysconfig/ima-policy:

https://github.com/dracutdevs/dracut/blob/master/modules.d/98integrity/ima-policy-load.sh#L10

So following that either one has to change. I chose to change systemd.
To me /etc/default on Debian systems is the equivalent of /etc/sysconfig
on RPM based ones (or at least RedHat based ones), so that's where this
is coming from.

> Hence I am sorry, but I don't think this is right. Please ask the
> downstream maintainers to agree on /etc/ima/ima-policy (or any other
> common path). Let's fix the distros, let's not work around them in
> systemd.

Fine, if that's the common understanding that the proposed directories
are not appropriate.

Stefan

> I hope this makes sense,
> sorry,
>
> Lennart