Q1
The whitelist collection tool (generate_mb_defstate, create_runtime_policy) is implemented in Python and requires installation of Python and dependency packages during deployment, which is inconvenient to use. Do you have any suggestions? Using Go or Rust to reimplement these two tools and compile them into independent binaries is relatively convenient to use.
Q2
The Ubuntu system does not enable SELinux by default. Using IMA to achieve custom measurement goals on Ubuntu may cause problems. If Ubuntu closes AppArmor and opens SELinux, what are the security risks?
thanks
> The whitelist collection tool (generate_mb_defstate, create_runtime_policy) is implemented in Python and requires installation of Python and dependency packages during deployment, which is inconvenient to use. Do you have any suggestions? Using Go or Rust to reimplement these two tools and compile them into independent binaries is relatively convenient to use.
The new create_runtime_policy is undergoing rapid development, in which case it makes sense to use Python. We don't use golang anywhere else in the project, so that's unlikely to happen, and doing it in Rust would limit the number of users without the need for the benefits of Rust (enhanced security, smaller footprint, etc.).
But you're right that being able to run it without python installed would be a benefit. Maybe we should package it in a container for easy use?
> Q2
> The Ubuntu system does not enable SELinux by default. Using IMA to achieve custom measurement goals on Ubuntu may cause problems. If Ubuntu closes AppArmor and opens SELinux, what are the security risks?
Maybe I'm missing something, but why would selinux interfere with IMA measurements? They should be orthogonal.