import keylime-6.5.2-4.el9

.gitignore

@@ -1 +1,2 @@
-SOURCES/v6.4.3.tar.gz
+SOURCES/keylime-selinux-1.0.0.tar.gz
+SOURCES/v6.5.2.tar.gz

.keylime.metadata

@@ -1 +1,2 @@
-097e4062bdb09385bf9679f6411a42825e4f6bec SOURCES/v6.4.3.tar.gz
+a1154fc19d2ae6f52b6b77a39e62d2420c0f4c5e SOURCES/keylime-selinux-1.0.0.tar.gz
+1c311bc1d3ab6c8050fd819410c593392187c2fa SOURCES/v6.5.2.tar.gz

SOURCES/0001-Do-not-use-default-values-that-need-reading-the-conf.patch

@@ -0,0 +1,130 @@
+From d6dd71e3a3fe8e822fbcaa0d88f19a0c3332cacd Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Tue, 15 Nov 2022 07:09:13 -0300
+Subject: [PATCH] Do not use default values that need reading the config in
+ methods
+
+Following up from the recent refactoring that moved the EK validation
+to cert_utils, in a few places were added default method values that
+were reading the configuration files directly.
+
+It was not such a great idea becasue it then made those config files as
+required to even import the modules.
+
+Example "from keylime import cert_utils" now also requires that the
+tenant configuration be available for getting the path for the TPM
+cert store.
+
+Let's stop doing that.
+
+Signed-off-by: Sergio Correia <scorreia@redhat.com>
+---
+ keylime/cert_utils.py       | 5 +++--
+ keylime/tenant.py           | 2 +-
+ keylime/tpm/tpm_abstract.py | 2 +-
+ keylime/tpm/tpm_main.py     | 4 ++--
+ keylime/tpm_ek_ca.py        | 6 +++---
+ 5 files changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/keylime/cert_utils.py b/keylime/cert_utils.py
+index d2fc54d..3576c64 100644
+--- a/keylime/cert_utils.py
++++ b/keylime/cert_utils.py
+@@ -12,7 +12,7 @@ from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
+ from pyasn1.codec.der import decoder, encoder
+ from pyasn1_modules import pem, rfc2459
+ 
+-from keylime import config, keylime_logging, tpm_ek_ca
++from keylime import keylime_logging, tpm_ek_ca
+ 
+ # Issue #944 -- python-cryptography won't parse malformed certs,
+ # such as some Nuvoton ones we have encountered in the field.
+@@ -56,9 +56,10 @@ def x509_pem_cert(pem_cert_data: str):
+         return x509.load_der_x509_certificate(data=encoder.encode(pyasn1_cert), backend=default_backend())
+ 
+ 
+-def verify_ek(ekcert, tpm_cert_store=config.get("tenant", "tpm_cert_store")):
++def verify_ek(ekcert: bytes, tpm_cert_store: str) -> bool:
+     """Verify that the provided EK certificate is signed by a trusted root
+     :param ekcert: The Endorsement Key certificate in DER format
++    :param tpm_cert_store: The path for the TPM certificate store
+     :returns: True if the certificate can be verified, False otherwise
+     """
+     try:
+diff --git a/keylime/tenant.py b/keylime/tenant.py
+index b574d04..076b849 100644
+--- a/keylime/tenant.py
++++ b/keylime/tenant.py
+@@ -430,7 +430,7 @@ class Tenant:
+             elif ekcert is None:
+                 logger.warning("No EK cert provided, require_ek_cert option in config set to True")
+                 return False
+-            elif not self.tpm_instance.verify_ek(base64.b64decode(ekcert)):
++            elif not self.tpm_instance.verify_ek(base64.b64decode(ekcert), config.get("tenant", "tpm_cert_store")):
+                 logger.warning("Invalid EK certificate")
+                 return False
+ 
+diff --git a/keylime/tpm/tpm_abstract.py b/keylime/tpm/tpm_abstract.py
+index ff41837..df6222c 100644
+--- a/keylime/tpm/tpm_abstract.py
++++ b/keylime/tpm/tpm_abstract.py
+@@ -97,7 +97,7 @@ class AbstractTPM(metaclass=ABCMeta):
+         pass
+ 
+     @abstractmethod
+-    def verify_ek(self, ekcert):
++    def verify_ek(self, ekcert, tpm_cert_store):
+         pass
+ 
+     @abstractmethod
+diff --git a/keylime/tpm/tpm_main.py b/keylime/tpm/tpm_main.py
+index e1d1cf8..e244dfa 100644
+--- a/keylime/tpm/tpm_main.py
++++ b/keylime/tpm/tpm_main.py
+@@ -776,12 +776,12 @@ class tpm(tpm_abstract.AbstractTPM):
+                 os.remove(sesspath)
+         return key
+ 
+-    def verify_ek(self, ekcert):
++    def verify_ek(self, ekcert, tpm_cert_store):
+         """Verify that the provided EK certificate is signed by a trusted root
+         :param ekcert: The Endorsement Key certificate in DER format
+         :returns: True if the certificate can be verified, false otherwise
+         """
+-        return cert_utils.verify_ek(ekcert)
++        return cert_utils.verify_ek(ekcert, tpm_cert_store)
+ 
+     def get_tpm_manufacturer(self, output=None):
+         vendorStr = None
+diff --git a/keylime/tpm_ek_ca.py b/keylime/tpm_ek_ca.py
+index fb66c07..bc84571 100644
+--- a/keylime/tpm_ek_ca.py
++++ b/keylime/tpm_ek_ca.py
+@@ -1,13 +1,13 @@
+ import glob
+ import os
+ 
+-from keylime import config, keylime_logging
++from keylime import keylime_logging
+ 
+ logger = keylime_logging.init_logging("tpm_ek_ca")
+ trusted_certs = {}
+ 
+ 
+-def check_tpm_cert_store(tpm_cert_store=config.get("tenant", "tpm_cert_store")):
++def check_tpm_cert_store(tpm_cert_store):
+     if not os.path.isdir(tpm_cert_store):
+         logger.error("The directory %s does not exist.", tpm_cert_store)
+         raise Exception(f"The directory {tpm_cert_store} does not exist.")
+@@ -20,7 +20,7 @@ def check_tpm_cert_store(tpm_cert_store=config.get("tenant", "tpm_cert_store")):
+         raise Exception(f"The directory {tpm_cert_store} does not contain " f"any .pem files")
+ 
+ 
+-def cert_loader(tpm_cert_store=config.get("tenant", "tpm_cert_store")):
++def cert_loader(tpm_cert_store):
+     file_list = glob.glob(os.path.join(tpm_cert_store, "*.pem"))
+     my_trusted_certs = {}
+     for file_path in file_list:
+-- 
+2.38.1
+

