rpms/keylime
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Use source file for keylime selinux from upstream.

Browse Source 
Download keylime selinux upstream as tarball file and
build it.

Resolves: rhbz#2152135
This commit is contained in:
Patrik Koncity 2022-12-01 15:54:42 +01:00
parent 6c01a5e3ec
commit 12403b5c1c
5 changed files with 11 additions and 173 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -3,3 +3,4 @@
/v6.4.3.tar.gz /v6.4.3.tar.gz
/v6.5.0.tar.gz /v6.5.0.tar.gz
/v6.5.2.tar.gz /v6.5.2.tar.gz
/keylime-selinux-1.0.0.tar.gz

24
keylime.fc
View File

@ -1,24 +0,0 @@
/usr/bin/keylime_agent -- gen_context(system_u:object_r:keylime_agent_exec_t,s0)
/usr/bin/keylime_ima_emulator -- gen_context(system_u:object_r:keylime_agent_exec_t,s0)
/usr/bin/keylime_userdata_encrypt -- gen_context(system_u:object_r:keylime_agent_exec_t,s0)
/usr/bin/keylime_ca -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
/usr/bin/keylime_migrations_apply -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
/usr/bin/keylime_registrar -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
/usr/bin/keylime_verifier -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
/usr/bin/keylime_tenant -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
/usr/local/bin/keylime_agent -- gen_context(system_u:object_r:keylime_agent_exec_t,s0)
/usr/local/bin/keylime_ima_emulator -- gen_context(system_u:object_r:keylime_agent_exec_t,s0)
/usr/local/bin/keylime_userdata_encrypt -- gen_context(system_u:object_r:keylime_agent_exec_t,s0)
/usr/local/bin/keylime_ca -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
/usr/local/bin/keylime_migrations_apply -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
/usr/local/bin/keylime_registrar -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
/usr/local/bin/keylime_verifier -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
/usr/local/bin/keylime_tenant -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
/var/lib/keylime(/.*)? gen_context(system_u:object_r:keylime_var_lib_t,s0)
/var/lib/keylime-agent(/.*)? gen_context(system_u:object_r:keylime_var_lib_t,s0)
/var/log/keylime(/.*)? gen_context(system_u:object_r:keylime_log_t,s0)

18
keylime.spec
View File

@ -1,4 +1,5 @@
%global srcname keylime %global srcname keylime
%global policy_version 1.0.0
%global with_selinux 1 %global with_selinux 1
%global selinuxtype targeted %global selinuxtype targeted
@ -8,15 +9,13 @@
Name: keylime Name: keylime
Version: 6.5.2 Version: 6.5.2
Release: 1%{?dist} Release: 2%{?dist}
Summary: Open source TPM software for Bootstrapping and Maintaining Trust Summary: Open source TPM software for Bootstrapping and Maintaining Trust
URL: https://github.com/keylime/keylime URL: https://github.com/keylime/keylime
Source0: https://github.com/keylime/keylime/archive/refs/tags/v%{version}.tar.gz Source0: https://github.com/keylime/keylime/archive/refs/tags/v%{version}.tar.gz
Source1: %{srcname}.sysusers Source1: %{srcname}.sysusers
Source2: %{srcname}.te Source2: https://github.com/RedHat-SP-Security/%{name}-selinux/archive/v%{policy_version}/keylime-selinux-%{policy_version}.tar.gz
Source3: %{srcname}.if
Source4: %{srcname}.fc
Patch0: 0001-Do-not-use-default-values-that-need-reading-the-conf.patch Patch0: 0001-Do-not-use-default-values-that-need-reading-the-conf.patch
Patch1: 0002-Switch-to-sha256-hashes-for-signatures.patch Patch1: 0002-Switch-to-sha256-hashes-for-signatures.patch
@ -143,15 +142,12 @@ Requires: python3-%{srcname} = %{version}-%{release}
The Keylime Tenant can be used to provision a Keylime Agent. The Keylime Tenant can be used to provision a Keylime Agent.
%prep %prep
%autosetup -S git -n %{srcname}-%{version} %autosetup -S git -n %{srcname}-%{version} -a2
%if 0%{?with_selinux} %if 0%{?with_selinux}
# SELinux policy (originally from selinux-policy-contrib) # SELinux policy (originally from selinux-policy-contrib)
# this policy module will override the production module # this policy module will override the production module
mkdir selinux mkdir selinux
cp -p %{SOURCE2} selinux/
cp -p %{SOURCE3} selinux/
cp -p %{SOURCE4} selinux/
make -f %{_datadir}/selinux/devel/Makefile %{srcname}.pp make -f %{_datadir}/selinux/devel/Makefile %{srcname}.pp
bzip2 -9 %{srcname}.pp bzip2 -9 %{srcname}.pp
@ -195,7 +191,7 @@ done
%if 0%{?with_selinux} %if 0%{?with_selinux}
install -D -m 0644 %{srcname}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2 install -D -m 0644 %{srcname}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2
install -D -p -m 0644 selinux/%{srcname}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{srcname}.if install -D -p -m 0644 keylime-selinux-%{policy_version}/%{srcname}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
%endif %endif
@ -345,6 +341,10 @@ fi
%license LICENSE %license LICENSE
%changelog %changelog
* Thu Dec 1 2022 Patrik Koncity <pkoncity@redhat.com> - 6.5.2-2
- Use keylime selinux policy from upstream.
Resolves: rhbz#2152135
* Mon Nov 14 2022 Sergio Correia <scorreia@redhat.com> - 6.5.2-1 * Mon Nov 14 2022 Sergio Correia <scorreia@redhat.com> - 6.5.2-1
- Update to 6.5.2 - Update to 6.5.2
Resolves: CVE-2022-3500 Resolves: CVE-2022-3500

