**** BEGIN LOGGING AT Fri Jun 08 03:00:18 2018
Jun 08 11:50:54 moto-timo: Tartarus has been tinkering with the IMA stuff from one of the meta-secure-core layers, has it working reasonably well
Jun 08 13:14:32 smurray: Tartarus mentioned he was working with it but I hadn't heard much about what he was using for policies. Other system design choices like file system layout and update mechanism can help or hurt the ability to write effective policies. Without using selinux labels on systemd unit files and then writing an IMA policy to enforce IMA signatures on that type I'm not sure how you'd protect those from modification, for instance.
Jun 08 13:15:27 I'm kind of wondering if he's ventured into EVM or he's found that as infeasible as I did.
Jun 08 13:16:04 Or possibly some of the path based policy patches (pretty sure those were never upstreamed)
Jun 08 13:20:15 georgem: Tartarus can elaborate, there’s been some work on more complicated policies, but I don’t think we’ve added selinux into the mix yet.
Jun 08 13:24:01 Ah, now I'm recalling he said someone else may have been handling some of the policy work
Jun 08 13:32:17 georgem: Yeah, so, to me one important part of meta-secure-core is that it does have all of the right hooks (afaict) in order to have your custom policy be dropped in via a layer and applied at boot time in the initramfs
Jun 08 13:32:31 The provided default policy is one of the "trivial" ones
Jun 08 13:33:47 Tartarus: ah. yeah I have a custom policy being applied in the initramfs as well
Jun 08 13:34:35 with m-s-c it's just a small bbappends to install and package your policy and then the init.ima script will check for and apply it
Jun 08 13:35:10 yeah. sounds like it's probably more straightforward
Jun 08 20:36:19 khem, argh ... Alignment traps on armv5t with gcc 7.3
Jun 08 20:37:34 https://pastebin.com/FRQpXibj
Jun 08 20:43:43 hmmm. evince seems unable to open a PDF without abort()ing unless gsettings-desktop-schemas is installed. I suppose I ought to send a patch to add that as an RDEPENDS.
Jun 08 20:50:09 georgem: yes that would be good
Jun 08 20:51:03 k. will do
Jun 08 20:51:29 found that while testing the poppler patch
Jun 08 20:51:56 ant_home: what is your build configuration, do you have thumb on or not ?
Jun 08 20:53:32 khem, yes. It's been a while since I run-tested userspace..
Jun 08 20:54:46 TARGET_SYS = "arm-oe-linux-musleabi"
Jun 08 20:54:46 MACHINE = "c7x0"
Jun 08 20:54:46 DISTRO = "nodistro"
Jun 08 20:54:46 DISTRO_VERSION = "nodistro.0"
Jun 08 20:54:46 TUNE_FEATURES = "arm armv5 thumb dsp"
Jun 08 20:54:47 TARGET_FPU = "soft"
Jun 08 20:55:16 master of today
Jun 08 22:15:42 khem, should I check gcc8 or gcc6 to verify it's gcc?
Jun 08 22:16:13 (armv4 kernel seems miscompiled as well so I'd say gcc)
Jun 08 22:16:42 I can fire a build overnight
**** ENDING LOGGING AT Sat Jun 09 03:00:06 2018