Accepting request 1072170 from home:aplanas:branches:security

- Add keylime-ima-policy subpackage to provide a better IMA policy OBS-URL: https://build.opensuse.org/request/show/1072170 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=43
2023-03-15 16:47:53 +00:00 · 2023-03-15 16:47:53 +00:00 · 8f23d7d2e7
commit 8f23d7d2e7
parent 12219c580f
5 changed files with 1139 additions and 1 deletions
--- a/README.suse
+++ b/README.suse
@ -0,0 +1,55 @@
+# Notes about the IMA policy
+
+This IMA policy is provided as an example that can be later adapted to
+more specific usage.
+
+This was generated from a default tcb IMA policy from a 6.1.12 Linux
+kernel, and extended with SELinux file types to filter out the part of
+the system that we usually do not want to measure.
+
+To use this policy, we need to copy it in "/etc/ima/ima-policy" and
+systemd will load it after the SELinux policy has been loaded.
+
+For this example, we used the initial set of SELinux attributes, that
+group the file types under categories.  From that list we selected
+some of those attribute to deep more into the types that can be relevant for the IMA policy:
+
+  seinfo -a
+
+The current selection cover full or partially the types under those
+attributes:
+
+  base_file_type
+  base_ro_file_type
+  configfile
+  file_type
+  files_unconfined_type
+  init_script_file_type
+  init_sock_file_type
+  lockfile
+  logfile
+  non_auth_file_type
+  non_security_file_type
+  openshift_file_type
+  pidfile
+  pulseaudio_tmpfsfile
+  security_file_type
+  setfiles_domain
+  spoolfile
+  svirt_file_type
+  systemd_unit_file_type
+  tmpfile
+  tmpfsfile
+
+Special mention to non_auth_file_type and non_security_file_type
+(among other liske logfile or tmpfile), that should cover the most
+relevant types of the dynamic part of the system.
+
+The list should also include types from other attributes like
+virt_image_type and others (see the policy file comments from a
+complete list).
+
+Sometimes is important to see what files are labeled under a specific
+type, and for that we can use this:
+
+  semanage fcontext -l | grep $TYPE
--- a/1048
+++ b/1048
--- a/ima-policy.service
+++ b/ima-policy.service
@ -0,0 +1,13 @@
+[Unit]
+Description=Load the IMA Policy
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+Environment=IMA_SECFS_POLICY=/sys/kernel/security/ima/policy
+Environment=IMA_POLICY=/etc/ima/ima-policy
+ExecStart=bash -c '[ -f $IMA_SECFS_POLICY ] && [ -f $IMA_POLICY ] && cat $IMA_POLICY > $IMA_SECFS_POLICY'
+TimeoutStartSec=0
+
+[Install]
+WantedBy=basic.target
--- a/rust-keylime.changes
+++ b/rust-keylime.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Mar 15 16:46:28 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Add keylime-ima-policy subpackage to provide a better IMA policy
+
 -------------------------------------------------------------------
 Thu Mar 02 15:12:27 UTC 2023 - aplanas@suse.com

--- a/rust-keylime.spec
+++ b/rust-keylime.spec
@ -36,6 +36,8 @@ Source2:        cargo_config
 Source3:        keylime.xml
 Source4:        keylime-user.conf
 Source5:        tmpfiles.keylime
+Source6:        ima-policy
+Source7:        ima-policy.service
 # PATCH-FIX-OPENSUSE keylime-agent.conf.diff
 Patch1:         keylime-agent.conf.diff
 BuildRequires:  cargo-packaging
@ -48,6 +50,7 @@ BuildRequires:  tpm2-0-tss-devel
 Requires:       libtss2-tcti-device0
 Requires:       logrotate
 Requires:       tpm2.0-abrmd
+Recommends:     keylime-ima-policy
 Provides:       user(keylime)
 %sysusers_requires
 # Disable this line if you wish to support all platforms.  In most
@ -59,6 +62,12 @@ Provides:       user(keylime)
 Rust implementation of keylime agent. Keylime is system integrity
 monitoring system.

+%package -n keylime-ima-policy
+Summary:        IMA policy for Keylime agent
+
+%description -n keylime-ima-policy
+Subpackage of %{name} to provide an suggested IMA policy for Keylime agent
+
 %prep
 %autosetup -a1 -p1
 mkdir .cargo
@ -91,6 +100,9 @@ install -d %{buildroot}%{_libexecdir}/keylime
 # Create work directory and the certificate directory
 mkdir -p %{buildroot}%{_sharedstatedir}/keylime/cv_ca

+install -Dpm 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/ima/ima-policy
+install -Dpm 0644 %{SOURCE7} %{buildroot}%{_unitdir}/ima-policy.service
+
 # %_check
 # %_{cargo_test}

@ -118,7 +130,7 @@ mkdir -p %{buildroot}%{_sharedstatedir}/keylime/cv_ca
 %{_bindir}/keylime_agent
 %{_bindir}/keylime_ima_emulator
 %dir %attr(0700,keylime,tss) %{_distconfdir}/keylime
-%_config_norepl %attr (0600,keylime,tss) %{_distconfdir}/keylime/agent.conf
+%_config_norepl %attr(0600,keylime,tss) %{_distconfdir}/keylime/agent.conf
 %{_unitdir}/keylime_agent.service
 %{_unitdir}/var-lib-keylime-secure.mount
 %dir %{_prefix}/lib/firewalld
@ -131,4 +143,9 @@ mkdir -p %{buildroot}%{_sharedstatedir}/keylime/cv_ca
 %dir %attr(0700,keylime,tss) %{_sharedstatedir}/keylime
 %dir %attr(0700,keylime,tss) %{_sharedstatedir}/keylime/cv_ca

+%files -n keylime-ima-policy
+%dir %attr(0750,root,root) %{_sysconfdir}/ima
+%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/ima/ima-policy
+%{_unitdir}/ima-policy.service
+
 %changelog