SOURCES/0002-Switch-to-sha256-hashes-for-signatures.patch

@@ -0,0 +1,67 @@
+From 1f9ee7437f5b712a892c6d13ac8d75e128c1a16f Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.ibm.com>
+Date: Tue, 22 Nov 2022 10:56:43 -0500
+Subject: [PATCH] tests: Switch to sha256 hashes for signatures
+
+Resolves: https://github.com/keylime/keylime/issues/1202
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+ test/test_ima_ast.py          |  4 ++--
+ test/test_ima_verification.py | 12 ++++++------
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/test/test_ima_ast.py b/test/test_ima_ast.py
+index cd54f95f9..e7d3841a7 100644
+--- a/test/test_ima_ast.py
++++ b/test/test_ima_ast.py
+@@ -14,11 +14,11 @@
+ VALID_ENTRIES = {
+     "ima-sig-rsa": (
+         ast.ImaSig,
+-        "10 50873c47693cf9458e87eb4a02dd4f594f7a0c0f ima-sig sha1:1350320e5f7f51553bac8aa403489a1b135bc101 /usr/bin/dd 030202f3452d23010084c2a6cf7de1aeefa119220df0da265a7c44d34380f0d97002e7c778d09cfcf88c018e6595df3ee70eda926851f159332f852e7981a8fca1bc5e959958d06d234a0896861f13cc60da825905c8ed234df26c1deecfa816d5aa9bfb11b905e2814084a86b588be60423afada8dd0dd5a143774c6d890b64195ac42fb47ef5a9a00f0d6c80711d8e0c2b843ec38c02f60fd46bc46c7b4c329ad2dbb1b7625293703f9c739dc4c2bf0769126a2f3cb2cd031d1881cd0af64bf20fd474a993b48620f103a5c14999a2f17d60721bcc019a896b4138a688a59f50cb6cd94a4cfe3b8052e82dec025fef4feabb08c7ce412e3de850f903797e293ec27c329f57fd84e0",
++        "10 1e70a3e1af66f42826ad63b761b4cb9c4df195e1 ima-sig sha256:d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef /usr/bin/dd 030204f3452d2301009dd340c852f37e35748363586939d4199b6684be27e7c1236ca1528f708372ed9cd52a0d991f66448790f5616ed5bd7f9bbd22193b1e3e54f6bf29a1497945a34d1b418b24f4cbeaef897bf3cebca27065ebb8761b46bc2662fe76f141245b9186a5ac8493c7f4976cf0d6dfc085c3e503e3f771bc3ccb121230db76fd8aba4f45f060ad64ab3afd99b4e52824b9eba12e93e46f9dcb2fa01d9cef89f298a0da02a82a4fb56924afd3e3c277a1302d99f770d488449df2d43eb5b174a0a528827e6877b965c2f0b7c89cf1aa26a7417a892df4c2294e2872d62748b72ea04ecb0689b5d792e615a9bf9d56f6e0f298560bf9441df0a22729c5f23389f028c25f",
+     ),
+     "ima-sig-ec": (
+         ast.ImaSig,
+-        "10 06e804489a77ddab51b9ef27e17053c0e5d503bd ima-sig sha1:1cb84b12db45d7da8de58ba6744187db84082f0e /usr/bin/zmore 030202531f402500483046022100bff9c02dc7b270c83cc94bfec10eecd42831de2cdcb04f024369a14623bc3a91022100cc4d015ae932fb98d6846645ed7d1bb1afd4621ec9089bc087126f191886dd31",
++        "10 5d4d5141ccd5066d50dc3f21d79ba02fedc24256 ima-sig sha256:b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b /usr/bin/zmore 030204531f402500483046022100fe24678d21083ead47660e1a2d553a592d777c478d1b0466de6ed484b54956b3022100cad3adb37f277bbb03544d6107751b4cd4f2289d8353fa36257400a99334d5c3",
+     ),
+     "ima-sig-missing": (
+         ast.ImaSig,
+diff --git a/test/test_ima_verification.py b/test/test_ima_verification.py
+index bdb929c9c..d2fc9ef16 100644
+--- a/test/test_ima_verification.py
++++ b/test/test_ima_verification.py
+@@ -27,8 +27,8 @@
