RHEL-130158

keylime-policy --ima-measurement-list not properly setting the default value


    • Bug
    • Resolution: Unresolved
    • rhel-10.1
    • keylime
    • rhel-security-special-projects

      What were you trying to do that didn't work?

      --ima-measurement-list has an optional argument, but when it is not provided some other options like --keyrings do not work properly, as the default value doesn't seem to be propagated correctly.

       

      1. keylime-policy create runtime --ima-measurement-list --rootfs / --keyrings -o runtime_policy.json
        INFO:keylime.config:Reading configuration from ['/etc/keylime/logging.conf']
        Traceback (most recent call last):
          File "/bin/keylime-policy", line 33, in <module>
            sys.exit(load_entry_point('keylime==7.12.1', 'console_scripts', 'keylime-policy')())
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
          File "/usr/lib/python3.12/site-packages/keylime/cmd/keylime_policy.py", line 61, in main
            ret = args.func(args)
                  ^^^^^^^^^^^^^^^
          File "/usr/lib/python3.12/site-packages/keylime/policy/create_runtime_policy.py", line 1026, in create_runtime_policy
            policy["keyrings"], policy["ima-buf"], ok = process_ima_buf_in_measurement_list(
                                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
          File "/usr/lib/python3.12/site-packages/keylime/policy/create_runtime_policy.py", line 747, in process_ima_buf_in_measurement_list
            with open(ima_measurement_list_file, "r", encoding="UTF-8") as fobj:
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        TypeError: expected str, bytes or os.PathLike object, not NoneType

      keylime-policy create runtime --ima-measurement --rootfs '/' --ramdisk-dir '/boot/' --output <policy.json>

        -m [IMA_MEASUREMENT_LIST], --ima-measurement-list [IMA_MEASUREMENT_LIST]
                              Use an IMA measurement list for hash, keyring, and critical data extraction. If a list is not specified, it uses
                              /sys/kernel/security/ima/ascii_runtime_measurements. Use /dev/null for an empty list.

      What is the impact of this issue to you?

      need to find a workaround 

      Please provide the package NVR for which the bug is seen:

      keylime-7.12.1-11.el10.x86_64

      How reproducible is this bug?:

      always

      Steps to reproduce

      1.  above

      Expected results

      Actual results

              scorreia@redhat.com Sergio Correia
              ksrot@redhat.com Karel Srot
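
An added illustration, not keylime's code and not part of the original report: in Python's argparse, an option declared with nargs="?" stores `const` (None unless set) when the flag is given bare, and `default` only when the flag is absent. That this is the cause in keylime is an assumption; the parser, the `build_parser`, `resolve_measurement_list` and `open_guarded` names, and the argv lists are constructed, and only the default path comes from the quoted --help text.

```python
import argparse

# Path taken from the --help text quoted in the report.
DEFAULT_IMA_LIST = "/sys/kernel/security/ima/ascii_runtime_measurements"


def build_parser(fixed: bool) -> argparse.ArgumentParser:
    """Constructed parser with the option shape shown in the --help output."""
    parser = argparse.ArgumentParser(prog="policy-demo")
    if fixed:
        # const is what argparse stores for a bare flag; default covers "flag absent".
        opts = {"nargs": "?", "const": DEFAULT_IMA_LIST, "default": None}
    else:
        # Only default is set, so a bare flag stores const, which is None.
        opts = {"nargs": "?", "default": DEFAULT_IMA_LIST}
    parser.add_argument("-m", "--ima-measurement-list", **opts)
    parser.add_argument("--rootfs")
    parser.add_argument("--keyrings", action="store_true")
    return parser


def resolve_measurement_list(argv, fixed):
    """Return the value a consumer would later hand to open()."""
    return build_parser(fixed).parse_args(argv).ima_measurement_list


def open_guarded(path):
    """Defensive consumer: reject None with a clear error instead of a TypeError."""
    if path is None:
        raise ValueError("no IMA measurement list resolved from the command line")
    return path


# Constructed argv lists; BARE mirrors the reproducer in the report.
BARE = ["--ima-measurement-list", "--rootfs", "/", "--keyrings"]
ABSENT = ["--rootfs", "/", "--keyrings"]
EXPLICIT = ["-m", "/dev/null", "--rootfs", "/"]

if __name__ == "__main__":
    for name, argv in (("bare", BARE), ("absent", ABSENT), ("explicit", EXPLICIT)):
        print(name, resolve_measurement_list(argv, False), resolve_measurement_list(argv, True))
```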