From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 9BC461382B7 for ; Fri, 4 Jan 2013 18:39:25 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id B42BB21C001; Fri, 4 Jan 2013 18:39:17 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 20A0321C001 for ; Fri, 4 Jan 2013 18:39:17 +0000 (UTC)
Received: from flycatcher.gentoo.org (flycatcher.gentoo.org [81.93.255.6]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id F036333D948 for ; Fri, 4 Jan 2013 18:39:15 +0000 (UTC)
Received: by flycatcher.gentoo.org (Postfix, from userid 617) id EB6B92171D; Fri, 4 Jan 2013 18:39:13 +0000 (UTC)
From: "Sven Vermeulen (swift)" To: gentoo-commits@lists.gentoo.org Reply-To: gentoo-dev@lists.gentoo.org, swift@gentoo.org Subject: [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/integrity/docs: ima-guide.xml X-VCS-Repository: gentoo X-VCS-Files: ima-guide.xml X-VCS-Directories: xml/htdocs/proj/en/hardened/integrity/docs X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Message-Id: <20130104183913.EB6B92171D@flycatcher.gentoo.org> Date: Fri, 4 Jan 2013 18:39:13 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 84a70812-b62e-4b10-b055-9d5921a54c2a X-Archives-Hash: c6622d2b37d0a528c61e0ef94af4b8ff swift 13/01/04 18:39:13 Modified: ima-guide.xml Log: Add reference to patch needed for custom IMA policies Revision Changes Path 1.8 xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.8&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.8&content-type=text/plain diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?r1=1.7&r2=1.8 Index: ima-guide.xml =================================================================== RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v retrieving revision 1.7 retrieving revision 1.8 diff -u -r1.7 -r1.8 --- ima-guide.xml 29 Dec 2012 21:31:17 -0000 1.7 +++ ima-guide.xml 4 Jan 2013 18:39:13 -0000 1.8 @@ -1,6 +1,6 @@ - + Using Integrity Measurement Architecture in Gentoo @@ -21,8 +21,8 @@ -7 -2012-12-29 +8 +2013-01-04 Purpose of IMA 
@@ -545,6 +545,9 @@ dont_appraise fsmagic=0xf97cff8c # CGROUP_SUPER_MAGIC = 0x27e0eb dont_appraise fsmagic=0x27e0eb +# Some defaults for measurement +measure func=FILE_MMAP mask=MAY_EXEC +measure func=BPRM_CHECK mask=MAY_EXEC # Do not measure all types that have the "logfile" SELinux attribute # You can use seinfo -alogfile -x to get an overview of all these types dont_measure obj_type=initrc_var_log_t @@ -576,12 +579,18 @@ dont_appraise obj_type=fsadm_log_t dont_appraise obj_type=auditd_log_t # Remainder of the defaults -measure func=FILE_MMAP mask=MAY_EXEC -measure func=BPRM_CHECK mask=MAY_EXEC measure func=FILE_CHECK mask=MAY_READ uid=0 appraise fowner=0 + +A small bug in the 3.7 kernel series requires a small patch +to be applied if you are planning on using a custom policy based on SELinux rules +(actually any LSM-implemented security subsystem rule). + + +

Make sure no empty lines are in the policy; if not, it will be refused. You can check the output of dmesg for hints why the policy was refused (it shows @@ -602,7 +611,7 @@ #!/sbin/runscript # Copyright 1999-2012 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.7 2012/12/29 21:31:17 swift Exp $ +# $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.8 2013/01/04 18:39:13 swift Exp $ description="Load in custom IMA policy"
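Review bot: In the `@@ -545,6 +545,9 @@` hunk, moving `measure func=FILE_MMAP mask=MAY_EXEC` and `measure func=BPRM_CHECK mask=MAY_EXEC` up from the "Remainder of the defaults" block to before the `dont_measure obj_type=...` rules changes the policy's behaviour, not just its layout: IMA walks the rule list in order and the first rule matching a given hook decides the measure/dont_measure outcome, and a `dont_measure obj_type=initrc_var_log_t` rule with no `func=` restriction applies to every hook. With revision 1.7 an exec or executable mmap of a file carrying such a label was skipped; with 1.8 the measure rule matches first and the file is measured. If that is the intent (measuring everything executed or mapped executable regardless of SELinux label is a defensible default), state it in the commit message and in the guide text above the policy; if not, keep the two measure rules after the dont_measure rules as in 1.7. Also, the new "Some defaults for measurement" comment together with the surviving "Remainder of the defaults" comment now bracket the dont_measure rules, which reads as if those were part of the defaults; reword one of the two.

Review bot: In the `@@ -576,12 +579,18 @@` hunk, the added paragraph states that a patch "requires ... to be applied", but as far as the visible lines go no identifier or link for that patch appears, only the sentence; since the stated purpose of this commit is to add that reference, make sure the kernel commit id or the URL where the patch is published is actually present in the text, otherwise a reader on a 3.7 kernel has no way to locate it. Two wording points as well: "A small bug ... requires a small patch" repeats "small", and "SELinux rules (actually any LSM-implemented security subsystem rule)" would be clearer as "rules that match on LSM labels, such as the SELinux `obj_type=` rules above", so the reader can tell which policy keywords are affected.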