+         "/lib/modules/5.4.48-openpower1/kernel/drivers/gpu/drm/drm_panel_orientation_quirks.ko": [
+             "cd026b58efdf66658685430ff526490d54a430a3f0066a35ac26a8acab66c55d"
+         ],
+-        "/usr/bin/dd": ["1350320e5f7f51553bac8aa403489a1b135bc101"],
+-        "/usr/bin/zmore": ["1cb84b12db45d7da8de58ba6744187db84082f0e"],
++        "/usr/bin/dd": ["d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef"],
++        "/usr/bin/zmore": ["b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b"],
+         "/usr/bin/zless": ["233ad3a8e77c63a7d9a56063ec2cad1eafa58850"],
+     },
+     "keyrings": {
+@@ -50,8 +50,8 @@
+         "version": 1,
+     },
+     "hashes": {
+-        "/usr/bin/dd": ["1350320e5f7f51553bac8aa403489a1b135bc102"],
+-        "/usr/bin/zmore": ["1cb84b12db45d7da8de58ba6744187db84082f01"],
++        "/usr/bin/dd": ["bad05d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef"],
++        "/usr/bin/zmore": ["bad00b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b"],
+     },
+ }
+ 
+@@ -73,8 +73,8 @@
+ # 1st signature: RSA
+ # 2nd signature: EC
+ SIGNATURES = (
+-    "10 50873c47693cf9458e87eb4a02dd4f594f7a0c0f ima-sig sha1:1350320e5f7f51553bac8aa403489a1b135bc101 /usr/bin/dd 030202f3452d23010084c2a6cf7de1aeefa119220df0da265a7c44d34380f0d97002e7c778d09cfcf88c018e6595df3ee70eda926851f159332f852e7981a8fca1bc5e959958d06d234a0896861f13cc60da825905c8ed234df26c1deecfa816d5aa9bfb11b905e2814084a86b588be60423afada8dd0dd5a143774c6d890b64195ac42fb47ef5a9a00f0d6c80711d8e0c2b843ec38c02f60fd46bc46c7b4c329ad2dbb1b7625293703f9c739dc4c2bf0769126a2f3cb2cd031d1881cd0af64bf20fd474a993b48620f103a5c14999a2f17d60721bcc019a896b4138a688a59f50cb6cd94a4cfe3b8052e82dec025fef4feabb08c7ce412e3de850f903797e293ec27c329f57fd84e0\n"
+-    "10 06e804489a77ddab51b9ef27e17053c0e5d503bd ima-sig sha1:1cb84b12db45d7da8de58ba6744187db84082f0e /usr/bin/zmore 030202531f402500483046022100bff9c02dc7b270c83cc94bfec10eecd42831de2cdcb04f024369a14623bc3a91022100cc4d015ae932fb98d6846645ed7d1bb1afd4621ec9089bc087126f191886dd31\n"
++    "10 1e70a3e1af66f42826ad63b761b4cb9c4df195e1 ima-sig sha256:d33d5d13792292e202dbf69a6f1b07bc8a02f01424db8489ba7bb7d43c0290ef /usr/bin/dd 030204f3452d2301009dd340c852f37e35748363586939d4199b6684be27e7c1236ca1528f708372ed9cd52a0d991f66448790f5616ed5bd7f9bbd22193b1e3e54f6bf29a1497945a34d1b418b24f4cbeaef897bf3cebca27065ebb8761b46bc2662fe76f141245b9186a5ac8493c7f4976cf0d6dfc085c3e503e3f771bc3ccb121230db76fd8aba4f45f060ad64ab3afd99b4e52824b9eba12e93e46f9dcb2fa01d9cef89f298a0da02a82a4fb56924afd3e3c277a1302d99f770d488449df2d43eb5b174a0a528827e6877b965c2f0b7c89cf1aa26a7417a892df4c2294e2872d62748b72ea04ecb0689b5d792e615a9bf9d56f6e0f298560bf9441df0a22729c5f23389f028c25f\n"
++    "10 5d4d5141ccd5066d50dc3f21d79ba02fedc24256 ima-sig sha256:b8ae0b8dd04a5935cd8165aa2260cd11b658bd71629bdb52256a675a1f73907b /usr/bin/zmore 030204531f402500483046022100fe24678d21083ead47660e1a2d553a592d777c478d1b0466de6ed484b54956b3022100cad3adb37f277bbb03544d6107751b4cd4f2289d8353fa36257400a99334d5c3\n"
+ )
+ 
+ COMBINED = MEASUREMENTS + SIGNATURES

