You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
rpm_sha256_only only filtered RPM trust data while it was imported. If a weak RPM digest was already present in the active LMDB trust database, digest-based integrity lookup could still evaluate that stale SHA1 or MD5 record after the option was enabled.
Snapshot rpm_sha256_only into the immutable decision config and have trust lookup skip sub-SHA256 records for SHA256 and IMA integrity modes when the floor is active. SHA1/MD5 RPM records remain usable when rpm_sha256_only is disabled, and strict mode can still trust a SHA256-or-stronger duplicate for the same path.
Add decision-config coverage for the new pinned field and an LMDB regression that imports a SHA1 RPM record, verifies compatibility-mode trust, verifies strict-mode rejection without rebuilding the DB, and verifies trust again after adding a SHA256 duplicate. Update the manpage to document the ingestion and lookup-side behavior.
Copy file name to clipboardExpand all lines: doc/fapolicyd.conf.5
+16-5Lines changed: 16 additions & 5 deletions
Original file line number
Diff line number
Diff line change
@@ -154,7 +154,17 @@ Example:
154
154
155
155
.TP
156
156
.Brpm_sha256_only
157
-
When this option is set to 1, it will force the daemon to work only with SHA256 and larger hashes. This is useful on the systems where the integrity is set to SHA256 or IMA and some rpms were originally built with e.g. SHA1. The daemon will ignore these SHA1 entries. If set to 0 the daemon stores SHA1/MD5 in trustdb as well. This is compatible with older behavior which works with the integrity set to NONE and SIZE. The NONE or SIZE integrity setting considers the files installed via rpm as trusted and it does not care about their hashes at all. On the other hand the integrity set to SHA256 or IMA will never consider a file with SHA1 in trustdb as trusted. The default value is 0.
157
+
When this option is set to 1, it will force RPM trust entries to use SHA256
158
+
or larger hashes. This is useful on systems where the integrity is set to
159
+
SHA256 or IMA and some rpms were originally built with e.g. SHA1. The daemon
160
+
will ignore these SHA1 entries when the RPM backend imports trust data. Hash
161
+
integrity lookups also reject SHA1/MD5 records that are already present in the
162
+
active trust database, so stale weak RPM entries do not remain trusted after a
163
+
configuration reload enables this option. If set to 0 the daemon stores and
164
+
uses SHA1/MD5 from RPM trust data as well. This is compatible with older
165
+
behavior which works with the integrity set to NONE and SIZE. The NONE or SIZE
166
+
integrity setting considers the files installed via rpm as trusted and it does
167
+
not care about their hashes at all. The default value is 0.
158
168
159
169
.TP
160
170
.Ballow_filesystem_mark
@@ -239,17 +249,18 @@ The following
239
249
settings are live after a successful reload:
240
250
.RS
241
251
.IP\[bu]2
242
-
\fBpermissive\fP and \fBintegrity\fP are decision-used fields and are
243
-
published together as one immutable generation.
252
+
\fBpermissive\fP, \fBintegrity\fP, and the lookup-side
253
+
\fBrpm_sha256_only\fP digest floor are decision-used fields and are published
0 commit comments