Add keylime selinux policy as subpackage and update CI

2022-09-12 16:06:25 +02:00 · 2022-09-12 16:06:25 +02:00 · 761a2a2733
commit 761a2a2733
parent ca613224de
4 changed files with 78 additions and 4 deletions
--- a/.gitignore
+++ b/.gitignore
@ -18,3 +18,4 @@
 /v6.4.1.tar.gz
 /v6.4.2.tar.gz
 /v6.4.3.tar.gz
+/keylime-selinux-1.0.0.tar.gz
--- a/e2e_tests.fmf
+++ b/e2e_tests.fmf
@ -23,13 +23,11 @@ discover:
     # change IMA policy to simple and run one attestation scenario
     # this is to utilize also a different parser
     - /setup/configure_kernel_ima_module/ima_policy_simple
+     - /setup/inject_SELinux_AVC_check
     - /functional/basic-attestation-on-localhost
     # now change IMA policy to signing and run all tests
     - /setup/configure_kernel_ima_module/ima_policy_signing
     - "/functional/.*"
-     # now set zeromq as a default revocation notifier and test it
-     - /setup/configure_default_revocation_notifier/zeromq
-     - /functional/basic-attestation-on-localhost

 execute:
    how: tmt
--- a/keylime.spec
+++ b/keylime.spec
@ -1,8 +1,11 @@
 %global srcname keylime
+%global policy_version 1.0.0

 # Package is actually noarch, but it has an optional dependency that is
 # arch-specific.
 %global debug_package %{nil}
+%global with_selinux 1
+%global selinuxtype targeted

 Name:    keylime
 Version: 6.4.3
@ -12,6 +15,8 @@ Summary: Open source TPM software for Bootstrapping and Maintaining Trust
 URL:            https://github.com/keylime/keylime
 Source0:        https://github.com/keylime/keylime/archive/refs/tags/v%{version}.tar.gz
 Source1:        %{srcname}.sysusers
+# The selinux policy for keylime is distributed via this repo: https://github.com/RedHat-SP-Security/keylime-selinux
+Source2:        https://github.com/RedHat-SP-Security/%{name}-selinux/archive/v%{policy_version}/keylime-selinux-%{policy_version}.tar.gz

 # Main program: BSD
 # Icons: MIT
@ -58,6 +63,12 @@ Requires(pre): shadow-utils
 Requires: procps-ng
 Requires: tpm2-tss

+%if 0%{?with_selinux}
+# This ensures that the *-selinux package and all it’s dependencies are not pulled
+# into containers and other systems that do not use SELinux
+Recommends:       (%{srcname}-selinux if selinux-policy-%{selinuxtype})
+%endif
+
 %ifarch %efi
 Requires: efivar-libs
 %endif
@ -142,6 +153,20 @@ The Keylime Agent is deployed to the remote machine that is to be
 measured or provisioned with secrets stored within an encrypted
 payload released once trust is established.

+%if 0%{?with_selinux}
+# SELinux subpackage
+%package selinux
+Summary:             keylime SELinux policy
+BuildArch:           noarch
+Requires:            selinux-policy-%{selinuxtype}
+Requires(post):      selinux-policy-%{selinuxtype}
+BuildRequires:       selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux
+Custom SELinux policy module
+%endif
+
 %package tenant
 Summary: The Python Keylime Tenant
 License: MIT
@ -169,8 +194,17 @@ Requires: python3-%{srcname} = %{version}-%{release}
 %description tools
 The keylime tools package includes miscelaneous tools.

+
 %prep
-%autosetup -S git -n %{srcname}-%{version}
+%autosetup -S git -n %{srcname}-%{version} -a2
+
+%if 0%{?with_selinux}
+# SELinux policy (originally from selinux-policy-contrib)
+# this policy module will override the production module
+
+make -f %{_datadir}/selinux/devel/Makefile %{srcname}.pp
+bzip2 -9 %{srcname}.pp
+%endif

 %build
 %py3_build
@ -187,6 +221,11 @@ sed -e 's/^run_as.*/run_as = %{srcname}:%{srcname}/g' -i %{srcname}.conf
 # rhbz#2114485 - using sha256 for tpm_hash_alg.
 sed -e 's/^tpm_hash_alg[[:space:]]*=.*/tpm_hash_alg = sha256/g' -i %{srcname}.conf

+%if 0%{?with_selinux}
+install -D -m 0644 %{srcname}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2
+install -D -p -m 0644 keylime-selinux-%{policy_version}/%{srcname}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
+%endif
+
 install -Dpm 600 %{srcname}.conf \
    %{buildroot}%{_sysconfdir}/%{srcname}.conf

@ -234,6 +273,34 @@ exit 0
 %post -n python3-%{srcname}-agent
 %systemd_post %{srcname}_agent.service

+%if 0%{?with_selinux}
+# SELinux contexts are saved so that only affected files can be
+# relabeled after the policy module installation
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2
+%selinux_relabel_post -s %{selinuxtype}
+
+if [ "$1" -le "1" ]; then # First install
+    # The services need to be restarted for the custom label to be
+    # applied in case they where already present in the system,
+    # restart fails silently in case they where not.
+    for svc in agent registrar verifier; do
+        [ -f "%{_unitdir}/%{srcname}_${svc}".service ] && \
+            %systemd_postun_with_restart "%{srcname}_${svc}".service
+    done
+fi
+exit 0
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{srcname}
+    %selinux_relabel_post -s %{selinuxtype}
+fi
+%endif
+
 %preun verifier
 %systemd_preun %{srcname}_verifier.service

@ -271,6 +338,13 @@ exit 0
 %{_unitdir}/%{srcname}_agent_secure.mount
 %{_bindir}/%{srcname}_ima_emulator

+%if 0%{?with_selinux}
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.*
+%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{srcname}
+%endif
+
 %files tenant
 %license LICENSE
 %{_bindir}/%{srcname}_tenant
--- a/1
+++ b/1
@ -1 +1,2 @@
 SHA512 (v6.4.3.tar.gz) = fbc66d1b8677606bf382f03056b05edd6117dd5d845506365d96fd3ee8b5b291870ee672fe3cb17e9cc89b1acd29c99661a45826425e3bba45204f03f538c37f
+SHA512 (keylime-selinux-1.0.0.tar.gz) = d0b4fea7407ad493b08e6f087e8f32b1a65acbee59bf6e20a0e26aaa139f56c1206c7e707898fd8a2e11468cd918f76cb6985f68b8a2faa8a2a4b7a9ba4c3674