Hi @sopos have question for you I noticed that fapolicyd integrity check with IMA allow executing binary after cat fapTestProgram > /usr/local/bin/fapTestProgram. But when I check and update IMA extended attributes it seem that hash is changed.

:: [ 03:32:21 ] :: [  BEGIN   ] :: Running 'cat fapTestProgram > /usr/local/bin/fapTestProgram'
:: [ 03:32:21 ] :: [   PASS   ] :: Command 'cat fapTestProgram > /usr/local/bin/fapTestProgram' (Expected 0, got 0)
:: [ 03:32:21 ] :: [  BEGIN   ] :: Running 'getfattr -m - -d -e hex /usr/local/bin/fapTestProgram'
getfattr: Removing leading '/' from absolute path names
file: usr/local/bin/fapTestProgram
security.ima=0x040429209638bae3f3375e33b7af99d571dad39531e525af6ed7c579271eb1d575d0
security.selinux=0x73797374656d5f753a6f626a6563745f723a62696e5f743a733000
:: [ 03:32:21 ] :: [   PASS   ] :: Command 'getfattr -m - -d -e hex /usr/local/bin/fapTestProgram' (Expected 0, got 0)
:: [ 03:32:21 ] :: [  BEGIN   ] :: Running 'evmctl ima_hash -a sha256 /usr/local/bin/fapTestProgram'
hash(sha256): 040464e508443d30e995125aa9f34aaa93124771c40a80ff132860f44c69361e8481
:: [ 03:32:21 ] :: [   PASS   ] :: Command 'evmctl ima_hash -a sha256 /usr/local/bin/fapTestProgram' (Expected 0, got 0)
:: [ 03:32:21 ] :: [  BEGIN   ] :: Running 'getfattr -m - -d -e hex /usr/local/bin/fapTestProgram'
getfattr: Removing leading '/' from absolute path names
file: usr/local/bin/fapTestProgram
security.ima=0x040464e508443d30e995125aa9f34aaa93124771c40a80ff132860f44c69361e8481
security.selinux=0x73797374656d5f753a6f626a6563745f723a62696e5f743a733000
:: [ 03:32:21 ] :: [   PASS   ] :: Command 'getfattr -m - -d -e hex /usr/local/bin/fapTestProgram' (Expected 0, got 0)
:: [ 03:32:21 ] :: [  BEGIN   ] :: Running 'timeout 2 su - testuser1 -c "/usr/local/bin/fapTestProgram"'
fapTestProgram2
Session terminated, killing shell... ...killed.
:: [ 03:32:25 ] :: [   FAIL   ] :: Command 'timeout 2 su - testuser1 -c "/usr/local/bin/fapTestProgram"' (Expected 126, got 124)

Is this behavior normal or have I encountered a bug? Just FYI, when you use the sha256 integrity check, fapolicyd refuses to run the binary in the same step.

That really seems to be a bug. Though, it is suspicious that the fapTestProgram does not print the fapTestProgram string.

That really seems to be a bug. Though, it is suspicious that the fapTestProgram does not print the fapTestProgram string.

But probably that's not related issue, when I provide integrity check via sha256 the output fapTestProgram also does not print the fapTestProgram string.

But probably that's not related issue, when I provide integrity check via sha256 the output fapTestProgram also does not print the fapTestProgram string.

Seems it could be just by terminal handling. If I run tmt in --interactive I can see the strings while in the normal mode I cannot. May be using unbuffer or something like that could improve it.

But probably that's not related issue, when I provide integrity check via sha256 the output fapTestProgram also does not print the fapTestProgram string.

Seems it could be just by terminal handling. If I run tmt in --interactive I can see the strings while in the normal mode I cannot. May be using unbuffer or something like that could improve it.

Weird, I also use interactive mode and cannot see anything.

tmt run -vvv plan -n ima-integrity discover prepare provision -h connect --guest IP --password PASSWD execute --how tmt --interactive login finish

That really seems to be a bug. Though, it is suspicious that the fapTestProgram does not print the fapTestProgram string.

Anyways I'll try it on various version of OS and report it.

Change for now for debuging.

Test work properly with different IMA setup, but in previous IMA setup bug persist.