%global srcname keylime %global with_selinux 1 %global selinuxtype targeted # Package is actually noarch, but it has an optional dependency that is # arch-specific. %global debug_package %{nil} Name: keylime Version: 6.4.3 Release: 1%{?dist} Summary: Open source TPM software for Bootstrapping and Maintaining Trust URL: https://github.com/keylime/keylime Source0: https://github.com/keylime/keylime/archive/refs/tags/v%{version}.tar.gz Source1: %{srcname}.sysusers %if 0%{?with_selinux} Source2: %{srcname}.te Source3: %{srcname}.if Source4: %{srcname}.fc %endif License: ASL 2.0 and MIT BuildRequires: git-core BuildRequires: swig BuildRequires: openssl-devel BuildRequires: python3-devel BuildRequires: python3-dbus BuildRequires: python3-setuptools BuildRequires: systemd-rpm-macros Requires: python3-%{srcname} = %{version}-%{release} Requires: %{srcname}-base = %{version}-%{release} Requires: %{srcname}-verifier = %{version}-%{release} Requires: %{srcname}-registrar = %{version}-%{release} Requires: %{srcname}-tenant = %{version}-%{release} # Agent. Requires: keylime-agent Suggests: keylime-agent-rust %{?python_enable_dependency_generator} %description Keylime is a TPM based highly scalable remote boot attestation and runtime integrity measurement solution. %package base Summary: The base package contains the default configuration License: MIT Requires(pre): shadow-utils Requires: procps-ng Requires: tpm2-tss %if 0%{?with_selinux} # This ensures that the *-selinux package and all it’s dependencies are not pulled # into containers and other systems that do not use SELinux Requires: (%{srcname}-selinux if selinux-policy-%{selinuxtype}) %endif %ifarch %efi Requires: efivar-libs %endif %description base The base package contains the Keylime default configuration %package -n python3-%{srcname} Summary: The Python Keylime module License: MIT Requires: %{srcname}-base = %{version}-%{release} %{?python_provide:%python_provide python3-%{srcname}} Requires: python3-tornado Requires: python3-sqlalchemy Requires: python3-alembic Requires: python3-cryptography Requires: python3-pyyaml Requires: python3-packaging Requires: python3-requests Requires: python3-gpg Requires: python3-lark-parser Requires: python3-pyasn1 Requires: python3-pyasn1-modules Requires: tpm2-tools %description -n python3-%{srcname} The python3-keylime module implements the functionality used by Keylime components. %package verifier Summary: The Python Keylime Verifier component License: MIT Requires: %{srcname}-base = %{version}-%{release} Requires: python3-%{srcname} = %{version}-%{release} %description verifier The Keylime Verifier continuously verifies the integrity state of the machine that the agent is running on. %package registrar Summary: The Keylime Registrar component License: MIT Requires: %{srcname}-base = %{version}-%{release} Requires: python3-%{srcname} = %{version}-%{release} %description registrar The Keylime Registrar is a database of all agents registered with Keylime and hosts the public keys of the TPM vendors. %if 0%{?with_selinux} # SELinux subpackage %package selinux Summary: keylime SELinux policy BuildArch: noarch Requires: selinux-policy-%{selinuxtype} Requires(post): selinux-policy-%{selinuxtype} BuildRequires: selinux-policy-devel %{?selinux_requires} %description selinux Custom SELinux policy module %endif %package tenant Summary: The Python Keylime Tenant License: MIT Requires: %{srcname}-base = %{version}-%{release} Requires: python3-%{srcname} = %{version}-%{release} %description tenant The Keylime Tenant can be used to provision a Keylime Agent. %prep %autosetup -S git -n %{srcname}-%{version} %if 0%{?with_selinux} # SELinux policy (originally from selinux-policy-contrib) # this policy module will override the production module mkdir selinux cp -p %{SOURCE2} selinux/ cp -p %{SOURCE3} selinux/ cp -p %{SOURCE4} selinux/ make -f %{_datadir}/selinux/devel/Makefile %{srcname}.pp bzip2 -9 %{srcname}.pp %endif %build %py3_build %install %py3_install mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname} mkdir -p --mode=0700 %{buildroot}/%{_rundir}/%{srcname} mkdir -p --mode=0700 %{buildroot}/%{_localstatedir}/log/%{srcname} # Remove agent and webapp. rm -f %{buildroot}/%{_bindir}/%{srcname}_agent rm -f %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/%{srcname}_agent* rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/__pycache__/agent.* rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/agent.* rm -f %{buildroot}%{python3_sitelib}/%{srcname}/%{srcname}_agent.* rm -f %{buildroot}/%{_bindir}/%{srcname}_webapp rm -f %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/tenant_webapp.* rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/__pycache__/webapp.* rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/webapp.* rm -f %{buildroot}%{python3_sitelib}/%{srcname}/tenant_webapp.