RHEL-65013

fapolicyd failed with error "IMA integrity checking selected, but the extended attributes can't be read"

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Undefined
    • Version: rhel-9.5
    • Component: fapolicyd
    • rhel-sst-security-special-projects
    • ssg_security
    • Project: Red Hat Enterprise Linux

      What were you trying to do that didn't work?

      As originally found by rhn-support-rcheerla, integrity = ima doesn't work for fapolicyd

      What is the impact of this issue to you?

      Please provide the package NVR for which the bug is seen:

      fapolicyd-1.3.3-100.el9.x86_64

      How reproducible is this bug?:

      always

      Steps to reproduce

      1. Install fapolicyd:
         dnf install fapolicyd -y

      2. Add IMA signatures to installed package files using ima-add-sigs (provided by ima-evm-utils):
         ima-add-sigs --package=ALL

      3. Set "integrity = ima" in /etc/fapolicyd/fapolicyd.conf

      4. Start the fapolicyd service:
         systemctl restart fapolicyd


      Expected results

      fapolicyd can be started successfully

      Actual results

      fapolicyd.service failed to start, and manually running fapolicyd shows the following errors:

      [root@localhost ~]# fapolicyd
      10/28/24 06:13:21 [ ERROR ]: IMA integrity checking selected, but the extended attributes can't be read
      10/28/24 06:13:21 [ ERROR ]: Exiting due to bad configuration
      

      Additional notes

      1. /bin/sh is a symbolic link to /bin/bash, which has a valid IMA signature ("evmctl ima_verify" doesn't support verifying a symbolic link):

      [root@localhost ~]# evmctl ima_verify -k /etc/keys/ima/redhatimarelease-9.der /bin/bash 
      key 1: d3320449 /etc/keys/ima/redhatimarelease-9.der
      /bin/bash: verification is OK
      

      2. Replacing /bin/sh with /bin/bash won't work:

      [root@localhost ~]# evmctl ima_verify -k /etc/keys/ima/redhatimarelease-9.der /bin/sh
      key 1: d3320449 /etc/keys/ima/redhatimarelease-9.der
      /bin/sh: verification is OK
      
      [root@localhost ~]# fapolicyd
      10/28/24 06:13:21 [ ERROR ]: IMA integrity checking selected, but the extended attributes can't be read
      10/28/24 06:13:21 [ ERROR ]: Exiting due to bad configuration
      

      3. Using an IMA hash for /bin/sh instead makes fapolicyd start:

      [root@localhost ~]# evmctl ima_hash /bin/sh
      hash(sha256): 040497995faa249e5706dd0b0373c9da547709bf7349755d5fc8e52f97a4bd04feaf
      1
      
      [root@localhost ~]# getfattr -m - -d /bin/sh
      getfattr: Removing leading '/' from absolute path names
      # file: bin/sh
      security.ima=0sBASXmV+qJJ5XBt0LA3PJ2lR3Cb9zSXVdX8jlL5ekvQT+rw==
      security.selinux="system_u:object_r:shell_exec_t:s0"
      
      [root@localhost ~]# fapolicyd --debug
      10/28/24 01:56:02 [ INFO ]: Can handle 524288 file descriptors
      10/28/24 01:56:02 [ INFO ]: Ruleset identity: 0549824ffd3a8ebea32d199fe96dc7a4391a95b64c867cd420cf89dd694b8231
      ...
      

              Radovan Sroka (rsroka@redhat.com)
              Coiby Xu (coxu@redhat.com)
              Radovan Sroka
              SSG Security QE
              Votes: 0
              Watchers: 4