140
keylime.te
View File

@ -1,140 +0,0 @@
policy_module(keylime, 1.0.0)
########################################
#
# Declarations
#
attribute keylime_domain;
type keylime_agent_t;
keylime_use_keylime_domain(keylime_agent_t)
type keylime_agent_exec_t;
init_daemon_domain(keylime_agent_t, keylime_agent_exec_t)
type keylime_server_t;
keylime_use_keylime_domain(keylime_server_t)
type keylime_server_exec_t;
init_daemon_domain(keylime_server_t, keylime_server_exec_t)
type keylime_log_t;
logging_log_file(keylime_log_t)
type keylime_var_lib_t;
files_type(keylime_var_lib_t)
type keylime_tmp_t;
files_tmp_file(keylime_tmp_t)
########################################
#
# keylime domain policy
#
allow keylime_domain self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(keylime_domain, keylime_tmp_t, keylime_tmp_t)
manage_files_pattern(keylime_domain, keylime_tmp_t, keylime_tmp_t)
files_tmp_filetrans(keylime_domain, keylime_tmp_t, { dir file })
manage_dirs_pattern(keylime_domain, keylime_var_lib_t, keylime_var_lib_t)
manage_files_pattern(keylime_domain, keylime_var_lib_t, keylime_var_lib_t)
files_var_lib_filetrans(keylime_domain, keylime_var_lib_t, { dir file lnk_file })
corecmd_exec_bin(keylime_domain)
corenet_tcp_bind_generic_node(keylime_domain)
corenet_tcp_bind_all_ports(keylime_domain)
corenet_tcp_connect_all_unreserved_ports(keylime_domain)
dev_read_sysfs(keylime_domain)
fs_tmpfs_filetrans(keylime_domain, keylime_var_lib_t, { dir file })
init_named_socket_activation(keylime_domain, keylime_var_lib_t, "keylime")
miscfiles_read_generic_certs(keylime_domain)
sysnet_read_config(keylime_domain)
userdom_exec_user_tmp_files(keylime_domain)
userdom_manage_user_tmp_dirs(keylime_domain)
userdom_manage_user_tmp_files(keylime_domain)
########################################
#
# keylime server policy
#
allow keylime_server_t self:netlink_route_socket { create_stream_socket_perms nlmsg_read };
allow keylime_server_t self:udp_socket create_stream_socket_perms;
manage_dirs_pattern(keylime_server_t, keylime_log_t, keylime_log_t)
manage_files_pattern(keylime_server_t, keylime_log_t, keylime_log_t)
fs_rw_inherited_tmpfs_files(keylime_server_t)
optional_policy(`
gpg_exec(keylime_server_t)
')
optional_policy(`
kerberos_read_config(keylime_server_t)
kerberos_read_keytab(keylime_server_t)
')
optional_policy(`
sssd_run_stream_connect(keylime_server_t)
')
########################################
#
# keylime agent policy
#
#work with /var/lib/keylime/secure
allow keylime_agent_t self:capability { chown dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
allow keylime_agent_t self:chr_file getattr;
#FIX ME, add to tabrmd policy interface related with this
allow keylime_agent_t domain:unix_stream_socket rw_stream_socket_perms; #selint-disable:W-001
dev_rw_tpm(keylime_agent_t)
exec_files_pattern(keylime_agent_t, keylime_var_lib_t, keylime_var_lib_t)
files_read_var_lib_files(keylime_agent_t)
fs_dontaudit_search_cgroup_dirs(keylime_agent_t)
fs_getattr_cgroup(keylime_agent_t)
fs_mount_tmpfs(keylime_agent_t)
fs_setattr_tmpfs_dirs(keylime_agent_t)
init_dontaudit_stream_connect(keylime_agent_t)
kernel_read_all_proc(keylime_agent_t)
userdom_dontaudit_search_user_home_dirs(keylime_agent_t)
auth_read_passwd(keylime_agent_t)
keylime_mounton_var_lib(keylime_agent_t)
mount_domtrans(keylime_agent_t)
selinux_read_policy(keylime_agent_t)
optional_policy(`
#FIX ME, add to tabrmd policy interface related with this
#https://github.com/tpm2-software/tpm2-abrmd/blob/master/selinux
dbus_chat_system_bus(keylime_agent_t)
')
optional_policy(`
dbus_stream_connect_system_dbusd(keylime_agent_t)
dbus_system_bus_client(keylime_agent_t)
')
optional_policy(`
systemd_userdbd_stream_connect(keylime_agent_t)
systemd_machined_stream_connect(keylime_agent_t)
')

1
sources
View File

@ -1 +1,2 @@
SHA512 (v6.5.2.tar.gz) = de73de8d88dbf3bf394ea65036ef22cd5098318c09ff92b5548af2344a9a6f28d2432356d792b0eae72fe619255c4ecfa51f5c7d185b9612a4a04d2fb8e91649 SHA512 (v6.5.2.tar.gz) = de73de8d88dbf3bf394ea65036ef22cd5098318c09ff92b5548af2344a9a6f28d2432356d792b0eae72fe619255c4ecfa51f5c7d185b9612a4a04d2fb8e91649
SHA512 (keylime-selinux-1.0.0.tar.gz) = d0b4fea7407ad493b08e6f087e8f32b1a65acbee59bf6e20a0e26aaa139f56c1206c7e707898fd8a2e11468cd918f76cb6985f68b8a2faa8a2a4b7a9ba4c3674