import keylime-6.4.3-1.el9

6 months ago · 85e3bc95f3
commit 85e3bc95f3
7 changed files with 551 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+SOURCES/v6.4.3.tar.gz
--- a/.keylime.metadata
+++ b/.keylime.metadata
@ -0,0 +1 @@
+097e4062bdb09385bf9679f6411a42825e4f6bec SOURCES/v6.4.3.tar.gz
--- a/SOURCES/keylime.fc
+++ b/SOURCES/keylime.fc
@ -0,0 +1,24 @@
+/usr/bin/keylime_agent		--	gen_context(system_u:object_r:keylime_agent_exec_t,s0)
+/usr/bin/keylime_ima_emulator		--	gen_context(system_u:object_r:keylime_agent_exec_t,s0)
+/usr/bin/keylime_userdata_encrypt		--	gen_context(system_u:object_r:keylime_agent_exec_t,s0)
+
+/usr/bin/keylime_ca		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
+/usr/bin/keylime_migrations_apply		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
+/usr/bin/keylime_registrar		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
+/usr/bin/keylime_verifier		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
+/usr/bin/keylime_tenant		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
+
+/usr/local/bin/keylime_agent		--	gen_context(system_u:object_r:keylime_agent_exec_t,s0)
+/usr/local/bin/keylime_ima_emulator		--	gen_context(system_u:object_r:keylime_agent_exec_t,s0)
+/usr/local/bin/keylime_userdata_encrypt		--	gen_context(system_u:object_r:keylime_agent_exec_t,s0)
+
+/usr/local/bin/keylime_ca		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
+/usr/local/bin/keylime_migrations_apply		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
+/usr/local/bin/keylime_registrar		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
+/usr/local/bin/keylime_verifier		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
+/usr/local/bin/keylime_tenant		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
+
+/var/lib/keylime(/.*)?		gen_context(system_u:object_r:keylime_var_lib_t,s0)
+/var/lib/keylime-agent(/.*)?		gen_context(system_u:object_r:keylime_var_lib_t,s0)
+
+/var/log/keylime(/.*)?		gen_context(system_u:object_r:keylime_log_t,s0)
--- a/SOURCES/keylime.if
+++ b/SOURCES/keylime.if
@ -0,0 +1,37 @@
+## <summary>policy for keylime</summary>
+
+########################################
+## <summary>
+##      Add to specified type to keylime_type attribute .
+## </summary>
+## <param name="type">
+##      <summary>
+##      Type to be used for keylime domains.
+##      </summary>
+## </param>
+#
+interface(`keylime_use_keylime_domain',`
+        gen_require(`
+                attribute keylime_domain;
+        ')
+
+        typeattribute $1 keylime_domain;
+')
+
+########################################
+## <summary>
+##      Mounton keylime lib directory.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`keylime_mounton_var_lib',`
+        gen_require(`
+                type keylime_var_lib_t;
+        ')
+
+        allow $1 keylime_var_lib_t:dir mounton;
+')
--- a/SOURCES/keylime.sysusers
+++ b/SOURCES/keylime.sysusers
@ -0,0 +1,2 @@
+u keylime -   "Keylime unprivileged user" /var/lib/keylime /usr/sbin/nologin
+m keylime tss
--- a/SOURCES/keylime.te
+++ b/SOURCES/keylime.te
@ -0,0 +1,140 @@
+policy_module(keylime, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute keylime_domain;
+
+type keylime_agent_t;
+keylime_use_keylime_domain(keylime_agent_t)
+type keylime_agent_exec_t;
+init_daemon_domain(keylime_agent_t, keylime_agent_exec_t)
+
+type keylime_server_t;
+keylime_use_keylime_domain(keylime_server_t)
+type keylime_server_exec_t;
+init_daemon_domain(keylime_server_t, keylime_server_exec_t)
+
+type keylime_log_t;
+logging_log_file(keylime_log_t)
+
+type keylime_var_lib_t;
+files_type(keylime_var_lib_t)
+
+type keylime_tmp_t;
