From 48eb3dabf7c63669931ab9db7a1129243821650e Mon Sep 17 00:00:00 2001
From: Than Ngo <than@redhat.com>
Date: Thu, 10 Apr 2025 12:16:52 +0200
Subject: [PATCH] Related: RHEL-77146, opencryptoki doesn't work in image mode

---
 opencryptoki-3.24.0-sysusers-config.patch |  7 ----
 opencryptoki.spec                         | 39 +++++++----------------
 2 files changed, 11 insertions(+), 35 deletions(-)
 delete mode 100644 opencryptoki-3.24.0-sysusers-config.patch

diff --git a/opencryptoki-3.24.0-sysusers-config.patch b/opencryptoki-3.24.0-sysusers-config.patch
deleted file mode 100644
index 63b7317..0000000
--- a/opencryptoki-3.24.0-sysusers-config.patch
+++ /dev/null
@@ -1,7 +0,0 @@
-diff -Nur opencryptoki-3.24.0.me/opencryptoki.sysusers.conf opencryptoki-3.24.0/opencryptoki.sysusers.conf
---- opencryptoki-3.24.0.me/opencryptoki.sysusers.conf	1970-01-01 01:00:00.000000000 +0100
-+++ opencryptoki-3.24.0/opencryptoki.sysusers.conf	2025-03-12 15:56:16.270318728 +0100
-@@ -0,0 +1,3 @@
-+u pkcsslotd - "Opencryptoki pkcsslotd user"  /run/opencryptoki /sbin/nologin
-+g pkcs11 - -
-+m pkcsslotd pkcs11
diff --git a/opencryptoki.spec b/opencryptoki.spec
index 8d6df8f..d32b386 100644
--- a/opencryptoki.spec
+++ b/opencryptoki.spec
@@ -1,13 +1,14 @@
-%global use_sysusers 1
-
 Name: opencryptoki
 Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
 Version: 3.24.0
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: CPL-1.0
 URL: https://github.com/opencryptoki/opencryptoki
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
+# p11-kit default path
 Source1: opencryptoki.module
+# sysusers.d config file to allow rpm to create users/groups automatically
+Source2: opencryptoki.sysusers.conf
 
 # fix install problem in buildroot
 Patch1: opencryptoki-3.24.0-p11sak.patch
@@ -15,9 +16,6 @@ Patch1: opencryptoki-3.24.0-p11sak.patch
 # tmpfiles.d config files for image mode
 Patch2: opencryptoki-3.24.0-tmpfiles-image-mode.patch
 
-# sysuser config file for image mode
-Patch3: opencryptoki-3.24.0-sysusers-config.patch
-
 # upstream patches
 Patch100: opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch
 Patch101: opencryptoki-3.24.0-resource-leaks.patch
@@ -35,7 +33,9 @@ BuildRequires: bison flex
 BuildRequires: libcap-devel
 BuildRequires: expect
 BuildRequires: make
+# sysusers_create_compat macro
 BuildRequires: systemd-rpm-macros
+%{?sysusers_requires_compat}
 %ifarch s390 s390x
 BuildRequires: libica-devel >= 3.3
 # for /usr/include/libudev.h
@@ -213,9 +213,8 @@ configured with Enterprise PKCS#11 (EP11) firmware.
 %install
 %make_install CHGRP=/bin/true
 
-%if %{use_sysusers}
 # Install sysusers.d config file
-install -p -D -m 0644 %{name}.sysusers.conf %{buildroot}%{_sysusersdir}/%{name}.sysusers.conf
+install -p -D -m 0644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.sysusers.conf
 
 # Install tmpfiles.d config files
 %ifarch s390 s390x
@@ -233,7 +232,6 @@ install -p -D -m 0644 %{name}-tpmtok.conf %{buildroot}%{_tmpfilesdir}/
 
 install -p -D -m 0644 %{name}-swtok.conf %{buildroot}%{_tmpfilesdir}/
 install -p -D -m 0644 %{name}-icsftok.conf %{buildroot}%{_tmpfilesdir}/
-%endif
 
 
 %pre
@@ -246,11 +244,7 @@ if test $1 -gt 1 && test -f %{cfile} ; then
 fi
 
 %pre libs
-%if ! %{use_sysusers}
-getent group pkcs11 >/dev/null || groupadd -r pkcs11
-getent passwd pkcsslotd >/dev/null || useradd -r -g pkcs11 -d /run/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" pkcsslotd
-%endif
-exit 0
+%sysusers_create_compat %{SOURCE2}
 
 %post
 # restore the config file from %pre
@@ -326,9 +320,7 @@ fi
 %{_libdir}/pkcs11/PKCS11_API.so
 %{_libdir}/pkcs11/stdll
 %dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki
-%if %{use_sysusers}
 %{_sysusersdir}/%{name}.sysusers.conf
-%endif
 
 %files devel
 %{_includedir}/%{name}/
@@ -339,9 +331,7 @@ fi
 %{_libdir}/opencryptoki/stdll/PKCS11_SW.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/
-%if %{use_sysusers}
 %{_tmpfilesdir}/%{name}-swtok.conf
-%endif
 
 %if 0%{?tmptok}
 %files tpmtok
@@ -349,10 +339,8 @@ fi
 %{_libdir}/opencryptoki/stdll/libpkcs11_tpm.*
 %{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/
-%if %{use_sysusers}
 %{_tmpfilesdir}/%{name}-tpmtok.conf
 %endif
-%endif
 
 %files icsftok
 %doc doc/README.icsf_stdll
@@ -361,9 +349,7 @@ fi
 %{_libdir}/opencryptoki/stdll/libpkcs11_icsf.*
 %{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/icsf/
-%if %{use_sysusers}
 %{_tmpfilesdir}/%{name}-icsftok.conf
-%endif
 
 %ifarch s390 s390x
 %files icatok
@@ -371,10 +357,8 @@ fi
 %{_libdir}/opencryptoki/stdll/PKCS11_ICA.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/
-%if %{use_sysusers}
 %{_tmpfilesdir}/%{name}-icatok.conf
 %endif
-%endif
 
 %ifarch s390 s390x x86_64 ppc64le
 %files ccatok
@@ -386,10 +370,8 @@ fi
 %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/TOK_OBJ/
-%if %{use_sysusers}
 %{_tmpfilesdir}/%{name}-ccatok.conf
 %endif
-%endif
 
 %ifarch s390 s390x
 %files ep11tok
@@ -404,13 +386,14 @@ fi
 %{_libdir}/opencryptoki/stdll/PKCS11_EP11.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/TOK_OBJ/
-%if %{use_sysusers}
 %{_tmpfilesdir}/%{name}-ep11tok.conf
 %endif
-%endif
 
 
 %changelog
+* Wed Apr 09 2025 Than Ngo <than@redhat.com> - 3.24.0-8
+- Related: RHEL-77146, opencryptoki doesn't work in image mode
+
 * Tue Mar 18 2025 Than Ngo <than@redhat.com> - 3.24.0-7
 - Resolves: RHEL-80632, tokens are deleted on reboot
 - Related: RHEL-77146, opencryptoki doesn't work in image mode