%global srcname keylime
# Release tag of the separately published keylime-selinux policy (Source2).
%global policy_version 1.2.0
# Build switch (1/0) for the SELinux policy subpackage and its scriptlets.
%global with_selinux 1
%global selinuxtype targeted

# Package is actually noarch, but it has an optional dependency that is
# arch-specific.
%global debug_package %{nil}

Name: keylime
Version: 7.3.0
Release: 8%{?dist}
Summary: Open source TPM software for Bootstrapping and Maintaining Trust

URL: https://github.com/keylime/keylime
Source0: https://github.com/keylime/keylime/archive/refs/tags/v%{version}.tar.gz
# sysusers.d fragment creating the service user/group (installed and also used
# by the pre scriptlet of the base subpackage).
Source1: %{srcname}.sysusers
# SELinux policy is maintained out of tree; the version is pinned by policy_version.
Source2: https://github.com/RedHat-SP-Security/%{name}-selinux/archive/v%{policy_version}/keylime-selinux-%{policy_version}.tar.gz

Patch: 0001-Remove-usage-of-Required-NotRequired-typing_ext.patch
Patch: 0002-Allow-keylime_server_t-tcp-connect-to-several-domain.patch
Patch: 0003-Use-version-2.0-as-the-minimum-for-the-configuration.patch
Patch: 0004-Duplicate-str_to_version-for-the-upgrade-tool.patch
Patch: 0005-elchecking-example-add-ignores-for-EV_PLATFORM_CONFI.patch
Patch: 0006-Revert-mapping-changes.patch
Patch: 0007-Handle-session-close-using-a-session-manager.patch
Patch: 0008-verifier-should-read-parameters-from-verifier.conf-o.patch
# Security backports (see the changelog entries for 7.3.0-5 and 7.3.0-6):
# challenge-protocol bypass during agent registration and registrar DoS
# against SSL.
Patch: 0009-CVE-2023-38201.patch
Patch: 0010-CVE-2023-38200.patch
Patch: 0011-Automatically-update-agent-API-version.patch

License: ASL 2.0 and MIT

# git-core: patches are applied with "autosetup -S git" in the prep section.
BuildRequires: git-core
BuildRequires: swig
BuildRequires: openssl-devel
BuildRequires: python3-devel
BuildRequires: python3-dbus
BuildRequires: python3-jinja2
BuildRequires: python3-setuptools
BuildRequires: systemd-rpm-macros
# NOTE(review): presumably only needed to compile the SELinux policy (tabrmd
# interfaces, see changelog 7.3.0-2); could live under the with_selinux
# conditional -- confirm.
BuildRequires: tpm2-abrmd-selinux

# The top-level package is a metapackage that pulls in every server-side
# component at the exact same version-release.
Requires: python3-%{srcname} = %{version}-%{release}
Requires: %{srcname}-base = %{version}-%{release}
Requires: %{srcname}-verifier = %{version}-%{release}
Requires: %{srcname}-registrar = %{version}-%{release}
Requires: %{srcname}-tenant = %{version}-%{release}

# Agent.
# The agent is packaged separately; the Rust implementation is only suggested.
Requires: keylime-agent
Suggests: keylime-agent-rust

%{?python_enable_dependency_generator}
%description
Keylime is a TPM based highly scalable remote boot attestation
and runtime integrity measurement solution.

%package base
Summary: The base package contains the default configuration
License: MIT


# Requires(pre): present before the pre scriptlet (sysusers compat needs
# shadow-utils) and therefore also for the post scriptlets that run
# keylime_upgrade_config; python3-jinja2 and util-linux were added for that
# tool (see changelog 7.3.0-8).
Requires(pre): python3-jinja2
Requires(pre): shadow-utils
Requires(pre): util-linux
Requires: procps-ng
Requires: tpm2-tss

%if 0%{?with_selinux}
# This ensures that the *-selinux package and all its dependencies are not pulled
# into containers and other systems that do not use SELinux
Recommends: (%{srcname}-selinux if selinux-policy-%{selinuxtype})
%endif

%ifarch %efi
Requires: efivar-libs
%endif


%description base
The base package contains the Keylime default configuration

%package -n python3-%{srcname}
Summary: The Python Keylime module
License: MIT

Requires: %{srcname}-base = %{version}-%{release}
%{?python_provide:%python_provide python3-%{srcname}}

# Runtime Python dependencies of the keylime module.
Requires: python3-tornado
Requires: python3-sqlalchemy
Requires: python3-alembic
Requires: python3-cryptography
Requires: python3-pyyaml
Requires: python3-packaging
Requires: python3-requests
Requires: python3-gpg
Requires: python3-lark-parser
Requires: python3-pyasn1
Requires: python3-pyasn1-modules
Requires: python3-jsonschema
# External tools -- presumably invoked by the module at runtime; the callers
# are not visible in this spec.
Requires: tpm2-tools
Requires: openssl

%description -n python3-%{srcname}
The python3-keylime module implements the functionality used
by Keylime components.

%package verifier
Summary: The Python Keylime Verifier component
License: MIT

# Ships the verifier and CA entry points plus the verifier systemd unit
# (see the files section).
Requires: %{srcname}-base = %{version}-%{release}
Requires: python3-%{srcname} = %{version}-%{release}

%description verifier
The Keylime Verifier continuously verifies the integrity state
of the machine that the agent is running on.

%package registrar
Summary: The Keylime Registrar component
License: MIT

# Ships the registrar entry point plus its systemd unit (see the files section).
Requires: %{srcname}-base = %{version}-%{release}
Requires: python3-%{srcname} = %{version}-%{release}

%description registrar
The Keylime Registrar is a database of all agents registered
with Keylime and hosts the public keys of the TPM vendors.

%if 0%{?with_selinux}
# SELinux subpackage
# Independent policy module (see changelog 6.4.2-3); it is only recommended
# from the base subpackage when selinux-policy is installed.
%package selinux
Summary: keylime SELinux policy
BuildArch: noarch
Requires: selinux-policy-%{selinuxtype}
Requires(post): selinux-policy-%{selinuxtype}
BuildRequires: selinux-policy-devel
%{?selinux_requires}

%description selinux
Custom SELinux policy module
%endif

%package tenant
Summary: The Python Keylime Tenant
License: MIT

# Command-line tool only: no systemd unit is shipped for the tenant.
Requires: %{srcname}-base = %{version}-%{release}
Requires: python3-%{srcname} = %{version}-%{release}


%description tenant
The Keylime Tenant can be used to provision a Keylime Agent.

%prep
# -S git: apply the Patch entries with git (hence the git-core build
# dependency); -a2: also unpack the SELinux policy tarball (Source2) inside
# the source tree.
%autosetup -S git -n %{srcname}-%{version} -a2

%if 0%{?with_selinux}
# SELinux policy (originally from selinux-policy-contrib)
# this policy module will override the production module
# NOTE(review): nothing visible in this spec uses the "selinux" directory
# created here, and the devel Makefile presumably builds the .pp from a .te
# in the current directory while Source2 unpacks into
# keylime-selinux-<policy_version>/ -- confirm how the .te reaches the top level.
mkdir selinux

make -f %{_datadir}/selinux/devel/Makefile %{srcname}.pp
bzip2 -9 %{srcname}.pp
%endif

%build
%py3_build

%install
%py3_install
# State, runtime and log directories; final ownership/modes are set in the
# files section and in the posttrans scriptlet of the base subpackage.
mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname}
mkdir -p --mode=0700 %{buildroot}/%{_rundir}/%{srcname}
mkdir -p --mode=0700 %{buildroot}/%{_localstatedir}/log/%{srcname}

# One drop-in directory per component next to its main config file; the
# config files are installed 0400 so only their owner can read them.
mkdir -p --mode=0700 %{buildroot}/%{_sysconfdir}/%{srcname}/
for comp in "verifier" "tenant" "registrar" "ca" "logging"; do
    mkdir -p --mode=0700 %{buildroot}/%{_sysconfdir}/%{srcname}/${comp}.conf.d
    install -Dpm 400 config/${comp}.conf %{buildroot}/%{_sysconfdir}/%{srcname}
done

# Ship some scripts.
mkdir -p %{buildroot}/%{_datadir}/%{srcname}/scripts
for s in create_runtime_policy.sh \
         create_mb_refstate \
         ek-openssl-verify; do
    install -Dpm 755 scripts/${s} \
        %{buildroot}/%{_datadir}/%{srcname}/scripts/${s}
done

# Ship configuration templates.
# Presumably consumed by keylime_upgrade_config (installed below) -- confirm.
cp -r ./templates %{buildroot}%{_datadir}/%{srcname}/templates/

mkdir -p --mode=0755 %{buildroot}/%{_bindir}
install -Dpm 755 ./keylime/cmd/convert_config.py %{buildroot}/%{_bindir}/keylime_upgrade_config

%if 0%{?with_selinux}
# Compressed policy module built in the prep section, plus the interface file
# so other policies can reference keylime types.
install -D -m 0644 %{srcname}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2
install -D -p -m 0644 keylime-selinux-%{policy_version}/%{srcname}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
%endif

install -Dpm 644 ./services/%{srcname}_verifier.service \
    %{buildroot}%{_unitdir}/%{srcname}_verifier.service

install -Dpm 644 ./services/%{srcname}_registrar.service \
    %{buildroot}%{_unitdir}/%{srcname}_registrar.service

# TPM vendor certificate store; certificates are owner-read-only.
cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/
chmod 400 %{buildroot}%{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem

# tmpfiles entry recreates the runtime directory at boot with the same
# owner-only 0700 mode.
install -p -d %{buildroot}/%{_tmpfilesdir}
cat > %{buildroot}/%{_tmpfilesdir}/%{srcname}.conf << EOF
d %{_rundir}/%{srcname} 0700 %{srcname} %{srcname} -
EOF

install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/%{srcname}.conf

%pre base
# Create the service user and group from the sysusers.d fragment (Source1)
# before any file owned by them is unpacked.
%sysusers_create_compat %{SOURCE1}
exit 0

%post base
# Migrate the ca and logging configuration to the current layout.  Only
# stdout is discarded, so tool errors still reach the rpm output; a failure
# never aborts the transaction.
/usr/bin/keylime_upgrade_config --component ca --component logging >/dev/null
exit 0

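%posttrans base
# Fix ownership and modes of the configuration and state directories once the
# whole transaction is done, so content left behind by earlier releases ends
# up owned by the service user.  Everything is best-effort: always exits 0.
#
# NOTE(review): the service user owns these directories and an owner can
# always chmod its own files, so the 500/400 modes keep other unprivileged
# users out; they are not a boundary against the keylime service itself.
if [ -d %{_sysconfdir}/%{srcname} ]; then
    chmod 500 %{_sysconfdir}/%{srcname}
    chown -R %{srcname}:%{srcname} %{_sysconfdir}/%{srcname}

    for comp in "verifier" "tenant" "registrar" "ca" "logging"; do
        [ -d %{_sysconfdir}/%{srcname}/${comp}.conf.d ] && \
            chmod 500 %{_sysconfdir}/%{srcname}/${comp}.conf.d
    done
fi

[ -d %{_sharedstatedir}/%{srcname} ] && \
    chown -R %{srcname} %{_sharedstatedir}/%{srcname}/

# The certificate and directory chmods are independent: an empty store
# (unmatched *.pem glob) must not prevent the directory mode from being set.
if [ -d %{_sharedstatedir}/%{srcname}/tpm_cert_store ]; then
    for pem in %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem; do
        [ -f "${pem}" ] && chmod 400 "${pem}"
    done
    chmod 500 %{_sharedstatedir}/%{srcname}/tpm_cert_store/
fi

[ -d %{_localstatedir}/log/%{srcname} ] && \
    chown -R %{srcname} %{_localstatedir}/log/%{srcname}/
exit 0
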
%post verifier
# Upgrade the component configuration first, then the standard systemd post
# handling for the unit.  Only stdout of the upgrade tool is discarded.
/usr/bin/keylime_upgrade_config --component verifier >/dev/null
%systemd_post %{srcname}_verifier.service
exit 0

%post registrar
/usr/bin/keylime_upgrade_config --component registrar >/dev/null
%systemd_post %{srcname}_registrar.service
exit 0

%post tenant
# No systemd unit is shipped for the tenant: only the config upgrade runs.
/usr/bin/keylime_upgrade_config --component tenant >/dev/null
exit 0

# Standard systemd unit lifecycle for the two daemons: preun handles erase,
# postun handles restart on upgrade.
%preun verifier
%systemd_preun %{srcname}_verifier.service

%preun registrar
%systemd_preun %{srcname}_registrar.service

%postun verifier
%systemd_postun_with_restart %{srcname}_verifier.service

%postun registrar
%systemd_postun_with_restart %{srcname}_registrar.service

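%if 0%{?with_selinux}
# SELinux contexts are saved so that only affected files can be
# relabeled after the policy module installation
%pre selinux
%selinux_relabel_pre -s %{selinuxtype}

%post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2
%selinux_relabel_post -s %{selinuxtype}

if [ "$1" -le "1" ]; then # First install
    # The services need to be restarted for the custom label to be
    # applied in case they were already present in the system,
    # restart fails silently in case they were not.
    # An explicit if-block is used rather than "test && macro": the restart
    # macro may expand to several shell lines, which must not be glued onto
    # a line continuation.
    for svc in agent registrar verifier; do
        if [ -f "%{_unitdir}/%{srcname}_${svc}.service" ]; then
            %systemd_postun_with_restart "%{srcname}_${svc}.service"
        fi
    done
fi
exit 0

%postun selinux
# Only on full removal ($1 == 0), never on upgrade.
if [ "$1" -eq 0 ]; then
    %selinux_modules_uninstall -s %{selinuxtype} %{srcname}
    %selinux_relabel_post -s %{selinuxtype}
fi
%endif
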
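%files verifier
%license LICENSE
# Drop-in directory and main config are owned by the service user and not
# writable by it (500/400).  The config is rewritten by the upgrade tool in
# the post scriptlet, hence the relaxed verify flags (see changelog 7.3.0-4).
%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/verifier.conf.d
%config(noreplace) %verify(not md5 size mode mtime) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/verifier.conf
%{_bindir}/%{srcname}_verifier
%{_bindir}/%{srcname}_ca
# Unit name via srcname, consistent with the install section.
%{_unitdir}/%{srcname}_verifier.service
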
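%files registrar
%license LICENSE
# Same ownership/mode scheme as the verifier: service user owns the config,
# nobody else can read it, and the upgrade tool may rewrite it in post.
%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/registrar.conf.d
%config(noreplace) %verify(not md5 size mode mtime) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/registrar.conf
%{_bindir}/%{srcname}_registrar
# Unit name via srcname, consistent with the install section.
%{_unitdir}/%{srcname}_registrar.service
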
%if 0%{?with_selinux}
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.*
%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
# The entry in the active policy store is created by the post scriptlet, so
# it is a ghost whose attributes are not verified.
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{srcname}
%endif

%files tenant
%license LICENSE
# Same ownership/mode scheme as the daemons' configs.
%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/tenant.conf.d
%config(noreplace) %verify(not md5 size mode mtime) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/tenant.conf
%{_bindir}/%{srcname}_tenant

%files -n python3-%{srcname}
%license LICENSE
%{python3_sitelib}/%{srcname}-*.egg-info/
%{python3_sitelib}/%{srcname}
# Helper script shipped with the module; the scripts directory itself is
# owned by the base subpackage, which this one requires.
%{_datadir}/%{srcname}/scripts/create_mb_refstate
# Policy and attestation command-line entry points provided by the module.
%{_bindir}/keylime_attest
%{_bindir}/keylime_convert_runtime_policy
%{_bindir}/keylime_create_policy
%{_bindir}/keylime_sign_runtime_policy
%{_bindir}/keylime_userdata_encrypt

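%files base
%license LICENSE
%doc README.md
# Own the configuration root itself (created in the install section and
# tightened again by the posttrans scriptlet) instead of leaving it unowned.
%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}
%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/{ca,logging}.conf.d
%config(noreplace) %verify(not md5 size mode mtime) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/ca.conf
%config(noreplace) %verify(not md5 size mode mtime) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/logging.conf
# Runtime, log and state directories are private to the service user.
%attr(700,%{srcname},%{srcname}) %dir %{_rundir}/%{srcname}
%attr(700,%{srcname},%{srcname}) %dir %{_localstatedir}/log/%{srcname}
%attr(700,%{srcname},%{srcname}) %dir %{_sharedstatedir}/%{srcname}
%attr(500,%{srcname},%{srcname}) %dir %{_sharedstatedir}/%{srcname}/tpm_cert_store
%attr(400,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem
%{_tmpfilesdir}/%{srcname}.conf
%{_sysusersdir}/%{srcname}.conf
# Own the shared data directories too; the other subpackages only list the
# files they add below them.
%dir %{_datadir}/%{srcname}
%dir %{_datadir}/%{srcname}/scripts
%{_datadir}/%{srcname}/scripts/create_runtime_policy.sh
%{_datadir}/%{srcname}/scripts/ek-openssl-verify
%{_datadir}/%{srcname}/templates
%{_bindir}/keylime_upgrade_config
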
%files
# Metapackage: no payload of its own beyond the license; everything else is
# pulled in through the Requires on the subpackages.
%license LICENSE

# Newest entry first; "Resolves:" / "Related:" reference the Bugzilla (rhbz#)
# or Jira (RHEL-) ticket for each change.
%changelog
* Fri Sep 01 2023 Sergio Correia <scorreia@redhat.com> - 7.3.0-8
- Add missing dependencies python3-jinja2 and util-linux
  Resolves: RHEL-1898

* Mon Aug 28 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.3.0-7
- Automatically update agent API version
  Resolves: RHEL-1518

* Mon Aug 28 2023 Sergio Correia <scorreia@redhat.com> - 7.3.0-6
- Fix registrar is subject to a DoS against SSL (CVE-2023-38200)
  Resolves: rhbz#2222694

* Fri Aug 25 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.3.0-5
- Fix challenge-protocol bypass during agent registration (CVE-2023-38201)
  Resolves: rhbz#2222695

* Tue Aug 22 2023 Sergio Correia <scorreia@redhat.com> - 7.3.0-4
- Update spec file to use %verify(not md5 size mode mtime) for files updated in %post scriptlets
  Resolves: RHEL-475

* Tue Aug 15 2023 Sergio Correia <scorreia@redhat.com> - 7.3.0-3
- Fix Keylime configuration upgrades issues introduced in last rebase
  Resolves: RHEL-475
- Handle session close using a session manager
  Resolves: RHEL-1252
- Add ignores for EV_PLATFORM_CONFIG_FLAGS
  Resolves: RHEL-947

* Tue Aug 8 2023 Patrik Koncity <pkoncity@redhat.com> - 7.3.0-2
- Keylime SELinux policy provides more restricted ports.
- New SELinux label for ports used by keylime.
- Adding tabrmd interfaces allow unix stream socket communication and dbus communication.
- Allow the keylime_server_t domain to get the attributes of all filesystems.
  Resolves: RHEL-595
  Resolves: RHEL-390
  Resolves: RHEL-948

* Wed Jul 19 2023 Sergio Correia <scorreia@redhat.com> - 7.3.0-1
- Update to 7.3.0
  Resolves: RHEL-475

* Fri Jan 13 2023 Sergio Correia <scorreia@redhat.com> - 6.5.2-4
- Backport upstream PR#1240 - logging: remove option to log into separate file
  Resolves: rhbz#2154584 - keylime verifier is not logging to /var/log/keylime

* Thu Dec 1 2022 Sergio Correia <scorreia@redhat.com> - 6.5.2-3
- Remove leftover policy file
  Related: rhbz#2152135

* Thu Dec 1 2022 Patrik Koncity <pkoncity@redhat.com> - 6.5.2-2
- Use keylime selinux policy from upstream.
  Resolves: rhbz#2152135

* Mon Nov 14 2022 Sergio Correia <scorreia@redhat.com> - 6.5.2-1
- Update to 6.5.2
  Resolves: CVE-2022-3500
  Resolves: rhbz#2138167 - agent fails IMA attestation when one scripts is executed quickly after the other
  Resolves: rhbz#2140670 - Segmentation fault in /usr/share/keylime/create_mb_refstate script
  Resolves: rhbz#142009 - Registrar may crash during EK validation when require_ek_cert is enabled

* Tue Sep 13 2022 Sergio Correia <scorreia@redhat.com> - 6.5.0-1
- Update to 6.5.0
  Resolves: rhbz#2120686 - Keylime configuration is too complex

* Fri Aug 26 2022 Sergio Correia <scorreia@redhat.com> - 6.4.3-1
- Update to 6.4.3
  Resolves: rhbz#2121044 - Error parsing EK ASN.1 certificate of Nuvoton HW TPM

* Fri Aug 26 2022 Patrik Koncity <pkoncity@redhat.com> - 6.4.2-6
- Update keylime SELinux policy
- Resolves: rhbz#2121058

* Fri Aug 26 2022 Patrik Koncity <pkoncity@redhat.com> - 6.4.2-5
- Update keylime SELinux policy and removed duplicate rules
- Resolves: rhbz#2121058

* Fri Aug 26 2022 Patrik Koncity <pkoncity@redhat.com> - 6.4.2-4
- Update keylime SELinux policy
- Resolves: rhbz#2121058

* Wed Aug 17 2022 Patrik Koncity <pkoncity@redhat.com> - 6.4.2-3
- Add keylime-selinux policy as subpackage
- See https://fedoraproject.org/wiki/SELinux/IndependentPolicy
- Resolves: rhbz#2121058

* Mon Jul 11 2022 Sergio Correia <scorreia@redhat.com> - 6.4.2-2
- Fix efivar-libs dependency
  Related: rhbz#2082989

* Thu Jul 07 2022 Sergio Correia <scorreia@redhat.com> - 6.4.2-1
- Update to 6.4.2
  Related: rhbz#2082989

* Tue Jun 21 2022 Sergio Correia <scorreia@redhat.com> - 6.4.1-1
- Add keylime to RHEL-9
  Resolves: rhbz#2082989