Blame SPECS/keylime.spec

%global srcname keylime
%global policy_version 1.0.0
%global with_selinux 1
%global selinuxtype targeted

# Package is actually noarch, but it has an optional dependency that is
# arch-specific.
%global debug_package %{nil}

Name:    keylime
Version: 6.5.2
Release: 4%{?dist}
Summary: Open source TPM software for Bootstrapping and Maintaining Trust

URL:            https://github.com/keylime/keylime
Source0:        https://github.com/keylime/keylime/archive/refs/tags/v%{version}.tar.gz
Source1:        %{srcname}.sysusers
Source2:        https://github.com/RedHat-SP-Security/%{name}-selinux/archive/v%{policy_version}/keylime-selinux-%{policy_version}.tar.gz

Patch: 0001-Do-not-use-default-values-that-need-reading-the-conf.patch
Patch: 0002-Switch-to-sha256-hashes-for-signatures.patch
Patch: 0003-logging-remove-option-to-log-into-separate-file.patch

License: ASL 2.0 and MIT

BuildRequires: git-core
BuildRequires: swig
BuildRequires: openssl-devel
BuildRequires: python3-devel
BuildRequires: python3-dbus
BuildRequires: python3-jinja2
BuildRequires: python3-setuptools
BuildRequires: systemd-rpm-macros

Requires: python3-%{srcname} = %{version}-%{release}
Requires: %{srcname}-base = %{version}-%{release}
Requires: %{srcname}-verifier = %{version}-%{release}
Requires: %{srcname}-registrar = %{version}-%{release}
Requires: %{srcname}-tenant = %{version}-%{release}

# Agent.
Requires: keylime-agent
Suggests: keylime-agent-rust

%{?python_enable_dependency_generator}
%description
Keylime is a TPM based highly scalable remote boot attestation
and runtime integrity measurement solution.

%package base
Summary: The base package contains the default configuration
License: MIT

Requires(pre): shadow-utils
Requires: procps-ng
Requires: tpm2-tss

%if 0%{?with_selinux}
# This ensures that the *-selinux package and all its dependencies are not pulled
# into containers and other systems that do not use SELinux
Recommends:       (%{srcname}-selinux if selinux-policy-%{selinuxtype})
%endif

%ifarch %efi
Requires: efivar-libs
%endif

%description base
The base package contains the Keylime default configuration

%package -n python3-%{srcname}
Summary: The Python Keylime module
License: MIT

Requires: %{srcname}-base = %{version}-%{release}
%{?python_provide:%python_provide python3-%{srcname}}

Requires: python3-tornado
Requires: python3-sqlalchemy
Requires: python3-alembic
Requires: python3-cryptography
Requires: python3-pyyaml
Requires: python3-packaging
Requires: python3-requests
Requires: python3-gpg
Requires: python3-lark-parser
Requires: python3-pyasn1
Requires: python3-pyasn1-modules
Requires: tpm2-tools
Requires: openssl

%description -n python3-%{srcname}
The python3-keylime module implements the functionality used
by Keylime components.

%package verifier
Summary: The Python Keylime Verifier component
License: MIT

Requires: %{srcname}-base = %{version}-%{release}
Requires: python3-%{srcname} = %{version}-%{release}

%description verifier
The Keylime Verifier continuously verifies the integrity state
of the machine that the agent is running on.

%package registrar
Summary: The Keylime Registrar component
License: MIT

Requires: %{srcname}-base = %{version}-%{release}
Requires: python3-%{srcname} = %{version}-%{release}

%description registrar
The Keylime Registrar is a database of all agents registered
with Keylime and hosts the public keys of the TPM vendors.

%if 0%{?with_selinux}
# SELinux subpackage
%package selinux
Summary:             keylime SELinux policy
BuildArch:           noarch
Requires:            selinux-policy-%{selinuxtype}
Requires(post):      selinux-policy-%{selinuxtype}
BuildRequires:       selinux-policy-devel
%{?selinux_requires}

%description selinux
Custom SELinux policy module
%endif

%package tenant
Summary: The Python Keylime Tenant
License: MIT

Requires: %{srcname}-base = %{version}-%{release}
Requires: python3-%{srcname} = %{version}-%{release}

%description tenant
The Keylime Tenant can be used to provision a Keylime Agent.

