Some Linux Security Modules (LSM) maintain file metadata, which can be leveraged using IMA :ref:`policy-syntax-conditions` such as :ref:`obj-type` to limit the number of files measured.
IMA policy can filter on SELinux labels.
A file's label can be displayed with ``ls -1Z``; in the output, the
file's type label is the field that follows ``object_r:``.
``seinfo -t`` displays all the possible labels.
``seinfo -a`` displays all the possible attributes.
``seinfo -afile_type -x`` displays all the possible file labels,
useful for constructing file policies.
These are useful for constructing exclusion rules (dont_measure,
dont_appraise) for files with unpredictable or changing data that
cannot be signed or validated against an approved list of
file hashes. Examples are:
``seinfo -alogfile -x`` displays log files.
``seinfo -atmpfile -x`` displays temporary files.
``seinfo -aspoolfile -x`` displays spool files.
``seinfo -alockfile -x`` displays lock files.
Labels can also be viewed in the ``security.selinux`` extended attribute using
``getfattr -m - -d <file>``
where ``-m -`` requests all attributes and ``-d`` dumps the values.
User ID labels (user, role, and domain) can be displayed with
``id -Z``
``obj_type`` can be used in the policy rule :ref:`obj-type-equals`.
Example::

    dont_measure obj_type=var_log_t
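The procedure above (read the ``security.selinux`` attribute, take the type
field of the context, and write ``dont_measure``/``dont_appraise`` rules for
the types that hold unpredictable data) is shown below as an added example;
it is not code from the IMA documentation. The ``getfattr`` output is a
constructed sample in the format ``getfattr -m - -d`` prints (leading ``/``
removed, trailing NUL shown as ``\000``), and ``UNPREDICTABLE_TYPES`` is an
assumed set standing in for what ``seinfo -alogfile -x`` and similar queries
would return on a real system.

```python
"""Derive IMA exclusion rules from SELinux file labels (added example)."""
import re
from typing import Dict, Iterable, List

# Constructed sample of `getfattr -m - -d` output for a few files.  getfattr
# strips the leading '/' and prints the trailing NUL of this attribute as \000.
SAMPLE_GETFATTR_OUTPUT = """\
# file: var/log/messages
security.selinux="system_u:object_r:var_log_t:s0\\000"

# file: var/tmp/scratch.dat
security.selinux="unconfined_u:object_r:tmp_t:s0\\000"

# file: usr/bin/ls
security.selinux="system_u:object_r:bin_t:s0\\000"

# file: var/spool/cron/root
security.selinux="system_u:object_r:cron_spool_t:s0\\000"
"""

# Assumed set of types whose contents cannot be signed or hash-listed.  On a
# real system build it from `seinfo -alogfile -x`, `-atmpfile`, `-aspoolfile`,
# `-alockfile`.
UNPREDICTABLE_TYPES = {"var_log_t", "tmp_t", "cron_spool_t", "var_lock_t"}

_FILE_RE = re.compile(r"^# file: (.+)$")
_ATTR_RE = re.compile(r'^security\.selinux="([^"]*)"$')


def parse_getfattr(text: str) -> Dict[str, str]:
    """Map each file path in getfattr output to its SELinux context string."""
    contexts: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        m = _FILE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _ATTR_RE.match(line)
        if m and current is not None:
            # Drop the escaped trailing NUL so the context compares cleanly.
            contexts[current] = m.group(1).replace("\\000", "")
    return contexts


def object_type(context: str) -> str:
    """Return the type field of a user:role:type[:level] context."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError(f"malformed SELinux context: {context!r}")
    return fields[2]


def exclusion_rules(contexts: Dict[str, str],
                    exclude: Iterable[str] = UNPREDICTABLE_TYPES) -> List[str]:
    """Emit dont_measure and dont_appraise rules for each excluded type seen."""
    seen = sorted({object_type(c) for c in contexts.values()} & set(exclude))
    rules: List[str] = []
    for t in seen:
        rules.append(f"dont_measure obj_type={t}")
        rules.append(f"dont_appraise obj_type={t}")
    return rules


if __name__ == "__main__":
    ctx = parse_getfattr(SAMPLE_GETFATTR_OUTPUT)
    for path, c in ctx.items():
        print(f"{path}: {c} -> obj_type={object_type(c)}")
    print("\n".join(exclusion_rules(ctx)))
```

Only types that actually appear in the scanned files produce rules, so a
label present in the exclusion set but absent from the input (``var_lock_t``
in the sample) generates nothing; rules for files the policy never sees only
add noise. The generated lines are in the syntax of the ``dont_measure``
example above and can be appended to the IMA policy as-is.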
| SELinux Label | Typical use |
|---|---|
| acct_data_t | /var/account |
| admin_home_t | /root |
| autofs_t | /gsa /misc /net |
| bin_t | /bin /usr/bin /sbin /usr/sbin |
| boot_t | /boot |
| default_t | (before labeling) |
| device_t | /dev |
| dosfs_t | /boot/efi_t /var/log |
| games_data_t | /var/games |
| httpd_sys_content_t | /var/www |
| kdump_crash_t | /var/crash |
| mail_spool_t | /var/mail -> spool/mail |
| mysql_db_t | /var/lib/mysql |
| public_content_t | /var/ftp |
| system_db_t | /var/db |
| tmp_t | /var/tmp |
| var_t | /var/adm /var/cache /var/local /var/empty /var/kerberos /var/nis /var/opt /var/preserve |
| var_lib_t | /var/lib |
| var_log_t | /var/log |
| var_lock_t | /var/lock |
| var_run_t | /var/run |
| var_spool_t | /var/spool |
| var_yp_t | /var/yp |