Update to 6.5.0
Resolves: rhbz#2120686 - Keylime configuration is too complex
parent
d27537fb46
commit
346f3201ee
1
.gitignore
vendored
1
.gitignore
vendored
@ -1,3 +1,4 @@
|
||||
/v6.4.1.tar.gz
|
||||
/v6.4.2.tar.gz
|
||||
/v6.4.3.tar.gz
|
||||
/v6.5.0.tar.gz
|
||||
|
80
keylime.spec
80
keylime.spec
@ -7,18 +7,16 @@
|
||||
%global debug_package %{nil}
|
||||
|
||||
Name: keylime
|
||||
Version: 6.4.3
|
||||
Version: 6.5.0
|
||||
Release: 1%{?dist}
|
||||
Summary: Open source TPM software for Bootstrapping and Maintaining Trust
|
||||
|
||||
URL: https://github.com/keylime/keylime
|
||||
Source0: https://github.com/keylime/keylime/archive/refs/tags/v%{version}.tar.gz
|
||||
Source1: %{srcname}.sysusers
|
||||
%if 0%{?with_selinux}
|
||||
Source2: %{srcname}.te
|
||||
Source3: %{srcname}.if
|
||||
Source4: %{srcname}.fc
|
||||
%endif
|
||||
|
||||
License: ASL 2.0 and MIT
|
||||
|
||||
@ -27,6 +25,7 @@ BuildRequires: swig
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: python3-devel
|
||||
BuildRequires: python3-dbus
|
||||
BuildRequires: python3-jinja2
|
||||
BuildRequires: python3-setuptools
|
||||
BuildRequires: systemd-rpm-macros
|
||||
|
||||
@ -57,7 +56,7 @@ Requires: tpm2-tss
|
||||
%if 0%{?with_selinux}
|
||||
# This ensures that the *-selinux package and all it’s dependencies are not pulled
|
||||
# into containers and other systems that do not use SELinux
|
||||
Requires: (%{srcname}-selinux if selinux-policy-%{selinuxtype})
|
||||
Recommends: (%{srcname}-selinux if selinux-policy-%{selinuxtype})
|
||||
%endif
|
||||
|
||||
%ifarch %efi
|
||||
@ -163,37 +162,37 @@ mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname}
|
||||
mkdir -p --mode=0700 %{buildroot}/%{_rundir}/%{srcname}
|
||||
mkdir -p --mode=0700 %{buildroot}/%{_localstatedir}/log/%{srcname}
|
||||
|
||||
# Remove agent and webapp.
|
||||
mkdir -p --mode=0700 %{buildroot}/%{_sysconfdir}/%{srcname}/
|
||||
for comp in "verifier" "tenant" "registrar" "ca" "logging"; do
|
||||
mkdir -p --mode=0700 %{buildroot}/%{_sysconfdir}/%{srcname}/${comp}.conf.d
|
||||
install -Dpm 400 config/${comp}.conf %{buildroot}/%{_sysconfdir}/%{srcname}
|
||||
done
|
||||
|
||||
# Remove agent.
|
||||
rm -f %{buildroot}/%{_bindir}/%{srcname}_agent
|
||||
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/%{srcname}_agent*
|
||||
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/__pycache__/agent.*
|
||||
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/agent.*
|
||||
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/%{srcname}_agent.*
|
||||
|
||||
rm -f %{buildroot}/%{_bindir}/%{srcname}_webapp
|
||||
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/tenant_webapp.*
|
||||
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/__pycache__/webapp.*
|
||||
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/webapp.*
|
||||
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/tenant_webapp.*
|
||||
rm -rf %{buildroot}%{python3_sitelib}/%{srcname}/static/
|
||||
|
||||
# Remove misc progs.
|
||||
rm -f %{buildroot}/%{_bindir}/%{srcname}_ima_emulator
|
||||
rm -f %{buildroot}/%{_bindir}/%{srcname}_userdata_encrypt
|
||||
|
||||
# Setting up the agent to use keylime:keylime user/group after dropping privileges.
|
||||
sed -e 's/^run_as[[:space:]]*=.*/run_as = keylime:keylime/g' -i %{srcname}.conf
|
||||
|
||||
# Using sha256 for tpm_hash_alg.
|
||||
sed -e 's/^tpm_hash_alg[[:space:]]*=.*/tpm_hash_alg = sha256/g' -i %{srcname}.conf
|
||||
# Ship some scripts.
|
||||
mkdir -p %{buildroot}/%{_datadir}/%{srcname}/scripts
|
||||
for s in create_allowlist.sh \
|
||||
create_mb_refstate \
|
||||
create_policy; do
|
||||
install -Dpm 755 scripts/${s} \
|
||||
%{buildroot}/%{_datadir}/%{srcname}/scripts/${s}
|
||||
done
|
||||
|
||||
%if 0%{?with_selinux}
|
||||
install -D -m 0644 %{srcname}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2
|
||||
install -D -p -m 0644 selinux/%{srcname}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
|
||||
%endif
|
||||
|
||||
install -Dpm 600 %{srcname}.conf \
|
||||
%{buildroot}%{_sysconfdir}/%{srcname}.conf
|
||||
|
||||
install -Dpm 644 ./services/%{srcname}_verifier.service \
|
||||
%{buildroot}%{_unitdir}/%{srcname}_verifier.service
|
||||
@ -201,7 +200,8 @@ install -Dpm 644 ./services/%{srcname}_verifier.service \
|
||||
install -Dpm 644 ./services/%{srcname}_registrar.service \
|
||||
%{buildroot}%{_unitdir}/%{srcname}_registrar.service
|
||||
|
||||
cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/keylime/
|
||||
cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/
|
||||
chmod 400 %{buildroot}%{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem
|
||||
|
||||
install -p -d %{buildroot}/%{_tmpfilesdir}
|
||||
cat > %{buildroot}/%{_tmpfilesdir}/%{srcname}.conf << EOF
|
||||
@ -215,11 +215,24 @@ install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/%{srcname}.conf
|
||||
exit 0
|
||||
|
||||
%posttrans base
|
||||
[ -f %{_sysconfdir}/%{srcname}.conf ] && \
|
||||
chmod 600 %{_sysconfdir}/%{srcname}.conf && \
|
||||
chown %{srcname} %{_sysconfdir}/%{srcname}.conf
|
||||
if [ -d %{_sysconfdir}/%{srcname} ]; then
|
||||
chmod 500 %{_sysconfdir}/%{srcname}
|
||||
chown -R %{srcname}:%{srcname} %{_sysconfdir}/%{srcname}
|
||||
|
||||
for comp in "verifier" "tenant" "registrar" "ca" "logging"; do
|
||||
[ -d %{_sysconfdir}/%{srcname}/${comp}.conf.d ] && \
|
||||
chmod 500 %{_sysconfdir}/%{srcname}/${comp}.conf.d
|
||||
done
|
||||
fi
|
||||
|
||||
|
||||
[ -d %{_sharedstatedir}/%{srcname} ] && \
|
||||
chown -R %{srcname} %{_sharedstatedir}/%{srcname}/
|
||||
|
||||
[ -d %{_sharedstatedir}/%{srcname}/tpm_cert_store ] && \
|
||||
chmod 400 %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem && \
|
||||
chmod 500 %{_sharedstatedir}/%{srcname}/tpm_cert_store/
|
||||
|
||||
[ -d %{_localstatedir}/log/%{srcname} ] && \
|
||||
chown -R %{srcname} %{_localstatedir}/log/%{srcname}/
|
||||
exit 0
|
||||
@ -272,6 +285,8 @@ fi
|
||||
|
||||
%files verifier
|
||||
%license LICENSE
|
||||
%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/verifier.conf.d
|
||||
%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/verifier.conf
|
||||
%{_bindir}/%{srcname}_verifier
|
||||
%{_bindir}/%{srcname}_ca
|
||||
%{_bindir}/%{srcname}_migrations_apply
|
||||
@ -279,6 +294,8 @@ fi
|
||||
|
||||
%files registrar
|
||||
%license LICENSE
|
||||
%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/registrar.conf.d
|
||||
%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/registrar.conf
|
||||
%{_bindir}/%{srcname}_registrar
|
||||
%{_unitdir}/keylime_registrar.service
|
||||
|
||||
@ -291,27 +308,40 @@ fi
|
||||
|
||||
%files tenant
|
||||
%license LICENSE
|
||||
%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/tenant.conf.d
|
||||
%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/tenant.conf
|
||||
%{_bindir}/%{srcname}_tenant
|
||||
|
||||
%files -n python3-%{srcname}
|
||||
%license LICENSE
|
||||
%{python3_sitelib}/%{srcname}-*.egg-info/
|
||||
%{python3_sitelib}/%{srcname}
|
||||
%{_datadir}/%{srcname}/scripts/create_mb_refstate
|
||||
%{_datadir}/%{srcname}/scripts/create_policy
|
||||
|
||||
%files base
|
||||
%license LICENSE
|
||||
%doc README.md
|
||||
%config(noreplace) %attr(600,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}.conf
|
||||
%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/{ca,logging}.conf.d
|
||||
%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/ca.conf
|
||||
%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/logging.conf
|
||||
%attr(700,%{srcname},%{srcname}) %dir %{_rundir}/%{srcname}
|
||||
%attr(700,%{srcname},%{srcname}) %dir %{_localstatedir}/log/%{srcname}
|
||||
%attr(700,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}
|
||||
%attr(700,%{srcname},%{srcname}) %dir %{_sharedstatedir}/%{srcname}
|
||||
%attr(500,%{srcname},%{srcname}) %dir %{_sharedstatedir}/%{srcname}/tpm_cert_store
|
||||
%attr(400,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem
|
||||
%{_tmpfilesdir}/%{srcname}.conf
|
||||
%{_sysusersdir}/%{srcname}.conf
|
||||
%{_datadir}/%{srcname}/scripts/create_allowlist.sh
|
||||
|
||||
%files
|
||||
%license LICENSE
|
||||
|
||||
%changelog
|
||||
* Tue Sep 13 2022 Sergio Correia <scorreia@redhat.com> - 6.5.0-1
|
||||
- Update to 6.5.0
|
||||
Resolves: rhbz#2120686 - Keylime configuration is too complex
|
||||
|
||||
* Fri Aug 26 2022 Sergio Correia <scorreia@redhat.com> - 6.4.3-1
|
||||
- Update to 6.4.3
|
||||
Resolves: rhbz#2121044 - Error parsing EK ASN.1 certificate of Nuvoton HW TPM
|
||||
|
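Review bot: In the new `%posttrans base` scriptlet the `tpm_cert_store` chain only tightens the directory mode after the `*.pem` glob succeeds, so on a system where the store is present but holds no certificates the unmatched glob makes `chmod 400 .../*.pem` fail and the `&&` short-circuit skips `chmod 500 .../tpm_cert_store/`; the trailing `exit 0` then hides that. Reordering the chain so the directory step does not depend on the glob fixes it: `[ -d %{_sharedstatedir}/%{srcname}/tpm_cert_store ] && chmod 500 %{_sharedstatedir}/%{srcname}/tpm_cert_store/ && chmod 400 %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem`. A second, broader point: the per-component config files are shipped as `%attr(400,%{srcname},%{srcname})` and the scriptlet additionally runs `chown -R %{srcname}:%{srcname} %{_sysconfdir}/%{srcname}`, which makes the service account the owner of its own configuration and therefore able to loosen the mode and rewrite it; if the daemons only read these files, root-owned with group read (e.g. `%attr(440,root,%{srcname})`) keeps config integrity outside the service's privilege boundary. The `%files base` section appears to list `%{_sharedstatedir}/%{srcname}` both with and without `%dir` (at 700, which would also claim the 500/400 `tpm_cert_store` entries below it); if both lines are on the new side rpmbuild will report the path as listed twice and the non-`%dir` entry should be dropped, though only the `%dir` form may actually be the new one here since the old/new side is not recoverable from the rendering.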
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (v6.4.3.tar.gz) = fbc66d1b8677606bf382f03056b05edd6117dd5d845506365d96fd3ee8b5b291870ee672fe3cb17e9cc89b1acd29c99661a45826425e3bba45204f03f538c37f
|
||||
SHA512 (v6.5.0.tar.gz) = a0f78f841ff3d1b87fb5e6ff222626ba9be72a1cc57077dada09f4c8b938ff2155b493ee6b5cb5e1e22d432edeec0b99e0e75412fd488008121c70339b94267e
|
||||
|