* rm -rf %{buildroot}%{python3_sitelib}/%{srcname}/static/ # Remove misc progs. rm -f %{buildroot}/%{_bindir}/%{srcname}_ima_emulator rm -f %{buildroot}/%{_bindir}/%{srcname}_userdata_encrypt # Setting up the agent to use keylime:keylime user/group after dropping privileges. sed -e 's/^run_as[[:space:]]*=.*/run_as = keylime:keylime/g' -i %{srcname}.conf # Using sha256 for tpm_hash_alg. sed -e 's/^tpm_hash_alg[[:space:]]*=.*/tpm_hash_alg = sha256/g' -i %{srcname}.conf %if 0%{?with_selinux} install -D -m 0644 %{srcname}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2 install -D -p -m 0644 selinux/%{srcname}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{srcname}.if %endif install -Dpm 600 %{srcname}.conf \ %{buildroot}%{_sysconfdir}/%{srcname}.conf install -Dpm 644 ./services/%{srcname}_verifier.service \ %{buildroot}%{_unitdir}/%{srcname}_verifier.service install -Dpm 644 ./services/%{srcname}_registrar.service \ %{buildroot}%{_unitdir}/%{srcname}_registrar.service cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/keylime/ install -p -d %{buildroot}/%{_tmpfilesdir} cat > %{buildroot}/%{_tmpfilesdir}/%{srcname}.conf << EOF d %{_rundir}/%{srcname} 0700 %{srcname} %{srcname} - EOF install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/%{srcname}.conf %pre base %sysusers_create_compat %{SOURCE1} exit 0 %posttrans base [ -f %{_sysconfdir}/%{srcname}.conf ] && \ chmod 600 %{_sysconfdir}/%{srcname}.conf && \ chown %{srcname} %{_sysconfdir}/%{srcname}.conf [ -d %{_sharedstatedir}/%{srcname} ] && \ chown -R %{srcname} %{_sharedstatedir}/%{srcname}/ [ -d %{_localstatedir}/log/%{srcname} ] && \ chown -R %{srcname} %{_localstatedir}/log/%{srcname}/ exit 0 %post verifier %systemd_post %{srcname}_verifier.service %post registrar %systemd_post %{srcname}_registrar.service %preun verifier %systemd_preun %{srcname}_verifier.service %preun registrar %systemd_preun %{srcname}_registrar.service %postun verifier %systemd_postun_with_restart %{srcname}_verifier.service %postun registrar %systemd_postun_with_restart %{srcname}_registrar.service %if 0%{?with_selinux} # SELinux contexts are saved so that only affected files can be # relabeled after the policy module installation %pre selinux %selinux_relabel_pre -s %{selinuxtype} %post selinux %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2 %selinux_relabel_post -s %{selinuxtype} if [ "$1" -le "1" ]; then # First install # The services need to be restarted for the custom label to be # applied in case they where already present in the system, # restart fails silently in case they where not. for svc in agent registrar verifier; do [ -f "%{_unitdir}/%{srcname}_${svc}".service ] && \ %systemd_postun_with_restart "%{srcname}_${svc}".service done fi exit 0 %postun selinux if [ $1 -eq 0 ]; then %selinux_modules_uninstall -s %{selinuxtype} %{srcname} %selinux_relabel_post -s %{selinuxtype} fi %endif %files verifier %license LICENSE %{_bindir}/%{srcname}_verifier %{_bindir}/%{srcname}_ca %{_bindir}/%{srcname}_migrations_apply %{_unitdir}/keylime_verifier.service %files registrar %license LICENSE %{_bindir}/%{srcname}_registrar %{_unitdir}/keylime_registrar.service %if 0%{?with_selinux} %files selinux %{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.* %{_datadir}/selinux/devel/include/distributed/%{srcname}.if %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{srcname} %endif %files tenant %license LICENSE %{_bindir}/%{srcname}_tenant %files -n python3-%{srcname} %license LICENSE %{python3_sitelib}/%{srcname}-*.egg-info/ %{python3_sitelib}/%{srcname} %files base %license LICENSE %doc README.md %config(noreplace) %attr(600,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}.conf %attr(700,%{srcname},%{srcname}) %dir %{_rundir}/%{srcname} %attr(700,%{srcname},%{srcname}) %dir %{_localstatedir}/log/%{srcname} %attr(700,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname} %{_tmpfilesdir}/%{srcname}.conf %{_sysusersdir}/%{srcname}.conf %files %license LICENSE %changelog * Fri Aug 26 2022 Sergio Correia - 6.4.3-1 - Update to 6.4.3 Resolves: rhbz#2121044 - Error parsing EK ASN.1 certificate of Nuvoton HW TPM * Fri Aug 26 2022 Patrik Koncity - 6.4.2-6 - Update keylime SELinux policy - Resolves: rhbz#2121058 * Fri Aug 26 2022 Patrik Koncity - 6.4.2-5 - Update keylime SELinux policy and removed duplicate rules - Resolves: rhbz#2121058 * Fri Aug 26 2022 Patrik Koncity - 6.4.2-4 - Update keylime SELinux policy - Resolves: rhbz#2121058 * Wed Aug 17 2022 Patrik Koncity - 6.4.2-3 - Add keylime-selinux policy as subpackage - See https://fedoraproject.org/wiki/SELinux/IndependentPolicy - Resolves: rhbz#2121058 * Mon Jul 11 2022 Sergio Correia - 6.4.2-2 - Fix efivar-libs dependency Related: rhbz#2082989 * Thu Jul 07 2022 Sergio Correia - 6.4.2-1 - Update to 6.4.2 Related: rhbz#2082989 * Tue Jun 21 2022 Sergio Correia - 6.4.1-1 - Add keylime to RHEL-9 Resolves: rhbz#2082989