SOURCES/0003-logging-remove-option-to-log-into-separate-file.patch

@@ -0,0 +1,136 @@
+From eb5112dd597336b566378b3a157e76fe3cbbbfee Mon Sep 17 00:00:00 2001
+From: Thore Sommer <mail@thson.de>
+Date: Mon, 16 Jan 2023 07:26:08 -0300
+Subject: [PATCH 3/3] logging: remove option to log into separate file
+
+The implementation had the issue that only the main loggers were added and that
+the permissions were not set strict enough. Users should use the logging
+provided by systemd instead.
+
+Signed-off-by: Thore Sommer <mail@thson.de>
+---
+ keylime.conf                       | 10 ----------
+ keylime/keylime_logging.py         | 31 ------------------------------
+ scripts/templates/2.0/registrar.j2 |  9 ---------
+ scripts/templates/2.0/verifier.j2  |  9 ---------
+ 4 files changed, 59 deletions(-)
+
+diff --git a/keylime.conf b/keylime.conf
+index d896f9f..043b6a8 100644
+--- a/keylime.conf
++++ b/keylime.conf
+@@ -342,11 +342,6 @@ tomtou_errors = False
+ # signature check before storing them in the database.
+ require_allow_list_signatures = False
+ 
+-# Destination for log output, in addition to console. Values can be 'file', 
+-# with the file being named after the "service" - cloud_verifier - created under 
+-# /var/log/keylime), 'stream' or it can be left empty (which results in 
+-# logging to console only, recommended when running inside a container)
+-log_destination = file
+ 
+ #=============================================================================
+ [tenant]
+@@ -595,11 +590,6 @@ auto_migrate_db = True
+ # The file to use for SQLite persistence of provider hypervisor data.
+ prov_db_filename = provider_reg_data.sqlite
+ 
+-# Destination for log output, in addition to console. Values can be 'file',
+-# with the file being named after the "service" - registrar - created under
+-# /var/log/keylime), 'stream' or it can be left empty (which results in
+-# logging to console only, recommended when running inside a container)
+-log_destination = file
+ 
+ #=============================================================================
+ [ca]
+diff --git a/keylime/keylime_logging.py b/keylime/keylime_logging.py
+index bc8a11d..f7c7a8f 100644
+--- a/keylime/keylime_logging.py
++++ b/keylime/keylime_logging.py
+@@ -1,17 +1,10 @@
+ import logging
+-import os
+ from logging import Logger
+ from logging import config as logging_config
+ from typing import Any, Callable, Dict
+ 
+ from keylime import config
+ 
+-LOG_TO_FILE = set()
+-LOG_TO_STREAM = set()
+-LOGDIR = os.getenv("KEYLIME_LOGDIR", "/var/log/keylime")
+-# not clear that this works right.  console logging may not work
+-LOGSTREAM = os.path.join(LOGDIR, "keylime-stream.log")
+-
+ logging_config.fileConfig(config.get_config("logging"))
+ 
+ 
+@@ -50,31 +43,7 @@ def log_http_response(logger: Logger, loglevel: int, response_body: Dict[str, An
+ 
+ 
+ def init_logging(loggername: str) -> Logger:
+-
+-    if loggername in ("verifier", "registrar"):
+-        logdest = config.get(loggername, "log_destination", fallback="")
+-        if logdest == "file":
+-            LOG_TO_FILE.add(loggername)
+-        if logdest == "stream":
+-            LOG_TO_STREAM.add(loggername)
+-
+     logger = logging.getLogger(f"keylime.{loggername}")
+     logging.getLogger("requests").setLevel(logging.WARNING)
+-    mainlogger = logging.getLogger("keylime")
+-    basic_formatter = logging.Formatter("%(asctime)s %(name)s %(levelname)s %(message)s")
+-    if loggername in LOG_TO_FILE:
+-        logfilename = os.path.join(LOGDIR, f"{loggername}.log")
+-        if not os.path.exists(LOGDIR):
+-            os.makedirs(LOGDIR, 0o750)
+-        fh = logging.FileHandler(logfilename)
+-        fh.setLevel(logger.getEffectiveLevel())
+-        fh.setFormatter(basic_formatter)
+-        mainlogger.addHandler(fh)
+-
+-    if loggername in LOG_TO_STREAM:
+-        fh = logging.FileHandler(filename=LOGSTREAM, mode="w")
+-        fh.setLevel(logger.getEffectiveLevel())
+-        fh.setFormatter(basic_formatter)
+-        mainlogger.addHandler(fh)
+ 
+     return logger
+diff --git a/scripts/templates/2.0/registrar.j2 b/scripts/templates/2.0/registrar.j2
+index 3d92303..8de7a50 100644
+--- a/scripts/templates/2.0/registrar.j2
++++ b/scripts/templates/2.0/registrar.j2
+@@ -71,12 +71,3 @@ auto_migrate_db = {{ registrar.auto_migrate_db }}
+ 
+ # The file to use for SQLite persistence of provider hypervisor data.
+ prov_db_filename: {{ registrar.prov_db_filename }}
+-
+-# Destination for log output, in addition to console. If left empty, the log
+-# output will only be printed to console (recommended for containers to avoid
+-# filling data storage). The accepted values are:
+-# 'file': The log output will also be written to a file named after the
+-#         component in '/var/log/keylime/registrar.log'
+-# 'stream': The log output will be written to a common file in
+-#           'var/log/keylime/keylime-stream.log'
+-log_destination = {{ registrar.log_destination }}
+diff --git a/scripts/templates/2.0/verifier.j2 b/scripts/templates/2.0/verifier.j2
+index d1584df..7a66cb1 100644
+--- a/scripts/templates/2.0/verifier.j2
++++ b/scripts/templates/2.0/verifier.j2
+@@ -196,12 +196,3 @@ zmq_port = {{ verifier.zmq_port }}
+ 
+ # Webhook url for revocation notifications.
+ webhook_url = {{ verifier.webhook_url }}
+-
+-# Destination for log output, in addition to console. If left empty, the log
+-# output will only be printed to console (recommended for containers to avoid
+-# filling data storage). The accepted values are:
+-# 'file': The log output will also be written to a file named after the
+-#         component in '/var/log/keylime/verifier.log'
+-# 'stream': The log output will be written to a common file in
+-#           'var/log/keylime/keylime-stream.log'
+-log_destination = {{ verifier.log_destination }}
+-- 
+2.38.1
+