+files_tmp_file(keylime_tmp_t)
+
+########################################
+#
+# keylime domain policy
+#
+
+allow keylime_domain self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(keylime_domain, keylime_tmp_t, keylime_tmp_t)
+manage_files_pattern(keylime_domain, keylime_tmp_t, keylime_tmp_t)
+files_tmp_filetrans(keylime_domain, keylime_tmp_t, { dir file })
+
+manage_dirs_pattern(keylime_domain, keylime_var_lib_t, keylime_var_lib_t)
+manage_files_pattern(keylime_domain, keylime_var_lib_t, keylime_var_lib_t)
+files_var_lib_filetrans(keylime_domain, keylime_var_lib_t, { dir file lnk_file })
+
+corecmd_exec_bin(keylime_domain)
+
+corenet_tcp_bind_generic_node(keylime_domain)
+corenet_tcp_bind_all_ports(keylime_domain)
+corenet_tcp_connect_all_unreserved_ports(keylime_domain)
+
+dev_read_sysfs(keylime_domain)
+
+fs_tmpfs_filetrans(keylime_domain, keylime_var_lib_t, { dir file })
+
+init_named_socket_activation(keylime_domain, keylime_var_lib_t, "keylime")
+
+miscfiles_read_generic_certs(keylime_domain)
+
+sysnet_read_config(keylime_domain)
+
+userdom_exec_user_tmp_files(keylime_domain)
+userdom_manage_user_tmp_dirs(keylime_domain)
+userdom_manage_user_tmp_files(keylime_domain)
+
+########################################
+#
+# keylime server policy
+#
+
+allow keylime_server_t self:netlink_route_socket { create_stream_socket_perms nlmsg_read };
+allow keylime_server_t self:udp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(keylime_server_t, keylime_log_t, keylime_log_t)
+manage_files_pattern(keylime_server_t, keylime_log_t, keylime_log_t)
+
+fs_rw_inherited_tmpfs_files(keylime_server_t)
+
+optional_policy(`
+        gpg_exec(keylime_server_t)
+')
+
+optional_policy(`
+        kerberos_read_config(keylime_server_t)
+        kerberos_read_keytab(keylime_server_t)
+')
+
+optional_policy(`
+        sssd_run_stream_connect(keylime_server_t)
+')
+
+
+########################################
+#
+# keylime agent policy
+#
+#work with /var/lib/keylime/secure
+allow keylime_agent_t self:capability { chown dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
+allow keylime_agent_t self:chr_file getattr;
+
+#FIX ME, add to tabrmd policy interface related with this
+allow keylime_agent_t domain:unix_stream_socket rw_stream_socket_perms; #selint-disable:W-001
+
+dev_rw_tpm(keylime_agent_t)
+
+exec_files_pattern(keylime_agent_t, keylime_var_lib_t, keylime_var_lib_t)
+files_read_var_lib_files(keylime_agent_t)
+
+fs_dontaudit_search_cgroup_dirs(keylime_agent_t)
+fs_getattr_cgroup(keylime_agent_t)
+fs_mount_tmpfs(keylime_agent_t)
+fs_setattr_tmpfs_dirs(keylime_agent_t)
+
+init_dontaudit_stream_connect(keylime_agent_t)
+
+kernel_read_all_proc(keylime_agent_t)
+
+userdom_dontaudit_search_user_home_dirs(keylime_agent_t)
+
+auth_read_passwd(keylime_agent_t)
+
+keylime_mounton_var_lib(keylime_agent_t)
+
+mount_domtrans(keylime_agent_t)
+
+selinux_read_policy(keylime_agent_t)
+
+optional_policy(`
+        #FIX ME, add to tabrmd policy interface related with this
+        #https://github.com/tpm2-software/tpm2-abrmd/blob/master/selinux
+        dbus_chat_system_bus(keylime_agent_t)
+')
+
+optional_policy(`
+        dbus_stream_connect_system_dbusd(keylime_agent_t)
+        dbus_system_bus_client(keylime_agent_t)
+')
+
+optional_policy(`
+        systemd_userdbd_stream_connect(keylime_agent_t)
+        systemd_machined_stream_connect(keylime_agent_t)
+')
--- a/SPECS/keylime.spec
+++ b/SPECS/keylime.spec
@ -0,0 +1,346 @@
+%global srcname keylime
+%global with_selinux 1
+%global selinuxtype targeted
+
+# Package is actually noarch, but it has an optional dependency that is
+# arch-specific.