%prep
%autosetup -S git -n %{srcname}-%{version} -a2

%if 0%{?with_selinux}
# SELinux policy (originally from selinux-policy-contrib)
# this policy module will override the production module
mkdir selinux

make -f %{_datadir}/selinux/devel/Makefile %{srcname}.pp
bzip2 -9 %{srcname}.pp
%endif

%build
%py3_build

%install
%py3_install
mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname}
mkdir -p --mode=0700 %{buildroot}/%{_rundir}/%{srcname}
mkdir -p --mode=0700 %{buildroot}/%{_localstatedir}/log/%{srcname}

mkdir -p --mode=0700 %{buildroot}/%{_sysconfdir}/%{srcname}/
for comp in "verifier" "tenant" "registrar" "ca" "logging"; do
    mkdir -p --mode=0700  %{buildroot}/%{_sysconfdir}/%{srcname}/${comp}.conf.d
    install -Dpm 400 config/${comp}.conf %{buildroot}/%{_sysconfdir}/%{srcname}
done

# Remove agent.
rm -f %{buildroot}/%{_bindir}/%{srcname}_agent
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/%{srcname}_agent*
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/__pycache__/agent.*
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/agent.*
rm -f %{buildroot}%{python3_sitelib}/%{srcname}/%{srcname}_agent.*

# Remove misc progs.
rm -f %{buildroot}/%{_bindir}/%{srcname}_ima_emulator
rm -f %{buildroot}/%{_bindir}/%{srcname}_userdata_encrypt

# Ship some scripts.
mkdir -p %{buildroot}/%{_datadir}/%{srcname}/scripts
for s in create_allowlist.sh \
         create_mb_refstate \
         create_policy \
         ek-openssl-verify; do
    install -Dpm 755 scripts/${s} \
        %{buildroot}/%{_datadir}/%{srcname}/scripts/${s}
done

%if 0%{?with_selinux}
install -D -m 0644 %{srcname}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2
install -D -p -m 0644 keylime-selinux-%{policy_version}/%{srcname}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
%endif

install -Dpm 644 ./services/%{srcname}_verifier.service \
    %{buildroot}%{_unitdir}/%{srcname}_verifier.service

install -Dpm 644 ./services/%{srcname}_registrar.service \
    %{buildroot}%{_unitdir}/%{srcname}_registrar.service

cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/
chmod 400 %{buildroot}%{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem

install -p -d %{buildroot}/%{_tmpfilesdir}
cat > %{buildroot}/%{_tmpfilesdir}/%{srcname}.conf << EOF
d %{_rundir}/%{srcname} 0700 %{srcname} %{srcname} -
EOF

install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/%{srcname}.conf

%pre base
%sysusers_create_compat %{SOURCE1}
exit 0

%posttrans base
if [ -d %{_sysconfdir}/%{srcname} ]; then
    chmod 500 %{_sysconfdir}/%{srcname}
    chown -R %{srcname}:%{srcname} %{_sysconfdir}/%{srcname}

    for comp in "verifier" "tenant" "registrar" "ca" "logging"; do
        [ -d %{_sysconfdir}/%{srcname}/${comp}.conf.d ] && \
            chmod 500 %{_sysconfdir}/%{srcname}/${comp}.conf.d
    done
fi

[ -d %{_sharedstatedir}/%{srcname} ] && \
    chown -R %{srcname} %{_sharedstatedir}/%{srcname}/

[ -d %{_sharedstatedir}/%{srcname}/tpm_cert_store ] && \
    chmod 400 %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem && \
    chmod 500 %{_sharedstatedir}/%{srcname}/tpm_cert_store/

[ -d %{_localstatedir}/log/%{srcname} ] && \
    chown -R %{srcname} %{_localstatedir}/log/%{srcname}/
exit 0

%post verifier
%systemd_post %{srcname}_verifier.service

%post registrar
%systemd_post %{srcname}_registrar.service

%preun verifier
%systemd_preun %{srcname}_verifier.service

%preun registrar
%systemd_preun %{srcname}_registrar.service

%postun verifier
%systemd_postun_with_restart %{srcname}_verifier.service

%postun registrar
%systemd_postun_with_restart %{srcname}_registrar.service

%if 0%{?with_selinux}
# SELinux contexts are saved so that only affected files can be
# relabeled after the policy module installation
%pre selinux
%selinux_relabel_pre -s %{selinuxtype}

%post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2
%selinux_relabel_post -s %{selinuxtype}

if [ "$1" -le "1" ]; then # First install
    # The services need to be restarted for the custom label to be
    # applied in case they were already present in the system;
    # restart fails silently in case they were not.
    for svc in agent registrar verifier; do
        [ -f "%{_unitdir}/%{srcname}_${svc}".service ] && \
            %systemd_postun_with_restart "%{srcname}_${svc}".service
    done
fi
exit 0

%postun selinux
if [ $1 -eq 0 ]; then
    %selinux_modules_uninstall -s %{selinuxtype} %{srcname}
    %selinux_relabel_post -s %{selinuxtype}
fi
%endif

