Okay. It makes _some_ sense but it’s still weird:

Failed to load the IMA custom policy file /etc/ima/ima-policy1: Permission denied
[!!!!!!] Failed to load IMA policy, freezing

So what really happened: /etc/ima/ima-policy exists. It is not looking for a file called ima-policy1. The appended 1 is probably an exit code, and its error message is misleading.

I had some rules making use of labels like `dont_appraise obj_type=systemd_journal_t` in the policy, and that goes boom when not booted with SELinux support (e.g. selinux=0) at all. Good to know.

Also: System is still in dev mode so loading custom policy is fine 🤓
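Since a policy that fails to load freezes the boot, it is worth checking the file before rebooting. The following is an added example, not code from the original post or from systemd: a small POSIX shell pre-flight check that lists the rules in an IMA policy which depend on LSM labels (the six conditionals obj_user, obj_role, obj_type, subj_user, subj_role and subj_type from the kernel's IMA policy ABI) and refuses the policy when SELinux is not active. SELinux activity is inferred from the presence of /sys/fs/selinux, which is absent when the kernel is booted with selinux=0; the second argument to `ima_policy_check` is an assumed override so the check can be run against a policy for another machine. The function names are mine.

```shell
#!/bin/sh
# Added example: pre-flight check for /etc/ima/ima-policy before systemd
# tries to load it at boot. Not part of the original post or of systemd.

# Strip '#' comments and blank lines from an IMA policy read on stdin.
ima_strip_comments() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d'
}

# Print the rules (one per line) that rely on LSM labels. These are the six
# LSM conditionals the kernel's IMA policy parser accepts; with no LSM
# providing the labels such a rule cannot be loaded.
ima_lsm_rules() {
    ima_strip_comments |
        grep -E '(^|[[:space:]])(obj_user|obj_role|obj_type|subj_user|subj_role|subj_type)='
}

# Return 0 if SELinux is active on the running kernel, 1 otherwise.
# selinuxfs is not mounted when booted with selinux=0, so /sys/fs/selinux
# is missing in exactly the case the post ran into.
selinux_active() {
    [ -d /sys/fs/selinux ] && [ -f /sys/fs/selinux/enforce ]
}

# ima_policy_check [POLICY_FILE] [SELINUX_STATE]
#   POLICY_FILE   defaults to /etc/ima/ima-policy
#   SELINUX_STATE optional override (1 = active, 0 = not); when omitted the
#                 running system is probed with selinux_active (assumption:
#                 the policy is meant for the machine running the check).
# Exit status: 0 = safe to install, 1 = LSM rules present but SELinux is
# not active, 2 = policy file unreadable.
ima_policy_check() {
    policy="${1:-/etc/ima/ima-policy}"
    if [ -n "${2:-}" ]; then
        selinux="$2"
    elif selinux_active; then
        selinux=1
    else
        selinux=0
    fi

    if [ ! -r "$policy" ]; then
        echo "cannot read $policy" >&2
        return 2
    fi

    # '|| true' keeps a grep miss (exit 1) from tripping 'set -e' callers.
    bad=$(ima_lsm_rules < "$policy" || true)
    if [ -n "$bad" ] && [ "$selinux" = 0 ]; then
        echo "SELinux is not active, but $policy contains LSM-label rules:" >&2
        printf '  %s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Usage (run as root on the target machine):
#   . ./ima-policy-check.sh && ima_policy_check /etc/ima/ima-policy
```

Run it against the candidate policy before copying it into place; a non-zero exit tells you which rules will not load on a kernel without SELinux, so they can be dropped or the kernel command line fixed instead of discovering it at the "freezing" prompt.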
