If security_filter_rule_init() doesn't return a rule, then not everything is as fine as the return code implies.
This bug only occurs when the LSM (eg. SELinux) is disabled at runtime.
Adding an empty LSM rule causes ima_match_rules() to always succeed, ignoring any remaining rules.
default IMA TCB policy:
  < LSM specific rule >
  dont_measure obj_type=var_log_t

  measure func=FILE_MMAP mask=MAY_EXEC
  measure func=FILE_CHECK mask=MAY_READ uid=0
Thus without the patch, with the boot parameters 'tcb selinux=0', adding the above 'dont_measure obj_type=var_log_t' rule to the default IMA TCB measurement policy would result in nothing being measured. The patch prevents the default TCB policy from being replaced.
Introduced in 2.6.30-rc1 (commit 4af4662f)
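The following is an added, user-space model of the failure described in the commit message above; it is not kernel code, and the names security_filter_rule_init(), ima_lsm_rule_init() and ima_match_rules() are simplified stand-ins for the kernel functions of the same name. It builds the policy from the commit message ('dont_measure obj_type=var_log_t' ahead of the two TCB measure rules), models the LSM being disabled as security_filter_rule_init() returning success with no rule object, and shows why an empty LSM rule swallows every file: ima_match_rules() skips an LSM condition that has no rule object, so a rule whose only condition is that LSM rule matches everything. The fixed path (the patch's -EINVAL on a missing rule object) rejects the rule, and the default TCB policy stays in force. The two sample accesses (an exec-mapped bin_t binary and a var_log_t log read by uid 0) are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum action { MEASURE, DONT_MEASURE };
enum func   { BPRM_CHECK, FILE_MMAP, FILE_CHECK };
#define MAY_EXEC 0x1
#define MAY_READ 0x2
#define MAX_RULES 8

struct lsm_rule { const char *obj_type; };   /* stand-in for an LSM (SELinux) rule handle */

struct ima_rule {
    enum action action;
    int has_func;  enum func func;
    int mask;                               /* 0 = no mask condition */
    int has_uid;   int uid;
    int has_lsm;   struct lsm_rule *lsm;    /* has_lsm set but lsm NULL: the bug */
};

static int lsm_enabled;                     /* 0 models booting with selinux=0 */
static struct lsm_rule lsm_rules[MAX_RULES];
static int lsm_rule_count;

/* Models security_filter_rule_init(): with the LSM disabled it reports
 * success (0) but hands back no rule object, so *rule stays NULL. */
static int security_filter_rule_init(const char *obj_type, struct lsm_rule **rule)
{
    *rule = NULL;
    if (!lsm_enabled)
        return 0;
    lsm_rules[lsm_rule_count].obj_type = obj_type;
    *rule = &lsm_rules[lsm_rule_count++];
    return 0;
}

/* Models ima_lsm_rule_init() unpatched (fixed == 0) and patched (fixed == 1). */
static int ima_lsm_rule_init(struct ima_rule *r, const char *obj_type, int fixed)
{
    int rc = security_filter_rule_init(obj_type, &r->lsm);
    r->has_lsm = 1;
    if (fixed && !r->lsm)
        return -EINVAL;     /* the fix: a rule without a rule object is an error */
    return rc;
}

/* Models ima_match_rules(): every condition present on the rule must match.
 * An LSM condition with no rule object is skipped, which is how an empty
 * LSM rule degenerates into "match everything". */
static int ima_match_rules(const struct ima_rule *r, enum func func, int mask,
                           int uid, const char *obj_type)
{
    if (r->has_func && r->func != func)                          return 0;
    if (r->mask && r->mask != mask)                              return 0;
    if (r->has_uid && r->uid != uid)                             return 0;
    if (r->has_lsm && r->lsm && strcmp(r->lsm->obj_type, obj_type)) return 0;
    return 1;
}

/* First matching rule decides; no match means "not measured". */
static int should_measure(const struct ima_rule *p, int n, enum func func,
                          int mask, int uid, const char *obj_type)
{
    for (int i = 0; i < n; i++)
        if (ima_match_rules(&p[i], func, mask, uid, obj_type))
            return p[i].action == MEASURE;
    return 0;
}

/* The two TCB measure rules quoted in the commit message. */
static int default_tcb_policy(struct ima_rule *out)
{
    int n = 0;
    out[n++] = (struct ima_rule){ .action = MEASURE, .has_func = 1, .func = FILE_MMAP,
                                  .mask = MAY_EXEC };
    out[n++] = (struct ima_rule){ .action = MEASURE, .has_func = 1, .func = FILE_CHECK,
                                  .mask = MAY_READ, .has_uid = 1, .uid = 0 };
    return n;
}

/* Loads 'dont_measure obj_type=var_log_t' ahead of the TCB rules. If the LSM
 * rule is rejected, the update is dropped and the default TCB policy stays. */
static int load_policy(struct ima_rule *out, int fixed)
{
    struct ima_rule dm = { .action = DONT_MEASURE };
    if (ima_lsm_rule_init(&dm, "var_log_t", fixed) < 0)
        return default_tcb_policy(out);
    out[0] = dm;
    return 1 + default_tcb_policy(out + 1);
}

static int run(int selinux_on, int fixed, enum func f, int mask, int uid, const char *t)
{
    struct ima_rule policy[MAX_RULES];
    lsm_enabled = selinux_on;
    lsm_rule_count = 0;
    return should_measure(policy, load_policy(policy, fixed), f, mask, uid, t);
}

/* 1 if an exec-mapped binary labelled bin_t gets measured. */
int binary_is_measured(int selinux_on, int fixed)
{ return run(selinux_on, fixed, FILE_MMAP, MAY_EXEC, 0, "bin_t"); }

/* 1 if a var_log_t log file read by uid 0 is skipped (not measured). */
int logfile_is_skipped(int selinux_on, int fixed)
{ return !run(selinux_on, fixed, FILE_CHECK, MAY_READ, 0, "var_log_t"); }

int main(void)
{
    printf("selinux=1 unpatched: binary measured=%d\n", binary_is_measured(1, 0));
    printf("selinux=0 unpatched: binary measured=%d\n", binary_is_measured(0, 0));
    printf("selinux=0 patched:   binary measured=%d\n", binary_is_measured(0, 1));
    return 0;
}
```

With SELinux enabled the dont_measure rule behaves as intended (logs skipped, binaries measured); with selinux=0 and the unpatched logic the same policy measures nothing at all; with the patch the bad rule is refused and the TCB defaults keep measuring.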
The Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG is not affected by this issue. A future kernel update in Red Hat Enterprise Linux 6 may address this flaw.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2011:0498 https://rhn.redhat.com/errata/RHSA-2011-0498.html