When trying to load the default policy, it looks like the code only goes halfway through before returning with "cat: write error: Invalid argument". dmesg shows:
"""
[ 48.646410] type=1805 audit(1356723853.967:36): action="dont_measure" fsmagic="0x9fa0" res=1
[ 48.646430] type=1805 audit(1356723853.967:37): action="dont_appraise" fsmagic="0x9fa0" res=1
[ 48.646455] type=1805 audit(1356723853.967:38): action="dont_measure" fsmagic="0x62656572" res=1
[ 48.646471] type=1805 audit(1356723853.967:39): action="dont_appraise" fsmagic="0x62656572" res=1
[ 48.646496] type=1805 audit(1356723853.967:40): action="dont_measure" fsmagic="0x64626720" res=1
[ 48.646512] type=1805 audit(1356723853.967:41): action="dont_appraise" fsmagic="0x64626720" res=1
[ 48.646536] type=1805 audit(1356723853.967:42): action="dont_measure" fsmagic="0x01021994" res=1
[ 48.646551] type=1805 audit(1356723853.967:43): action="dont_appraise" fsmagic="0x01021994" res=1
[ 48.646577] type=1805 audit(1356723853.967:44): action="dont_measure" fsmagic="0x858458f6" res=1
[ 48.646592] type=1805 audit(1356723853.967:45): action="dont_appraise" fsmagic="0x858458f6" res=1
"""
After this, nothing.
Currently used policy code:
"""
# Magics can be found in kernel/include/uapi/linux/magic.h
# Default can be found in security/integrity/ima/ima_policy.c

# PROC_SUPER_MAGIC = 0x9fa0
dont_measure fsmagic=0x9fa0
dont_appraise fsmagic=0x9fa0

# SYSFS_MAGIC = 0x62656572
dont_measure fsmagic=0x62656572
dont_appraise fsmagic=0x62656572

# DEBUGFS_MAGIC = 0x64626720
dont_measure fsmagic=0x64626720
dont_appraise fsmagic=0x64626720

# TMPFS_MAGIC = 0x01021994
dont_measure fsmagic=0x01021994
dont_appraise fsmagic=0x01021994

# RAMFS_MAGIC = 0x858458f6
dont_measure fsmagic=0x858458f6
dont_appraise fsmagic=0x858458f6

# DEVPTS_SUPER_MAGIC = 0x1cd1
dont_measure fsmagic=0x1cd1
dont_appraise fsmagic=0x1cd1

# BINFMTFS_MAGIC = 0x42494e4d
dont_measure fsmagic=0x42494e4d
dont_appraise fsmagic=0x42494e4d

# SECURITYFS_MAGIC = 0x73636673
dont_measure fsmagic=0x73636673
dont_appraise fsmagic=0x73636673

# SELINUX_MAGIC = 0xf97cff8c
dont_measure fsmagic=0xf97cff8c
dont_appraise fsmagic=0xf97cff8c

# CGROUP_SUPER_MAGIC = 0x27e0eb
dont_appraise fsmagic=0x27e0eb

dont_measure obj_type=logfile

measure func=FILE_MMAP mask=MAY_EXEC
measure func=BPRM_CHECK mask=MAY_EXEC
measure func=FILE_CHECK mask=MAX_READ uid=0
appraise fowner=0
"""
Except for the obj_type=logfile, this should be the default policy. I've tried removing the lines before and after the last one that got parsed (as well as the last one itself) to no avail.
Reproducible: Always
The problem was that the policy contains a blank line, which fails the in-kernel checks on the policy. Removing the blank lines works. Documented in the ima-guide.xml.
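A pre-flight check for an IMA policy file, added here as an example and not part of the bug report or of the kernel's own code. It flags the blank lines that the resolution above identifies as the cause, and also rejects rules whose action, condition key, func or mask value are not in the keyword sets it knows; those sets (ACTIONS, FUNCS, MASKS, KEYS) are an assumption based on the policy grammar in security/integrity/ima/ima_policy.c and may need extending for a given kernel. SAMPLE_POLICY is constructed input.

```python
import re

# Assumed keyword sets; extend them to match the target kernel's ima_policy.c.
ACTIONS = {"measure", "dont_measure", "appraise", "dont_appraise"}
FUNCS = {"FILE_CHECK", "FILE_MMAP", "BPRM_CHECK", "MODULE_CHECK"}
MASKS = {"MAY_READ", "MAY_WRITE", "MAY_EXEC", "MAY_APPEND"}
KEYS = {"func", "mask", "fsmagic", "uid", "fowner", "obj_type", "obj_user", "obj_role"}


def check_ima_policy(text):
    """Return a list of (line_number, problem) tuples; an empty list means clean."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == "":
            # An empty rule line is what made the kernel return EINVAL in the report.
            problems.append((n, "blank line (rejected by the in-kernel policy parser)"))
            continue
        if line.startswith("#"):
            continue  # comments are fine
        tokens = line.split()
        if tokens[0] not in ACTIONS:
            problems.append((n, f"unknown action {tokens[0]!r}"))
            continue
        for tok in tokens[1:]:
            key, sep, val = tok.partition("=")
            if not sep or key not in KEYS:
                problems.append((n, f"unknown condition {tok!r}"))
            elif key == "func" and val not in FUNCS:
                problems.append((n, f"unknown func {val!r}"))
            elif key == "mask" and val not in MASKS:
                problems.append((n, f"unknown mask {val!r}"))
            elif key == "fsmagic" and not re.fullmatch(r"0x[0-9a-fA-F]+", val):
                problems.append((n, f"malformed fsmagic {val!r}"))
    return problems


# Constructed sample: a blank line after the first rule and a misspelt mask.
SAMPLE_POLICY = (
    "# PROC_SUPER_MAGIC = 0x9fa0\n"
    "dont_measure fsmagic=0x9fa0\n"
    "\n"
    "measure func=FILE_CHECK mask=MAX_READ uid=0\n"
)

if __name__ == "__main__":
    for lineno, problem in check_ima_policy(SAMPLE_POLICY):
        print(f"line {lineno}: {problem}")
```

Run it against the policy file before writing it to the securityfs policy node; a clean result does not guarantee the kernel accepts every rule, but it catches the blank-line failure without a reboot cycle.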