SOURCES/keylime.fc

@@ -1,24 +0,0 @@
-/usr/bin/keylime_agent		--	gen_context(system_u:object_r:keylime_agent_exec_t,s0)
-/usr/bin/keylime_ima_emulator		--	gen_context(system_u:object_r:keylime_agent_exec_t,s0)
-/usr/bin/keylime_userdata_encrypt		--	gen_context(system_u:object_r:keylime_agent_exec_t,s0)
-
-/usr/bin/keylime_ca		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
-/usr/bin/keylime_migrations_apply		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
-/usr/bin/keylime_registrar		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
-/usr/bin/keylime_verifier		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
-/usr/bin/keylime_tenant		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
-
-/usr/local/bin/keylime_agent		--	gen_context(system_u:object_r:keylime_agent_exec_t,s0)
-/usr/local/bin/keylime_ima_emulator		--	gen_context(system_u:object_r:keylime_agent_exec_t,s0)
-/usr/local/bin/keylime_userdata_encrypt		--	gen_context(system_u:object_r:keylime_agent_exec_t,s0)
-
-/usr/local/bin/keylime_ca		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
-/usr/local/bin/keylime_migrations_apply		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
-/usr/local/bin/keylime_registrar		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
-/usr/local/bin/keylime_verifier		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
-/usr/local/bin/keylime_tenant		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
-
-/var/lib/keylime(/.*)?		gen_context(system_u:object_r:keylime_var_lib_t,s0)
-/var/lib/keylime-agent(/.*)?		gen_context(system_u:object_r:keylime_var_lib_t,s0)
-
-/var/log/keylime(/.*)?		gen_context(system_u:object_r:keylime_log_t,s0)

SOURCES/keylime.if

@@ -1,37 +0,0 @@
-## <summary>policy for keylime</summary>
-
-########################################
-## <summary>
-##      Add to specified type to keylime_type attribute .
-## </summary>
-## <param name="type">
-##      <summary>
-##      Type to be used for keylime domains.
-##      </summary>
-## </param>
-#
-interface(`keylime_use_keylime_domain',`
-        gen_require(`
-                attribute keylime_domain;
-        ')
-
-        typeattribute $1 keylime_domain;
-')
-
-########################################
-## <summary>
-##      Mounton keylime lib directory.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`keylime_mounton_var_lib',`
-        gen_require(`
-                type keylime_var_lib_t;
-        ')
-
-        allow $1 keylime_var_lib_t:dir mounton;
-')

