Use tmpfiles.d for permissions in /var/lib/keylime and /etc/keylime
Resolves: RHEL-77143
Signed-off-by: Sergio Correia <scorreia@redhat.com>
parent
2d4c1fd43c
commit
903b0e83ce
21
keylime.spec
21
keylime.spec
@ -14,9 +14,10 @@ Summary: Open source TPM software for Bootstrapping and Maintaining Trust
|
||||
|
||||
URL: https://github.com/keylime/keylime
|
||||
Source0: https://github.com/keylime/keylime/archive/refs/tags/v%{version}.tar.gz
|
||||
Source1: %{srcname}.sysusers
|
||||
# The selinux policy for keylime is distributed via this repo: https://github.com/RedHat-SP-Security/keylime-selinux
|
||||
Source2: https://github.com/RedHat-SP-Security/%{name}-selinux/archive/v%{policy_version}/keylime-selinux-%{policy_version}.tar.gz
|
||||
Source1: https://github.com/RedHat-SP-Security/%{name}-selinux/archive/v%{policy_version}/keylime-selinux-%{policy_version}.tar.gz
|
||||
Source2: %{srcname}.sysusers
|
||||
Source3: %{srcname}.tmpfiles
|
||||
|
||||
# Main program: Apache-2.0
|
||||
# Icons: MIT
|
||||
@ -65,8 +66,8 @@ Conflicts: keylime < 6.3.0-3
|
||||
|
||||
Requires(pre): python3-jinja2
|
||||
Requires(pre): shadow-utils
|
||||
Requires(pre): tpm2-tss
|
||||
Requires: procps-ng
|
||||
Requires: tpm2-tss
|
||||
Requires: openssl
|
||||
|
||||
%if 0%{?with_selinux}
|
||||
@ -184,7 +185,7 @@ The keylime tools package includes miscelaneous tools.
|
||||
|
||||
|
||||
%prep
|
||||
%autosetup -S git -n %{srcname}-%{version} -a2
|
||||
%autosetup -S git -n %{srcname}-%{version} -a1
|
||||
|
||||
%if 0%{?with_selinux}
|
||||
# SELinux policy (originally from selinux-policy-contrib)
|
||||
@ -240,15 +241,12 @@ install -Dpm 644 ./services/%{srcname}_registrar.service \
|
||||
|
||||
cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/
|
||||
|
||||
install -p -d %{buildroot}/%{_tmpfilesdir}
|
||||
cat > %{buildroot}/%{_tmpfilesdir}/%{srcname}.conf << EOF
|
||||
d %{_rundir}/%{srcname} 0700 %{srcname} %{srcname} -
|
||||
EOF
|
||||
|
||||
install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/%{srcname}.conf
|
||||
# Install the sysusers + tmpfiles.d configuration.
|
||||
install -p -D -m 0644 %{SOURCE2} %{buildroot}/%{_sysusersdir}/%{srcname}.conf
|
||||
install -p -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/%{name}.conf
|
||||
|
||||
%pre base
|
||||
%sysusers_create_compat %{SOURCE1}
|
||||
%sysusers_create_compat %{SOURCE2}
|
||||
exit 0
|
||||
|
||||
%post base
|
||||
@ -371,6 +369,7 @@ fi
|
||||
%files base
|
||||
%license LICENSE
|
||||
%doc README.md
|
||||
%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}
|
||||
%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/{ca,logging}.conf.d
|
||||
%config(noreplace) %verify(not md5 size mode mtime) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/ca.conf
|
||||
%config(noreplace) %verify(not md5 size mode mtime) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/logging.conf
|
||||
|
||||
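Review bot: The tmpfiles configuration is installed as `%{_tmpfilesdir}/%{name}.conf`, while the sysusers line right above it (and the heredoc this hunk removes) use `%{srcname}.conf`; unless %{name} and %{srcname} are guaranteed equal, the %files entry and any `%tmpfiles_create` call must agree with this name, so `install -p -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/%{srcname}.conf` would be the consistent form. The modes declared in keylime.tmpfiles only take effect when systemd-tmpfiles runs; `%post base` begins at the last line of this hunk and its body is outside it, so I cannot see whether it calls `%tmpfiles_create %{srcname}.conf` — without that, already-installed systems keep their old permissions on /etc/keylime and /var/lib/keylime until the next boot. In the Requires hunk, `Requires(pre): tpm2-tss` appears next to `Requires: tpm2-tss` with the markers lost; if the (pre) dependency is the one being dropped and keylime.sysusers references a group shipped by tpm2-tss, `Requires(pre)` is what guarantees that group exists when `%sysusers_create_compat` runs in %pre.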
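--- /dev/null
+++ b/keylime.tmpfiles
@@ -0,0 +1,37 @@
+d /run/keylime 0700 keylime keylime -
+
+d /var/lib/keylime/tpm_cert_store 0500 keylime keylime -
+d /var/lib/keylime 0700 keylime keylime -
+
+d /etc/keylime 0500 keylime keylime -
+d /etc/keylime/logging.conf.d 0500 keylime keylime -
+d /etc/keylime/verifier.conf.d 0500 keylime keylime -
+d /etc/keylime/registrar.conf.d 0500 keylime keylime -
+d /etc/keylime/tenant.conf.d 0500 keylime keylime -
+d /etc/keylime/agent.conf.d 0500 keylime keylime -
+
+# TPM certificate store.
+# Files inside /var/lib/keylime/tpm_cert_store/ have
+# 0400 permission and are owned by keylime/keylime,
+# while /var/lib/keylime/tpm_cert_store/ itself has
+# permission 0500, also owned by keylime/keylime.
+Z /var/lib/keylime/tpm_cert_store 0400 keylime keylime -
+z /var/lib/keylime/tpm_cert_store 0500 keylime keylime -
+# Finally, /var/lib/keylime itself has 0700 permission,
+# and is owned by keylime/keylime.
+z /var/lib/keylime 0700 keylime keylime -
+
+# Keylime configuration in /etc/keylime has permission 0400
+# owned by keylime/keylime, while snippet directories and
+# the actual /etc/keylime directory have permission 0500,
+# also owned by keylime/keylime.
+Z /etc/keylime 0400 keylime keylime -
+# Now fix the directories:
+z /etc/keylime/ca.conf.d 0500 keylime keylime -
+z /etc/keylime/logging.conf.d 0500 keylime keylime -
+z /etc/keylime/verifier.conf.d 0500 keylime keylime -
+z /etc/keylime/registrar.conf.d 0500 keylime keylime -
+z /etc/keylime/tenant.conf.d 0500 keylime keylime -
+z /etc/keylime/agent.conf.d 0500 keylime keylime -
+# And finally, /etc/keylime itself.
+z /etc/keylime 0500 keylime keylime -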
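Review bot: Several paths appear twice with different line types — `d` followed later by `z`/`Z` for /var/lib/keylime, /var/lib/keylime/tpm_cert_store and /etc/keylime — and, as far as I recall, systemd-tmpfiles keys items by path and drops a second line of an incompatible type for the same path with a "Duplicate line for path" notice, which would mean the recursive 0400 on the cert store and configuration files (the very fix this file exists for) is silently skipped; please verify with `systemd-tmpfiles --create --prefix=/etc/keylime` and the journal before relying on it. A `d` line already adjusts mode and ownership of a directory that exists, so the per-directory `z` lines add nothing, and the file-level modes can be expressed as glob `z` lines that do not collide with any `d` path (sketched below). Separately, `d /etc/keylime/ca.conf.d` is missing from the create list even though `z /etc/keylime/ca.conf.d` and the spec's `%dir %{_sysconfdir}/%{srcname}/{ca,logging}.conf.d` reference it, so `d /etc/keylime/ca.conf.d 0500 keylime keylime -` belongs next to the other snippet directories.
```conf
# … unchanged: d lines for /run/keylime, /var/lib/keylime, /var/lib/keylime/tpm_cert_store and /etc/keylime …
d /etc/keylime/ca.conf.d 0500 keylime keylime -

# Directory modes and ownership come from the d lines above; only file
# contents need adjusting, and z accepts globs, so no path is listed twice.
# TPM certificate store contents: 0400 keylime/keylime.
z /var/lib/keylime/tpm_cert_store/* 0400 keylime keylime -
# Keylime configuration files and drop-in snippets: 0400 keylime/keylime.
z /etc/keylime/*.conf 0400 keylime keylime -
z /etc/keylime/*.conf.d/* 0400 keylime keylime -
```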