-rw-r--r--TODO2
-rw-r--r--man/systemd.unit.xml5
-rw-r--r--src/core/condition.c2
3 files changed, 5 insertions, 4 deletions
diff --git a/TODO b/TODO
index 8d4b937a5a..9b276746f1 100644
--- a/TODO
+++ b/TODO
@@ -456,8 +456,6 @@ Features:
* ExecOnFailure=/usr/bin/foo
-* ConditionSecurity= should learn about IMA and SMACK
-
* udev:
- remove src/udev/udev-builtin-firmware.c (CONFIG_FW_LOADER_USER_HELPER=n)
- move to LGPL
diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
index c56837a6e5..5ab988178d 100644
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@@ -983,9 +983,10 @@
<para><varname>ConditionSecurity=</varname>
may be used to check whether the given
security module is enabled on the
- system. Currently the only recognized
+ system. Currently the recognized values
values are <varname>selinux</varname>,
- <varname>apparmor</varname>, and
+ <varname>apparmor</varname>,
+ <varname>ima</varname> and
<varname>smack</varname>.
The test may be negated by prepending
an exclamation
diff --git a/src/core/condition.c b/src/core/condition.c
index abed4e5bf0..4293d6d1f1 100644
--- a/src/core/condition.c
+++ b/src/core/condition.c
@@ -164,6 +164,8 @@ static bool test_security(const char *parameter) {
#endif
if (streq(parameter, "apparmor"))
return access("/sys/kernel/security/apparmor/", F_OK) == 0;
+ if (streq(parameter, "ima"))
+ return access("/sys/kernel/security/ima/", F_OK) == 0;
if (streq(parameter, "smack"))
return access("/sys/fs/smackfs", F_OK) == 0;
return false;
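Review bot: The new `ima` branch returns true whenever `/sys/kernel/security/ima/` exists, which as far as I can tell only shows that the kernel exposes IMA and that securityfs is mounted when the condition is evaluated, not that a measurement or appraisal policy is loaded. A unit that uses `ConditionSecurity=ima` to gate integrity-dependent work could therefore start on a host where IMA is present but idle, and would be skipped if the condition runs before securityfs is mounted. I would add a comment above the check, `/* Presence of the securityfs directory only; does not tell us whether an IMA policy is active */`, and state the same limit in the man page text. Any `access()` failure, including `EACCES`, is also folded into "not enabled" here, as it is for the neighbouring apparmor and smack checks. test_security() begins before this hunk, so the earlier branches are not visible.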