From 322da1c8132d3fe454e0bdc4344b3ed9d7672c79 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Tue, 28 Mar 2023 09:31:41 +0000
Subject: [PATCH] import tpm2-abrmd-selinux-2.3.1-7.el9

---
 ...faces-for-communication-with-keylime.patch | 68 +++++++++++++++++++
 ...Fix-in-SELinux-interface-file-a-typo.patch | 29 ++++++++
 SPECS/tpm2-abrmd-selinux.spec                 |  8 ++-
 3 files changed, 104 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0001-Add-new-interfaces-for-communication-with-keylime.patch
 create mode 100644 SOURCES/0002-Fix-in-SELinux-interface-file-a-typo.patch

diff --git a/SOURCES/0001-Add-new-interfaces-for-communication-with-keylime.patch b/SOURCES/0001-Add-new-interfaces-for-communication-with-keylime.patch
new file mode 100644
index 0000000..f1cf60a
--- /dev/null
+++ b/SOURCES/0001-Add-new-interfaces-for-communication-with-keylime.patch
@@ -0,0 +1,68 @@
+From d319a1a6723ad20766c18964c289d47c06e19182 Mon Sep 17 00:00:00 2001
+From: Patrik Koncity <pkoncity@redhat.com>
+Date: Fri, 19 Aug 2022 14:03:49 +0200
+Subject: [PATCH 1/2] Add new interfaces for communication with keylime
+
+Policy need rules to communicate with keylime.
+
+AVC:
+allow keylime_agent_t tabrmd_t:dbus send_msg;
+allow keylime_agent_t tabrmd_t:unix_stream_socket { getattr getopt read write };
+
+Create new interfaces to allow keylime
+communicate with keylime.
+
+Signed-off-by: Patrik Koncity <pkoncity@redhat.com>
+---
+ selinux/tabrmd.if | 40 ++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 40 insertions(+)
+
+diff --git a/selinux/tabrmd.if b/selinux/tabrmd.if
+index 3eb6a30..c04eca0 100644
+--- a/selinux/tabrmd.if
++++ b/selinux/tabrmd.if
+@@ -1 +1,41 @@
+ ## <summary></summary>
++
++########################################
++## <summary>
++##      Create and use a unix stream socket
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`tabrmd_create_unix_stream_sockets',`
++        gen_require(`
++                type tabrmd_t;
++        ')
++
++        allow $1 tabrmd_t:unix_stream_socket create_stream_socket_perms;
++')
++
++########################################
++## <summary>
++##      Send messages to and from 
++##      tabrmd over DBUS.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`tabr,d_dbus_chat',`
++        gen_require(`
++                type tabrmd_t;
++                class dbus send_msg;
++        ')
++
++        allow $1 tabrmd_t:dbus send_msg;
++        allow tabrmd_t $1:dbus send_msg;
++')
++
+-- 
+2.39.0
+
diff --git a/SOURCES/0002-Fix-in-SELinux-interface-file-a-typo.patch b/SOURCES/0002-Fix-in-SELinux-interface-file-a-typo.patch
new file mode 100644
index 0000000..b3d7ef0
--- /dev/null
+++ b/SOURCES/0002-Fix-in-SELinux-interface-file-a-typo.patch
@@ -0,0 +1,29 @@
+From 64994388056b9b8c687eef3bc6030f2f40888440 Mon Sep 17 00:00:00 2001
+From: Patrik Koncity <pkoncity@redhat.com>
+Date: Mon, 9 Jan 2023 12:30:42 +0100
+Subject: [PATCH 2/2] Fix in SELinux interface file a typo
+
+In name of interface in SELinux policy is
+typo issue.
+
+Signed-off-by: Patrik Koncity <pkoncity@redhat.com>
+---
+ selinux/tabrmd.if | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/selinux/tabrmd.if b/selinux/tabrmd.if
+index c04eca0..81c7853 100644
+--- a/selinux/tabrmd.if
++++ b/selinux/tabrmd.if
+@@ -29,7 +29,7 @@ interface(`tabrmd_create_unix_stream_sockets',`
+ ##      </summary>
+ ## </param>
+ #
+-interface(`tabr,d_dbus_chat',`
++interface(`tabrmd_dbus_chat',`
+         gen_require(`
+                 type tabrmd_t;
+                 class dbus send_msg;
+-- 
+2.39.0
+
diff --git a/SPECS/tpm2-abrmd-selinux.spec b/SPECS/tpm2-abrmd-selinux.spec
index b73c5f4..de9a10a 100644
--- a/SPECS/tpm2-abrmd-selinux.spec
+++ b/SPECS/tpm2-abrmd-selinux.spec
@@ -6,7 +6,7 @@
 
 Name: tpm2-abrmd-selinux
 Version: 2.3.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: SELinux policies for tpm2-abrmd
 
 License: BSD
@@ -14,6 +14,8 @@ URL:     https://github.com/tpm2-software/tpm2-abrmd
 Source0: https://github.com/tpm2-software/tpm2-abrmd/archive/%{version}/tpm2-abrmd-%{version}.tar.gz
 
 Patch0: selinux-allow-fwupd-to-communicate-with-tpm2-abrmd.patch
+Patch1: 0001-Add-new-interfaces-for-communication-with-keylime.patch
+Patch2: 0002-Fix-in-SELinux-interface-file-a-typo.patch
 
 BuildArch: noarch
 Requires: selinux-policy >= %{selinux_policyver}
@@ -71,6 +73,10 @@ fi
 %{_datadir}/selinux/devel/include/%{moduletype}/%{modulename}.if
 
 %changelog
+* Fri Jan 6 2023 Štěpán Horáček <shoracek@redhat.com> - 2.3.1-7
+- Include interface for Keylime
+  Resolves: rhbz#2157894
+
 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 2.3.1-6
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688