From 1f91fc88b86751b4cb451c4994ed0883b26d6cc11f821d0ec68c3e4a6e7fed58 Mon Sep 17 00:00:00 2001 From: Alberto Planas Dominguez Date: Wed, 7 Jun 2023 10:22:53 +0000 Subject: [PATCH 1/2] Accepting request 1091251 from home:aplanas:branches:security - Make systemd skip the ima-policy load, and use only the service OBS-URL: https://build.opensuse.org/request/show/1091251 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=55 --- ima-policy.service | 2 +- rust-keylime.changes | 5 +++++ rust-keylime.spec | 4 +++- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/ima-policy.service b/ima-policy.service index fb141f2..2a838a5 100644 --- a/ima-policy.service +++ b/ima-policy.service @@ -5,7 +5,7 @@ Description=Load the IMA Policy Type=oneshot RemainAfterExit=yes Environment=IMA_SECFS_POLICY=/sys/kernel/security/ima/policy -Environment=IMA_POLICY=/etc/ima/ima-policy +Environment=IMA_POLICY=/etc/ima/ima-policy.POST-SYSTEMD ExecStart=bash -c '[ -f $IMA_SECFS_POLICY ] && [ -f $IMA_POLICY ] && cat $IMA_POLICY > $IMA_SECFS_POLICY' TimeoutStartSec=0 diff --git a/rust-keylime.changes b/rust-keylime.changes index 6ffb1bf..b54a50f 100644 --- a/rust-keylime.changes +++ b/rust-keylime.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Wed Jun 7 09:08:22 UTC 2023 - Alberto Planas Dominguez + +- Make systemd skip the ima-policy load, and use only the service + ------------------------------------------------------------------- Mon Jun 05 08:41:33 UTC 2023 - aplanas@suse.com diff --git a/rust-keylime.spec b/rust-keylime.spec index 68eeb50..158d6da 100644 --- a/rust-keylime.spec +++ b/rust-keylime.spec 
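Review bot: The new `IMA_POLICY` path is consumed only by the `[ -f $IMA_POLICY ]` test inside `ExecStart`, so a missing policy file makes this oneshot unit fail instead of skip, and that failure looks exactly like a rejected policy write. Moving the two existence checks to the unit level, `ConditionPathExists=/sys/kernel/security/ima/policy` and `ConditionPathExists=/etc/ima/ima-policy.POST-SYSTEMD`, would leave the `cat` into securityfs as the only failure cause, which is the case an operator needs to notice. The `.POST-SYSTEMD` suffix exists, per the commit subject, to keep systemd from loading `/etc/ima/ima-policy` itself, and nothing in the unit says so; a line such as `# Non-default path on purpose: keeps PID 1 from loading the policy at early boot, this unit loads it instead` would stop the next maintainer from renaming it back. The unit's `[Unit]` ordering directives are outside the hunk, so how long the system runs without an IMA policy before this unit fires cannot be judged here.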
@@ -102,6 +102,8 @@ install -d %{buildroot}%{_libexecdir}/keylime mkdir -p %{buildroot}%{_sharedstatedir}/keylime/cv_ca install -Dpm 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/ima/ima-policy +# TODO: for now we make systemd to not load the policy +mv %{buildroot}%{_sysconfdir}/ima/ima-policy %{buildroot}%{_sysconfdir}/ima/ima-policy.POST-SYSTEMD install -Dpm 0644 %{SOURCE7} %{buildroot}%{_unitdir}/ima-policy.service # %_check @@ -146,7 +148,7 @@ install -Dpm 0644 %{SOURCE7} %{buildroot}%{_unitdir}/ima-policy.service %files -n keylime-ima-policy %dir %attr(0750,root,root) %{_sysconfdir}/ima -%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/ima/ima-policy +%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/ima/ima-policy.POST-SYSTEMD %{_unitdir}/ima-policy.service %changelog From c727b184bcdce1265d3decd7cd08b285491c9083146455a149210ef39e408e88 Mon Sep 17 00:00:00 2001 From: Alberto Planas Dominguez Date: Wed, 7 Jun 2023 12:24:09 +0000 Subject: [PATCH 2/2] Accepting request 1091266 from home:aplanas:branches:security - Recommends the IMA Policy subpackage only if SELinux is configured OBS-URL: https://build.opensuse.org/request/show/1091266 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=56 --- rust-keylime.changes | 2 +- rust-keylime.spec | 6 ++---- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/rust-keylime.changes b/rust-keylime.changes index b54a50f..e55a7b8 100644 --- a/rust-keylime.changes +++ b/rust-keylime.changes @@ -1,7 +1,7 @@ ------------------------------------------------------------------- Wed Jun 7 09:08:22 UTC 2023 - Alberto Planas Dominguez -- Make systemd skip the ima-policy load, and use only the service +- Recommends the IMA Policy subpackage only if SELinux is configured ------------------------------------------------------------------- Mon Jun 05 08:41:33 UTC 2023 - aplanas@suse.com diff --git a/rust-keylime.spec b/rust-keylime.spec index 158d6da..6e5f2d5 100644 
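Review bot: The `mv` added after `install -Dpm 0644 %{SOURCE6}` renames the policy so that systemd does not load `/etc/ima/ima-policy` at boot, but the `# TODO` comment never says that, so the reason for the odd `.POST-SYSTEMD` name has to be recovered from the changelog. A comment that records the intent would read `# TODO: renamed on purpose so that systemd (PID 1) does not load /etc/ima/ima-policy at early boot; ima-policy.service loads the renamed file instead`, and installing straight to the final name with `install -Dpm 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/ima/ima-policy.POST-SYSTEMD` would make the `mv` unnecessary. The rename also moves policy activation from early boot to whenever ima-policy.service runs, so anything executed before that point is neither measured nor appraised; that trade-off belongs next to the comment. The second hunk of this file (`%files -n keylime-ima-policy`) only tracks the rename and needs nothing further.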
--- a/rust-keylime.spec +++ b/rust-keylime.spec @@ -51,7 +51,7 @@ BuildRequires: tpm2-0-tss-devel Requires: libtss2-tcti-device0 Requires: logrotate Requires: tpm2.0-abrmd -Recommends: keylime-ima-policy +Recommends: (keylime-ima-policy if selinux-policy-targeted) Provides: user(keylime) %sysusers_requires # Disable this line if you wish to support all platforms. In most @@ -102,8 +102,6 @@ install -d %{buildroot}%{_libexecdir}/keylime mkdir -p %{buildroot}%{_sharedstatedir}/keylime/cv_ca install -Dpm 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/ima/ima-policy -# TODO: for now we make systemd to not load the policy -mv %{buildroot}%{_sysconfdir}/ima/ima-policy %{buildroot}%{_sysconfdir}/ima/ima-policy.POST-SYSTEMD install -Dpm 0644 %{SOURCE7} %{buildroot}%{_unitdir}/ima-policy.service # %_check @@ -148,7 +146,7 @@ install -Dpm 0644 %{SOURCE7} %{buildroot}%{_unitdir}/ima-policy.service %files -n keylime-ima-policy %dir %attr(0750,root,root) %{_sysconfdir}/ima -%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/ima/ima-policy.POST-SYSTEMD +%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/ima/ima-policy %{_unitdir}/ima-policy.service %changelog
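Review bot: `Recommends: (keylime-ima-policy if selinux-policy-targeted)` keys the recommendation on the `selinux-policy-targeted` package being installed, which is weaker than the changelog's "only if SELinux is configured": the package can be present with SELinux disabled or permissive, and absent on a system that uses another policy store. The reason the IMA policy subpackage should follow SELinux is not visible in this hunk (presumably the shipped policy rules reference SELinux labels); a comment above the line such as `# The IMA policy subpackage is only useful where the targeted SELinux policy is installed` would record that, so a later reader does not take the rich dependency for an accident. Whether a different trigger package expresses the requirement better cannot be decided from the spec alone.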
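Review bot: Restoring `%{_sysconfdir}/ima/ima-policy` in the `%files` hunk (and dropping the `mv` in the `%install` hunk above it) leaves `ima-policy.service` out of step: the first patch of this series changed its `Environment=IMA_POLICY=` to `/etc/ima/ima-policy.POST-SYSTEMD`, and the diffstat of this second patch shows the unit is not touched, so after this commit the unit's `[ -f $IMA_POLICY ]` test finds no file and the oneshot fails at every boot. Either revert the unit line to `Environment=IMA_POLICY=/etc/ima/ima-policy` in the same request, or keep the rename in both places. With the plain path back, systemd presumably loads the policy itself at early boot again and the unit's `cat` of the same file into securityfs becomes a second write, which the kernel may reject depending on its IMA configuration; that is one more reason to settle on a single loader.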