24.5. Troubleshooting systemd failure to load the IMA policy


If systemd does not load /etc/ima/ima-policy, the system hangs and displays the error systemd[1]: Freezing execution.

[    5.829882] ima: policy update failed
[    5.830094] ima: signed policy file (specified as an absolute pathname) required
[!!!!!!] Failed to load IMA policy.
…
[    5.859994] systemd[1]: Freezing execution.

There are three methods that you can use to recover your system.

24.5.1. Turn off Secure Boot

If the policy cannot be loaded because it is not signed, you might see errors similar to the following examples.

[    5.661906] ima: policy update failed
[    5.662290] ima: signed policy file (specified as an absolute pathname) required
[    5.662496] systemd[1]: Failed to load the IMA custom policy file /etc/ima/ima-policy1: Permission denied
[    5.662663] ima: policy update failed
[    5.662856] audit: type=1800 audit(1744968172.925:7): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 op=appraise_data cause=IMA-signature-required comm="systemd" name="/etc/ima/ima-policy" dev="vda3" ino=25679834 res=0 errno=0
[    5.663205] audit: type=1802 audit(1744968172.925:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 op=policy_update cause=failed comm="systemd" res=0 errno=0
[!!!!!!] Failed to load IMA policy.

As a workaround, you can turn off Secure Boot temporarily and follow Deploying a custom signed IMA policy for UEFI systems to fix the issue.
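The following added example (not part of the original documentation or Red Hat's tooling) triages captured console or audit output like the excerpts above: it ties the appraise_data record that names an unsigned file to the policy_update failure that follows it. The function name ima_policy_triage and the shortened sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. ima_policy_triage is a hypothetical helper name.
# Reads kernel/audit log text on stdin and prints one verdict line:
#   unsigned-policy <path> | policy-load-failed | ok   (plus " frozen" if PID 1 froze)
ima_policy_triage() {
    awk '
        # op=appraise_data with cause=IMA-signature-required names a file with no valid signature.
        /type=1800/ && /op=appraise_data/ && /cause=IMA-signature-required/ {
            if (match($0, /name="[^"]*"/))
                candidate = substr($0, RSTART + 6, RLENGTH - 7)
        }
        # op=policy_update cause=failed: the update was rejected; tie it to the last candidate.
        /type=1802/ && /op=policy_update/ && /cause=failed/ { failed = 1; path = candidate }
        /ima: policy update failed/ { failed = 1 }
        /systemd\[1\]: Freezing execution/ { frozen = 1 }
        END {
            if (failed && path != "") verdict = "unsigned-policy " path
            else if (failed)          verdict = "policy-load-failed"
            else                      verdict = "ok"
            if (frozen) verdict = verdict " frozen"
            print verdict
        }
    '
}

# Sample input: lines shortened from the log excerpts on this page.
sample_unsigned() {
    cat <<'EOF'
[    5.661906] ima: policy update failed
[    5.662856] audit: type=1800 audit(1744968172.925:7): pid=1 uid=0 op=appraise_data cause=IMA-signature-required comm="systemd" name="/etc/ima/ima-policy" dev="vda3" res=0 errno=0
[    5.663205] audit: type=1802 audit(1744968172.925:8): pid=1 uid=0 op=policy_update cause=failed comm="systemd" res=0 errno=0
[!!!!!!] Failed to load IMA policy.
[    5.859994] systemd[1]: Freezing execution.
EOF
}

sample_unsigned | ima_policy_triage
```

An "unsigned-policy" verdict points at the signing step for the named file; "policy-load-failed" without a path means the log holds no signature-required record, so the cause lies elsewhere in the policy.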

To boot the system with the init=/bin/bash kernel parameter, you can use the following steps.

  1. Modify the boot loader entry and add the init=/bin/bash kernel parameter.
  2. After you access the shell, remount the system with write permissions:

    # mount -o remount,rw /

  3. Rename /etc/ima/ima-policy to /etc/ima/ima-policy.bak:

    # mv /etc/ima/ima-policy /etc/ima/ima-policy.bak

  4. Reboot the system:

    # echo 1 > /proc/sys/kernel/sysrq
    # printf "s\nb" > /proc/sysrq-trigger

  5. Resolve any issues in /etc/ima/ima-policy.bak and verify that the policy can be loaded:

    # echo /etc/ima/ima-policy.bak >> /sys/kernel/security/integrity/ima/policy

  6. Rename /etc/ima/ima-policy.bak to /etc/ima/ima-policy:

    # mv /etc/ima/ima-policy.bak /etc/ima/ima-policy

If the system hangs with the error systemd[1]: Freezing execution, you can boot the system with the initcall_blacklist=init_ima kernel parameter to disable the IMA policy.

  1. Modify the boot loader entry and add the initcall_blacklist=init_ima kernel parameter.
  2. Rename /etc/ima/ima-policy to /etc/ima/ima-policy.bak:

    # mv /etc/ima/ima-policy /etc/ima/ima-policy.bak

  3. Reboot the system:

    # systemctl reboot

  4. Resolve any issues in /etc/ima/ima-policy.bak and verify that the policy can be loaded:

    # echo /etc/ima/ima-policy.bak >> /sys/kernel/security/integrity/ima/policy

  5. Rename /etc/ima/ima-policy.bak to /etc/ima/ima-policy:

    # mv /etc/ima/ima-policy.bak /etc/ima/ima-policy