From cf318cb07321585130a622b6fc618ca7f029521e Mon Sep 17 00:00:00 2001
From: Troy Dawson
Date: Thu, 15 Oct 2020 13:00:12 -0700
Subject: [PATCH] RHEL 9.0.0 Alpha bootstrap The content of this branch was automatically imported from Fedora ELN with the following as its source: https://src.fedoraproject.org/rpms/tpm2-abrmd-selinux#950ec375546628ff75b17b7b1bf3daa726098d99
---
.gitignore | 1 +
README.md | 3 +
...fwupd-to-communicate-with-tpm2-abrmd.patch | 31 ++++++
sources | 1 +
tpm2-abrmd-selinux.spec | 104 ++++++++++++++++++
5 files changed, 140 insertions(+)
create mode 100644 README.md
create mode 100644 selinux-allow-fwupd-to-communicate-with-tpm2-abrmd.patch
create mode 100644 sources
create mode 100644 tpm2-abrmd-selinux.spec
diff --git a/.gitignore b/.gitignore
index e69de29..8ecda15 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/tpm2-abrmd-*.tar.gz
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..ea01139
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# tpm2-abrmd-selinux
+
+The tpm2-abrmd-selinux package
\ No newline at end of file
diff --git a/selinux-allow-fwupd-to-communicate-with-tpm2-abrmd.patch b/selinux-allow-fwupd-to-communicate-with-tpm2-abrmd.patch
new file mode 100644
index 0000000..8b956b8
--- /dev/null
+++ b/selinux-allow-fwupd-to-communicate-with-tpm2-abrmd.patch
@@ -0,0 +1,31 @@
+From 0bb388cc57231cb46f5bfa1a52425588fa149e89 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas
+Date: Wed, 12 Feb 2020 13:48:29 +0100
+Subject: [PATCH] selinux: allow fwupd to communicate with tpm2-abrmd
+
+In Fedora, we have the following SELinux AVC error:
+
+Mar 07 09:18:35 river audit[1078]: USER_AVC pid=1078 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.558 spid=8554 tpid=8550 scontext=system_u:system_r:tabrmd_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
+
+Allow fwupd to chat with tpm2-abrmd over D-BUS.
+
+Signed-off-by: Javier Martinez Canillas
+---
+ selinux/tabrmd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/selinux/tabrmd.te b/selinux/tabrmd.te
+index 59d7e548051..8996a46a0ea 100644
+--- a/selinux/tabrmd.te
++++ b/selinux/tabrmd.te
+@@ -21,6 +21,7 @@ optional_policy(`
+ dbus_stub()
+ dbus_system_domain(tabrmd_t, tabrmd_exec_t)
+ allow system_dbusd_t tabrmd_t:unix_stream_socket rw_stream_socket_perms;
++ fwupd_dbus_chat(tabrmd_t)
+ ')
+
+ tunable_policy(`tabrmd_connect_all_unreserved',`
+--
+2.24.1
+
diff --git a/sources b/sources
new file mode 100644
index 0000000..6dd440b
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (tpm2-abrmd-2.3.1.tar.gz) = 144ab2b147cd18f892f3c05181efdbed2ac422fe8507eb42871ffe571340b6395431743a4f1995a7ce7a914fd5e7afd2b17328062c893a0403708c2c4d92e0cb
diff --git a/tpm2-abrmd-selinux.spec b/tpm2-abrmd-selinux.spec
new file mode 100644
index 0000000..b605eca
--- /dev/null
+++ b/tpm2-abrmd-selinux.spec
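Review bot: `fwupd_dbus_chat(tabrmd_t)` in the `selinux/tabrmd.te` hunk of the added patch file shares one `optional_policy` block with `dbus_stub()` and `dbus_system_domain(tabrmd_t, tabrmd_exec_t)`, which ties tabrmd's own D-Bus setup to the fwupd policy being present. An optional block is enabled or disabled as a whole, so on a system without the fwupd module the existing D-Bus rules for `tabrmd_t` would presumably be dropped together with the new call. I would move the call into a separate `optional_policy` block that contains only `fwupd_dbus_chat(tabrmd_t)`, with a one-line comment such as `# fwupd talks to tabrmd over the system bus`. The block opens above the hunk, so confirm that nothing else in it already depends on fwupd.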
@@ -0,0 +1,104 @@
+# defining macros needed by SELinux
+%global selinuxtype targeted
+%global selinux_policyver 3.14.3-22
+%global moduletype contrib
+%global modulename tabrmd
+
+Name: tpm2-abrmd-selinux
+Version: 2.3.1
+Release: 2%{?dist}
+Summary: SELinux policies for tpm2-abrmd
+
+License: BSD
+URL: https://github.com/tpm2-software/tpm2-abrmd
+Source0: https://github.com/tpm2-software/tpm2-abrmd/archive/%{version}/tpm2-abrmd-%{version}.tar.gz
+
+Patch0: selinux-allow-fwupd-to-communicate-with-tpm2-abrmd.patch
+
+BuildArch: noarch
+Requires: selinux-policy >= %{selinux_policyver}
+BuildRequires: git
+BuildRequires: pkgconfig(systemd)
+BuildRequires: selinux-policy
+BuildRequires: selinux-policy-devel
+BuildRequires: selinux-policy-%{selinuxtype}
+Requires(post): selinux-policy-base >= %{selinux_policyver}
+Requires(post): libselinux-utils
+Requires(post): policycoreutils
+%if 0%{?fedora}
+Requires(post): policycoreutils-python-utils
+%else
+Requires(post): policycoreutils-python
+%endif
+
+%description
+SELinux policy modules for tpm2-abrmd.
+
+%prep
+%autosetup -p1 -n tpm2-abrmd-%{version}
+
+%build
+pushd selinux
+make %{?_smp_mflags} TARGET="tabrmd" SHARE="%{_datadir}"
+popd
+
+%pre
+%selinux_relabel_pre -s %{selinuxtype}
+
+%install
+# install policy modules
+pushd selinux
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
+install -p -m 644 %{modulename}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
+install -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages
+popd
+
+%check
+
+%post
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{modulename}.pp.bz2
+
+%postun
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+fi
+
+%posttrans
+%selinux_relabel_post -s %{selinuxtype}
+
+%files
+%license LICENSE
+%{_datadir}/selinux/*
+%{_datadir}/selinux/packages/%{modulename}.pp.bz2
+%{_datadir}/selinux/devel/include/%{moduletype}/%{modulename}.if
+
+%changelog
+* Wed Jul 29 2020 Fedora Release Engineering - 2.3.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Feb 12 2020 Javier Martinez Canillas - 2.3.1-1
+- Update to 2.3.1 release
+
+* Fri Jan 31 2020 Fedora Release Engineering - 2.1.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sat Jul 27 2019 Fedora Release Engineering - 2.1.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Mar 08 2019 Javier Martinez Canillas - 2.1.0-2
+- selinux: allow tpm2-abrmd to communicate with fwupd
+ Resolves: rhbz#1665701
+
+* Fri Feb 22 2019 Javier Martinez Canillas - 2.1.0-1
+- Update to 2.1.0 release
+- Add selinux-policy-%{selinuxtype} BuildRequires
+
+* Sun Feb 03 2019 Fedora Release Engineering - 2.0.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Sat Jul 14 2018 Fedora Release Engineering - 2.0.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed Jul 04 2018 Javier Martinez Canillas - 2.0.0-1
+- Initial import (rhbz#1550595)
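Review bot: The `%files` list in the new spec claims `%{_datadir}/selinux/*` and then lists the two installed files again, so the package would own every directory that `%install` created under that path (`packages`, `devel`) and the explicit entries become duplicates. Those directories are presumably provided by selinux-policy and selinux-policy-devel, so confirm that before changing ownership. I would drop the glob line and keep only `%{_datadir}/selinux/packages/%{modulename}.pp.bz2` and `%{_datadir}/selinux/devel/include/%{moduletype}/%{modulename}.if`. Separately, the `%else` branch requires `policycoreutils-python` whenever `%{?fedora}` is unset, which looks like the path this RHEL import takes; check that the name resolves in the target repositories.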