diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..fa4c569
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/v6.4.3.tar.gz
diff --git a/.keylime.metadata b/.keylime.metadata
new file mode 100644
index 0000000..b62d99d
--- /dev/null
+++ b/.keylime.metadata
@@ -0,0 +1 @@
+097e4062bdb09385bf9679f6411a42825e4f6bec SOURCES/v6.4.3.tar.gz
diff --git a/SOURCES/keylime.fc b/SOURCES/keylime.fc
new file mode 100644
index 0000000..5114c47
--- /dev/null
+++ b/SOURCES/keylime.fc
@@ -0,0 +1,24 @@
+/usr/bin/keylime_agent -- gen_context(system_u:object_r:keylime_agent_exec_t,s0)
+/usr/bin/keylime_ima_emulator -- gen_context(system_u:object_r:keylime_agent_exec_t,s0)
+/usr/bin/keylime_userdata_encrypt -- gen_context(system_u:object_r:keylime_agent_exec_t,s0)
+
+/usr/bin/keylime_ca -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
+/usr/bin/keylime_migrations_apply -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
+/usr/bin/keylime_registrar -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
+/usr/bin/keylime_verifier -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
+/usr/bin/keylime_tenant -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
+
+/usr/local/bin/keylime_agent -- gen_context(system_u:object_r:keylime_agent_exec_t,s0)
+/usr/local/bin/keylime_ima_emulator -- gen_context(system_u:object_r:keylime_agent_exec_t,s0)
+/usr/local/bin/keylime_userdata_encrypt -- gen_context(system_u:object_r:keylime_agent_exec_t,s0)
+
+/usr/local/bin/keylime_ca -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
+/usr/local/bin/keylime_migrations_apply -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
+/usr/local/bin/keylime_registrar -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
+/usr/local/bin/keylime_verifier -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
+/usr/local/bin/keylime_tenant -- gen_context(system_u:object_r:keylime_server_exec_t,s0)
+
+/var/lib/keylime(/.*)? gen_context(system_u:object_r:keylime_var_lib_t,s0)
+/var/lib/keylime-agent(/.*)? gen_context(system_u:object_r:keylime_var_lib_t,s0)
+
+/var/log/keylime(/.*)? gen_context(system_u:object_r:keylime_log_t,s0)
diff --git a/SOURCES/keylime.if b/SOURCES/keylime.if
new file mode 100644
index 0000000..1614a33
--- /dev/null
+++ b/SOURCES/keylime.if
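Review bot: No file context here covers the runtime directory that the spec creates through tmpfiles.d (`d %{_rundir}/%{srcname} 0700 keylime keylime -`), so a relabel such as restorecon would leave /run/keylime at the default var_run_t, for which the accompanying .te defines no rules; the policy appears to depend on `init_named_socket_activation(keylime_domain, keylime_var_lib_t, "keylime")` alone, which only helps when init itself creates the directory. If keylime_var_lib_t is the intended label for that path, add `/run/keylime(/.*)? gen_context(system_u:object_r:keylime_var_lib_t,s0)` next to the /var/lib entries, or introduce a dedicated runtime type. Confirm against the service units, which are not on this page.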
@@ -0,0 +1,37 @@
+## policy for keylime
+
+########################################
+##
+## Add to specified type to keylime_type attribute .
+##
+##
+##
+## Type to be used for keylime domains.
+##
+##
+#
+interface(`keylime_use_keylime_domain',`
+ gen_require(`
+ attribute keylime_domain;
+ ')
+
+ typeattribute $1 keylime_domain;
+')
+
+########################################
+##
+## Mounton keylime lib directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`keylime_mounton_var_lib',`
+ gen_require(`
+ type keylime_var_lib_t;
+ ')
+
+ allow $1 keylime_var_lib_t:dir mounton;
+')
diff --git a/SOURCES/keylime.sysusers b/SOURCES/keylime.sysusers
new file mode 100644
index 0000000..4979d46
--- /dev/null
+++ b/SOURCES/keylime.sysusers
@@ -0,0 +1,2 @@
+u keylime - "Keylime unprivileged user" /var/lib/keylime /usr/sbin/nologin
+m keylime tss
diff --git a/SOURCES/keylime.te b/SOURCES/keylime.te
new file mode 100644
index 0000000..cd02baf
--- /dev/null
+++ b/SOURCES/keylime.te
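Review bot: The header comment of `keylime_use_keylime_domain` says the type is added to a `keylime_type` attribute, but the body does `typeattribute $1 keylime_domain;`; the summary line should read `## Add the specified type to the keylime_domain attribute.` so the generated interface docs match the rule. The XML markup that refpolicy tooling expects around interface docs (`<summary>`, `<param name="domain">`, `<desc>`) is not visible in this rendering of the hunk; it may simply have been stripped by the viewer, so verify the committed file still carries it.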
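Review bot: `m keylime tss` adds the service user to the TPM owner group, yet the spec in this same commit deletes the Python agent (`rm -f %{buildroot}/%{_bindir}/%{srcname}_agent`) and ships only verifier, registrar and tenant, none of which is granted `dev_rw_tpm` in the policy; on SELinux hosts the membership is therefore inert, and on non-SELinux hosts it hands the server components device access they may not need (tss typically owns /dev/tpm*). If the membership is kept so that a separately packaged agent can reuse this account, record that with a comment line above it, e.g. `# tss: TPM device access for an agent sharing this user`; otherwise drop the `m` line.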
@@ -0,0 +1,140 @@
+policy_module(keylime, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute keylime_domain;
+
+type keylime_agent_t;
+keylime_use_keylime_domain(keylime_agent_t)
+type keylime_agent_exec_t;
+init_daemon_domain(keylime_agent_t, keylime_agent_exec_t)
+
+type keylime_server_t;
+keylime_use_keylime_domain(keylime_server_t)
+type keylime_server_exec_t;
+init_daemon_domain(keylime_server_t, keylime_server_exec_t)
+
+type keylime_log_t;
+logging_log_file(keylime_log_t)
+
+type keylime_var_lib_t;
+files_type(keylime_var_lib_t)
+
+type keylime_tmp_t;
+files_tmp_file(keylime_tmp_t)
+
+########################################
+#
+# keylime domain policy
+#
+
+allow keylime_domain self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(keylime_domain, keylime_tmp_t, keylime_tmp_t)
+manage_files_pattern(keylime_domain, keylime_tmp_t, keylime_tmp_t)
+files_tmp_filetrans(keylime_domain, keylime_tmp_t, { dir file })
+
+manage_dirs_pattern(keylime_domain, keylime_var_lib_t, keylime_var_lib_t)
+manage_files_pattern(keylime_domain, keylime_var_lib_t, keylime_var_lib_t)
+files_var_lib_filetrans(keylime_domain, keylime_var_lib_t, { dir file lnk_file })
+
+corecmd_exec_bin(keylime_domain)
+
+corenet_tcp_bind_generic_node(keylime_domain)
+corenet_tcp_bind_all_ports(keylime_domain)
+corenet_tcp_connect_all_unreserved_ports(keylime_domain)
+
+dev_read_sysfs(keylime_domain)
+
+fs_tmpfs_filetrans(keylime_domain, keylime_var_lib_t, { dir file })
+
+init_named_socket_activation(keylime_domain, keylime_var_lib_t, "keylime")
+
+miscfiles_read_generic_certs(keylime_domain)
+
+sysnet_read_config(keylime_domain)
+
+userdom_exec_user_tmp_files(keylime_domain)
+userdom_manage_user_tmp_dirs(keylime_domain)
+userdom_manage_user_tmp_files(keylime_domain)
+
+########################################
+#
+# keylime server policy
+#
+
+allow keylime_server_t self:netlink_route_socket { create_stream_socket_perms nlmsg_read };
+allow keylime_server_t self:udp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(keylime_server_t, keylime_log_t, keylime_log_t)
+manage_files_pattern(keylime_server_t, keylime_log_t, keylime_log_t)
+
+fs_rw_inherited_tmpfs_files(keylime_server_t)
+
+optional_policy(`
+ gpg_exec(keylime_server_t)
+')
+
+optional_policy(`
+ kerberos_read_config(keylime_server_t)
+ kerberos_read_keytab(keylime_server_t)
+')
+
+optional_policy(`
+ sssd_run_stream_connect(keylime_server_t)
+')
+
+
+########################################
+#
+# keylime agent policy
+#
+#work with /var/lib/keylime/secure
+allow keylime_agent_t self:capability { chown dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
+allow keylime_agent_t self:chr_file getattr;
+
+#FIX ME, add to tabrmd policy interface related with this
+allow keylime_agent_t domain:unix_stream_socket rw_stream_socket_perms; #selint-disable:W-001
+
+dev_rw_tpm(keylime_agent_t)
+
+exec_files_pattern(keylime_agent_t, keylime_var_lib_t, keylime_var_lib_t)
+files_read_var_lib_files(keylime_agent_t)
+
+fs_dontaudit_search_cgroup_dirs(keylime_agent_t)
+fs_getattr_cgroup(keylime_agent_t)
+fs_mount_tmpfs(keylime_agent_t)
+fs_setattr_tmpfs_dirs(keylime_agent_t)
+
+init_dontaudit_stream_connect(keylime_agent_t)
+
+kernel_read_all_proc(keylime_agent_t)
+
+userdom_dontaudit_search_user_home_dirs(keylime_agent_t)
+
+auth_read_passwd(keylime_agent_t)
+
+keylime_mounton_var_lib(keylime_agent_t)
+
+mount_domtrans(keylime_agent_t)
+
+selinux_read_policy(keylime_agent_t)
+
+optional_policy(`
+ #FIX ME, add to tabrmd policy interface related with this
+ #https://github.com/tpm2-software/tpm2-abrmd/blob/master/selinux
+ dbus_chat_system_bus(keylime_agent_t)
+')
+
+optional_policy(`
+ dbus_stream_connect_system_dbusd(keylime_agent_t)
+ dbus_system_bus_client(keylime_agent_t)
+')
+
+optional_policy(`
+ systemd_userdbd_stream_connect(keylime_agent_t)
+ systemd_machined_stream_connect(keylime_agent_t)
+')
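Review bot: `corenet_tcp_bind_all_ports(keylime_domain)` in the shared domain section lets every keylime domain bind any TCP port, which is far wider than daemons listening on fixed ports need; declaring a port type for the verifier and registrar listeners (their port numbers are not on this page) and allowing `name_bind` only on it would keep the policy from masking a misconfigured or hijacked listener, and the agent does not obviously need to bind at all. The agent capability rule is justified only by `#work with /var/lib/keylime/secure`, which plausibly covers chown and dac_override for the secure mount but says nothing about `sys_ptrace` or `dac_read_search`; add a one-line reason per capability, or split the rule, so a later reviewer can tell which are still required. The `domain:unix_stream_socket rw_stream_socket_perms` rule already carries a FIX ME and a selint suppression; it reaches every domain's sockets rather than the tabrmd socket it is meant for, so tracking the tabrmd interface named in the comment and replacing the rule with it should stay on the to-do list.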
diff --git a/SPECS/keylime.spec b/SPECS/keylime.spec
new file mode 100644
index 0000000..f8bfffd
--- /dev/null
+++ b/SPECS/keylime.spec
@@ -0,0 +1,346 @@
+%global srcname keylime
+%global with_selinux 1
+%global selinuxtype targeted
+
+# Package is actually noarch, but it has an optional dependency that is
+# arch-specific.
+%global debug_package %{nil}
+
+Name: keylime
+Version: 6.4.3
+Release: 1%{?dist}
+Summary: Open source TPM software for Bootstrapping and Maintaining Trust
+
+URL: https://github.com/keylime/keylime
+Source0: https://github.com/keylime/keylime/archive/refs/tags/v%{version}.tar.gz
+Source1: %{srcname}.sysusers
+%if 0%{?with_selinux}
+Source2: %{srcname}.te
+Source3: %{srcname}.if
+Source4: %{srcname}.fc
+%endif
+
+License: ASL 2.0 and MIT
+
+BuildRequires: git-core
+BuildRequires: swig
+BuildRequires: openssl-devel
+BuildRequires: python3-devel
+BuildRequires: python3-dbus
+BuildRequires: python3-setuptools
+BuildRequires: systemd-rpm-macros
+
+Requires: python3-%{srcname} = %{version}-%{release}
+Requires: %{srcname}-base = %{version}-%{release}
+Requires: %{srcname}-verifier = %{version}-%{release}
+Requires: %{srcname}-registrar = %{version}-%{release}
+Requires: %{srcname}-tenant = %{version}-%{release}
+
+# Agent.
+Requires: keylime-agent
+Suggests: keylime-agent-rust
+
+%{?python_enable_dependency_generator}
+%description
+Keylime is a TPM based highly scalable remote boot attestation
+and runtime integrity measurement solution.
+
+%package base
+Summary: The base package contains the default configuration
+License: MIT
+
+
+Requires(pre): shadow-utils
+Requires: procps-ng
+Requires: tpm2-tss
+
+%if 0%{?with_selinux}
+# This ensures that the *-selinux package and all it’s dependencies are not pulled
+# into containers and other systems that do not use SELinux
+Requires: (%{srcname}-selinux if selinux-policy-%{selinuxtype})
+%endif
+
+%ifarch %efi
+Requires: efivar-libs
+%endif
+
+
+%description base
+The base package contains the Keylime default configuration
+
+%package -n python3-%{srcname}
+Summary: The Python Keylime module
+License: MIT
+
+Requires: %{srcname}-base = %{version}-%{release}
+%{?python_provide:%python_provide python3-%{srcname}}
+
+Requires: python3-tornado
+Requires: python3-sqlalchemy
+Requires: python3-alembic
+Requires: python3-cryptography
+Requires: python3-pyyaml
+Requires: python3-packaging
+Requires: python3-requests
+Requires: python3-gpg
+Requires: python3-lark-parser
+Requires: python3-pyasn1
+Requires: python3-pyasn1-modules
+Requires: tpm2-tools
+
+%description -n python3-%{srcname}
+The python3-keylime module implements the functionality used
+by Keylime components.
+
+%package verifier
+Summary: The Python Keylime Verifier component
+License: MIT
+
+Requires: %{srcname}-base = %{version}-%{release}
+Requires: python3-%{srcname} = %{version}-%{release}
+
+%description verifier
+The Keylime Verifier continuously verifies the integrity state
+of the machine that the agent is running on.
+
+%package registrar
+Summary: The Keylime Registrar component
+License: MIT
+
+Requires: %{srcname}-base = %{version}-%{release}
+Requires: python3-%{srcname} = %{version}-%{release}
+
+%description registrar
+The Keylime Registrar is a database of all agents registered
+with Keylime and hosts the public keys of the TPM vendors.
+
+%if 0%{?with_selinux}
+# SELinux subpackage
+%package selinux
+Summary: keylime SELinux policy
+BuildArch: noarch
+Requires: selinux-policy-%{selinuxtype}
+Requires(post): selinux-policy-%{selinuxtype}
+BuildRequires: selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux
+Custom SELinux policy module
+%endif
+
+%package tenant
+Summary: The Python Keylime Tenant
+License: MIT
+
+Requires: %{srcname}-base = %{version}-%{release}
+Requires: python3-%{srcname} = %{version}-%{release}
+
+
+%description tenant
+The Keylime Tenant can be used to provision a Keylime Agent.
+
+%prep
+%autosetup -S git -n %{srcname}-%{version}
+
+%if 0%{?with_selinux}
+# SELinux policy (originally from selinux-policy-contrib)
+# this policy module will override the production module
+mkdir selinux
+cp -p %{SOURCE2} selinux/
+cp -p %{SOURCE3} selinux/
+cp -p %{SOURCE4} selinux/
+
+make -f %{_datadir}/selinux/devel/Makefile %{srcname}.pp
+bzip2 -9 %{srcname}.pp
+%endif
+
+%build
+%py3_build
+
+%install
+%py3_install
+mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname}
+mkdir -p --mode=0700 %{buildroot}/%{_rundir}/%{srcname}
+mkdir -p --mode=0700 %{buildroot}/%{_localstatedir}/log/%{srcname}
+
+# Remove agent and webapp.
+rm -f %{buildroot}/%{_bindir}/%{srcname}_agent
+rm -f %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/%{srcname}_agent*
+rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/__pycache__/agent.*
+rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/agent.*
+rm -f %{buildroot}%{python3_sitelib}/%{srcname}/%{srcname}_agent.*
+
+rm -f %{buildroot}/%{_bindir}/%{srcname}_webapp
+rm -f %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/tenant_webapp.*
+rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/__pycache__/webapp.*
+rm -f %{buildroot}%{python3_sitelib}/%{srcname}/cmd/webapp.*
+rm -f %{buildroot}%{python3_sitelib}/%{srcname}/tenant_webapp.*
+rm -rf %{buildroot}%{python3_sitelib}/%{srcname}/static/
+
+# Remove misc progs.
+rm -f %{buildroot}/%{_bindir}/%{srcname}_ima_emulator
+rm -f %{buildroot}/%{_bindir}/%{srcname}_userdata_encrypt
+
+# Setting up the agent to use keylime:keylime user/group after dropping privileges.
+sed -e 's/^run_as[[:space:]]*=.*/run_as = keylime:keylime/g' -i %{srcname}.conf
+
+# Using sha256 for tpm_hash_alg.
+sed -e 's/^tpm_hash_alg[[:space:]]*=.*/tpm_hash_alg = sha256/g' -i %{srcname}.conf
+
+%if 0%{?with_selinux}
+install -D -m 0644 %{srcname}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2
+install -D -p -m 0644 selinux/%{srcname}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
+%endif
+
+install -Dpm 600 %{srcname}.conf \
+ %{buildroot}%{_sysconfdir}/%{srcname}.conf
+
+install -Dpm 644 ./services/%{srcname}_verifier.service \
+ %{buildroot}%{_unitdir}/%{srcname}_verifier.service
+
+install -Dpm 644 ./services/%{srcname}_registrar.service \
+ %{buildroot}%{_unitdir}/%{srcname}_registrar.service
+
+cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/keylime/
+
+install -p -d %{buildroot}/%{_tmpfilesdir}
+cat > %{buildroot}/%{_tmpfilesdir}/%{srcname}.conf << EOF
+d %{_rundir}/%{srcname} 0700 %{srcname} %{srcname} -
+EOF
+
+install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/%{srcname}.conf
+
+%pre base
+%sysusers_create_compat %{SOURCE1}
+exit 0
+
+%posttrans base
+[ -f %{_sysconfdir}/%{srcname}.conf ] && \
+ chmod 600 %{_sysconfdir}/%{srcname}.conf && \
+ chown %{srcname} %{_sysconfdir}/%{srcname}.conf
+[ -d %{_sharedstatedir}/%{srcname} ] && \
+ chown -R %{srcname} %{_sharedstatedir}/%{srcname}/
+[ -d %{_localstatedir}/log/%{srcname} ] && \
+ chown -R %{srcname} %{_localstatedir}/log/%{srcname}/
+exit 0
+
+%post verifier
+%systemd_post %{srcname}_verifier.service
+
+%post registrar
+%systemd_post %{srcname}_registrar.service
+
+%preun verifier
+%systemd_preun %{srcname}_verifier.service
+
+%preun registrar
+%systemd_preun %{srcname}_registrar.service
+
+%postun verifier
+%systemd_postun_with_restart %{srcname}_verifier.service
+
+%postun registrar
+%systemd_postun_with_restart %{srcname}_registrar.service
+
+%if 0%{?with_selinux}
+# SELinux contexts are saved so that only affected files can be
+# relabeled after the policy module installation
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2
+%selinux_relabel_post -s %{selinuxtype}
+
+if [ "$1" -le "1" ]; then # First install
+ # The services need to be restarted for the custom label to be
+ # applied in case they where already present in the system,
+ # restart fails silently in case they where not.
+ for svc in agent registrar verifier; do
+ [ -f "%{_unitdir}/%{srcname}_${svc}".service ] && \
+ %systemd_postun_with_restart "%{srcname}_${svc}".service
+ done
+fi
+exit 0
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} %{srcname}
+ %selinux_relabel_post -s %{selinuxtype}
+fi
+%endif
+
+%files verifier
+%license LICENSE
+%{_bindir}/%{srcname}_verifier
+%{_bindir}/%{srcname}_ca
+%{_bindir}/%{srcname}_migrations_apply
+%{_unitdir}/keylime_verifier.service
+
+%files registrar
+%license LICENSE
+%{_bindir}/%{srcname}_registrar
+%{_unitdir}/keylime_registrar.service
+
+%if 0%{?with_selinux}
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.*
+%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{srcname}
+%endif
+
+%files tenant
+%license LICENSE
+%{_bindir}/%{srcname}_tenant
+
+%files -n python3-%{srcname}
+%license LICENSE
+%{python3_sitelib}/%{srcname}-*.egg-info/
+%{python3_sitelib}/%{srcname}
+
+%files base
+%license LICENSE
+%doc README.md
+%config(noreplace) %attr(600,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}.conf
+%attr(700,%{srcname},%{srcname}) %dir %{_rundir}/%{srcname}
+%attr(700,%{srcname},%{srcname}) %dir %{_localstatedir}/log/%{srcname}
+%attr(700,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}
+%{_tmpfilesdir}/%{srcname}.conf
+%{_sysusersdir}/%{srcname}.conf
+
+%files
+%license LICENSE
+
+%changelog
+* Fri Aug 26 2022 Sergio Correia - 6.4.3-1
+- Update to 6.4.3
+ Resolves: rhbz#2121044 - Error parsing EK ASN.1 certificate of Nuvoton HW TPM
+
+* Fri Aug 26 2022 Patrik Koncity - 6.4.2-6
+- Update keylime SELinux policy
+- Resolves: rhbz#2121058
+
+* Fri Aug 26 2022 Patrik Koncity - 6.4.2-5
+- Update keylime SELinux policy and removed duplicate rules
+- Resolves: rhbz#2121058
+
+* Fri Aug 26 2022 Patrik Koncity - 6.4.2-4
+- Update keylime SELinux policy
+- Resolves: rhbz#2121058
+
+* Wed Aug 17 2022 Patrik Koncity - 6.4.2-3
+- Add keylime-selinux policy as subpackage
+- See https://fedoraproject.org/wiki/SELinux/IndependentPolicy
+- Resolves: rhbz#2121058
+
+* Mon Jul 11 2022 Sergio Correia - 6.4.2-2
+- Fix efivar-libs dependency
+ Related: rhbz#2082989
+
+* Thu Jul 07 2022 Sergio Correia - 6.4.2-1
+- Update to 6.4.2
+ Related: rhbz#2082989
+
+* Tue Jun 21 2022 Sergio Correia - 6.4.1-1
+- Add keylime to RHEL-9
+ Resolves: rhbz#2082989
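Review bot: `%files base` ships `%{_sysconfdir}/%{srcname}.conf` as `%attr(600,%{srcname},%{srcname})` and `%posttrans base` re-chowns it to the same account, so the unprivileged user the services are configured to run as (`run_as = keylime:keylime` is pinned in %install) can rewrite its own configuration, including `tpm_hash_alg` and `run_as` themselves; unless a component must write that file, `%config(noreplace) %attr(0640,root,%{srcname}) %{_sysconfdir}/%{srcname}.conf` together with dropping the `chown %{srcname}` line in %posttrans keeps a compromised service from persisting configuration changes across restarts. The `chown -R %{srcname} %{_sharedstatedir}/%{srcname}/` in the same scriptlet runs on every transaction over a tree that the service user already owns and populates, so it is redundant with the `%attr(700,...)` entries and would be safer limited to first installation. Whether any shipped component rewrites keylime.conf is not visible on this page; confirm before changing the mode.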