Resolves: https://issues.redhat.com/browse/RHEL-33751
Conflict: None
Upstream Status: https://src.fedoraproject.org/rpms/ima-evm-utils.git
commit 141a74d96ab3cdee1b0d2cf6a0cba19337920e02
Author: Coiby Xu <coxu@redhat.com>
Date: Tue May 28 09:54:19 2024 +0800
ima-setup: Allow users to specify custom reinstall_threshold
Some users may use custom-built packages and we are not sure about the
number of packages of this type. So make reinstall_threshold
configurable.
Suggested-by: Marko Myllynen <myllynen@redhat.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Resolves: https://issues.redhat.com/browse/RHEL-33751
Conflict: Upstream has -libs subpackage
Upstream Status: https://src.fedoraproject.org/rpms/ima-evm-utils.git
commit 8980421a049c776e2b77e534793aafb925b3ad48
Author: Coiby Xu <coiby.xu@gmail.com>
Date: Mon May 6 17:48:52 2024 +0800
Add some IMA setup tools
Some IMA setup tools are added to ease IMA setup, which will do
the following tasks:
- add IMA signatures to installed package files
- load IMA keys and policy
- enable the dracut integrity module to load IMA keys and policy
automatically
Two IMA policies as suggested by Stefan Berger are also provided which
will be signed automatically with other package files.
Thanks to Marko Myllynen for coming up with the idea to have a tool
similar to fips-mode-setup. And thanks to Mimi Zohar and Stefan Berger
for providing the feedback!
Signed-off-by: Coiby Xu <coxu@redhat.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Add old ima-evm-utils version with the patches to expose the old soname for
satisfying rpm-sign runtime dependency on the old soname. Thus, the new
rpm-sign can be built and then depend on the new soname.
Related: rhbz#2026028
Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
The new version already handles the two additional patches that were being
applied through the rpm package creation; with that, remove both of them.
Also, this commit modifies some specfile pieces to get closer to Fedora's
specfile.
Related: rhbz#2026028
Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
One of the requests from the Crypto team in RHEL-9 was to drop the support
for SHA1 as a strong algorithm. For ima-evm-utils it's not quite possible,
since it's somewhat dependent on the underlying hardware (TPM version).
However, SHA1 was still being used as the default hash algorithm; with that,
make SHA256 the default instead.
Also, this patch replaces the patch to solve the memory leak added in the
last release with the one accepted upstream.
Related: rhbz#1934949
Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>