diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ce91047
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/tpm2-abrmd-2.3.1.tar.gz
diff --git a/EMPTY b/EMPTY
deleted file mode 100644
index 0519ecb..0000000
--- a/EMPTY
+++ /dev/null
@@ -1 +0,0 @@
- 
\ No newline at end of file
diff --git a/selinux-allow-fwupd-to-communicate-with-tpm2-abrmd.patch b/selinux-allow-fwupd-to-communicate-with-tpm2-abrmd.patch
new file mode 100644
index 0000000..8b956b8
--- /dev/null
+++ b/selinux-allow-fwupd-to-communicate-with-tpm2-abrmd.patch
@@ -0,0 +1,31 @@
+From 0bb388cc57231cb46f5bfa1a52425588fa149e89 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas
+Date: Wed, 12 Feb 2020 13:48:29 +0100
+Subject: [PATCH] selinux: allow fwupd to communicate with tpm2-abrmd
+
+In Fedora, we have the following SELinux AVC error:
+
+Mar 07 09:18:35 river audit[1078]: USER_AVC pid=1078 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.558 spid=8554 tpid=8550 scontext=system_u:system_r:tabrmd_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
+
+Allow fwupd to chat with tpm2-abrmd over D-BUS.
+
+Signed-off-by: Javier Martinez Canillas
+---
+ selinux/tabrmd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/selinux/tabrmd.te b/selinux/tabrmd.te
+index 59d7e548051..8996a46a0ea 100644
+--- a/selinux/tabrmd.te
++++ b/selinux/tabrmd.te
+@@ -21,6 +21,7 @@ optional_policy(`
+ dbus_stub()
+ dbus_system_domain(tabrmd_t, tabrmd_exec_t)
+ allow system_dbusd_t tabrmd_t:unix_stream_socket rw_stream_socket_perms;
++ fwupd_dbus_chat(tabrmd_t)
+ ')
+ 
+ tunable_policy(`tabrmd_connect_all_unreserved',`
+-- 
+2.24.1
+
diff --git a/sources b/sources
new file mode 100644
index 0000000..75d8dc5
--- /dev/null
+++ b/sources
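Review bot: The new `fwupd_dbus_chat(tabrmd_t)` call is added inside the same `optional_policy(` block that holds `dbus_stub()` and `dbus_system_domain(tabrmd_t, tabrmd_exec_t)`, so on a build host whose policy headers do not define the fwupd interfaces the whole block is dropped and tabrmd loses its D-Bus rules entirely, not just the fwupd one. Give the new call its own `optional_policy(` … `')` wrapper after the existing block so the two dependencies fail independently. The denial quoted in the message is only tabrmd_t sending a method_return to fwupd_t, whereas fwupd_dbus_chat presumably opens both directions; that is probably the intent but deserves a comment next to the line, e.g. `# fwupd reaches the TPM through the resource manager's D-Bus API`. The enclosing optional_policy block starts before the hunk.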
@@ -0,0 +1 @@
+SHA512 (tpm2-abrmd-2.3.1.tar.gz) = 5025cee38288e6b3ec31d275e989ec923a2f685733a392c00272de442cccb535c147612366ec18522e6ccda1e2f095907954f3cf7f239e00c656992a755217d4
diff --git a/tpm2-abrmd-selinux.spec b/tpm2-abrmd-selinux.spec
new file mode 100644
index 0000000..01c0502
--- /dev/null
+++ b/tpm2-abrmd-selinux.spec
@@ -0,0 +1,85 @@
+# defining macros needed by SELinux
+%global selinuxtype targeted
+%global selinux_policyver 3.14.1
+%global moduletype contrib
+%global modulename tabrmd
+
+Name: tpm2-abrmd-selinux
+Version: 2.3.1
+Release: 1%{?dist}
+Summary: SELinux policies for tpm2-abrmd
+
+License: BSD
+URL: https://github.com/tpm2-software/tpm2-abrmd
+Source0: https://github.com/tpm2-software/tpm2-abrmd/archive/%{version}/tpm2-abrmd-%{version}.tar.gz
+Patch0: selinux-allow-fwupd-to-communicate-with-tpm2-abrmd.patch
+
+BuildArch: noarch
+Requires: selinux-policy >= %{selinux_policyver}
+Requires: selinux-policy-%{selinuxtype} >= %{selinux_policyver}
+BuildRequires: git
+BuildRequires: pkgconfig(systemd)
+BuildRequires: selinux-policy
+BuildRequires: selinux-policy-devel
+Requires(pre): libselinux-utils
+Requires(post): policycoreutils
+Requires(post): policycoreutils-python-utils
+
+%description
+SELinux policy modules for tpm2-abrmd.
+
+%prep
+%autosetup -p1 -n tpm2-abrmd-%{version}
+
+%build
+pushd selinux
+make %{?_smp_mflags} TARGET="tabrmd" SHARE="%{_datadir}"
+popd
+
+%pre
+%selinux_relabel_pre -s %{selinuxtype}
+
+%install
+# install policy modules
+pushd selinux
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
+install -p -m 644 %{modulename}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
+install -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages
+popd
+
+%check
+
+%post
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{modulename}.pp.bz2
+
+%postun
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+fi
+
+%posttrans
+%selinux_relabel_post -s %{selinuxtype}
+
+%files
+%license LICENSE
+%{_datadir}/selinux/*
+%{_datadir}/selinux/packages/%{modulename}.pp.bz2
+%{_datadir}/selinux/devel/include/%{moduletype}/%{modulename}.if
+
+%changelog
+* Mon Nov 16 2020 Jerry Snitselaar - 2.3.3-1
+- Rebase to 
2.3.1 release
+resolves: rhbz#1898384
+
+* Tue May 14 2019 Jerry Snitselaar - 2.0.0-3
+- Fix Requires issue.
+- Add initial CI gating support.
+resolves: rhbz#1642000, rhbz#1682415
+
+* Tue Sep 11 2018 Jerry Snitselaar - 2.0.0-2
+- Fix dependency
+resolves: rhbz#1628771
+
+* Wed Jul 04 2018 Javier Martinez Canillas - 2.0.0-1
+- Initial import (rhbz#1550595)
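Review bot: The top `%changelog` entry is stamped `2.3.3-1` while the header declares `Version: 2.3.1` and `Release: 1%{?dist}`, so the changelog disagrees with the package it is shipped in; it should read `* Mon Nov 16 2020 Jerry Snitselaar - 2.3.1-1`. In `%files`, the `%{_datadir}/selinux/*` glob already covers the `.pp.bz2` and `.if` entries on the next two lines, so those are listed twice, and the glob would also silently absorb any unrelated file a later change drops under that directory — keep only the two explicit paths. `%postun` runs `%selinux_modules_uninstall`, which as far as I can tell invokes semodule, yet the only scriptlet dependency declared is `Requires(post): policycoreutils`; add `Requires(postun): policycoreutils` (or the `%{?selinux_requires}` macro, if this policy version provides it) so removal order is guaranteed. The empty `%check` could at least verify that `selinux/%{modulename}.pp.bz2` was produced by the build.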