SOURCES/keylime.te

@@ -1,140 +0,0 @@
-policy_module(keylime, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-attribute keylime_domain;
-
-type keylime_agent_t;
-keylime_use_keylime_domain(keylime_agent_t)
-type keylime_agent_exec_t;
-init_daemon_domain(keylime_agent_t, keylime_agent_exec_t)
-
-type keylime_server_t;
-keylime_use_keylime_domain(keylime_server_t)
-type keylime_server_exec_t;
-init_daemon_domain(keylime_server_t, keylime_server_exec_t)
-
-type keylime_log_t;
-logging_log_file(keylime_log_t)
-
-type keylime_var_lib_t;
-files_type(keylime_var_lib_t)
-
-type keylime_tmp_t;
-files_tmp_file(keylime_tmp_t)
-
-########################################
-#
-# keylime domain policy
-#
-
-allow keylime_domain self:tcp_socket create_stream_socket_perms;
-
-manage_dirs_pattern(keylime_domain, keylime_tmp_t, keylime_tmp_t)
-manage_files_pattern(keylime_domain, keylime_tmp_t, keylime_tmp_t)
-files_tmp_filetrans(keylime_domain, keylime_tmp_t, { dir file })
-
-manage_dirs_pattern(keylime_domain, keylime_var_lib_t, keylime_var_lib_t)
-manage_files_pattern(keylime_domain, keylime_var_lib_t, keylime_var_lib_t)
-files_var_lib_filetrans(keylime_domain, keylime_var_lib_t, { dir file lnk_file })
-
-corecmd_exec_bin(keylime_domain)
-
-corenet_tcp_bind_generic_node(keylime_domain)
-corenet_tcp_bind_all_ports(keylime_domain)
-corenet_tcp_connect_all_unreserved_ports(keylime_domain)
-
-dev_read_sysfs(keylime_domain)
-
-fs_tmpfs_filetrans(keylime_domain, keylime_var_lib_t, { dir file })
-
-init_named_socket_activation(keylime_domain, keylime_var_lib_t, "keylime")
-
-miscfiles_read_generic_certs(keylime_domain)
-
-sysnet_read_config(keylime_domain)
-
-userdom_exec_user_tmp_files(keylime_domain)
-userdom_manage_user_tmp_dirs(keylime_domain)
-userdom_manage_user_tmp_files(keylime_domain)
-
-########################################
-#
-# keylime server policy
-#
-
-allow keylime_server_t self:netlink_route_socket { create_stream_socket_perms nlmsg_read };
-allow keylime_server_t self:udp_socket create_stream_socket_perms;
-
-manage_dirs_pattern(keylime_server_t, keylime_log_t, keylime_log_t)
-manage_files_pattern(keylime_server_t, keylime_log_t, keylime_log_t)
-
-fs_rw_inherited_tmpfs_files(keylime_server_t)
-
-optional_policy(`
-        gpg_exec(keylime_server_t)
-')
-
-optional_policy(`
-        kerberos_read_config(keylime_server_t)
-        kerberos_read_keytab(keylime_server_t)
-')
-
-optional_policy(`
-        sssd_run_stream_connect(keylime_server_t)
-')
-
-
-########################################
-#
-# keylime agent policy
-#
-#work with /var/lib/keylime/secure
-allow keylime_agent_t self:capability { chown dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
-allow keylime_agent_t self:chr_file getattr;
-
-#FIX ME, add to tabrmd policy interface related with this
-allow keylime_agent_t domain:unix_stream_socket rw_stream_socket_perms; #selint-disable:W-001
-
-dev_rw_tpm(keylime_agent_t)
-
-exec_files_pattern(keylime_agent_t, keylime_var_lib_t, keylime_var_lib_t)
-files_read_var_lib_files(keylime_agent_t)
-
-fs_dontaudit_search_cgroup_dirs(keylime_agent_t)
-fs_getattr_cgroup(keylime_agent_t)
-fs_mount_tmpfs(keylime_agent_t)
-fs_setattr_tmpfs_dirs(keylime_agent_t)
-
-init_dontaudit_stream_connect(keylime_agent_t)
-
-kernel_read_all_proc(keylime_agent_t)
-
-userdom_dontaudit_search_user_home_dirs(keylime_agent_t)
-
-auth_read_passwd(keylime_agent_t)
-
-keylime_mounton_var_lib(keylime_agent_t)
-
-mount_domtrans(keylime_agent_t)
-
-selinux_read_policy(keylime_agent_t)
-
-optional_policy(`
-        #FIX ME, add to tabrmd policy interface related with this
-        #https://github.com/tpm2-software/tpm2-abrmd/blob/master/selinux
-        dbus_chat_system_bus(keylime_agent_t)
-')
-
-optional_policy(`
-        dbus_stream_connect_system_dbusd(keylime_agent_t)
-        dbus_system_bus_client(keylime_agent_t)
-')
-
-optional_policy(`
-        systemd_userdbd_stream_connect(keylime_agent_t)
-        systemd_machined_stream_connect(keylime_agent_t)
-')

SPECS/keylime.spec

@@ -1,4 +1,5 @@
 %global srcname keylime
+%global policy_version 1.0.0
 %global with_selinux 1
 %global selinuxtype targeted
 
@@ -7,18 +8,18 @@
 %global debug_package %{nil}
 
 Name:    keylime
-Version: 6.4.3
-Release: 1%{?dist}
+Version: 6.5.2
+Release: 4%{?dist}
 Summary: Open source TPM software for Bootstrapping and Maintaining Trust
 
 URL:            https://github.com/keylime/keylime
 Source0:        https://github.com/keylime/keylime/archive/refs/tags/v%{version}.tar.gz
 Source1:        %{srcname}.sysusers
-%if 0%{?with_selinux}
-Source2:        %{srcname}.te
-Source3:        %{srcname}.if
-Source4:        %{srcname}.fc
-%endif
+Source2:        https://github.com/RedHat-SP-Security/%{name}-selinux/archive/v%{policy_version}/keylime-selinux-%{policy_version}.tar.gz
+
+Patch: 0001-Do-not-use-default-values-that-need-reading-the-conf.patch
+Patch: 0002-Switch-to-sha256-hashes-for-signatures.patch
+Patch: 0003-logging-remove-option-to-log-into-separate-file.patch
 
 License: ASL 2.0 and MIT
 
@@ -27,6 +28,7 @@ BuildRequires: swig
 BuildRequires: openssl-devel
 BuildRequires: python3-devel
 BuildRequires: python3-dbus
+BuildRequires: python3-jinja2
 BuildRequires: python3-setuptools
 BuildRequires: systemd-rpm-macros
 
