Accepting request 1091251 from home:aplanas:branches:security

- Make systemd skip the ima-policy load, and use only the service

OBS-URL: https://build.opensuse.org/request/show/1091251
OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=55

ima-policy.service

@@ -5,7 +5,7 @@ Description=Load the IMA Policy
 Type=oneshot
 RemainAfterExit=yes
 Environment=IMA_SECFS_POLICY=/sys/kernel/security/ima/policy
-Environment=IMA_POLICY=/etc/ima/ima-policy
+Environment=IMA_POLICY=/etc/ima/ima-policy.POST-SYSTEMD
 ExecStart=bash -c '[ -f $IMA_SECFS_POLICY ] && [ -f $IMA_POLICY ] && cat $IMA_POLICY > $IMA_SECFS_POLICY'
 TimeoutStartSec=0
 

rust-keylime.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Jun  7 09:08:22 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Make systemd skip the ima-policy load, and use only the service
+
 -------------------------------------------------------------------
 Mon Jun 05 08:41:33 UTC 2023 - aplanas@suse.com
 

rust-keylime.spec

@@ -102,6 +102,8 @@ install -d %{buildroot}%{_libexecdir}/keylime
 mkdir -p %{buildroot}%{_sharedstatedir}/keylime/cv_ca
 
 install -Dpm 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/ima/ima-policy
+# TODO: for now we make systemd to not load the policy
+mv %{buildroot}%{_sysconfdir}/ima/ima-policy %{buildroot}%{_sysconfdir}/ima/ima-policy.POST-SYSTEMD
 install -Dpm 0644 %{SOURCE7} %{buildroot}%{_unitdir}/ima-policy.service
 
 # %_check
@@ -146,7 +148,7 @@ install -Dpm 0644 %{SOURCE7} %{buildroot}%{_unitdir}/ima-policy.service
 
 %files -n keylime-ima-policy
 %dir %attr(0750,root,root) %{_sysconfdir}/ima
-%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/ima/ima-policy
+%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/ima/ima-policy.POST-SYSTEMD
 %{_unitdir}/ima-policy.service
 
 %changelog