allow to read IMA policy at runtime, keep loading x509 by kernel offed and keep changing IMA policy after initial load offed (initrd or systemd load the policy)

kernel-i586.config

@@ -2936,14 +2936,14 @@ CONFIG_IMA_DEFAULT_HASH_SHA1=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
 CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
 # CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
-# CONFIG_IMA_LOAD_X509 is not set
+CONFIG_IMA_LOAD_X509=n
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
 CONFIG_IMA_NG_TEMPLATE=y
-# CONFIG_IMA_READ_POLICY is not set
+CONFIG_IMA_READ_POLICY=y
 # CONFIG_IMA_SIG_TEMPLATE is not set
 # CONFIG_IMA_TEMPLATE is not set
-# CONFIG_IMA_WRITE_POLICY is not set
+CONFIG_IMA_WRITE_POLICY=n
 CONFIG_IMA=y
 CONFIG_IMG_ASCII_LCD=m
 CONFIG_INA2XX_ADC=m

kernel-x86_64.config

@@ -2959,15 +2959,15 @@ CONFIG_IMA_DEFAULT_HASH_SHA1=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
 CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
 # CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
-# CONFIG_IMA_LOAD_X509 is not set
+CONFIG_IMA_LOAD_X509=n
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
 CONFIG_IMA_NG_TEMPLATE=y
-# CONFIG_IMA_READ_POLICY is not set
+CONFIG_IMA_READ_POLICY=y
 # CONFIG_IMA_SIG_TEMPLATE is not set
 # CONFIG_IMA_TEMPLATE is not set
 CONFIG_IMA_TRUSTED_KEYRING=y
-# CONFIG_IMA_WRITE_POLICY is not set
+CONFIG_IMA_WRITE_POLICY=n
 CONFIG_IMA=y
 CONFIG_IMG_ASCII_LCD=m
 CONFIG_INA2XX_ADC=m

kernel.spec

@@ -24,7 +24,7 @@
 %define sublevel	72
 
 # Release number. Increase this before a rebuild.
-%define rpmrel		2
+%define rpmrel		3
 %define fullrpmrel	%{rpmrel}
 
 %define rpmtag		%{disttag}