%files verifier
%license LICENSE
%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/verifier.conf.d
%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/verifier.conf
%{_bindir}/%{srcname}_verifier
%{_bindir}/%{srcname}_ca
%{_bindir}/%{srcname}_migrations_apply
%{_unitdir}/keylime_verifier.service

%files registrar
%license LICENSE
%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/registrar.conf.d
%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/registrar.conf
%{_bindir}/%{srcname}_registrar
%{_unitdir}/keylime_registrar.service

%if 0%{?with_selinux}
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.*
%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{srcname}
%endif

%files tenant
%license LICENSE
%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/tenant.conf.d
%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/tenant.conf
%{_bindir}/%{srcname}_tenant

%files -n python3-%{srcname}
%license LICENSE
%{python3_sitelib}/%{srcname}-*.egg-info/
%{python3_sitelib}/%{srcname}
%{_datadir}/%{srcname}/scripts/create_mb_refstate
%{_datadir}/%{srcname}/scripts/create_policy
%{_bindir}/keylime_convert_ima_policy

%files base
%license LICENSE
%doc README.md
%attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/{ca,logging}.conf.d
%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/ca.conf
%config(noreplace) %attr(400,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}/logging.conf
%attr(700,%{srcname},%{srcname}) %dir %{_rundir}/%{srcname}
%attr(700,%{srcname},%{srcname}) %dir %{_localstatedir}/log/%{srcname}
%attr(700,%{srcname},%{srcname}) %dir %{_sharedstatedir}/%{srcname}
%attr(500,%{srcname},%{srcname}) %dir %{_sharedstatedir}/%{srcname}/tpm_cert_store
%attr(400,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem
%{_tmpfilesdir}/%{srcname}.conf
%{_sysusersdir}/%{srcname}.conf
%{_datadir}/%{srcname}/scripts/create_allowlist.sh
%{_datadir}/%{srcname}/scripts/ek-openssl-verify

%files
%license LICENSE

%changelog
* Fri Jan 13 2023 Sergio Correia <scorreia@redhat.com> - 6.5.2-4
- Backport upstream PR#1240 - logging: remove option to log into separate file
  Resolves: rhbz#2154584 - keylime verifier is not logging to /var/log/keylime

* Thu Dec 1 2022 Sergio Correia <scorreia@redhat.com> - 6.5.2-3
- Remove leftover policy file
  Related: rhbz#2152135

* Thu Dec 1 2022 Patrik Koncity <pkoncity@redhat.com> - 6.5.2-2
- Use keylime selinux policy from upstream.
  Resolves: rhbz#2152135

* Mon Nov 14 2022 Sergio Correia <scorreia@redhat.com> - 6.5.2-1
- Update to 6.5.2
  Resolves: CVE-2022-3500
  Resolves: rhbz#2138167 - agent fails IMA attestation when one scripts is executed quickly after the other
  Resolves: rhbz#2140670 - Segmentation fault in /usr/share/keylime/create_mb_refstate script
  Resolves: rhbz#142009 - Registrar may crash during EK validation when require_ek_cert is enabled

* Tue Sep 13 2022 Sergio Correia <scorreia@redhat.com> - 6.5.0-1
- Update to 6.5.0
  Resolves: rhbz#2120686 - Keylime configuration is too complex

* Fri Aug 26 2022 Sergio Correia <scorreia@redhat.com> - 6.4.3-1
- Update to 6.4.3
  Resolves: rhbz#2121044 - Error parsing EK ASN.1 certificate of Nuvoton HW TPM

* Fri Aug 26 2022 Patrik Koncity <pkoncity@redhat.com> - 6.4.2-6
- Update keylime SELinux policy
- Resolves: rhbz#2121058

* Fri Aug 26 2022 Patrik Koncity <pkoncity@redhat.com> - 6.4.2-5
- Update keylime SELinux policy and removed duplicate rules
- Resolves: rhbz#2121058

* Fri Aug 26 2022 Patrik Koncity <pkoncity@redhat.com> - 6.4.2-4
- Update keylime SELinux policy
- Resolves: rhbz#2121058

* Wed Aug 17 2022 Patrik Koncity <pkoncity@redhat.com> - 6.4.2-3
- Add keylime-selinux policy as subpackage
- See https://fedoraproject.org/wiki/SELinux/IndependentPolicy
- Resolves: rhbz#2121058

* Mon Jul 11 2022 Sergio Correia <scorreia@redhat.com> - 6.4.2-2
- Fix efivar-libs dependency
  Related: rhbz#2082989

* Thu Jul 07 2022 Sergio Correia <scorreia@redhat.com> - 6.4.2-1
- Update to 6.4.2
  Related: rhbz#2082989

* Tue Jun 21 2022 Sergio Correia <scorreia@redhat.com> - 6.4.1-1
- Add keylime to RHEL-9
  Resolves: rhbz#2082989