+%global debug_package %{nil}
+
+Name:    keylime
+Version: 6.4.3
+Release: 1%{?dist}
+Summary: Open source TPM software for Bootstrapping and Maintaining Trust
+
+URL:            https://github.com/keylime/keylime
+Source0:        https://github.com/keylime/keylime/archive/refs/tags/v%{version}.tar.gz
+Source1:        %{srcname}.sysusers
+%if 0%{?with_selinux}
+Source2:        %{srcname}.te
+Source3:        %{srcname}.if
+Source4:        %{srcname}.fc
+%endif
+
+License: ASL 2.0 and MIT
+
+BuildRequires: git-core
+BuildRequires: swig
+BuildRequires: openssl-devel
+BuildRequires: python3-devel
+BuildRequires: python3-dbus
+BuildRequires: python3-setuptools
+BuildRequires: systemd-rpm-macros
+
+Requires: python3-%{srcname} = %{version}-%{release}
+Requires: %{srcname}-base = %{version}-%{release}
+Requires: %{srcname}-verifier = %{version}-%{release}
+Requires: %{srcname}-registrar = %{version}-%{release}
+Requires: %{srcname}-tenant = %{version}-%{release}
+
+# Agent.
+Requires: keylime-agent
+Suggests: keylime-agent-rust
+
+%{?python_enable_dependency_generator}
+%description
+Keylime is a TPM based highly scalable remote boot attestation
+and runtime integrity measurement solution.
+
+%package base
+Summary: The base package contains the default configuration
+License: MIT
+
+
+Requires(pre): shadow-utils
+Requires: procps-ng
+Requires: tpm2-tss
+
+%if 0%{?with_selinux}
+# This ensures that the *-selinux package and all it’s dependencies are not pulled
+# into containers and other systems that do not use SELinux
+Requires:       (%{srcname}-selinux if selinux-policy-%{selinuxtype})
+%endif
+
+%ifarch %efi
+Requires: efivar-libs
+%endif
+
+
+%description base
+The base package contains the Keylime default configuration
+
+%package -n python3-%{srcname}
+Summary: The Python Keylime module
+License: MIT
+
+Requires: %{srcname}-base = %{version}-%{release}
+%{?python_provide:%python_provide python3-%{srcname}}
+
+Requires: python3-tornado
+Requires: python3-sqlalchemy
+Requires: python3-alembic
+Requires: python3-cryptography
+Requires: python3-pyyaml
+Requires: python3-packaging
+Requires: python3-requests
+Requires: python3-gpg
+Requires: python3-lark-parser
+Requires: python3-pyasn1
+Requires: python3-pyasn1-modules
+Requires: tpm2-tools
+
+%description -n python3-%{srcname}
+The python3-keylime module implements the functionality used
+by Keylime components.
+
+%package verifier
+Summary: The Python Keylime Verifier component
+License: MIT
+
+Requires: %{srcname}-base = %{version}-%{release}
+Requires: python3-%{srcname} = %{version}-%{release}
+
+%description verifier
+The Keylime Verifier continuously verifies the integrity state
+of the machine that the agent is running on.
+
+%package registrar
+Summary: The Keylime Registrar component
+License: MIT
+
+Requires: %{srcname}-base = %{version}-%{release}
+Requires: python3-%{srcname} = %{version}-%{release}
+
+%description registrar
+The Keylime Registrar is a database of all agents registered
+with Keylime and hosts the public keys of the TPM vendors.
+
+%if 0%{?with_selinux}
+# SELinux subpackage
+%package selinux
+Summary:             keylime SELinux policy
+BuildArch:           noarch
+Requires:            selinux-policy-%{selinuxtype}
+Requires(post):      selinux-policy-%{selinuxtype}
+BuildRequires:       selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux
+Custom SELinux policy module
+%endif
+
+%package tenant
+Summary: The Python Keylime Tenant
+License: MIT
+
+Requires: %{srcname}-base = %{version}-%{release}
+Requires: python3-%{srcname} = %{version}-%{release}
+
+
+%description tenant
+The Keylime Tenant can be used to provision a Keylime Agent.
