From 1f91fc88b86751b4cb451c4994ed0883b26d6cc11f821d0ec68c3e4a6e7fed58 Mon Sep 17 00:00:00 2001
From: Alberto Planas Dominguez
Date: Wed, 7 Jun 2023 10:22:53 +0000
Subject: [PATCH] Accepting request 1091251 from home:aplanas:branches:security
- Make systemd skip the ima-policy load, and use only the service
OBS-URL: https://build.opensuse.org/request/show/1091251
OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=55
---
 ima-policy.service | 2 +-
 rust-keylime.changes | 5 +++++
 rust-keylime.spec | 4 +++-
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/ima-policy.service b/ima-policy.service
index fb141f2..2a838a5 100644
--- a/ima-policy.service
+++ b/ima-policy.service
@@ -5,7 +5,7 @@ Description=Load the IMA Policy
 Type=oneshot
 RemainAfterExit=yes
 Environment=IMA_SECFS_POLICY=/sys/kernel/security/ima/policy
-Environment=IMA_POLICY=/etc/ima/ima-policy
+Environment=IMA_POLICY=/etc/ima/ima-policy.POST-SYSTEMD
 ExecStart=bash -c '[ -f $IMA_SECFS_POLICY ] && [ -f $IMA_POLICY ] && cat $IMA_POLICY > $IMA_SECFS_POLICY'
 TimeoutStartSec=0
diff --git a/rust-keylime.changes b/rust-keylime.changes
index 6ffb1bf..b54a50f 100644
--- a/rust-keylime.changes
+++ b/rust-keylime.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Jun 7 09:08:22 UTC 2023 - Alberto Planas Dominguez
+
+- Make systemd skip the ima-policy load, and use only the service
+
 -------------------------------------------------------------------
 Mon Jun 05 08:41:33 UTC 2023 - aplanas@suse.com
diff --git a/rust-keylime.spec b/rust-keylime.spec
index 68eeb50..158d6da 100644
--- a/rust-keylime.spec
+++ b/rust-keylime.spec
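Review bot: With `IMA_POLICY` pointing at `/etc/ima/ima-policy.POST-SYSTEMD`, the policy is no longer loaded by systemd at early boot but only when this oneshot unit runs, and nothing in the ima-policy.service hunk bounds how late that is. Anything executed before the unit starts is presumably not measured or appraised under this policy, which matters for a Keylime agent whose attestation relies on the IMA log. The `[Unit]` section lies outside the hunk, so its ordering cannot be checked here; it is worth confirming the unit is ordered before the services that must be covered. A comment above the changed line would record the intent, for example `# Not /etc/ima/ima-policy on purpose: that path is loaded by systemd at early boot`.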
@@ -102,6 +102,8 @@ install -d %{buildroot}%{_libexecdir}/keylime
 mkdir -p %{buildroot}%{_sharedstatedir}/keylime/cv_ca
 install -Dpm 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/ima/ima-policy
+# TODO: for now we make systemd to not load the policy
+mv %{buildroot}%{_sysconfdir}/ima/ima-policy %{buildroot}%{_sysconfdir}/ima/ima-policy.POST-SYSTEMD
 install -Dpm 0644 %{SOURCE7} %{buildroot}%{_unitdir}/ima-policy.service
 # %_check
@@ -146,7 +148,7 @@ install -Dpm 0644 %{SOURCE7} %{buildroot}%{_unitdir}/ima-policy.service
 %files -n keylime-ima-policy
 %dir %attr(0750,root,root) %{_sysconfdir}/ima
-%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/ima/ima-policy
+%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/ima/ima-policy.POST-SYSTEMD
 %{_unitdir}/ima-policy.service
 %changelog
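Review bot: The added `# TODO` comment in the first rust-keylime.spec hunk does not say why systemd must not load the policy or what has to change before the workaround can be dropped, so the next maintainer cannot tell when the rename is safe to revert. I would reword it along the lines of `# systemd loads /etc/ima/ima-policy at early boot; install under another name so only ima-policy.service loads it (TODO: revert once <condition>)`. The install-then-`mv` pair can also be a single step, `install -Dpm 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/ima/ima-policy.POST-SYSTEMD`, which avoids briefly creating the file under the name systemd reads. The `%install` section starts and ends outside this hunk.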
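Review bot: Renaming the `%config(noreplace)` entry in `%files -n keylime-ima-policy` gives systems that already have `/etc/ima/ima-policy` no migration path, and the second hunk shows no scriptlet handling that case. On upgrade the package stops owning the old path, so a locally edited policy is presumably set aside by RPM (as `.rpmsave`) while the unit loads the packaged default from `ima-policy.POST-SYSTEMD`. The enforced policy can therefore change without the administrator noticing. A `%pre` or `%post` step for this subpackage that carries an existing policy over to the new name, or at least a note in the .changes entry telling administrators to move their file, would make the transition explicit.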