From b227f9a5d0f5e45a34398de74c58f8c19cfa213a Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 2 Nov 2021 05:33:51 -0400
Subject: [PATCH] import tpm2-abrmd-selinux-2.3.1-6.el9
---
 .gitignore | 1 +
 .tpm2-abrmd-selinux.metadata | 1 +
 ...fwupd-to-communicate-with-tpm2-abrmd.patch | 31 +++++
 SPECS/tpm2-abrmd-selinux.spec | 115 ++++++++++++++++++
 4 files changed, 148 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 .tpm2-abrmd-selinux.metadata
 create mode 100644 SOURCES/selinux-allow-fwupd-to-communicate-with-tpm2-abrmd.patch
 create mode 100644 SPECS/tpm2-abrmd-selinux.spec
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3ad6f31
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/tpm2-abrmd-2.3.1.tar.gz
diff --git a/.tpm2-abrmd-selinux.metadata b/.tpm2-abrmd-selinux.metadata
new file mode 100644
index 0000000..29cd5e7
--- /dev/null
+++ b/.tpm2-abrmd-selinux.metadata
@@ -0,0 +1 @@
+54a4c097520d6726fd19c04131dfafce2c4e6be8 SOURCES/tpm2-abrmd-2.3.1.tar.gz
diff --git a/SOURCES/selinux-allow-fwupd-to-communicate-with-tpm2-abrmd.patch b/SOURCES/selinux-allow-fwupd-to-communicate-with-tpm2-abrmd.patch
new file mode 100644
index 0000000..8b956b8
--- /dev/null
+++ b/SOURCES/selinux-allow-fwupd-to-communicate-with-tpm2-abrmd.patch
@@ -0,0 +1,31 @@
+From 0bb388cc57231cb46f5bfa1a52425588fa149e89 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas
+Date: Wed, 12 Feb 2020 13:48:29 +0100
+Subject: [PATCH] selinux: allow fwupd to communicate with tpm2-abrmd
+
+In Fedora, we have the following SELinux AVC error:
+
+Mar 07 09:18:35 river audit[1078]: USER_AVC pid=1078 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.558 spid=8554 tpid=8550 scontext=system_u:system_r:tabrmd_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
+
+Allow fwupd to chat with tpm2-abrmd over D-BUS.
+
+Signed-off-by: Javier Martinez Canillas
+---
+ selinux/tabrmd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/selinux/tabrmd.te b/selinux/tabrmd.te
+index 59d7e548051..8996a46a0ea 100644
+--- a/selinux/tabrmd.te
++++ b/selinux/tabrmd.te
+@@ -21,6 +21,7 @@ optional_policy(`
+ dbus_stub()
+ dbus_system_domain(tabrmd_t, tabrmd_exec_t)
+ allow system_dbusd_t tabrmd_t:unix_stream_socket rw_stream_socket_perms;
++ fwupd_dbus_chat(tabrmd_t)
+ ')
+
+ tunable_policy(`tabrmd_connect_all_unreserved',`
+--
+2.24.1
+
diff --git a/SPECS/tpm2-abrmd-selinux.spec b/SPECS/tpm2-abrmd-selinux.spec
new file mode 100644
index 0000000..b73c5f4
--- /dev/null
+++ b/SPECS/tpm2-abrmd-selinux.spec
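Review bot: In the embedded selinux/tabrmd.te change (SOURCES/selinux-allow-fwupd-to-communicate-with-tpm2-abrmd.patch), `fwupd_dbus_chat(tabrmd_t)` is added inside the existing `optional_policy` block that also carries `dbus_stub()`, `dbus_system_domain(tabrmd_t, tabrmd_exec_t)` and the `system_dbusd_t` socket rule. An optional block is enabled or dropped as a whole, so if the base policy being built against does not provide the types the fwupd interface requires, the daemon's D-Bus rules would presumably be dropped along with it. Placing the call in its own `optional_policy` block directly after this one keeps the fwupd grant independent of the D-Bus domain setup. The block opens outside the hunk, so check what else shares it before moving anything.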
@@ -0,0 +1,115 @@
+# defining macros needed by SELinux
+%global selinuxtype targeted
+%global selinux_policyver 3.14.3-22
+%global moduletype contrib
+%global modulename tabrmd
+
+Name: tpm2-abrmd-selinux
+Version: 2.3.1
+Release: 6%{?dist}
+Summary: SELinux policies for tpm2-abrmd
+
+License: BSD
+URL: https://github.com/tpm2-software/tpm2-abrmd
+Source0: https://github.com/tpm2-software/tpm2-abrmd/archive/%{version}/tpm2-abrmd-%{version}.tar.gz
+
+Patch0: selinux-allow-fwupd-to-communicate-with-tpm2-abrmd.patch
+
+BuildArch: noarch
+Requires: selinux-policy >= %{selinux_policyver}
+BuildRequires: make
+BuildRequires: git
+BuildRequires: pkgconfig(systemd)
+BuildRequires: selinux-policy
+BuildRequires: selinux-policy-devel
+BuildRequires: selinux-policy-%{selinuxtype}
+Requires(post): selinux-policy-base >= %{selinux_policyver}
+Requires(post): libselinux-utils
+Requires(post): policycoreutils
+Requires(post): policycoreutils-python-utils
+
+%description
+SELinux policy modules for tpm2-abrmd.
+
+%prep
+%autosetup -p1 -n tpm2-abrmd-%{version}
+
+%build
+pushd selinux
+make %{?_smp_mflags} TARGET="tabrmd" SHARE="%{_datadir}"
+popd
+
+%pre
+%selinux_relabel_pre -s %{selinuxtype}
+
+%install
+# install policy modules
+pushd selinux
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
+install -p -m 644 %{modulename}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
+install -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages
+popd
+
+%check
+
+%post
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{modulename}.pp.bz2
+
+%postun
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+fi
+
+%posttrans
+%selinux_relabel_post -s %{selinuxtype}
+
+%files
+%license LICENSE
+%{_datadir}/selinux/*
+%{_datadir}/selinux/packages/%{modulename}.pp.bz2
+%{_datadir}/selinux/devel/include/%{moduletype}/%{modulename}.if
+
+%changelog
+* Tue Aug 10 2021 Mohan Boddu - 2.3.1-6
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Fri Apr 16 2021 Mohan Boddu - 2.3.1-5
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Wed Feb 17 2021 Jerry Snitselaar - 2.3.1-4
+- Fix dependency.
+Resolves: rhbz#1929701
+
+* Wed Jan 27 2021 Fedora Release Engineering - 2.3.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering - 2.3.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Feb 12 2020 Javier Martinez Canillas - 2.3.1-1
+- Update to 2.3.1 release
+
+* Fri Jan 31 2020 Fedora Release Engineering - 2.1.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sat Jul 27 2019 Fedora Release Engineering - 2.1.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Mar 08 2019 Javier Martinez Canillas - 2.1.0-2
+- selinux: allow tpm2-abrmd to communicate with fwupd
+ Resolves: rhbz#1665701
+
+* Fri Feb 22 2019 Javier Martinez Canillas - 2.1.0-1
+- Update to 2.1.0 release
+- Add selinux-policy-%{selinuxtype} BuildRequires
+
+* Sun Feb 03 2019 Fedora Release Engineering - 2.0.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Sat Jul 14 2018 Fedora Release Engineering - 2.0.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed Jul 04 2018 Javier Martinez Canillas - 2.0.0-1
+- Initial import (rhbz#1550595)
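Review bot: The runtime dependency is pinned through `%global selinux_policyver 3.14.3-22`, while the module is compiled against whatever `selinux-policy-devel` is in the buildroot, so `Requires: selinux-policy >= %{selinux_policyver}` does not guarantee that the installed base policy provides what `tabrmd.pp.bz2` was built against (including the fwupd interface pulled in by Patch0). If the module then fails to load in `%post`, the package still installs and the daemon would presumably run without its `tabrmd_t` confinement. Consider deriving the requirement from the build-time policy, e.g. `%{?selinux_requires}` in place of the hand-written `Requires`/`Requires(post)` lines. Separately, `%files` lists `%{_datadir}/selinux/*` in addition to the two explicit paths, which duplicates them and claims the `packages` and `devel` directories; dropping the wildcard line would be enough.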