From 761a2a27333c8c25f4560ac2546138c27c2b9ded Mon Sep 17 00:00:00 2001
From: Patrik Koncity
Date: Mon, 12 Sep 2022 16:06:25 +0200
Subject: [PATCH] Add keylime selinux policy as subpackage and update CI

---
 .gitignore | 1 +
 e2e_tests.fmf | 4 +--
 keylime.spec | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 sources | 1 +
 4 files changed, 78 insertions(+), 4 deletions(-)

diff --git a/.gitignore b/.gitignore
index d55016f..0433426 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,4 @@
 /v6.4.1.tar.gz
 /v6.4.2.tar.gz
 /v6.4.3.tar.gz
+/keylime-selinux-1.0.0.tar.gz
diff --git a/e2e_tests.fmf b/e2e_tests.fmf
index b2ba4ad..7652be2 100644
--- a/e2e_tests.fmf
+++ b/e2e_tests.fmf
@@ -23,13 +23,11 @@ discover:
 # change IMA policy to simple and run one attestation scenario
 # this is to utilize also a different parser
 - /setup/configure_kernel_ima_module/ima_policy_simple
+ - /setup/inject_SELinux_AVC_check
 - /functional/basic-attestation-on-localhost
 # now change IMA policy to signing and run all tests
 - /setup/configure_kernel_ima_module/ima_policy_signing
 - "/functional/.*"
- # now set zeromq as a default revocation notifier and test it
- - /setup/configure_default_revocation_notifier/zeromq
- - /functional/basic-attestation-on-localhost
 execute:
 how: tmt
diff --git a/keylime.spec b/keylime.spec
index 2aa1470..c5f99e9 100644
--- a/keylime.spec
+++ b/keylime.spec
@@ -1,8 +1,11 @@
 %global srcname keylime
+%global policy_version 1.0.0
 # Package is actually noarch, but it has an optional dependency that is
 # arch-specific.
 %global debug_package %{nil}
+%global with_selinux 1
+%global selinuxtype targeted
 Name: keylime
 Version: 6.4.3
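Review bot: The commit description ("update CI") does not say why the zeromq revocation-notifier scenario (`/setup/configure_default_revocation_notifier/zeromq` followed by `/functional/basic-attestation-on-localhost`) is removed, and nothing else left in this plan appears to exercise that notifier. If the scenario is intentionally retired, record the reason in the description; otherwise keep it, since it is presumably the only end-to-end check of the zeromq path. The `discover` list this hunk edits continues outside the hunk.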
@@ -12,6 +15,8 @@ Summary: Open source TPM software for Bootstrapping and Maintaining Trust
 URL: https://github.com/keylime/keylime
 Source0: https://github.com/keylime/keylime/archive/refs/tags/v%{version}.tar.gz
 Source1: %{srcname}.sysusers
+# The selinux policy for keylime is distributed via this repo: https://github.com/RedHat-SP-Security/keylime-selinux
+Source2: https://github.com/RedHat-SP-Security/%{name}-selinux/archive/v%{policy_version}/keylime-selinux-%{policy_version}.tar.gz
 # Main program: BSD
 # Icons: MIT
@@ -58,6 +63,12 @@ Requires(pre): shadow-utils
 Requires: procps-ng
 Requires: tpm2-tss
+%if 0%{?with_selinux}
+# This ensures that the *-selinux package and all it’s dependencies are not pulled
+# into containers and other systems that do not use SELinux
+Recommends: (%{srcname}-selinux if selinux-policy-%{selinuxtype})
+%endif
+
 %ifarch %efi
 Requires: efivar-libs
 %endif
@@ -142,6 +153,20 @@ The Keylime Agent is deployed to the remote machine that is to be measured or
 provisioned with secrets stored within an encrypted payload released once trust
 is established.
+%if 0%{?with_selinux}
+# SELinux subpackage
+%package selinux
+Summary: keylime SELinux policy
+BuildArch: noarch
+Requires: selinux-policy-%{selinuxtype}
+Requires(post): selinux-policy-%{selinuxtype}
+BuildRequires: selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux
+Custom SELinux policy module
+%endif
+
 %package tenant
 Summary: The Python Keylime Tenant
 License: MIT
@@ -169,8 +194,17 @@ Requires: python3-%{srcname} = %{version}-%{release}
 %description tools
 The keylime tools package includes miscelaneous tools.
+
 %prep
-%autosetup -S git -n %{srcname}-%{version}
+%autosetup -S git -n %{srcname}-%{version} -a2
+
+%if 0%{?with_selinux}
+# SELinux policy (originally from selinux-policy-contrib)
+# this policy module will override the production module
+
+make -f %{_datadir}/selinux/devel/Makefile %{srcname}.pp
+bzip2 -9 %{srcname}.pp
+%endif
 %build
 %py3_build
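Review bot: The policy module is compiled inside `%prep` (`make -f %{_datadir}/selinux/devel/Makefile %{srcname}.pp` and the `bzip2 -9` that follows), but `%prep` is meant only to unpack and patch; these two lines belong in `%build`, next to `%py3_build`, which begins right at the end of this hunk. The `-a2` unpack puts the policy sources under `keylime-selinux-%{policy_version}/` (the `.if` is later installed from that directory), yet make runs in the source-tree root, so it can only find `%{srcname}.te` if the keylime tarball itself ships one at its top level — presumably the build should `cd keylime-selinux-%{policy_version}` first, with the `%install` path of the `.pp.bz2` adjusted to match. A one-line comment saying which directory holds the `.te`/`.fc`/`.if` would make the intent explicit.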
@@ -187,6 +221,11 @@ sed -e 's/^run_as.*/run_as = %{srcname}:%{srcname}/g' -i %{srcname}.conf
 # rhbz#2114485 - using sha256 for tpm_hash_alg.
 sed -e 's/^tpm_hash_alg[[:space:]]*=.*/tpm_hash_alg = sha256/g' -i %{srcname}.conf
+%if 0%{?with_selinux}
+install -D -m 0644 %{srcname}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2
+install -D -p -m 0644 keylime-selinux-%{policy_version}/%{srcname}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
+%endif
+
 install -Dpm 600 %{srcname}.conf \
 %{buildroot}%{_sysconfdir}/%{srcname}.conf
@@ -234,6 +273,34 @@ exit 0
 %post -n python3-%{srcname}-agent
 %systemd_post %{srcname}_agent.service
+%if 0%{?with_selinux}
+# SELinux contexts are saved so that only affected files can be
+# relabeled after the policy module installation
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2
+%selinux_relabel_post -s %{selinuxtype}
+
+if [ "$1" -le "1" ]; then # First install
+ # The services need to be restarted for the custom label to be
+ # applied in case they where already present in the system,
+ # restart fails silently in case they where not.
+ for svc in agent registrar verifier; do
+ [ -f "%{_unitdir}/%{srcname}_${svc}".service ] && \
+ %systemd_postun_with_restart "%{srcname}_${svc}".service
+ done
+fi
+exit 0
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} %{srcname}
+ %selinux_relabel_post -s %{selinuxtype}
+fi
+%endif
+
 %preun verifier
 %systemd_preun %{srcname}_verifier.service
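Review bot: `%selinux_relabel_post -s %{selinuxtype}` is run from `%post selinux`, whereas the SELinux independent-policy packaging template runs it from a separate `%posttrans selinux` scriptlet so the relabel happens after every package in the transaction has installed its files; unless there is a reason to diverge, move that line into `%posttrans selinux`. `%postun selinux` tests the argument unquoted (`if [ $1 -eq 0 ]; then`) while `%post selinux` quotes it; use `if [ "$1" -eq 0 ]; then` for consistency. The restart loop only runs on first install (`"$1" -le "1"`), so on an upgrade that changes the policy, already-running services presumably keep the context they were started with until someone restarts them — if that is intended, a comment stating it would save the next reader the question.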
@@ -271,6 +338,13 @@ exit 0
 %{_unitdir}/%{srcname}_agent_secure.mount
 %{_bindir}/%{srcname}_ima_emulator
+%if 0%{?with_selinux}
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.*
+%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{srcname}
+%endif
+
 %files tenant
 %license LICENSE
 %{_bindir}/%{srcname}_tenant
diff --git a/sources b/sources
index ba018be..39bd111 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
 SHA512 (v6.4.3.tar.gz) = fbc66d1b8677606bf382f03056b05edd6117dd5d845506365d96fd3ee8b5b291870ee672fe3cb17e9cc89b1acd29c99661a45826425e3bba45204f03f538c37f
+SHA512 (keylime-selinux-1.0.0.tar.gz) = d0b4fea7407ad493b08e6f087e8f32b1a65acbee59bf6e20a0e26aaa139f56c1206c7e707898fd8a2e11468cd918f76cb6985f68b8a2faa8a2a4b7a9ba4c3674
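Review bot: `%files selinux` packages a policy that comes from a separate upstream (Source2, the keylime-selinux repository), but the subpackage declares no `License:` of its own and installs no `%license` file, so it silently inherits the main package's license tag. If the policy tarball carries its own license file, add `%license keylime-selinux-%{policy_version}/<license-file>` to this section and a matching `License:` tag to `%package selinux`. The `.pp.*` glob could also be written as the explicit `%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2` that `%install` creates, so an unexpected extra file fails the build rather than being packaged unnoticed.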