+
+%prep
+%autosetup -S git -n %{srcname}-%{version}
+
+%if 0%{?with_selinux}
+# SELinux policy (originally from selinux-policy-contrib)
+# this policy module will override the production module
+mkdir selinux
+cp -p %{SOURCE2} selinux/
+cp -p %{SOURCE3} selinux/
+cp -p %{SOURCE4} selinux/
+
+make -f %{_datadir}/selinux/devel/Makefile %{srcname}.pp
+bzip2 -9 %{srcname}.pp
+%endif
+
+%build
+%py3_build
+
+%install
+%py3_install
+mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname}
+mkdir -p --mode=0700 %{buildroot}/%{_rundir}/%{srcname}
+mkdir -p --mode=0700 %{buildroot}/%{_localstatedir}/log/%{srcname}
+
+# Remove agent and webapp.
+rm -f %{buildroot}/%{_bindir}/%{srcname}_agent
+rm -f %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/%{srcname}_agent*
+rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/__pycache__/agent.*
+rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/agent.*
+rm -f %{buildroot}%{python3_sitelib}/%{srcname}/%{srcname}_agent.*
+
+rm -f %{buildroot}/%{_bindir}/%{srcname}_webapp
+rm -f %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/tenant_webapp.*
+rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/__pycache__/webapp.*
+rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/webapp.*
+rm -f %{buildroot}%{python3_sitelib}/%{srcname}/tenant_webapp.*
+rm -rf %{buildroot}%{python3_sitelib}/%{srcname}/static/
+
+# Remove misc progs.
+rm -f %{buildroot}/%{_bindir}/%{srcname}_ima_emulator
+rm -f %{buildroot}/%{_bindir}/%{srcname}_userdata_encrypt
+
+# Setting up the agent to use keylime:keylime user/group after dropping privileges.
+sed -e 's/^run_as[[:space:]]*=.*/run_as = keylime:keylime/g' -i %{srcname}.conf
+
+# Using sha256 for tpm_hash_alg.
+sed -e 's/^tpm_hash_alg[[:space:]]*=.*/tpm_hash_alg = sha256/g' -i %{srcname}.conf
+
+%if 0%{?with_selinux}
+install -D -m 0644 %{srcname}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2
+install -D -p -m 0644 selinux/%{srcname}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
+%endif
+
+install -Dpm 600 %{srcname}.conf \
+    %{buildroot}%{_sysconfdir}/%{srcname}.conf
+
+install -Dpm 644 ./services/%{srcname}_verifier.service \
+    %{buildroot}%{_unitdir}/%{srcname}_verifier.service
+
+install -Dpm 644 ./services/%{srcname}_registrar.service \
+    %{buildroot}%{_unitdir}/%{srcname}_registrar.service
+
+cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/keylime/
+
+install -p -d %{buildroot}/%{_tmpfilesdir}
+cat > %{buildroot}/%{_tmpfilesdir}/%{srcname}.conf << EOF
+d %{_rundir}/%{srcname} 0700 %{srcname} %{srcname} -
+EOF
+
+install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/%{srcname}.conf
+
+%pre base
+%sysusers_create_compat %{SOURCE1}
+exit 0
+
+%posttrans base
+[ -f %{_sysconfdir}/%{srcname}.conf ] && \
+    chmod 600 %{_sysconfdir}/%{srcname}.conf && \
+    chown %{srcname} %{_sysconfdir}/%{srcname}.conf
+[ -d %{_sharedstatedir}/%{srcname} ] && \
+    chown -R %{srcname} %{_sharedstatedir}/%{srcname}/
+[ -d %{_localstatedir}/log/%{srcname} ] && \
+    chown -R %{srcname} %{_localstatedir}/log/%{srcname}/
+exit 0
+
+%post verifier
+%systemd_post %{srcname}_verifier.service
+
+%post registrar
+%systemd_post %{srcname}_registrar.service
+
+%preun verifier
+%systemd_preun %{srcname}_verifier.service
+
+%preun registrar
+%systemd_preun %{srcname}_registrar.service
+
+%postun verifier
+%systemd_postun_with_restart %{srcname}_verifier.service
+
+%postun registrar
+%systemd_postun_with_restart %{srcname}_registrar.service
+
+%if 0%{?with_selinux}
+# SELinux contexts are saved so that only affected files can be
+# relabeled after the policy module installation
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2
+%selinux_relabel_post -s %{selinuxtype}
+
+if [ "$1" -le "1" ]; then # First install
+    # The services need to be restarted for the custom label to be
+    # applied in case they where already present in the system,
+    # restart fails silently in case they where not.