@@ -57,7 +59,7 @@ Requires: tpm2-tss
 %if 0%{?with_selinux}
 # This ensures that the *-selinux package and all it’s dependencies are not pulled
 # into containers and other systems that do not use SELinux
-Requires:       (%{srcname}-selinux if selinux-policy-%{selinuxtype})
+Recommends:       (%{srcname}-selinux if selinux-policy-%{selinuxtype})
 %endif
 
 %ifarch %efi
@@ -87,6 +89,7 @@ Requires: python3-lark-parser
 Requires: python3-pyasn1
 Requires: python3-pyasn1-modules
 Requires: tpm2-tools
+Requires: openssl
 
 %description -n python3-%{srcname}
 The python3-keylime module implements the functionality used
@@ -140,15 +143,12 @@ Requires: python3-%{srcname} = %{version}-%{release}
 The Keylime Tenant can be used to provision a Keylime Agent.
 
 %prep
-%autosetup -S git -n %{srcname}-%{version}
+%autosetup -S git -n %{srcname}-%{version} -a2
 
 %if 0%{?with_selinux}
 # SELinux policy (originally from selinux-policy-contrib)
 # this policy module will override the production module
 mkdir selinux
-cp -p %{SOURCE2} selinux/
-cp -p %{SOURCE3} selinux/
-cp -p %{SOURCE4} selinux/
 
 make -f %{_datadir}/selinux/devel/Makefile %{srcname}.pp
 bzip2 -9 %{srcname}.pp
@@ -163,37 +163,38 @@ mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname}
 mkdir -p --mode=0700 %{buildroot}/%{_rundir}/%{srcname}
 mkdir -p --mode=0700 %{buildroot}/%{_localstatedir}/log/%{srcname}
 
-# Remove agent and webapp.
+mkdir -p --mode=0700 %{buildroot}/%{_sysconfdir}/%{srcname}/
+for comp in "verifier" "tenant" "registrar" "ca" "logging"; do
+    mkdir -p --mode=0700  %{buildroot}/%{_sysconfdir}/%{srcname}/${comp}.conf.d
+    install -Dpm 400 config/${comp}.conf %{buildroot}/%{_sysconfdir}/%{srcname}
+done
+
+# Remove agent.
 rm -f %{buildroot}/%{_bindir}/%{srcname}_agent
 rm -f %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/%{srcname}_agent*
 rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/__pycache__/agent.*
 rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/agent.*
 rm -f %{buildroot}%{python3_sitelib}/%{srcname}/%{srcname}_agent.*
 
-rm -f %{buildroot}/%{_bindir}/%{srcname}_webapp
-rm -f %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/tenant_webapp.*
-rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/__pycache__/webapp.*
-rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/webapp.*
-rm -f %{buildroot}%{python3_sitelib}/%{srcname}/tenant_webapp.*
-rm -rf %{buildroot}%{python3_sitelib}/%{srcname}/static/
-
 # Remove misc progs.
 rm -f %{buildroot}/%{_bindir}/%{srcname}_ima_emulator
 rm -f %{buildroot}/%{_bindir}/%{srcname}_userdata_encrypt
 
-# Setting up the agent to use keylime:keylime user/group after dropping privileges.
-sed -e 's/^run_as[[:space:]]*=.*/run_as = keylime:keylime/g' -i %{srcname}.conf
-
-# Using sha256 for tpm_hash_alg.
-sed -e 's/^tpm_hash_alg[[:space:]]*=.*/tpm_hash_alg = sha256/g' -i %{srcname}.conf
+# Ship some scripts.
+mkdir -p %{buildroot}/%{_datadir}/%{srcname}/scripts
+for s in create_allowlist.sh \
+         create_mb_refstate \
+         create_policy \
+         ek-openssl-verify; do
+    install -Dpm 755 scripts/${s} \
+        %{buildroot}/%{_datadir}/%{srcname}/scripts/${s}
+done
 
 %if 0%{?with_selinux}
 install -D -m 0644 %{srcname}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2
-install -D -p -m 0644 selinux/%{srcname}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
+install -D -p -m 0644 keylime-selinux-%{policy_version}/%{srcname}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
 %endif
 
-install -Dpm 600 %{srcname}.conf \
-    %{buildroot}%{_sysconfdir}/%{srcname}.conf
 
 install -Dpm 644 ./services/%{srcname}_verifier.service \
     %{buildroot}%{_unitdir}/%{srcname}_verifier.service
@@ -201,7 +202,8 @@ install -Dpm 644 ./services/%{srcname}_verifier.service \
 install -Dpm 644 ./services/%{srcname}_registrar.service \
     %{buildroot}%{_unitdir}/%{srcname}_registrar.service
 
-cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/keylime/
+cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/
+chmod 400 %{buildroot}%{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem
 
 install -p -d %{buildroot}/%{_tmpfilesdir}
 cat > %{buildroot}/%{_tmpfilesdir}/%{srcname}.conf << EOF
@@ -215,11 +217,24 @@ install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/%{srcname}.conf
 exit 0
 
