diff --git a/selinux-allow-fwupd-to-communicate-with-tpm2-abrmd.patch b/selinux-allow-fwupd-to-communicate-with-tpm2-abrmd.patch
new file mode 100644
index 0000000..bfc5f3c
--- /dev/null
+++ b/selinux-allow-fwupd-to-communicate-with-tpm2-abrmd.patch
@@ -0,0 +1,30 @@
+From f987783e67829394f4da7fe44d6b30bf22869bba Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas
+Date: Fri, 8 Mar 2019 12:44:16 +0100
+Subject: [PATCH] selinux: allow fwupd to communicate with tpm2-abrmd
+
+In Fedora, we have the following SELinux AVC error:
+
+Mar 07 09:18:35 river audit[1078]: USER_AVC pid=1078 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.558 spid=8554 tpid=8550 scontext=system_u:system_r:tabrmd_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
+
+Allow fwupd to chat with tpm2-abrmd over D-BUS.
+
+Signed-off-by: Javier Martinez Canillas
+---
+ selinux/tabrmd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/selinux/tabrmd.te b/selinux/tabrmd.te
+index 5f04fc4686b..a6326f659c5 100644
+--- a/selinux/tabrmd.te
++++ b/selinux/tabrmd.te
+@@ -18,5 +18,6 @@ optional_policy(`
+ dbus_stub()
+ dbus_system_domain(tabrmd_t, tabrmd_exec_t)
+ allow system_dbusd_t tabrmd_t:unix_stream_socket rw_stream_socket_perms;
++ fwupd_dbus_chat(tabrmd_t)
+ ')
+
+--
+2.20.1
+
diff --git a/tpm2-abrmd-selinux.spec b/tpm2-abrmd-selinux.spec
index 562d202..13f02de 100644
--- a/tpm2-abrmd-selinux.spec
+++ b/tpm2-abrmd-selinux.spec
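Review bot: `fwupd_dbus_chat(tabrmd_t)` is added inside the existing `optional_policy` block that also carries `dbus_stub()` and `dbus_system_domain(tabrmd_t, tabrmd_exec_t)`, so the core D-Bus rules for tabrmd_t now share one optional block with a dependency on the fwupd policy module. An optional block is enabled only when everything it requires is present, so on a policy without fwupd_t the whole block, including the system-bus domain rules, would presumably be disabled rather than just the fwupd rule. Moving the call into a separate `optional_policy` block placed after the closing `')` keeps the two dependencies independent. The block opens above the hunk, so its other contents are not visible here. By refpolicy convention a `*_dbus_chat` interface grants `send_msg` in both directions, while the quoted AVC shows only the `method_return` from tabrmd_t to fwupd_t being denied; it is worth confirming against fwupd's interface file that nothing broader is granted.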
@@ -6,13 +6,15 @@ Name: tpm2-abrmd-selinux Version: 2.1.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: SELinux policies for tpm2-abrmd License: BSD URL: https://github.com/tpm2-software/tpm2-abrmd Source0: https://github.com/tpm2-software/tpm2-abrmd/archive/%{version}/tpm2-abrmd-%{version}.tar.gz +Patch0: selinux-allow-fwupd-to-communicate-with-tpm2-abrmd.patch + BuildArch: noarch Requires: selinux-policy >= %{selinux_policyver} BuildRequires: git @@ -33,7 +35,7 @@ Requires(post): policycoreutils-python SELinux policy modules for tpm2-abrmd. %prep -%setup -q -n tpm2-abrmd-%{version} +%autosetup -p1 -n tpm2-abrmd-%{version} %build pushd selinux @@ -72,6 +74,10 @@ fi %{_datadir}/selinux/devel/include/%{moduletype}/%{modulename}.if %changelog +* Fri Mar 08 2019 Javier Martinez Canillas - 2.1.0-2 +- selinux: allow tpm2-abrmd to communicate with fwupd + Resolves: rhbz#1665701 + * Fri Feb 22 2019 Javier Martinez Canillas - 2.1.0-1 - Update to 2.1.0 release - Add selinux-policy-%{selinuxtype} BuildRequires
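Review bot: `Patch0` is added without a comment recording where the patch comes from or whether it has been merged upstream, which matters for a downstream patch that widens SELinux policy. A line such as `# Upstream: <upstream commit or pull-request URL>` above `Patch0:` would let a later rebase drop the patch safely. The changelog entry in the last hunk states the direction as "allow tpm2-abrmd to communicate with fwupd" while the patch subject says the reverse; using one wording would make later audits of this policy change easier.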