+    for svc in agent registrar verifier; do
+        [ -f "%{_unitdir}/%{srcname}_${svc}".service ] && \
+            %systemd_postun_with_restart "%{srcname}_${svc}".service
+    done
+fi
+exit 0
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{srcname}
+    %selinux_relabel_post -s %{selinuxtype}
+fi
+%endif
+
+%files verifier
+%license LICENSE
+%{_bindir}/%{srcname}_verifier
+%{_bindir}/%{srcname}_ca
+%{_bindir}/%{srcname}_migrations_apply
+%{_unitdir}/keylime_verifier.service
+
+%files registrar
+%license LICENSE
+%{_bindir}/%{srcname}_registrar
+%{_unitdir}/keylime_registrar.service
+
+%if 0%{?with_selinux}
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.*
+%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{srcname}
+%endif
+
+%files tenant
+%license LICENSE
+%{_bindir}/%{srcname}_tenant
+
+%files -n python3-%{srcname}
+%license LICENSE
+%{python3_sitelib}/%{srcname}-*.egg-info/
+%{python3_sitelib}/%{srcname}
+
+%files base
+%license LICENSE
+%doc README.md
+%config(noreplace) %attr(600,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}.conf
+%attr(700,%{srcname},%{srcname}) %dir %{_rundir}/%{srcname}
+%attr(700,%{srcname},%{srcname}) %dir %{_localstatedir}/log/%{srcname}
+%attr(700,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}
+%{_tmpfilesdir}/%{srcname}.conf
+%{_sysusersdir}/%{srcname}.conf
+
+%files
+%license LICENSE
+
+%changelog
+* Fri Aug 26 2022 Sergio Correia <scorreia@redhat.com> - 6.4.3-1
+- Update to 6.4.3
+  Resolves: rhbz#2121044 - Error parsing EK ASN.1 certificate of Nuvoton HW TPM
+
+* Fri Aug 26 2022 Patrik Koncity <pkoncity@redhat.com> - 6.4.2-6
+- Update keylime SELinux policy
+- Resolves: rhbz#2121058
+
+* Fri Aug 26 2022 Patrik Koncity <pkoncity@redhat.com> - 6.4.2-5
+- Update keylime SELinux policy and removed duplicate rules
+- Resolves: rhbz#2121058
+
+* Fri Aug 26 2022 Patrik Koncity <pkoncity@redhat.com> - 6.4.2-4
+- Update keylime SELinux policy
+- Resolves: rhbz#2121058
+
+* Wed Aug 17 2022 Patrik Koncity <pkoncity@redhat.com> - 6.4.2-3
+- Add keylime-selinux policy as subpackage
+- See https://fedoraproject.org/wiki/SELinux/IndependentPolicy
+- Resolves: rhbz#2121058
+
+* Mon Jul 11 2022 Sergio Correia <scorreia@redhat.com> - 6.4.2-2
+- Fix efivar-libs dependency
+  Related: rhbz#2082989
+
+* Thu Jul 07 2022 Sergio Correia <scorreia@redhat.com> - 6.4.2-1
+- Update to 6.4.2
+  Related: rhbz#2082989
+
+* Tue Jun 21 2022 Sergio Correia <scorreia@redhat.com> - 6.4.1-1
+- Add keylime to RHEL-9
+  Resolves: rhbz#2082989
				`@ -0,0 +1 @@`
				`097e4062bdb09385bf9679f6411a42825e4f6bec SOURCES/v6.4.3.tar.gz`