 %posttrans base
-[ -f %{_sysconfdir}/%{srcname}.conf ] && \
-    chmod 600 %{_sysconfdir}/%{srcname}.conf && \
-    chown %{srcname} %{_sysconfdir}/%{srcname}.conf
+if [ -d %{_sysconfdir}/%{srcname} ]; then
+    chmod 500 %{_sysconfdir}/%{srcname}
+    chown -R %{srcname}:%{srcname} %{_sysconfdir}/%{srcname}
+
+    for comp in "verifier" "tenant" "registrar" "ca" "logging"; do
+        [ -d %{_sysconfdir}/%{srcname}/${comp}.conf.d ] && \
+            chmod 500 %{_sysconfdir}/%{srcname}/${comp}.conf.d
+    done
+fi
+
+
 [ -d %{_sharedstatedir}/%{srcname} ] && \
     chown -R %{srcname} %{_sharedstatedir}/%{srcname}/
+
+[ -d %{_sharedstatedir}/%{srcname}/tpm_cert_store ] && \
+    chmod 400 %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem && \
+    chmod 500 %{_sharedstatedir}/%{srcname}/tpm_cert_store/
+
 [ -d %{_localstatedir}/log/%{srcname} ] && \
     chown -R %{srcname} %{_localstatedir}/log/%{srcname}/
 exit 0
@@ -272,6 +287,8 @@ fi
 
 %files verifier
 %license LICENSE
+%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/verifier.conf.d
+%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/verifier.conf
 %{_bindir}/%{srcname}_verifier
 %{_bindir}/%{srcname}_ca
 %{_bindir}/%{srcname}_migrations_apply
@@ -279,6 +296,8 @@ fi
 
 %files registrar
 %license LICENSE
+%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/registrar.conf.d
+%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/registrar.conf
 %{_bindir}/%{srcname}_registrar
 %{_unitdir}/keylime_registrar.service
 
@@ -291,27 +310,61 @@ fi
 
 %files tenant
 %license LICENSE
+%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/tenant.conf.d
+%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/tenant.conf
 %{_bindir}/%{srcname}_tenant
 
 %files -n python3-%{srcname}
 %license LICENSE
 %{python3_sitelib}/%{srcname}-*.egg-info/
 %{python3_sitelib}/%{srcname}
+%{_datadir}/%{srcname}/scripts/create_mb_refstate
+%{_datadir}/%{srcname}/scripts/create_policy
+%{_bindir}/keylime_convert_ima_policy
 
 %files base
 %license LICENSE
 %doc README.md
-%config(noreplace) %attr(600,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}.conf
+%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/{ca,logging}.conf.d
+%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/ca.conf
+%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/logging.conf
 %attr(700,%{srcname},%{srcname}) %dir %{_rundir}/%{srcname}
 %attr(700,%{srcname},%{srcname}) %dir %{_localstatedir}/log/%{srcname}
-%attr(700,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}
+%attr(700,%{srcname},%{srcname}) %dir %{_sharedstatedir}/%{srcname}
+%attr(500,%{srcname},%{srcname}) %dir %{_sharedstatedir}/%{srcname}/tpm_cert_store
+%attr(400,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem
 %{_tmpfilesdir}/%{srcname}.conf
 %{_sysusersdir}/%{srcname}.conf
+%{_datadir}/%{srcname}/scripts/create_allowlist.sh
+%{_datadir}/%{srcname}/scripts/ek-openssl-verify
 
 %files
 %license LICENSE
 
 %changelog
+* Fri Jan 13 2023 Sergio Correia <scorreia@redhat.com> - 6.5.2-4
+- Backport upstream PR#1240 - logging: remove option to log into separate file
+  Resolves: rhbz#2154584 - keylime verifier is not logging to /var/log/keylime
+
+* Thu Dec 1 2022 Sergio Correia <scorreia@redhat.com> - 6.5.2-3
+- Remove leftover policy file
+  Related: rhbz#2152135
+
+* Thu Dec 1 2022 Patrik Koncity <pkoncity@redhat.com> - 6.5.2-2
+- Use keylime selinux policy from upstream.
+  Resolves: rhbz#2152135
+
+* Mon Nov 14 2022 Sergio Correia <scorreia@redhat.com> - 6.5.2-1
+- Update to 6.5.2
+  Resolves: CVE-2022-3500
+  Resolves: rhbz#2138167 - agent fails IMA attestation when one scripts is executed quickly after the other
+  Resolves: rhbz#2140670 - Segmentation fault in /usr/share/keylime/create_mb_refstate script
+  Resolves: rhbz#142009 - Registrar may crash during EK validation when require_ek_cert is enabled
+
+* Tue Sep 13 2022 Sergio Correia <scorreia@redhat.com> - 6.5.0-1
+- Update to 6.5.0
+  Resolves: rhbz#2120686 - Keylime configuration is too complex
+
 * Fri Aug 26 2022 Sergio Correia <scorreia@redhat.com> - 6.4.3-1
 - Update to 6.4.3
   Resolves: rhbz#2121044 - Error parsing EK ASN.1 certificate of Nuvoton HW TPM