From 903b0e83ce5a18e7af5cdb4925cbb08d4da5af82 Mon Sep 17 00:00:00 2001 From: Sergio Correia Date: Wed, 26 Mar 2025 10:50:51 +0000 Subject: [PATCH] Use tmpfiles.d for permissions in /var/lib/keylime and /etc/keylime Resolves: RHEL-77143 Signed-off-by: Sergio Correia --- keylime.spec | 21 ++++++++++----------- keylime.tmpfiles | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+), 11 deletions(-) create mode 100644 keylime.tmpfiles diff --git a/keylime.spec b/keylime.spec index 9a76760..955464f 100644 --- a/keylime.spec +++ b/keylime.spec @@ -14,9 +14,10 @@ Summary: Open source TPM software for Bootstrapping and Maintaining Trust URL: https://github.com/keylime/keylime Source0: https://github.com/keylime/keylime/archive/refs/tags/v%{version}.tar.gz -Source1: %{srcname}.sysusers # The selinux policy for keylime is distributed via this repo: https://github.com/RedHat-SP-Security/keylime-selinux -Source2: https://github.com/RedHat-SP-Security/%{name}-selinux/archive/v%{policy_version}/keylime-selinux-%{policy_version}.tar.gz +Source1: https://github.com/RedHat-SP-Security/%{name}-selinux/archive/v%{policy_version}/keylime-selinux-%{policy_version}.tar.gz +Source2: %{srcname}.sysusers +Source3: %{srcname}.tmpfiles # Main program: Apache-2.0 # Icons: MIT @@ -65,8 +66,8 @@ Conflicts: keylime < 6.3.0-3 Requires(pre): python3-jinja2 Requires(pre): shadow-utils +Requires(pre): tpm2-tss Requires: procps-ng -Requires: tpm2-tss Requires: openssl %if 0%{?with_selinux} @@ -184,7 +185,7 @@ The keylime tools package includes miscelaneous tools. %prep -%autosetup -S git -n %{srcname}-%{version} -a2 +%autosetup -S git -n %{srcname}-%{version} -a1 %if 0%{?with_selinux} # SELinux policy (originally from selinux-policy-contrib) 
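Review bot: In the second hunk the plain `Requires: tpm2-tss` is removed and only `Requires(pre): tpm2-tss` is left, which rpm treats as a scriptlet-time dependency that may be satisfied only while `%pre` runs, not as a guarantee that the package stays installed at runtime. If `%pre` needs it (presumably so a group referenced by the sysusers fragment already exists; that file is not in this diff), the usual form is to keep both lines, `Requires(pre): tpm2-tss` and `Requires: tpm2-tss`. The first hunk renumbers the sources, so every `%{SOURCEn}` reference in the spec has to follow; the `-a1` change in the third hunk and the `%install`/`%pre` hunks do, but any use outside the shown hunks should be rechecked.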
@@ -240,15 +241,12 @@ install -Dpm 644 ./services/%{srcname}_registrar.service \ cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/ -install -p -d %{buildroot}/%{_tmpfilesdir} -cat > %{buildroot}/%{_tmpfilesdir}/%{srcname}.conf << EOF -d %{_rundir}/%{srcname} 0700 %{srcname} %{srcname} - -EOF - -install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/%{srcname}.conf +# Install the sysusers + tmpfiles.d configuration. +install -p -D -m 0644 %{SOURCE2} %{buildroot}/%{_sysusersdir}/%{srcname}.conf +install -p -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/%{name}.conf %pre base -%sysusers_create_compat %{SOURCE1} +%sysusers_create_compat %{SOURCE2} exit 0 %post base @@ -371,6 +369,7 @@ fi %files base %license LICENSE %doc README.md +%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname} %attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/{ca,logging}.conf.d %config(noreplace) %verify(not md5 size mode mtime) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/ca.conf %config(noreplace) %verify(not md5 size mode mtime) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/logging.conf diff --git a/keylime.tmpfiles b/keylime.tmpfiles new file mode 100644 index 0000000..698648e --- /dev/null +++ b/keylime.tmpfiles 
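Review bot: The tmpfiles fragment is installed as `%{_tmpfilesdir}/%{name}.conf` while the sysusers fragment on the line above and the removed heredoc both use `%{srcname}.conf`; unless the two macros are guaranteed to expand identically, the `%files` entry for the tmpfiles file (outside this hunk) no longer matches, so use one macro consistently, e.g. `install -p -D -m 0644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}/%{srcname}.conf`. The replaced heredoc only created `%{_rundir}/%{srcname}`, whereas the new fragment also re-applies ownership and modes under `/etc/keylime` and `/var/lib/keylime`; if those permissions are expected immediately after installation rather than at the next boot, `%post base` (its body is outside this hunk) should invoke `%tmpfiles_create` for the installed fragment. The `%files` hunk now also owns `%dir %{_sysconfdir}/%{srcname}` with mode 500, which matches the `d /etc/keylime 0500` line in the new file.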
@@ -0,0 +1,37 @@
+d /run/keylime 0700 keylime keylime -
+
+d /var/lib/keylime/tpm_cert_store 0500 keylime keylime -
+d /var/lib/keylime 0700 keylime keylime -
+
+d /etc/keylime 0500 keylime keylime -
+d /etc/keylime/logging.conf.d 0500 keylime keylime -
+d /etc/keylime/verifier.conf.d 0500 keylime keylime -
+d /etc/keylime/registrar.conf.d 0500 keylime keylime -
+d /etc/keylime/tenant.conf.d 0500 keylime keylime -
+d /etc/keylime/agent.conf.d 0500 keylime keylime -
+
+# TPM certificate store.
+# Files inside /var/lib/keylime/tpm_cert_store/ have
+# 0400 permission and are owned by keylime/keylime,
+# while /var/lib/keylime/tpm_cert_store/ itself has
+# permission 0500, also owned by keylime/keylime.
+Z /var/lib/keylime/tpm_cert_store 0400 keylime keylime -
+z /var/lib/keylime/tpm_cert_store 0500 keylime keylime -
+# Finally, /var/lib/keylime itself has 0700 permission,
+# and is owned by keylime/keylime.
+z /var/lib/keylime 0700 keylime keylime -
+
+# Keylime configuration in /etc/keylime has permission 0400
+# owned by keylime/keylime, while snippet directories and
+# the actual /etc/keylime directory have permission 0500,
+# also owned by keylime/keylime.
+Z /etc/keylime 0400 keylime keylime -
+# Now fix the directories:
+z /etc/keylime/ca.conf.d 0500 keylime keylime -
+z /etc/keylime/logging.conf.d 0500 keylime keylime -
+z /etc/keylime/verifier.conf.d 0500 keylime keylime -
+z /etc/keylime/registrar.conf.d 0500 keylime keylime -
+z /etc/keylime/tenant.conf.d 0500 keylime keylime -
+z /etc/keylime/agent.conf.d 0500 keylime keylime -
+# And finally, /etc/keylime itself.
+z /etc/keylime 0500 keylime keylime -
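Review bot: `Z /etc/keylime 0400 keylime keylime -` recursively forces 0400 keylime:keylime onto everything below /etc/keylime on every `systemd-tmpfiles --create` run, so any subdirectory other than the six fixed up by the following `z` lines is left 0400 and untraversable, and a file an operator deliberately made readable by another service is silently reset at each boot; restricting the recursive line to what the package ships (for example `z /etc/keylime/*.conf 0400 keylime keylime -` together with the existing per-directory `z` lines) or stating the clobbering in the header comment would make the behaviour explicit. The `d` block creates the logging, verifier, registrar, tenant and agent snippet directories but not `/etc/keylime/ca.conf.d`, although the later `z` line and the spec's `%files` both list it; add `d /etc/keylime/ca.conf.d 0500 keylime keylime -` for consistency. The same `Z`-then-`z` pattern is used for `/var/lib/keylime/tpm_cert_store`, where any subdirectory inside the store would likewise end up 0400. Both sequences rely on systemd-tmpfiles applying lines in file order, which appears to hold, but a comment such as `# Order matters: the Z lines must precede the z fix-ups below.` would protect against a later alphabetical reshuffle.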