From e4c8388ef3eb6b00a2f071b4b1e4ea4e89e724b8d3db4362a2a3c43d73f7d1d7 Mon Sep 17 00:00:00 2001 
From: Alberto Planas Dominguez
Date: Mon, 2 Sep 2024 12:27:20 +0000
Subject: [PATCH] Accepting request 1198288 from home:aplanas:branches:security

- Update vendored crates (bsc#1229952, bsc#1230029)
  * rustix 0.37.25
  * rustix 0.38.34
  * shlex 1.3.0
- Update to version 0.2.6+13:
  * Enable test functional/iak-idevid-persisted-and-protected
  * build(deps): bump uuid from 1.7.0 to 1.10.0
  * build(deps): bump openssl from 0.10.64 to 0.10.66
  * keylime-agent/src/revocation: Fix comment indentation
  * keylime/crypto: Fix indentation of documentation comment
  * build(deps): bump thiserror from 1.0.59 to 1.0.63
  * build(deps): bump serde_json from 1.0.116 to 1.0.120
  * dependabot: Extend to also monitor workflow actions
  * ci: Disable Packit CI on CentOS Stream 9
  * ci: use CODECOV_TOKEN when submitting coverage data
  * revocation: Use into() for unfallible transformation
  * secure_mount: Fix possible infinite loop
  * error: Rename enum variants to avoid clippy warning

OBS-URL: https://build.opensuse.org/request/show/1198288
OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=74
---
 .gitattributes | 23 +
 .gitignore | 1 +
 README.suse | 55 ++
 _constraints | 7 +
 _service | 29 +
 _servicedata | 4 +
 cargo_config | 5 +
 ima-policy | 1048 +++++++++++++++++++++++++++++++++
 ima-policy.service | 13 +
 keylime-agent.conf.diff | 42 ++
 keylime-user.conf | 2 +
 keylime.xml | 10 +
 rust-keylime-0.2.6+13.obscpio | 3 +
 rust-keylime-0.2.6+13.tar.zst | 3 +
 rust-keylime-0.2.6~0.tar.zst | 3 +
 rust-keylime.changes | 743 +++++++++++++++++++++++
 rust-keylime.obsinfo | 4 +
 rust-keylime.spec | 152 +++++
 tmpfiles.keylime | 1 +
 vendor.tar.xz | 3 +
 20 files changed, 2151 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 .gitignore
 create mode 100644 README.suse
 create mode 100644 _constraints
 create mode 100644 _service
 create mode 100644 _servicedata
 create mode 100644 cargo_config
 create mode 100644 ima-policy
 create mode 100644 ima-policy.service
 create mode 100644 keylime-agent.conf.diff
 create mode 100644 keylime-user.conf
 create mode 100644 keylime.xml
 create mode 100644 rust-keylime-0.2.6+13.obscpio
 create mode 100644 rust-keylime-0.2.6+13.tar.zst
 create mode 100644 rust-keylime-0.2.6~0.tar.zst
 create mode 100644 rust-keylime.changes
 create mode 100644 rust-keylime.obsinfo
 create mode 100644 rust-keylime.spec
 create mode 100644 tmpfiles.keylime
 create mode 100644 vendor.tar.xz

diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/README.suse b/README.suse
new file mode 100644
index 0000000..ffabdf6
--- /dev/null
+++ b/README.suse
@@ -0,0 +1,55 @@ +# Notes about the IMA policy + +This IMA policy is provided as an example that can be later adapted to +more specific usage. + +This was generated from a default tcb IMA policy from a 6.1.12 Linux +kernel, and extended with SELinux file types to filter out the part of +the system that we usually do not want to measure. + +To use this policy, we need to copy it in "/etc/ima/ima-policy" and +systemd will load it after the SELinux policy has been loaded. + +For this example, we used the initial set of SELinux attributes, that +group the file types under categories. From that list we selected +some of those attribute to deep more into the types that can be relevant for the IMA policy: + + seinfo -a + +The current selection cover full or partially the types under those +attributes: + + base_file_type + base_ro_file_type + configfile + file_type + files_unconfined_type + init_script_file_type + init_sock_file_type + lockfile + logfile + non_auth_file_type + non_security_file_type + openshift_file_type + pidfile + pulseaudio_tmpfsfile + security_file_type + setfiles_domain + spoolfile + svirt_file_type + systemd_unit_file_type + tmpfile + tmpfsfile + +Special mention to non_auth_file_type and non_security_file_type +(among other liske logfile or tmpfile), that should cover the most +relevant types of the dynamic part of the system. + +The list should also include types from other attributes like +virt_image_type and others (see the policy file comments from a +complete list). + +Sometimes is important to see what files are labeled under a specific +type, and for that we can use this: + + semanage fcontext -l | grep $TYPE diff --git a/_constraints b/_constraints new file mode 100644 index 0000000..4988ecd --- /dev/null +++ b/_constraints @@ -0,0 +1,7 @@ + + + + 10 + + + diff --git a/_service b/_service new file mode 100644 index 0000000..9f76803 --- /dev/null +++ b/_service 
@@ -0,0 +1,29 @@ + + + https://github.com/keylime/rust-keylime.git + + @PARENT_TAG@+@TAG_OFFSET@ + git + v0.2.6 + master + * + v(\d+\.\d+\.\d+) + \1 + enable + aplanas@suse.com + + + + *.tar + zst + + + + + + + + + rust-keylime + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..0f5029f --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/keylime/rust-keylime.git + 57992463535d15951ebaca77d1be4217ffaf74d6 \ No newline at end of file diff --git a/cargo_config b/cargo_config new file mode 100644 index 0000000..97852b5 --- /dev/null +++ b/cargo_config @@ -0,0 +1,5 @@ +[source.crates-io] +replace-with = "vendored-sources" + +[source.vendored-sources] +directory = "vendor" diff --git a/ima-policy b/ima-policy new file mode 100644 index 0000000..ef28f85 --- /dev/null +++ b/ima-policy 
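Review bot: The scm service in `_service` appears to check out the tip of `master` rather than a fixed commit (the XML element names were lost in this rendering, so the reading parent-tag `v0.2.6`, revision `master` is inferred from field order), which means a service re-run pulls whatever the branch contains at that moment; the only commit pin is `57992463535d15951ebaca77d1be4217ffaf74d6` in `_servicedata`. Because this update is motivated by vulnerable vendored crates (bsc#1229952, bsc#1230029), the reviewer should confirm that the checked-in `rust-keylime-0.2.6+13.tar.zst` and `vendor.tar.xz` were generated from exactly that commit, since that is what the shipped crate versions depend on. Consider pinning `revision` to the commit hash for the security branch so the 0.2.6+13 snapshot is reproducible without relying on `_servicedata`, or at least record the intent with a comment such as `<!-- revision tracks master; the shipped snapshot is the commit recorded in _servicedata -->`.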
@@ -0,0 +1,1048 @@ +# Generated from a default tcb IMA policy under 6.1.12-11-default + +# PROC_SUPER_MAGIC +dont_measure fsmagic=0x9fa0 +# SYSFS_MAGIC +dont_measure fsmagic=0x62656572 +# DEBUGFS_MAGIC +dont_measure fsmagic=0x64626720 +# TMPFS_MAGIC +dont_measure fsmagic=0x1021994 +# RAMFS_MAGIC (missing) +# DEVPTS_SUPER_MAGIC +dont_measure fsmagic=0x1cd1 +# BINFMTFS_MAGIC +dont_measure fsmagic=0x42494e4d +# SECURITYFS_MAGIC +dont_measure fsmagic=0x73636673 +# SELINUX_MAGIC +dont_measure fsmagic=0xf97cff8c +# SMACK_MAGIC (new) +dont_measure fsmagic=0x43415d53 +# CGROUP_SUPER_MAGIC +dont_measure fsmagic=0x27e0eb +# CGROUP2_SUPER_MAGIC (new) +dont_measure fsmagic=0x63677270 +# NSFS_MAGIC +dont_measure fsmagic=0x6e736673 +# EFIVARFS_MAGIC (new) +dont_measure fsmagic=0xde5e81e4 + +# base_file_type, base_ro_file_type +dont_measure obj_type=etc_runtime_t +dont_measure obj_type=system_conf_t +dont_measure obj_type=system_db_t +dont_measure obj_type=tmp_t +dont_measure obj_type=var_lib_t +dont_measure obj_type=var_lock_t +dont_measure obj_type=var_run_t +dont_measure obj_type=var_spool_t + +# for i in $(seinfo -alockfile -x | grep _t | tr '[:space:]' " "); do echo "dont_measure obj_type=$i"; done +dont_measure obj_type=alsa_lock_t +dont_measure obj_type=apcupsd_lock_t +dont_measure obj_type=apmd_lock_t +dont_measure obj_type=automount_lock_t +dont_measure obj_type=bluetooth_lock_t +dont_measure obj_type=condor_var_lock_t +dont_measure obj_type=conntrackd_var_lock_t +dont_measure obj_type=container_lock_t +dont_measure obj_type=cpuplug_lock_t +dont_measure obj_type=cupsd_lock_t +dont_measure obj_type=denyhosts_var_lock_t +dont_measure obj_type=dirsrv_var_lock_t +dont_measure obj_type=dirsrvadmin_lock_t +dont_measure obj_type=drbd_lock_t +dont_measure obj_type=fenced_lock_t +dont_measure obj_type=ftpd_lock_t +dont_measure obj_type=getty_lock_t +dont_measure obj_type=httpd_lock_t +dont_measure obj_type=ipmievd_lock_t +dont_measure obj_type=ipsec_mgmt_lock_t +dont_measure 
obj_type=iptables_lock_t +dont_measure obj_type=iscsi_lock_t +dont_measure obj_type=kdump_lock_t +dont_measure obj_type=krb5kdc_lock_t +dont_measure obj_type=likewise_pstore_lock_t +dont_measure obj_type=local_login_lock_t +dont_measure obj_type=lockdev_lock_t +dont_measure obj_type=logrotate_lock_t +dont_measure obj_type=logwatch_lock_t +dont_measure obj_type=lvm_lock_t +dont_measure obj_type=mailman_lock_t +dont_measure obj_type=mandb_lock_t +dont_measure obj_type=mrtg_lock_t +dont_measure obj_type=pkcs_slotd_lock_t +dont_measure obj_type=pki_ra_lock_t +dont_measure obj_type=pki_tomcat_lock_t +dont_measure obj_type=pki_tps_lock_t +dont_measure obj_type=postgresql_lock_t +dont_measure obj_type=pppd_lock_t +dont_measure obj_type=rabbitmq_var_lock_t +dont_measure obj_type=rhsmcertd_lock_t +dont_measure obj_type=ricci_modstorage_lock_t +dont_measure obj_type=rpcd_lock_t +dont_measure obj_type=rtas_errd_var_lock_t +dont_measure obj_type=semanage_read_lock_t +dont_measure obj_type=semanage_trans_lock_t +dont_measure obj_type=shorewall_lock_t +dont_measure obj_type=slapd_lock_t +dont_measure obj_type=swift_lock_t +dont_measure obj_type=system_cronjob_lock_t +dont_measure obj_type=uucpd_lock_t +dont_measure obj_type=var_lock_t +dont_measure obj_type=virt_lock_t +dont_measure obj_type=xdm_lock_t + +# for i in $(seinfo -alogfile -x | grep _t | tr '[:space:]' " "); do echo "dont_measure obj_type=$i"; done +dont_measure obj_type=NetworkManager_log_t +dont_measure obj_type=abrt_var_log_t +dont_measure obj_type=acct_data_t +dont_measure obj_type=afs_logfile_t +dont_measure obj_type=aide_log_t +dont_measure obj_type=amanda_log_t +dont_measure obj_type=antivirus_log_t +dont_measure obj_type=apcupsd_log_t +dont_measure obj_type=apmd_log_t +dont_measure obj_type=asterisk_log_t +dont_measure obj_type=auth_cache_t +dont_measure obj_type=bacula_log_t +dont_measure obj_type=bitlbee_log_t +dont_measure obj_type=boinc_log_t +dont_measure obj_type=brltty_log_t +dont_measure 
obj_type=calamaris_log_t +dont_measure obj_type=callweaver_log_t +dont_measure obj_type=canna_log_t +dont_measure obj_type=ccs_var_lib_t +dont_measure obj_type=ccs_var_log_t +dont_measure obj_type=certmaster_var_log_t +dont_measure obj_type=cfengine_log_t +dont_measure obj_type=cgred_log_t +dont_measure obj_type=checkpc_log_t +dont_measure obj_type=chronyd_var_log_t +dont_measure obj_type=cinder_log_t +dont_measure obj_type=cloud_log_t +dont_measure obj_type=cluster_var_log_t +dont_measure obj_type=cobbler_var_log_t +dont_measure obj_type=collectd_log_t +dont_measure obj_type=condor_log_t +dont_measure obj_type=conman_log_t +dont_measure obj_type=conntrackd_log_t +dont_measure obj_type=consolekit_log_t +dont_measure obj_type=container_file_t +dont_measure obj_type=container_log_t +dont_measure obj_type=couchdb_log_t +dont_measure obj_type=cron_log_t +dont_measure obj_type=ctdbd_log_t +dont_measure obj_type=cupsd_log_t +dont_measure obj_type=cyphesis_log_t +dont_measure obj_type=ddclient_log_t +dont_measure obj_type=deltacloudd_log_t +dont_measure obj_type=denyhosts_var_log_t +dont_measure obj_type=devicekit_var_log_t +dont_measure obj_type=dirsrv_snmp_var_log_t +dont_measure obj_type=dirsrv_var_log_t +dont_measure obj_type=dlm_controld_var_log_t +dont_measure obj_type=dnsmasq_var_log_t +dont_measure obj_type=dovecot_var_log_t +dont_measure obj_type=dspam_log_t +dont_measure obj_type=evtchnd_var_log_t +dont_measure obj_type=exim_log_t +dont_measure obj_type=fail2ban_log_t +dont_measure obj_type=faillog_t +dont_measure obj_type=fenced_var_log_t +dont_measure obj_type=fetchmail_log_t +dont_measure obj_type=fingerd_log_t +dont_measure obj_type=firewalld_var_log_t +dont_measure obj_type=foghorn_var_log_t +dont_measure obj_type=fsadm_log_t +dont_measure obj_type=getty_log_t +dont_measure obj_type=gfs_controld_var_log_t +dont_measure obj_type=glance_log_t +dont_measure obj_type=glusterd_log_t +dont_measure obj_type=groupd_var_log_t +dont_measure obj_type=haproxy_var_log_t 
+dont_measure obj_type=httpd_log_t +dont_measure obj_type=ibacm_log_t +dont_measure obj_type=icecast_log_t +dont_measure obj_type=inetd_log_t +dont_measure obj_type=initrc_var_log_t +dont_measure obj_type=innd_log_t +dont_measure obj_type=ipsec_log_t +dont_measure obj_type=iscsi_log_t +dont_measure obj_type=iwhd_log_t +dont_measure obj_type=jetty_log_t +dont_measure obj_type=jockey_var_log_t +dont_measure obj_type=kadmind_log_t +dont_measure obj_type=keystone_log_t +dont_measure obj_type=kismet_log_t +dont_measure obj_type=krb5kdc_log_t +dont_measure obj_type=ksmtuned_log_t +dont_measure obj_type=ktalkd_log_t +dont_measure obj_type=lastlog_t +dont_measure obj_type=mailman_log_t +dont_measure obj_type=mcelog_log_t +dont_measure obj_type=mdadm_log_t +dont_measure obj_type=minidlna_log_t +dont_measure obj_type=mirrormanager_log_t +dont_measure obj_type=mongod_log_t +dont_measure obj_type=motion_log_t +dont_measure obj_type=mpd_log_t +dont_measure obj_type=mrtg_log_t +dont_measure obj_type=munin_log_t +dont_measure obj_type=mysqld_log_t +dont_measure obj_type=mythtv_var_log_t +dont_measure obj_type=naemon_log_t +dont_measure obj_type=nagios_log_t +dont_measure obj_type=named_log_t +dont_measure obj_type=neutron_log_t +dont_measure obj_type=nova_log_t +dont_measure obj_type=nscd_log_t +dont_measure obj_type=nsd_log_t +dont_measure obj_type=ntpd_log_t +dont_measure obj_type=numad_var_log_t +dont_measure obj_type=openhpid_log_t +dont_measure obj_type=openshift_log_t +dont_measure obj_type=opensm_log_t +dont_measure obj_type=openvpn_status_t +dont_measure obj_type=openvpn_var_log_t +dont_measure obj_type=openvswitch_log_t +dont_measure obj_type=openwsman_log_t +dont_measure obj_type=osad_log_t +dont_measure obj_type=passenger_log_t +dont_measure obj_type=pcp_log_t +dont_measure obj_type=piranha_log_t +dont_measure obj_type=pkcs_slotd_log_t +dont_measure obj_type=pki_log_t +dont_measure obj_type=pki_ra_log_t +dont_measure obj_type=pki_tomcat_log_t +dont_measure 
obj_type=pki_tps_log_t +dont_measure obj_type=plymouthd_var_log_t +dont_measure obj_type=polipo_log_t +dont_measure obj_type=postgresql_log_t +dont_measure obj_type=pppd_log_t +dont_measure obj_type=pptp_log_t +dont_measure obj_type=prelink_log_t +dont_measure obj_type=prelude_log_t +dont_measure obj_type=privoxy_log_t +dont_measure obj_type=procmail_log_t +dont_measure obj_type=prosody_log_t +dont_measure obj_type=psad_var_log_t +dont_measure obj_type=puppet_log_t +dont_measure obj_type=pyicqt_log_t +dont_measure obj_type=qdiskd_var_log_t +dont_measure obj_type=rabbitmq_var_log_t +dont_measure obj_type=radiusd_log_t +dont_measure obj_type=redis_log_t +dont_measure obj_type=rhev_agentd_log_t +dont_measure obj_type=rhsmcertd_log_t +dont_measure obj_type=ricci_modcluster_var_log_t +dont_measure obj_type=ricci_var_log_t +dont_measure obj_type=rpm_log_t +dont_measure obj_type=rsync_log_t +dont_measure obj_type=rtas_errd_log_t +dont_measure obj_type=samba_log_t +dont_measure obj_type=sanlock_log_t +dont_measure obj_type=sectool_var_log_t +dont_measure obj_type=sendmail_log_t +dont_measure obj_type=sensord_log_t +dont_measure obj_type=setroubleshoot_var_log_t +dont_measure obj_type=shorewall_log_t +dont_measure obj_type=slapd_log_t +dont_measure obj_type=slpd_log_t +dont_measure obj_type=smsd_log_t +dont_measure obj_type=snapperd_log_t +dont_measure obj_type=snmpd_log_t +dont_measure obj_type=snort_log_t +dont_measure obj_type=spamd_log_t +dont_measure obj_type=speech_dispatcher_log_t +dont_measure obj_type=squid_log_t +dont_measure obj_type=sssd_var_log_t +dont_measure obj_type=stapserver_log_t +dont_measure obj_type=stunnel_log_t +dont_measure obj_type=sudo_log_t +dont_measure obj_type=svnserve_log_t +dont_measure obj_type=sysstat_log_t +dont_measure obj_type=thin_aeolus_configserver_log_t +dont_measure obj_type=thin_log_t +dont_measure obj_type=tomcat_log_t +dont_measure obj_type=tor_var_log_t +dont_measure obj_type=tuned_log_t +dont_measure obj_type=ulogd_var_log_t 
+dont_measure obj_type=uucpd_log_t +dont_measure obj_type=var_log_t +dont_measure obj_type=varnishlog_log_t +dont_measure obj_type=vdagent_log_t +dont_measure obj_type=virt_log_t +dont_measure obj_type=virt_qemu_ga_log_t +dont_measure obj_type=vmware_log_t +dont_measure obj_type=watchdog_log_t +dont_measure obj_type=winbind_log_t +dont_measure obj_type=wtmp_t +dont_measure obj_type=xdm_log_t +dont_measure obj_type=xend_var_log_t +dont_measure obj_type=xenstored_var_log_t +dont_measure obj_type=xferlog_t +dont_measure obj_type=xserver_log_t +dont_measure obj_type=zabbix_log_t +dont_measure obj_type=zarafa_deliver_log_t +dont_measure obj_type=zarafa_gateway_log_t +dont_measure obj_type=zarafa_ical_log_t +dont_measure obj_type=zarafa_indexer_log_t +dont_measure obj_type=zarafa_monitor_log_t +dont_measure obj_type=zarafa_server_log_t +dont_measure obj_type=zarafa_spooler_log_t +dont_measure obj_type=zebra_log_t +dont_measure obj_type=zoneminder_log_t + +# for i in $(seinfo -apidfile -x | grep _t | tr '[:space:]' " "); do echo "dont_measure obj_type=$i"; done +dont_measure obj_type=NetworkManager_dispatcher_console_var_run_t +dont_measure obj_type=NetworkManager_var_run_t +dont_measure obj_type=abrt_var_run_t +dont_measure obj_type=aiccu_var_run_t +dont_measure obj_type=ajaxterm_var_run_t +dont_measure obj_type=alsa_var_run_t +dont_measure obj_type=antivirus_var_run_t +dont_measure obj_type=apcupsd_var_run_t +dont_measure obj_type=apmd_var_run_t +dont_measure obj_type=arpwatch_var_run_t +dont_measure obj_type=asterisk_var_run_t +dont_measure obj_type=audisp_var_run_t +dont_measure obj_type=auditd_var_run_t +dont_measure obj_type=automount_var_run_t +dont_measure obj_type=avahi_var_run_t +dont_measure obj_type=bacula_var_run_t +dont_measure obj_type=bcfg2_var_run_t +dont_measure obj_type=bitlbee_var_run_t +dont_measure obj_type=blkmapd_var_run_t +dont_measure obj_type=blktap_var_run_t +dont_measure obj_type=blueman_var_run_t +dont_measure obj_type=bluetooth_var_run_t 
+dont_measure obj_type=boltd_var_run_t +dont_measure obj_type=bootloader_var_run_t +dont_measure obj_type=brltty_var_run_t +dont_measure obj_type=bumblebee_var_run_t +dont_measure obj_type=cachefilesd_var_run_t +dont_measure obj_type=callweaver_var_run_t +dont_measure obj_type=canna_var_run_t +dont_measure obj_type=cardmgr_var_run_t +dont_measure obj_type=ccs_var_run_t +dont_measure obj_type=certmaster_var_run_t +dont_measure obj_type=certmonger_var_run_t +dont_measure obj_type=cgred_var_run_t +dont_measure obj_type=chronyd_var_run_t +dont_measure obj_type=cinder_var_run_t +dont_measure obj_type=clogd_var_run_t +dont_measure obj_type=cluster_var_run_t +dont_measure obj_type=clvmd_var_run_t +dont_measure obj_type=cmirrord_var_run_t +dont_measure obj_type=collectd_var_run_t +dont_measure obj_type=comsat_var_run_t +dont_measure obj_type=condor_var_run_t +dont_measure obj_type=conman_var_run_t +dont_measure obj_type=conntrackd_var_run_t +dont_measure obj_type=consolekit_var_run_t +dont_measure obj_type=container_kvm_var_run_t +dont_measure obj_type=container_plugin_var_run_t +dont_measure obj_type=container_var_run_t +dont_measure obj_type=couchdb_var_run_t +dont_measure obj_type=courier_var_run_t +dont_measure obj_type=cpuplug_var_run_t +dont_measure obj_type=cpuspeed_var_run_t +dont_measure obj_type=cron_var_run_t +dont_measure obj_type=crond_var_run_t +dont_measure obj_type=ctdbd_var_run_t +dont_measure obj_type=cupsd_config_var_run_t +dont_measure obj_type=cupsd_lpd_var_run_t +dont_measure obj_type=cupsd_var_run_t +dont_measure obj_type=cvs_var_run_t +dont_measure obj_type=cyphesis_var_run_t +dont_measure obj_type=cyrus_var_run_t +dont_measure obj_type=dbskkd_var_run_t +dont_measure obj_type=dcc_var_run_t +dont_measure obj_type=dccd_var_run_t +dont_measure obj_type=dccifd_var_run_t +dont_measure obj_type=dccm_var_run_t +dont_measure obj_type=dcerpcd_var_run_t +dont_measure obj_type=ddclient_var_run_t +dont_measure obj_type=deltacloudd_var_run_t +dont_measure 
obj_type=devicekit_var_run_t +dont_measure obj_type=dhcpc_var_run_t +dont_measure obj_type=dhcpd_var_run_t +dont_measure obj_type=dictd_var_run_t +dont_measure obj_type=dirsrv_snmp_var_run_t +dont_measure obj_type=dirsrv_var_run_t +dont_measure obj_type=dkim_milter_data_t +dont_measure obj_type=dlm_controld_var_run_t +dont_measure obj_type=dnsmasq_var_run_t +dont_measure obj_type=dnssec_trigger_var_run_t +dont_measure obj_type=dovecot_var_run_t +dont_measure obj_type=drbd_var_run_t +dont_measure obj_type=dspam_var_run_t +dont_measure obj_type=entropyd_var_run_t +dont_measure obj_type=eventlogd_var_run_t +dont_measure obj_type=evtchnd_var_run_t +dont_measure obj_type=exim_var_run_t +dont_measure obj_type=fail2ban_var_run_t +dont_measure obj_type=fcoemon_var_run_t +dont_measure obj_type=fenced_var_run_t +dont_measure obj_type=fetchmail_var_run_t +dont_measure obj_type=fingerd_var_run_t +dont_measure obj_type=firewalld_var_run_t +dont_measure obj_type=foghorn_var_run_t +dont_measure obj_type=freeipmi_bmc_watchdog_var_run_t +dont_measure obj_type=freeipmi_ipmidetectd_var_run_t +dont_measure obj_type=freeipmi_ipmiseld_var_run_t +dont_measure obj_type=fsadm_var_run_t +dont_measure obj_type=fsdaemon_var_run_t +dont_measure obj_type=ftpd_var_run_t +dont_measure obj_type=games_srv_var_run_t +dont_measure obj_type=gdomap_var_run_t +dont_measure obj_type=getty_var_run_t +dont_measure obj_type=gfs_controld_var_run_t +dont_measure obj_type=glance_var_run_t +dont_measure obj_type=glusterd_var_run_t +dont_measure obj_type=gpm_var_run_t +dont_measure obj_type=gpsd_var_run_t +dont_measure obj_type=greylist_milter_data_t +dont_measure obj_type=groupd_var_run_t +dont_measure obj_type=gssproxy_var_run_t +dont_measure obj_type=haproxy_var_run_t +dont_measure obj_type=hostapd_var_run_t +dont_measure obj_type=httpd_var_run_t +dont_measure obj_type=hwloc_var_run_t +dont_measure obj_type=ibacm_var_run_t +dont_measure obj_type=icecast_var_run_t +dont_measure obj_type=ifconfig_var_run_t 
+dont_measure obj_type=inetd_child_var_run_t +dont_measure obj_type=inetd_var_run_t +dont_measure obj_type=init_var_run_t +dont_measure obj_type=initrc_var_run_t +dont_measure obj_type=innd_var_run_t +dont_measure obj_type=install_var_run_t +dont_measure obj_type=ipmievd_var_run_t +dont_measure obj_type=ipsec_mgmt_var_run_t +dont_measure obj_type=ipsec_var_run_t +dont_measure obj_type=iptables_var_lib_t +dont_measure obj_type=iptables_var_run_t +dont_measure obj_type=irqbalance_var_run_t +dont_measure obj_type=iscsi_var_run_t +dont_measure obj_type=isnsd_var_run_t +dont_measure obj_type=iwhd_var_run_t +dont_measure obj_type=jetty_var_run_t +dont_measure obj_type=kadmind_var_run_t +dont_measure obj_type=keepalived_var_run_t +dont_measure obj_type=keystone_var_run_t +dont_measure obj_type=kismet_var_run_t +dont_measure obj_type=klogd_var_run_t +dont_measure obj_type=kmod_var_run_t +dont_measure obj_type=krb5kdc_var_run_t +dont_measure obj_type=ksmtuned_var_run_t +dont_measure obj_type=l2tpd_var_run_t +dont_measure obj_type=lircd_var_run_t +dont_measure obj_type=lldpad_var_run_t +dont_measure obj_type=locate_var_run_t +dont_measure obj_type=logwatch_var_run_t +dont_measure obj_type=lpd_var_run_t +dont_measure obj_type=lsassd_var_run_t +dont_measure obj_type=lsmd_var_run_t +dont_measure obj_type=lttng_sessiond_var_run_t +dont_measure obj_type=lvm_var_run_t +dont_measure obj_type=lwiod_var_run_t +dont_measure obj_type=lwregd_var_run_t +dont_measure obj_type=lwsmd_var_run_t +dont_measure obj_type=mailman_var_run_t +dont_measure obj_type=mcelog_var_run_t +dont_measure obj_type=mdadm_var_run_t +dont_measure obj_type=memcached_var_run_t +dont_measure obj_type=minidlna_var_run_t +dont_measure obj_type=minissdpd_var_run_t +dont_measure obj_type=mirrormanager_var_run_t +dont_measure obj_type=mock_var_run_t +dont_measure obj_type=mon_statd_var_run_t +dont_measure obj_type=mongod_var_run_t +dont_measure obj_type=motion_var_run_t +dont_measure obj_type=mount_var_run_t 
+dont_measure obj_type=mpd_var_run_t +dont_measure obj_type=mrtg_var_run_t +dont_measure obj_type=mscan_var_run_t +dont_measure obj_type=munin_var_run_t +dont_measure obj_type=mysqld_var_run_t +dont_measure obj_type=mysqlmanagerd_var_run_t +dont_measure obj_type=naemon_var_run_t +dont_measure obj_type=nagios_var_run_t +dont_measure obj_type=named_var_run_t +dont_measure obj_type=netlogond_var_run_t +dont_measure obj_type=neutron_var_run_t +dont_measure obj_type=ninfod_run_t +dont_measure obj_type=nmbd_var_run_t +dont_measure obj_type=nova_var_run_t +dont_measure obj_type=nrpe_var_run_t +dont_measure obj_type=nscd_var_run_t +dont_measure obj_type=nsd_var_run_t +dont_measure obj_type=nslcd_var_run_t +dont_measure obj_type=ntop_var_run_t +dont_measure obj_type=ntpd_var_run_t +dont_measure obj_type=numad_var_run_t +dont_measure obj_type=nut_var_run_t +dont_measure obj_type=nx_server_var_run_t +dont_measure obj_type=oddjob_var_run_t +dont_measure obj_type=opafm_var_run_t +dont_measure obj_type=openct_var_run_t +dont_measure obj_type=opendnssec_var_run_t +dont_measure obj_type=openhpid_var_run_t +dont_measure obj_type=openshift_var_run_t +dont_measure obj_type=openvpn_var_run_t +dont_measure obj_type=openvswitch_var_run_t +dont_measure obj_type=openwsman_run_t +dont_measure obj_type=osad_var_run_t +dont_measure obj_type=pads_var_run_t +dont_measure obj_type=pam_var_console_t +dont_measure obj_type=pam_var_run_t +dont_measure obj_type=passenger_var_run_t +dont_measure obj_type=pcp_var_run_t +dont_measure obj_type=pcscd_var_run_t +dont_measure obj_type=pdns_var_run_t +dont_measure obj_type=pegasus_openlmi_storage_var_run_t +dont_measure obj_type=pegasus_var_run_t +dont_measure obj_type=pesign_var_run_t +dont_measure obj_type=piranha_fos_var_run_t +dont_measure obj_type=piranha_lvs_var_run_t +dont_measure obj_type=piranha_pulse_var_run_t +dont_measure obj_type=piranha_web_var_run_t +dont_measure obj_type=pkcs11proxyd_var_run_t +dont_measure obj_type=pkcs_slotd_var_run_t 
+dont_measure obj_type=pki_ra_var_run_t +dont_measure obj_type=pki_tomcat_var_run_t +dont_measure obj_type=pki_tps_var_run_t +dont_measure obj_type=plymouthd_var_run_t +dont_measure obj_type=policykit_var_run_t +dont_measure obj_type=polipo_pid_t +dont_measure obj_type=portmap_var_run_t +dont_measure obj_type=portreserve_var_run_t +dont_measure obj_type=postfix_var_run_t +dont_measure obj_type=postgresql_var_run_t +dont_measure obj_type=postgrey_var_run_t +dont_measure obj_type=pppd_var_run_t +dont_measure obj_type=pptp_var_run_t +dont_measure obj_type=prelude_audisp_var_run_t +dont_measure obj_type=prelude_lml_var_run_t +dont_measure obj_type=prelude_var_run_t +dont_measure obj_type=privoxy_var_run_t +dont_measure obj_type=prosody_var_run_t +dont_measure obj_type=psad_var_run_t +dont_measure obj_type=ptal_var_run_t +dont_measure obj_type=pulseaudio_var_run_t +dont_measure obj_type=puppet_var_run_t +dont_measure obj_type=pwauth_var_run_t +dont_measure obj_type=pyicqt_var_run_t +dont_measure obj_type=qdiskd_var_run_t +dont_measure obj_type=qemu_var_run_t +dont_measure obj_type=qpidd_var_run_t +dont_measure obj_type=quota_nld_var_run_t +dont_measure obj_type=rabbitmq_var_run_t +dont_measure obj_type=radiusd_var_run_t +dont_measure obj_type=radvd_var_run_t +dont_measure obj_type=readahead_var_run_t +dont_measure obj_type=redis_var_run_t +dont_measure obj_type=regex_milter_data_t +dont_measure obj_type=restorecond_var_run_t +dont_measure obj_type=rhev_agentd_var_run_t +dont_measure obj_type=rhnsd_var_run_t +dont_measure obj_type=rhsmcertd_var_run_t +dont_measure obj_type=ricci_modcluster_var_run_t +dont_measure obj_type=ricci_var_run_t +dont_measure obj_type=rlogind_var_run_t +dont_measure obj_type=rngd_var_run_t +dont_measure obj_type=roundup_var_run_t +dont_measure obj_type=rpcbind_var_run_t +dont_measure obj_type=rpcd_var_run_t +dont_measure obj_type=rpm_var_run_t +dont_measure obj_type=rsync_var_run_t +dont_measure obj_type=rtas_errd_var_run_t +dont_measure 
obj_type=sanlock_var_run_t +dont_measure obj_type=saslauthd_var_run_t +dont_measure obj_type=sbd_var_run_t +dont_measure obj_type=sblim_var_run_t +dont_measure obj_type=screen_var_run_t +dont_measure obj_type=sendmail_var_run_t +dont_measure obj_type=sensord_var_run_t +dont_measure obj_type=setrans_var_run_t +dont_measure obj_type=setroubleshoot_var_run_t +dont_measure obj_type=slapd_var_run_t +dont_measure obj_type=slpd_var_run_t +dont_measure obj_type=smbd_var_run_t +dont_measure obj_type=smokeping_var_run_t +dont_measure obj_type=smsd_var_run_t +dont_measure obj_type=snmpd_var_run_t +dont_measure obj_type=snort_var_run_t +dont_measure obj_type=sosreport_var_run_t +dont_measure obj_type=soundd_var_run_t +dont_measure obj_type=spamass_milter_data_t +dont_measure obj_type=spamd_var_run_t +dont_measure obj_type=spc_var_run_t +dont_measure obj_type=squid_var_run_t +dont_measure obj_type=srvsvcd_var_run_t +dont_measure obj_type=sshd_var_run_t +dont_measure obj_type=sslh_var_run_t +dont_measure obj_type=sssd_public_t +dont_measure obj_type=sssd_var_run_t +dont_measure obj_type=stapserver_var_run_t +dont_measure obj_type=stunnel_var_run_t +dont_measure obj_type=svnserve_var_run_t +dont_measure obj_type=swat_var_run_t +dont_measure obj_type=swift_var_run_t +dont_measure obj_type=syslogd_var_run_t +dont_measure obj_type=system_cronjob_var_run_t +dont_measure obj_type=system_dbusd_var_run_t +dont_measure obj_type=systemd_bootchart_var_run_t +dont_measure obj_type=systemd_importd_var_run_t +dont_measure obj_type=systemd_logind_inhibit_var_run_t +dont_measure obj_type=systemd_logind_sessions_t +dont_measure obj_type=systemd_logind_var_run_t +dont_measure obj_type=systemd_machined_var_run_t +dont_measure obj_type=systemd_networkd_var_run_t +dont_measure obj_type=systemd_passwd_var_run_t +dont_measure obj_type=systemd_resolved_var_run_t +dont_measure obj_type=systemd_timedated_var_run_t +dont_measure obj_type=systemd_userdbd_runtime_t +dont_measure obj_type=tangd_cache_t 
+dont_measure obj_type=targetclid_var_run_t +dont_measure obj_type=telnetd_var_run_t +dont_measure obj_type=tftpd_var_run_t +dont_measure obj_type=tgtd_var_run_t +dont_measure obj_type=thin_aeolus_configserver_var_run_t +dont_measure obj_type=thin_var_run_t +dont_measure obj_type=timemaster_var_run_t +dont_measure obj_type=tlp_var_run_t +dont_measure obj_type=tomcat_var_run_t +dont_measure obj_type=tor_var_run_t +dont_measure obj_type=tuned_var_run_t +dont_measure obj_type=udev_var_run_t +dont_measure obj_type=uml_switch_var_run_t +dont_measure obj_type=usbmuxd_var_run_t +dont_measure obj_type=useradd_var_run_t +dont_measure obj_type=uucpd_var_run_t +dont_measure obj_type=uuidd_var_run_t +dont_measure obj_type=var_run_t +dont_measure obj_type=varnishd_var_run_t +dont_measure obj_type=varnishlog_var_run_t +dont_measure obj_type=vdagent_var_run_t +dont_measure obj_type=vhostmd_var_run_t +dont_measure obj_type=virt_common_var_run_t +dont_measure obj_type=virt_lxc_var_run_t +dont_measure obj_type=virt_qemu_ga_var_run_t +dont_measure obj_type=virt_var_run_t +dont_measure obj_type=virtlogd_var_run_t +dont_measure obj_type=vmware_host_pid_t +dont_measure obj_type=vmware_pid_t +dont_measure obj_type=vnstatd_var_run_t +dont_measure obj_type=vpnc_var_run_t +dont_measure obj_type=watchdog_var_run_t +dont_measure obj_type=wdmd_var_run_t +dont_measure obj_type=wicked_var_run_t +dont_measure obj_type=winbind_rpcd_var_run_t +dont_measure obj_type=winbind_var_run_t +dont_measure obj_type=xdm_var_run_t +dont_measure obj_type=xenconsoled_var_run_t +dont_measure obj_type=xend_var_run_t +dont_measure obj_type=xenstored_var_run_t +dont_measure obj_type=xserver_var_run_t +dont_measure obj_type=ypbind_var_run_t +dont_measure obj_type=yppasswdd_var_run_t +dont_measure obj_type=ypserv_var_run_t +dont_measure obj_type=ypxfr_var_run_t +dont_measure obj_type=zabbix_var_run_t +dont_measure obj_type=zarafa_deliver_var_run_t +dont_measure obj_type=zarafa_gateway_var_run_t +dont_measure 
obj_type=zarafa_ical_var_run_t +dont_measure obj_type=zarafa_indexer_var_run_t +dont_measure obj_type=zarafa_monitor_var_run_t +dont_measure obj_type=zarafa_server_var_run_t +dont_measure obj_type=zarafa_spooler_var_run_t +dont_measure obj_type=zebra_var_run_t +dont_measure obj_type=zoneminder_var_run_t + +# for i in $(seinfo -aspoolfile -x | grep _t | tr '[:space:]' " "); do echo "dont_measure obj_type=$i"; done +dont_measure obj_type=abrt_retrace_spool_t +dont_measure obj_type=asterisk_spool_t +dont_measure obj_type=audit_spool_t +dont_measure obj_type=courier_spool_t +dont_measure obj_type=cron_spool_t +dont_measure obj_type=dovecot_spool_t +dont_measure obj_type=exim_spool_t +dont_measure obj_type=mail_spool_t +dont_measure obj_type=mqueue_spool_t +dont_measure obj_type=nagios_spool_t +dont_measure obj_type=news_spool_t +dont_measure obj_type=plymouthd_spool_t +dont_measure obj_type=postfix_spool_bounce_t +dont_measure obj_type=postfix_spool_t +dont_measure obj_type=postgrey_spool_t +dont_measure obj_type=prelude_spool_t +dont_measure obj_type=print_spool_t +dont_measure obj_type=pyicqt_var_spool_t +dont_measure obj_type=qmail_spool_t +dont_measure obj_type=rwho_spool_t +dont_measure obj_type=spamd_spool_t +dont_measure obj_type=squirrelmail_spool_t +dont_measure obj_type=system_cron_spool_t +dont_measure obj_type=user_cron_spool_t +dont_measure obj_type=uucpd_spool_t +dont_measure obj_type=var_spool_t +dont_measure obj_type=xdm_spool_t + +# for i in $(seinfo -atmpfile -x | grep _t | tr '[:space:]' " "); do echo "dont_measure obj_type=$i"; done +dont_measure obj_type=NetworkManager_tmp_t +dont_measure obj_type=abrt_tmp_t +dont_measure obj_type=abrt_upload_watch_tmp_t +dont_measure obj_type=abrt_var_cache_t +dont_measure obj_type=admin_crontab_tmp_t +dont_measure obj_type=alsa_tmp_t +dont_measure obj_type=amanda_tmp_t +dont_measure obj_type=antivirus_tmp_t +dont_measure obj_type=apcupsd_tmp_t +dont_measure obj_type=apmd_tmp_t +dont_measure 
obj_type=arpwatch_tmp_t +dont_measure obj_type=asterisk_tmp_t +dont_measure obj_type=auditadm_sudo_tmp_t +dont_measure obj_type=auditd_tmp_t +dont_measure obj_type=automount_tmp_t +dont_measure obj_type=awstats_tmp_t +dont_measure obj_type=bacula_tmp_t +dont_measure obj_type=bitlbee_tmp_t +dont_measure obj_type=blueman_tmp_t +dont_measure obj_type=bluetooth_helper_tmp_t +dont_measure obj_type=bluetooth_helper_tmpfs_t +dont_measure obj_type=bluetooth_tmp_t +dont_measure obj_type=boinc_project_tmp_t +dont_measure obj_type=boinc_tmp_t +dont_measure obj_type=bootloader_tmp_t +dont_measure obj_type=bugzilla_tmp_t +dont_measure obj_type=cardmgr_dev_t +dont_measure obj_type=ccs_tmp_t +dont_measure obj_type=cdcc_tmp_t +dont_measure obj_type=certmonger_tmp_t +dont_measure obj_type=chrome_sandbox_tmp_t +dont_measure obj_type=chronyd_tmp_t +dont_measure obj_type=cinder_api_tmp_t +dont_measure obj_type=cinder_backup_tmp_t +dont_measure obj_type=cinder_scheduler_tmp_t +dont_measure obj_type=cinder_volume_tmp_t +dont_measure obj_type=cloud_init_tmp_t +dont_measure obj_type=cluster_tmp_t +dont_measure obj_type=cobbler_tmp_t +dont_measure obj_type=collectd_script_tmp_t +dont_measure obj_type=colord_tmp_t +dont_measure obj_type=comsat_tmp_t +dont_measure obj_type=condor_master_tmp_t +dont_measure obj_type=condor_schedd_tmp_t +dont_measure obj_type=condor_startd_tmp_t +dont_measure obj_type=conman_tmp_t +dont_measure obj_type=container_runtime_tmp_t +dont_measure obj_type=couchdb_tmp_t +dont_measure obj_type=crack_tmp_t +dont_measure obj_type=crond_tmp_t +dont_measure obj_type=crontab_tmp_t +dont_measure obj_type=ctdbd_tmp_t +dont_measure obj_type=cups_pdf_tmp_t +dont_measure obj_type=cupsd_lpd_tmp_t +dont_measure obj_type=cupsd_tmp_t +dont_measure obj_type=cvs_tmp_t +dont_measure obj_type=cyphesis_tmp_t +dont_measure obj_type=cyrus_tmp_t +dont_measure obj_type=dbadm_sudo_tmp_t +dont_measure obj_type=dbskkd_tmp_t +dont_measure obj_type=dcc_client_tmp_t +dont_measure 
obj_type=dcc_dbclean_tmp_t +dont_measure obj_type=dccd_tmp_t +dont_measure obj_type=dccifd_tmp_t +dont_measure obj_type=dccm_tmp_t +dont_measure obj_type=ddclient_tmp_t +dont_measure obj_type=deltacloudd_tmp_t +dont_measure obj_type=devicekit_tmp_t +dont_measure obj_type=dhcpc_tmp_t +dont_measure obj_type=dhcpd_tmp_t +dont_measure obj_type=dirsrv_tmp_t +dont_measure obj_type=dirsrvadmin_tmp_t +dont_measure obj_type=disk_munin_plugin_tmp_t +dont_measure obj_type=dkim_milter_tmp_t +dont_measure obj_type=dnsmasq_tmp_t +dont_measure obj_type=dnssec_trigger_tmp_t +dont_measure obj_type=dovecot_auth_tmp_t +dont_measure obj_type=dovecot_deliver_tmp_t +dont_measure obj_type=dovecot_tmp_t +dont_measure obj_type=drbd_tmp_t +dont_measure obj_type=exim_tmp_t +dont_measure obj_type=fail2ban_tmp_t +dont_measure obj_type=fenced_tmp_t +dont_measure obj_type=firewalld_tmp_t +dont_measure obj_type=firewallgui_tmp_t +dont_measure obj_type=fprintd_tmp_t +dont_measure obj_type=fsadm_tmp_t +dont_measure obj_type=fsdaemon_tmp_t +dont_measure obj_type=ftpd_tmp_t +dont_measure obj_type=ftpdctl_tmp_t +dont_measure obj_type=games_tmp_t +dont_measure obj_type=games_tmpfs_t +dont_measure obj_type=gconf_tmp_t +dont_measure obj_type=geoclue_tmp_t +dont_measure obj_type=getty_tmp_t +dont_measure obj_type=git_script_tmp_t +dont_measure obj_type=gkeyringd_tmp_t +dont_measure obj_type=glance_registry_tmp_t +dont_measure obj_type=glance_tmp_t +dont_measure obj_type=glusterd_tmp_t +dont_measure obj_type=gpg_agent_tmp_t +dont_measure obj_type=gpg_agent_tmpfs_t +dont_measure obj_type=gpg_pinentry_tmp_t +dont_measure obj_type=gpg_pinentry_tmpfs_t +dont_measure obj_type=gpm_tmp_t +dont_measure obj_type=gssd_tmp_t +dont_measure obj_type=hsqldb_tmp_t +dont_measure obj_type=httpd_php_tmp_t +dont_measure obj_type=httpd_suexec_tmp_t +dont_measure obj_type=httpd_tmp_t +dont_measure obj_type=inetd_child_tmp_t +dont_measure obj_type=inetd_tmp_t +dont_measure obj_type=init_tmp_t +dont_measure obj_type=initrc_tmp_t 
+dont_measure obj_type=ipsec_tmp_t +dont_measure obj_type=iptables_tmp_t +dont_measure obj_type=iscsi_tmp_t +dont_measure obj_type=jetty_tmp_t +dont_measure obj_type=kadmind_tmp_t +dont_measure obj_type=kdumpctl_tmp_t +dont_measure obj_type=kdumpgui_tmp_t +dont_measure obj_type=keepalived_tmp_t +dont_measure obj_type=keystone_tmp_t +dont_measure obj_type=kismet_tmp_t +dont_measure obj_type=kismet_tmpfs_t +dont_measure obj_type=klogd_tmp_t +dont_measure obj_type=kmod_tmp_t +dont_measure obj_type=krb5_host_rcache_t +dont_measure obj_type=krb5kdc_tmp_t +dont_measure obj_type=ktalkd_tmp_t +dont_measure obj_type=l2tpd_tmp_t +dont_measure obj_type=ldconfig_tmp_t +dont_measure obj_type=livecd_tmp_t +dont_measure obj_type=logrotate_mail_tmp_t +dont_measure obj_type=logrotate_tmp_t +dont_measure obj_type=logwatch_mail_tmp_t +dont_measure obj_type=logwatch_tmp_t +dont_measure obj_type=lpd_tmp_t +dont_measure obj_type=lpr_tmp_t +dont_measure obj_type=lsassd_tmp_t +dont_measure obj_type=lsmd_plugin_tmp_t +dont_measure obj_type=lvm_tmp_t +dont_measure obj_type=mail_munin_plugin_tmp_t +dont_measure obj_type=mailman_cgi_tmp_t +dont_measure obj_type=mailman_mail_tmp_t +dont_measure obj_type=mailman_queue_tmp_t +dont_measure obj_type=mdadm_tmp_t +dont_measure obj_type=mediawiki_tmp_t +dont_measure obj_type=mock_tmp_t +dont_measure obj_type=mojomojo_tmp_t +dont_measure obj_type=mongod_tmp_t +dont_measure obj_type=mount_tmp_t +dont_measure obj_type=mozilla_plugin_tmp_t +dont_measure obj_type=mozilla_plugin_tmpfs_t +dont_measure obj_type=mozilla_tmp_t +dont_measure obj_type=mozilla_tmpfs_t +dont_measure obj_type=mpd_tmp_t +dont_measure obj_type=mplayer_tmpfs_t +dont_measure obj_type=mscan_tmp_t +dont_measure obj_type=munin_script_tmp_t +dont_measure obj_type=munin_tmp_t +dont_measure obj_type=mysqld_tmp_t +dont_measure obj_type=nagios_eventhandler_plugin_tmp_t +dont_measure obj_type=nagios_openshift_plugin_tmp_t +dont_measure obj_type=nagios_system_plugin_tmp_t +dont_measure 
obj_type=nagios_tmp_t +dont_measure obj_type=named_tmp_t +dont_measure obj_type=netutils_tmp_t +dont_measure obj_type=neutron_tmp_t +dont_measure obj_type=nfsd_tmp_t +dont_measure obj_type=nova_tmp_t +dont_measure obj_type=nsd_tmp_t +dont_measure obj_type=ntop_tmp_t +dont_measure obj_type=ntpd_tmp_t +dont_measure obj_type=nut_upsd_tmp_t +dont_measure obj_type=nut_upsdrvctl_tmp_t +dont_measure obj_type=nut_upsmon_tmp_t +dont_measure obj_type=nx_server_tmp_t +dont_measure obj_type=opendnssec_tmp_t +dont_measure obj_type=openshift_app_tmp_t +dont_measure obj_type=openshift_cgroup_read_tmp_t +dont_measure obj_type=openshift_cron_tmp_t +dont_measure obj_type=openshift_initrc_tmp_t +dont_measure obj_type=openshift_tmp_t +dont_measure obj_type=openvpn_tmp_t +dont_measure obj_type=openvswitch_tmp_t +dont_measure obj_type=openwsman_tmp_t +dont_measure obj_type=oracleasm_tmp_t +dont_measure obj_type=pam_timestamp_tmp_t +dont_measure obj_type=passenger_tmp_t +dont_measure obj_type=pcp_tmp_t +dont_measure obj_type=pegasus_openlmi_storage_tmp_t +dont_measure obj_type=pegasus_tmp_t +dont_measure obj_type=pesign_tmp_t +dont_measure obj_type=piranha_web_tmp_t +dont_measure obj_type=pkcs_slotd_tmp_t +dont_measure obj_type=pki_tomcat_tmp_t +dont_measure obj_type=podsleuth_tmp_t +dont_measure obj_type=podsleuth_tmpfs_t +dont_measure obj_type=policykit_tmp_t +dont_measure obj_type=portmap_tmp_t +dont_measure obj_type=postfix_bounce_tmp_t +dont_measure obj_type=postfix_cleanup_tmp_t +dont_measure obj_type=postfix_local_tmp_t +dont_measure obj_type=postfix_map_tmp_t +dont_measure obj_type=postfix_pickup_tmp_t +dont_measure obj_type=postfix_pipe_tmp_t +dont_measure obj_type=postfix_qmgr_tmp_t +dont_measure obj_type=postfix_smtp_tmp_t +dont_measure obj_type=postfix_smtpd_tmp_t +dont_measure obj_type=postfix_virtual_tmp_t +dont_measure obj_type=postgresql_tmp_t +dont_measure obj_type=pppd_tmp_t +dont_measure obj_type=prelink_tmp_t +dont_measure obj_type=prelude_lml_tmp_t +dont_measure 
obj_type=procmail_tmp_t +dont_measure obj_type=prosody_tmp_t +dont_measure obj_type=psad_tmp_t +dont_measure obj_type=pulseaudio_tmpfs_t +dont_measure obj_type=puppet_tmp_t +dont_measure obj_type=puppetmaster_tmp_t +dont_measure obj_type=qpidd_tmp_t +dont_measure obj_type=rabbitmq_tmp_t +dont_measure obj_type=racoon_tmp_t +dont_measure obj_type=realmd_tmp_t +dont_measure obj_type=redis_tmp_t +dont_measure obj_type=rhev_agentd_tmp_t +dont_measure obj_type=rhsmcertd_tmp_t +dont_measure obj_type=ricci_tmp_t +dont_measure obj_type=rlogind_tmp_t +dont_measure obj_type=rolekit_tmp_t +dont_measure obj_type=rpcbind_tmp_t +dont_measure obj_type=rpm_script_tmp_t +dont_measure obj_type=rpm_tmp_t +dont_measure obj_type=rpmdb_tmp_t +dont_measure obj_type=rsync_tmp_t +dont_measure obj_type=rtas_errd_tmp_t +dont_measure obj_type=samba_net_tmp_t +dont_measure obj_type=sbd_tmpfs_t +dont_measure obj_type=sblim_tmp_t +dont_measure obj_type=secadm_sudo_tmp_t +dont_measure obj_type=sectool_tmp_t +dont_measure obj_type=selinux_munin_plugin_tmp_t +dont_measure obj_type=semanage_tmp_t +dont_measure obj_type=sendmail_tmp_t +dont_measure obj_type=services_munin_plugin_tmp_t +dont_measure obj_type=session_dbusd_tmp_t +dont_measure obj_type=setroubleshoot_fixit_tmp_t +dont_measure obj_type=setroubleshoot_tmp_t +dont_measure obj_type=sge_tmp_t +dont_measure obj_type=shorewall_tmp_t +dont_measure obj_type=slapd_tmp_t +dont_measure obj_type=smbd_tmp_t +dont_measure obj_type=smoltclient_tmp_t +dont_measure obj_type=smsd_tmp_t +dont_measure obj_type=snapperd_tmp_t +dont_measure obj_type=snort_tmp_t +dont_measure obj_type=sosreport_tmp_t +dont_measure obj_type=soundd_tmp_t +dont_measure obj_type=spamc_tmp_t +dont_measure obj_type=spamd_tmp_t +dont_measure obj_type=speech_dispatcher_tmp_t +dont_measure obj_type=squid_tmp_t +dont_measure obj_type=squirrelmail_spool_t +dont_measure obj_type=ssh_agent_tmp_t +dont_measure obj_type=ssh_keygen_tmp_t +dont_measure obj_type=ssh_tmpfs_t +dont_measure 
obj_type=staff_sudo_tmp_t +dont_measure obj_type=stapserver_tmp_t +dont_measure obj_type=stapserver_tmpfs_t +dont_measure obj_type=stunnel_tmp_t +dont_measure obj_type=svirt_tmp_t +dont_measure obj_type=svnserve_tmp_t +dont_measure obj_type=swat_tmp_t +dont_measure obj_type=swift_tmp_t +dont_measure obj_type=sysadm_passwd_tmp_t +dont_measure obj_type=sysadm_sudo_tmp_t +dont_measure obj_type=syslogd_tmp_t +dont_measure obj_type=system_cronjob_tmp_t +dont_measure obj_type=system_dbusd_tmp_t +dont_measure obj_type=system_mail_tmp_t +dont_measure obj_type=system_munin_plugin_tmp_t +dont_measure obj_type=systemd_importd_tmp_t +dont_measure obj_type=targetclid_tmp_t +dont_measure obj_type=targetd_tmp_t +dont_measure obj_type=tcpd_tmp_t +dont_measure obj_type=telepathy_gabble_tmp_t +dont_measure obj_type=telepathy_idle_tmp_t +dont_measure obj_type=telepathy_logger_tmp_t +dont_measure obj_type=telepathy_mission_control_tmp_t +dont_measure obj_type=telepathy_msn_tmp_t +dont_measure obj_type=telepathy_salut_tmp_t +dont_measure obj_type=telepathy_sofiasip_tmp_t +dont_measure obj_type=telepathy_stream_engine_tmp_t +dont_measure obj_type=telepathy_sunshine_tmp_t +dont_measure obj_type=telnetd_tmp_t +dont_measure obj_type=tetex_data_t +dont_measure obj_type=tgtd_tmp_t +dont_measure obj_type=thumb_tmp_t +dont_measure obj_type=tmp_t +dont_measure obj_type=tomcat_tmp_t +dont_measure obj_type=tuned_tmp_t +dont_measure obj_type=tvtime_tmp_t +dont_measure obj_type=tvtime_tmpfs_t +dont_measure obj_type=udev_tmp_t +dont_measure obj_type=uml_tmp_t +dont_measure obj_type=uml_tmpfs_t +dont_measure obj_type=unconfined_munin_plugin_tmp_t +dont_measure obj_type=user_fonts_t +dont_measure obj_type=user_mail_tmp_t +dont_measure obj_type=user_tmp_t +dont_measure obj_type=uucpd_tmp_t +dont_measure obj_type=var_spool_t +dont_measure obj_type=varnishd_tmp_t +dont_measure obj_type=virt_qemu_ga_tmp_t +dont_measure obj_type=virt_tmp_t +dont_measure obj_type=vmtools_tmp_t +dont_measure 
obj_type=vmware_host_tmp_t
+dont_measure obj_type=vmware_tmp_t
+dont_measure obj_type=vmware_tmpfs_t
+dont_measure obj_type=vpnc_tmp_t
+dont_measure obj_type=w3c_validator_tmp_t
+dont_measure obj_type=webadm_tmp_t
+dont_measure obj_type=webalizer_tmp_t
+dont_measure obj_type=wicked_tmp_t
+dont_measure obj_type=wireshark_tmp_t
+dont_measure obj_type=wireshark_tmpfs_t
+dont_measure obj_type=xauth_tmp_t
+dont_measure obj_type=xend_tmp_t
+dont_measure obj_type=xenstored_tmp_t
+dont_measure obj_type=xserver_tmpfs_t
+dont_measure obj_type=ypbind_tmp_t
+dont_measure obj_type=ypserv_tmp_t
+dont_measure obj_type=zabbix_tmp_t
+dont_measure obj_type=zarafa_deliver_tmp_t
+dont_measure obj_type=zarafa_indexer_tmp_t
+dont_measure obj_type=zarafa_server_tmp_t
+dont_measure obj_type=zarafa_var_lib_t
+dont_measure obj_type=zebra_tmp_t
+
+# for i in $(seinfo -avirt_image_type -x | grep _t | tr '[:space:]' " "); do echo "dont_measure obj_type=$i"; done
+dont_measure obj_type=svirt_image_t
+dont_measure obj_type=virt_content_t
+dont_measure obj_type=virt_image_t
+dont_measure obj_type=xen_image_t
+
+measure func=MMAP_CHECK mask=MAY_EXEC
+measure func=BPRM_CHECK mask=MAY_EXEC
+measure func=FILE_CHECK mask=^MAY_READ euid=0
+measure func=FILE_CHECK mask=^MAY_READ uid=0
+measure func=MODULE_CHECK
+measure func=FIRMWARE_CHECK
+measure func=POLICY_CHECK
diff --git a/ima-policy.service b/ima-policy.service
new file mode 100644
index 0000000..2a838a5
--- /dev/null
+++ b/ima-policy.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Load the IMA Policy
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+Environment=IMA_SECFS_POLICY=/sys/kernel/security/ima/policy
+Environment=IMA_POLICY=/etc/ima/ima-policy.POST-SYSTEMD
+ExecStart=bash -c '[ -f $IMA_SECFS_POLICY ] && [ -f $IMA_POLICY ] && cat $IMA_POLICY > $IMA_SECFS_POLICY'
+TimeoutStartSec=0
+
+[Install]
+WantedBy=basic.target
diff --git a/keylime-agent.conf.diff b/keylime-agent.conf.diff
new file mode 100644
index 0000000..08d2bd6
--- /dev/null
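Review bot: The ExecStart line at the end of the ima-policy.service hunk turns a missing policy file or a kernel without IMA securityfs into a failed unit, because `[ -f ... ] && ...` exits non-zero when a test is false and a Type=oneshot service reports that as a failure. Expressing the two preconditions as unit conditions lets systemd skip the unit cleanly instead: `ConditionPathExists=/sys/kernel/security/ima/policy` and `ConditionPathExists=/etc/ima/ima-policy.POST-SYSTEMD` under [Unit], leaving `ExecStart=bash -c 'cat $IMA_POLICY > $IMA_SECFS_POLICY'`. Because the unit is only pulled in by basic.target, everything executed earlier in boot runs before this policy is active, which is presumably why the file is named POST-SYSTEMD; a one-line comment in the unit stating that coverage gap would help whoever later tightens the policy. With the conditions moved out, a rejected write (cat exiting non-zero) still fails the unit loudly, which is the right outcome for an attestation-relevant service.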
+++ b/keylime-agent.conf.diff
@@ -0,0 +1,42 @@
+Index: rust-keylime-0.2.0+git.1677002906.cf6c4f0/keylime-agent.conf
+===================================================================
+--- rust-keylime-0.2.0+git.1677002906.cf6c4f0.orig/keylime-agent.conf
++++ rust-keylime-0.2.0+git.1677002906.cf6c4f0/keylime-agent.conf
+@@ -19,13 +19,15 @@ version = "2.2"
+ # of 'SHA256(public EK in PEM format)'.
+ #
+ # To override, set KEYLIME_AGENT_UUID environment variable.
+-uuid = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000"
++# uuid = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000"
++uuid = "generate"
+ 
+ # The binding IP address and port for the agent server
+ #
+ # To override ip, set KEYLIME_AGENT_IP environment variable.
+ # To override port, set KEYLIME_AGENT_PORT environment variable.
+-ip = "127.0.0.1"
++# ip = "127.0.0.1"
++ip = "0.0.0.0"
+ port = 9002
+ 
+ # Address and port where the verifier and tenant can connect to reach the agent.
+@@ -41,7 +43,8 @@ contact_port = 9002
+ # To override registrar_ip, set KEYLIME_AGENT_REGISTRAR_IP environment variable.
+ # To override registrar_port, set KEYLIME_AGENT_REGISTRAR_PORT environment
+ # variable.
+-registrar_ip = "127.0.0.1"
++# registrar_ip = "127.0.0.1"
++registrar_ip = ""
+ registrar_port = 8890
+ 
+ # Enable mTLS communication between agent, verifier and tenant.
+@@ -151,7 +154,8 @@ revocation_actions_dir = "/usr/libexec/k
+ # KEYLIME_AGENT_REVOCATION_NOTIFICATION_IP environment variable.
+ # To override revocation_notification_port, set
+ # KEYLIME_AGENT_REVOCATION_NOTIFICATION_PORT environment variable.
+-revocation_notification_ip = "127.0.0.1"
++# revocation_notification_ip = "127.0.0.1"
++revocation_notification_ip = ""
+ revocation_notification_port = 8992
+ 
+ # The path to the certificate to verify revocation messages received from the
diff --git a/keylime-user.conf b/keylime-user.conf
new file mode 100644
index 0000000..48ee0dc
--- /dev/null
+++ b/keylime-user.conf
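Review bot: The `+ip = "0.0.0.0"` line in the first nested hunk changes the packaged default from loopback to all interfaces, so a freshly installed agent exposes port 9002 on every address before an administrator has configured anything; the keylime.xml added in the same commit looks like a firewalld service definition, which suggests this is deliberate, but nothing in the patch records the reasoning. A comment above the replacement line, such as `# Listen on all interfaces so the remote verifier/tenant can reach the agent; restrict with KEYLIME_AGENT_IP or a firewall zone`, would keep the decision next to the setting it changes. The same applies to `registrar_ip = ""` and `revocation_notification_ip = ""`, which drop working loopback defaults for empty strings whose effect on the agent is not explained anywhere in the patch. The `Index:` and `---`/`+++` headers still name rust-keylime-0.2.0+git.1677002906.cf6c4f0 while this commit builds 0.2.6+13, so the patch is presumably applied with fuzz; refreshing it against the current keylime-agent.conf would keep the hunk offsets and context honest.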
@@ -0,0 +1,2 @@
+# Type Name ID GECOS [HOME]
+u keylime - "Keylime agent" /var/lib/keylime
diff --git a/keylime.xml b/keylime.xml
new file mode 100644
index 0000000..2902ad8
--- /dev/null
+++ b/keylime.xml
@@ -0,0 +1,10 @@
+
+
+ Keylime
+ Keylime is a remote attestation tool that requires access to several ports.
+
+
+
+
+
+
diff --git a/rust-keylime-0.2.6+13.obscpio b/rust-keylime-0.2.6+13.obscpio
new file mode 100644
index 0000000..b506e72
--- /dev/null
+++ b/rust-keylime-0.2.6+13.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:41daaa20dbba56925b18176a1a7c351e7b0d587608d64b14471f064130698e7b
+size 434827790
diff --git a/rust-keylime-0.2.6+13.tar.zst b/rust-keylime-0.2.6+13.tar.zst
new file mode 100644
index 0000000..cc1b0cb
--- /dev/null
+++ b/rust-keylime-0.2.6+13.tar.zst
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c877bd6c2694cba637356b0761f1adcfb52c3f291b1e996432bdc91c5c326ee1
+size 33706896
diff --git a/rust-keylime-0.2.6~0.tar.zst b/rust-keylime-0.2.6~0.tar.zst
new file mode 100644
index 0000000..02435dc
--- /dev/null
+++ b/rust-keylime-0.2.6~0.tar.zst
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:19038bff7afd68bc418b2a161a906010c2e3649ed79e65d1a3eb657f853c8404
+size 180453
diff --git a/rust-keylime.changes b/rust-keylime.changes
new file mode 100644
index 0000000..f1594cb
--- /dev/null
+++ b/rust-keylime.changes
@@ -0,0 +1,743 @@
+-------------------------------------------------------------------
+Mon Sep 02 11:53:27 UTC 2024 - aplanas@suse.com
+
+- Update vendored crates (bsc#1229952, bsc#1230029)
+ * rustix 0.37.25
+ * rustix 0.38.34
+ * shlex 1.3.0
+
+- Update to version 0.2.6+13:
+ * Enable test functional/iak-idevid-persisted-and-protected
+ * build(deps): bump uuid from 1.7.0 to 1.10.0
+ * build(deps): bump openssl from 0.10.64 to 0.10.66
+ * keylime-agent/src/revocation: Fix comment indentation
+ * keylime/crypto: Fix indentation of documentation comment
+ * build(deps): bump thiserror from 1.0.59 to 1.0.63
+ * build(deps): bump serde_json from 1.0.116 to 1.0.120
+ * dependabot: Extend to also monitor workflow actions
+ * ci: Disable Packit CI on CentOS Stream 9
+ * ci: use CODECOV_TOKEN when submitting coverage data
+ * revocation: Use into() for unfallible transformation
+ * secure_mount: Fix possible infinite loop
+ * error: Rename enum variants to avoid clippy warning
+
+-------------------------------------------------------------------
+Fri Jun 14 07:39:29 UTC 2024 - aplanas@suse.com
+
+- Update to version 0.2.6~0:
+ * Bump version to 0.2.6
+ * build(deps): bump libc from 0.2.153 to 0.2.155
+ * build(deps): bump serde from 1.0.196 to 1.0.203
+ * rpm/fedora: Update rust macro usage
+ * config: Support hostnames in registrar_ip option
+ * added use of persisted IAK and IDevID and authorisation values
+ * config changes
+ * Adding /agent/info API to agent
+ * Fix leftover 'unnecessary qualification' warnings on tests
+
+-------------------------------------------------------------------
+Thu May 16 13:40:05 UTC 2024 - aplanas@suse.com
+
+- Update to version 0.2.5~4:
+ * Fix 'unnecessary qualification' warnings
+ * fix IAK template to match IDevID
+ * rpm: fix COPR RPMs build for centos-stream-10
+ * Build COPR RPMs for centos-stream-10
+
+-------------------------------------------------------------------
+Thu May 02 07:31:40 UTC 2024 - aplanas@suse.com
+
+- 
Update to version 0.2.5~0:
+ * Bump version to 0.2.5
+ * cargo: Relax required version for pest crate
+ * build(deps): bump log from 0.4.20 to 0.4.21
+ * build(deps): bump thiserror from 1.0.56 to 1.0.59
+
+-------------------------------------------------------------------
+Tue Apr 30 07:52:30 UTC 2024 - aplanas@suse.com
+
+- actix-web update moves rustls as feature (bsc#1223234, CVE-2024-32650)
+- Update to version 0.2.4~39:
+ * build(deps): bump openssl from 0.10.63 to 0.10.64
+ * build(deps): bump h2 from 0.3.24 to 0.3.26
+ * build(deps): bump serde_json from 1.0.107 to 1.0.116
+ * build(deps): bump actix-web from 4.4.1 to 4.5.1
+ * crypto: Enable TLS 1.3
+ * build(deps): bump tempfile from 3.9.0 to 3.10.1
+ * build(deps): bump mio from 0.8.4 to 0.8.11
+ * enable hex values to be used for tpm_ownerpassword
+ * config: Support IPv6 with or without brackets
+ * keylime: Implement a simple IP parser to remove brackets
+ * crypto: Implement CertificateBuilder to generate certificates
+ * tests: Fix coverage download by supporting arbitrary URL
+ * cargo: Add testing feature to keylime library
+ * Set X509 SAN with local DNSname/IP/IPv6
+ * Include newest Node20 versions for Github actions
+ * tpm: Add unit test for uncovered public functions
+ * crypto: Implement ECC key generation support
+ * crypto: Add test for match_cert_to_template()
+ * Fix minor typo, format and remove end whitespaces
+ * crypto: Make error types less specific
+ * tests/run.sh: Run tarpaulin with a single thread
+ * payloads: Remove explicit drop of channel transmitter
+ * crypto: Move to keylime library
+ * crypto: Add specific type for every possible error
+ * tpm: Rename origin of error as source in structures
+ * list_parser: Add source for error for backtrace
+ * algorithms: Make errors more specific
+ * typo fix for default path to measured boot log file
+ * README: remove mentions of libarchive as a dependency
+ * Dockerfile.wolfi: Update clang to version 17
+ * docker: Remove 
libarchive as a dependency
+ * rpm: Remove libarchive from dependencies
+ * cargo: Replace compress-tools with zip crate
+ * cargo: Bump ahash to version 0.8.7
+ * build(deps): bump serde from 1.0.195 to 1.0.196
+ * build(deps): bump libc from 0.2.152 to 0.2.153
+ * build(deps): bump reqwest from 0.11.23 to 0.11.24
+ * docker: Install configuration file in the correct path
+ * config: Make IAK/IDevID disabled by default
+
+-------------------------------------------------------------------
+Wed Jan 31 09:22:00 UTC 2024 - aplanas@suse.com
+
+- Update to version 0.2.4+git.1706692574.a744517:
+ * Bump version to 0.2.4
+ * build(deps): bump uuid from 1.4.1 to 1.7.0
+ * keylime-agent.conf: Allow setting event logs paths
+ * Mutable log paths: allow IMA and MBA log paths to be overridden by keylime configuration.
+ * workflows: Update checkout action to version 4
+ * build(deps): bump serde from 1.0.188 to 1.0.195
+ * build(deps): bump pest_derive from 2.7.0 to 2.7.6
+ * build(deps): bump openssl from 0.10.62 to 0.10.63
+ * build(deps): bump config from 0.13.3 to 0.13.4
+ * build(deps): bump base64 from 0.21.4 to 0.21.7
+ * build(deps): bump tempfile from 3.8.0 to 3.9.0
+ * build(deps): bump pest from 2.7.0 to 2.7.6
+ * build(deps): bump actix-web from 4.4.0 to 4.4.1
+ * build(deps): bump reqwest from 0.11.22 to 0.11.23
+ * build(deps): bump h2 from 0.3.17 to 0.3.24
+ * build(deps): bump shlex from 1.1.0 to 1.3.0
+ * cargo: Bump tss-esapi to version 7.4.0
+ * workflows: Fix keylime-bot token usage
+ * tpm: Add error context for every possible error
+ * tpm: Add AlgorithmError to TpmError
+ * detect idevid template from certificates
+ * build(deps): bump wiremock from 0.5.18 to 0.5.22
+ * build(deps): bump thiserror from 1.0.48 to 1.0.56
+ * Make use of workspace dependencies
+ * build(deps): bump openssl from 0.10.57 to 0.10.62
+ * packit: Bump Fedora version used for code coverage
+
+-------------------------------------------------------------------
+Fri Dec 01 
10:04:40 UTC 2023 - aplanas@suse.com
+
+- Update to version 0.2.3+git.1701075380.a5dc985:
+ * build(deps): bump actix-rt from 2.8.0 to 2.9.0
+ * Bump version to 0.2.3
+ * build(deps): bump reqwest from 0.11.20 to 0.11.22
+ * Bump configuration version and fix enable_iak_idevid
+ * Enable test functional/iak-idevid-register-with-certificates
+ * Update packit plan with new tests
+ * Add certificates and certificate checking for IDevID and IAK keys (#669)
+
+-------------------------------------------------------------------
+Fri Nov 03 15:23:05 UTC 2023 - aplanas@suse.com
+
+- Update to version 0.2.2+git.1697658634.9c7c6fa:
+ * build(deps): bump rustix from 0.37.11 to 0.37.25
+ * build(deps): bump tempfile from 3.6.0 to 3.8.0
+ * build(deps): bump base64 from 0.21.0 to 0.21.4
+ * build(deps): bump serde_json from 1.0.96 to 1.0.107
+ * build(deps): bump openssl from 0.10.55 to 0.10.57
+ * cargo: Bump serde to version 1.0.188
+ * tests: Fix tarpaulin issues with dropped -v option
+ * build(deps): bump signal-hook from 0.3.15 to 0.3.17
+ * build(deps): bump actix-web from 4.3.1 to 4.4.0
+ * build(deps): bump thiserror from 1.0.40 to 1.0.48
+ * Remove private_in_public
+ * Initial PR to add support for IDevID and IAK
+ * build(deps): bump uuid from 1.3.1 to 1.4.1
+ * build(deps): bump log from 0.4.17 to 0.4.20
+ * build(deps): bump reqwest from 0.11.16 to 0.11.20
+ * Do not use too specific version on cargo audit workflow
+ * Add workflow to run cargo-audit security audit
+ * README: update dependencies for Debian and Ubuntu
+ * Use latest versions of checkout/upload-artifacts
+ * docker: Add 'keylime' system user
+ * Use "currently" for swtpm emulator warning (#632)
+ * Update container workflow actions versions
+ * Build container image and push to quay.io
+ * README: update requirements
+
+-------------------------------------------------------------------
+Fri Jul 14 07:31:23 UTC 2023 - aplanas@suse.com
+
+- Update to version 0.2.2+git.1689256829.3d2b627:
+ * Bump 
version to 0.2.2
+ * build(deps): bump tempfile from 3.5.0 to 3.6.0
+ * removing SIGINT stop signals from Dockerfiles and systemd service, as well as adding SIGTERM to IMA emulator as shutdown signal
+
+-------------------------------------------------------------------
+Wed Jul 12 14:17:39 UTC 2023 - aplanas@suse.com
+
+- Update to version 0.2.1+git.1689167094.67ce0cf:
+ * cargo: Bump serde to version 1.0.166
+ * build(deps): bump libc from 0.2.142 to 0.2.147
+ * adding release Dockerfiles in 3 flavours: fedora, distroless and wolfi
+ * hash: add more configurable hash algorithm for public key digest
+ * cargo: Update clap to version 4.3.11
+ * cargo: Bump tokio crate version to 1.28.2
+ * Add an example of IMA policy
+ * main: Gracefully shutdown on SIGTERM or SIGINT
+ * cargo: Bump proc-macro2 crate version
+ * revocation: Parse revocation actions flexibly
+ * crypto: Add unit tests for x509 functions
+ * crypto: Make internal functions private
+ * config: Add unit test for the list to files mapping
+ * config: Make trusted_client_ca to accept lists
+ * lib: Implement parser for lists from config file
+ * build(deps): bump openssl from 0.10.48 to 0.10.55
+ * Add secure mount sanity test to packit testing. 
+ * [packit] Do not let COPR project expire
+
+-------------------------------------------------------------------
+Wed Jun 7 09:08:22 UTC 2023 - Alberto Planas Dominguez
+
+- Recommends the IMA Policy subpackage only if SELinux is configured
+
+-------------------------------------------------------------------
+Mon Jun 05 08:41:33 UTC 2023 - aplanas@suse.com
+
+- Update to version 0.2.1+git.1685699835.3c9d17c:
+ * Remove MOUNT_SECURE bool
+ * rpm: Remove unused directory and add dependency for mount
+ * keylime-agent/src: update API version to 2.1 to consistent with https://github.com/keylime/keylime/blob/master/docs/rest_apis.rst
+ * docker/fedora/keylime_rust.Dockerfile: add the logic of cloning and compiling rust-keylime
+ * [tests] Update test coverage task name regexp
+ * [tests] Simply coverage file URL parsing
+
+-------------------------------------------------------------------
+Thu Apr 27 09:34:45 UTC 2023 - aplanas@suse.com
+
+- Update to version 0.2.1+git.1682587333.b497f1d:
+ * Bump version to 0.2.1
+ * Cargo: Update base64 to version 0.21
+ * build(deps): bump enumflags2 from 0.7.5 to 0.7.7
+ * build(deps): bump uuid from 1.3.0 to 1.3.1
+ * build(deps): bump libc from 0.2.141 to 0.2.142
+ * keylime-agent/src/common.rs: remove VTPM and IMA stub variables
+ * rpm/fedora: Use vendored dependencies for all versions
+ * packit: Enable building RPM on Copr for fedora-all
+ * rpm/fedora: Fix metadata patch
+ * build(deps): bump serde from 1.0.159 to 1.0.160
+ * build(deps): bump serde_json from 1.0.95 to 1.0.96
+ * cargo: Drop default features from actix-web
+ * cargo: Drop default features from reqwest crate
+ * cargo: Drop default features from config crate
+ * build(deps): bump tempfile from 3.4.0 to 3.5.0
+ * build(deps): bump libc from 0.2.140 to 0.2.141
+
+-------------------------------------------------------------------
+Fri Apr 14 07:42:55 UTC 2023 - aplanas@suse.com
+
+- Update to version 0.2.0+git.1681457715.54484b7:
+ * build(deps): bump h2 
from 0.3.14 to 0.3.17 (CVE-2023-26964, + bsc#1210344) + * build(deps): bump reqwest from 0.11.15 to 0.11.16 + +------------------------------------------------------------------- +Wed Apr 12 14:52:38 UTC 2023 - aplanas@suse.com + +- Update to version 0.2.0+git.1681223954.646cf61: + * Allow setting measured boot log path for testing + * build(deps): bump base64 from 0.13.1 to 0.21.0 + * build(deps): bump wiremock from 0.5.14 to 0.5.18 + * Build Fedora and CentOS packages on Copr using packit + * build(deps): bump serde_json from 1.0.91 to 1.0.95 + * build(deps): bump actix-rt from 2.7.0 to 2.8.0 + * build(deps): bump base64 from 0.13.1 to 0.21.0 + * build(deps): bump serde from 1.0.147 to 1.0.159 + * build(deps): bump glob from 0.3.0 to 0.3.1 + * Add missing test from keylime testsuite to e2e plan + * Fix typo in name of test for generating coverage + * build(deps): bump thiserror from 1.0.38 to 1.0.40 + * build(deps): bump base64 from 0.13.1 to 0.21.0 + * build(deps): bump actix-web from 4.2.1 to 4.3.1 + * build(deps): bump serde from 1.0.145 to 1.0.147 + * build(deps): bump libc from 0.2.139 to 0.2.140 + * build(deps): bump futures from 0.3.25 to 0.3.27 + * build(deps): bump reqwest from 0.11.12 to 0.11.15 + * build(deps): bump config from 0.13.2 to 0.13.3 + * build(deps): bump openssl from 0.10.45 to 0.10.48 + * build(deps): bump tokio from 1.24.2 to 1.26.0 + * Cargo: Update tempfile to 3.4.0 version + +------------------------------------------------------------------- +Wed Mar 15 16:46:28 UTC 2023 - Alberto Planas Dominguez + +- Add keylime-ima-policy subpackage to provide a better IMA policy + +------------------------------------------------------------------- +Thu Mar 02 15:12:27 UTC 2023 - aplanas@suse.com + +- Update to version 0.2.0+git.1677691779.f7edd9a: + * Disable e2e on Rawhide due to RHBZ#2171376 + * Change number of required uploaded files + * Coverage for rust agent as github action. 
+ * config: Skip validation of keylime_dir during tests + +------------------------------------------------------------------- +Thu Mar 2 15:11:47 UTC 2023 - Alberto Planas Dominguez + +- Create the certificiate directory + +------------------------------------------------------------------- +Wed Feb 22 09:07:12 UTC 2023 - aplanas@suse.com + +- Update to version 0.2.0+git.1677002906.cf6c4f0: + * Bump version to 0.2.0 + * packit: Remove workaround for Fedora BZ#2158598 + * ima-emulator: Implement graceful shutdown + * Update tss-esapi in Cargo.toml + * packit: Re-enable tests on Fedora Rawhide + * Deprecate `with-zmq` and `legacy-python-actions` features + +------------------------------------------------------------------- +Thu Feb 16 12:51:38 UTC 2023 - aplanas@suse.com + +- Drop zmq from the feature set +- Remove already merged patches: + * 0001-keylime-agent-remove-const_err-deny.patch + * 0001-Cargo.toml-tss-esapi-bindings.patch +- Update to version 0.1.0+git.1676549716.5382ed9: + * Cargo: Update clap minimum version to 3.2 + * Cargo: Update uuid minimum version to 1.3 + * Cargo: Update tokio minimum version to 1.24 and reduce features + * build(deps): bump tss-esapi from 7.1.0 to 7.2.0 + * cargo deb: include shim.py in packaging + * build(deps): bump thiserror from 1.0.36 to 1.0.38 + * keylime-agent.conf: Add comments on how to override options + * config: Fix overriding options with env vars + * Add missing e2e tests and reordering tests based on alphabetical order + * e2e tests: Fix test name + * Store associated U keys, auth tags, and payloads together + * Refactor ZeroMQ revocation listener to not block + * keylime-agent: Gracefully shutdown on SIGINT + * Refactor async code for keys and payloads + * main: Move payload related functions to payloads module + * main: Run ZeroMQ service in a separate task + * Remove unused option "openstack" for obtaining uuid + * algorithms: fix typo + * clippy: fix uninlined_format_args warnings + * clippy: fix 
needless_borrow warnings + * crypto, mTLS: allow certificate chain for trusted_client_ca + * build(deps): bump base64 from 0.13.0 to 0.13.1 + * build(deps): bump serde_json from 1.0.85 to 1.0.91 + * build(deps): bump libc from 0.2.133 to 0.2.139 + * build(deps): bump bumpalo from 3.11.0 to 3.12.0 + * build(deps): bump futures from 0.3.24 to 0.3.25 + * Cargo.toml: tss-esapi bindings + * packit-ci: Disable Rawhide due to agent compilation issues + * packit-ci: Add hotfix for tpm2-tss Fedora BZ#2158598 + * keylime-agent: remove const_err deny + * build(deps): bump tokio from 1.23.0 to 1.24.2 + +------------------------------------------------------------------- +Mon Jan 16 14:02:08 UTC 2023 - aplanas@suse.com + +- Update to version 0.1.0+git.1672681780.762cec8: + * build(deps): bump openssl from 0.10.41 to 0.10.45 + * build(deps): bump tokio from 1.21.1 to 1.23.0 + * Disable dnf-makecache.service to save RAM + * CI tests: Do not remove Fedora tag repository + * add support for cargo deb + * Pacify clippy::needless-borrow + * Move tpm.rs from keylime-agent to the library + * Split crates into library and applications +- Add 0001-keylime-agent-remove-const_err-deny.patch +- Fix "cargo install" with workspaces + https://github.com/rust-lang/cargo/issues/7599 +- Add 0001-Cargo.toml-tss-esapi-bindings.patch + +------------------------------------------------------------------- +Fri Dec 09 13:10:40 UTC 2022 - aplanas@suse.com + +- Update to version 0.1.0+git.1670590616.e80c67a: + * main: only read uuid from KeylimeConfig + * Enabling more e2e tests in Packit CI + * systemd: start agent after network is online + * Cargo: Drop unused dependencies rust-ini and toml + +------------------------------------------------------------------- +Tue Oct 25 08:16:33 UTC 2022 - aplanas@suse.com + +- Add cargo-audit service per policy +- Update to version 0.1.0+git.1666019359.f5de47b: + * README: mark Rust agent as the official one, fix cargo run command + 
+------------------------------------------------------------------- +Wed Oct 12 07:51:22 UTC 2022 - aplanas@suse.com + +- Drop bindgen.patch as is already upstream +- Update to version 0.1.0+git.1664480840.0ea0492: + * Increase unit testing + * Test all features with cargo tarpaulin + * Cargo.toml: tss-esapi bindings + +------------------------------------------------------------------- +Mon Sep 26 14:15:04 UTC 2022 - aplanas@suse.com + +- Rebase bindgen.patch and upstream the change +- Rebase keylime-agent.conf.diff +- Store the configuration file in /usr/etc/keylime/agent.conf +- Fix keylime user creation +- Drop webapp service port in firewall XML service file +- Update to version 0.1.0+git.1663769444.6318234: + * Update comments in the configuration file + * config: Align config locations with the python components + * config: Add configuration file version + * config: Add back support for KEYLIME_DIR env var + * Change configuration format to TOML + * Add support for using passphrase protected key + * Do not try to load TPM data generated by another TPM + * Allow using existing key and certificate + * Remove the agent TPM data from the config struct + * Rename the configuration options + * Use password to generate EK when provided + * Add tpm_ownerpassword option to keylime.conf + * Add cargo audit to CI static tests + * Add agent and faked_measured_boot_log tests context + * Appease clippy + +------------------------------------------------------------------- +Wed Aug 10 13:39:08 UTC 2022 - aplanas@suse.com + +- Update to version 0.1.0+git.1659977521.0186093: + * Fix display of mb measurement file path + * Add more helpful error when config file is not found + * Fix small comment about implementing TPM ownership + * main: die when cannot drop privileges + * keylime.conf: add run_as section + * Use Rust agent-specific config in Makefile + * Fix typo in listen_notifications option in keylime.conf + * tpm: Support pre-existing EK + * Set swtpm context which is 
later used for test filtering + * Add GitLeaks configuration to ignore RSA key used for testing + * Handle whitespace in keylime.conf +- Rename keylime.conf.diff to keylime-agent.conf.diff +- Drop 0001-main-die-when-cannot-drop-privileges.patch, as is already + merged upstream +- Add bindgen.patch to add more architectures + +------------------------------------------------------------------- +Tue Jul 12 09:20:39 UTC 2022 - aplanas@suse.com + +- Update to version 0.1.0+git.1657303637.5b9072a: + * keys_handler: Use scopes to drop mutexes before await + * Enable usage of Rust IMA emulator in E2E tests. + * ima_emulator: Support PCR hash algorithms other than SHA-1 + * ima_entry: add IMA entry parser ported from Python Keylime + * algorithms: Add conversion between our hash algorithms and OpenSSL's + * Remove unused functions revocation_ip_get and revocation_port_get. Change String to &str. + * Adjust function usage comments to account for new parameters. + * Load config file less at startup in src/common.rs + * GNUmakefile: Make target dependencies explicit + * permissions: Set supplementary groups when dropping privileges + * main: Use more descriptive message for missing files error + * Show path when fail to load the certificate + * tpm: Add serialization functions for structures in quotes +- Requires tpm2.0-abrmd dependency, as the kernel resource manager + could be not enough +- Downgrade /var/run/keylime permissions +- Set "run_as" parameter to "keylime:tss" +- Create the keylime user via systemd +- Fix keylime service home directory +- Add 0001-main-die-when-cannot-drop-privileges.patch to avoid the + execution as root when the run_as user is missing in the system + +------------------------------------------------------------------- +Wed Jun 22 08:45:20 UTC 2022 - Alberto Planas Dominguez + +- Update to version 0.1.0+git.1655384301.b834667: + * Update fmf plans to run test with IMA policy + * .github/dependabot.yml: prevent updates that require manifest 
change +- Add logrotate configuration for the agent service +- Requires libtss2-tcti-device0 to interact with the real device +- Drop legacy Python subpackage and feature +- Move conflicts into the Python version + +------------------------------------------------------------------- +Wed Jun 15 09:52:48 UTC 2022 - Alberto Planas Dominguez + +- Drop CFSSL port from the keylime.xml firewalld rules + +------------------------------------------------------------------- +Tue Jun 14 11:05:01 UTC 2022 - aplanas@suse.com + +- Update to version 0.1.0+git.1655143451.7c4121e: + * Add dependabot for automatic dependency updates + * config: remove unused options + * persist AK, NK and mTLS certificate to disk + * Update tokio minimum version + * Adjust CI test name according to keylime-tests PR#125 + * Make wiremock an optional dependency + * Drop unused dependency flate2 + * Drop unused dependency rustc-serialize + * Update clap dependency to 3.1.18 + * add support for "hash_ek" UUID creation + * tpm: add and use EKResult struct as return value for create_ek(..) 
+ * replace custom marshall functions with the offical one + * update to tss-esapi 7.1.0 + * quotes_handler: Rewind measured boot log file + * Add test /functional/measured-boot-swtpm-sanity to Packit CI plan + * OpenSSL on deb family is now libssl-dev + +------------------------------------------------------------------- +Tue May 24 14:10:38 UTC 2022 - aplanas@suse.com + +- Update to version 0.1.0+git.1653314004.ceda2ec: + * Skip serialization of optional fields + * Make support for legacy python revocation actions optional + * main: Do not try to load CA cert if mTLS is disabled + * CI: Add packit to run end-to-end tests + * GNUmakefile: Install shim.py + * Add service for secure mount + * secure_mount: Do not try to give ownership to root + * secure_mount: Rewrite check_mount() + * main: Ignore original ownership when unzipping files + * Drop privileges to run as normal user and group + * main: Mount secure mount before dropping the privileges + * main: Open files that require privilege at the beginning + * quotes_handler: Fix measured boot list encoding + * Fix typo in config_get() + * Add option to disable mTLS + * Update actix-web to 4, remove tokio 0.2 dependencies + * crypto: Add helper function to convert public key to PEM string + * Add ansasaki as maintainer + +------------------------------------------------------------------- +Wed Apr 13 09:54:42 UTC 2022 - aplanas@suse.com + +- Update to version 0.1.0+git.1649449492.59856c2: + * errors_handler: Add handler for 404 error + * errors_handler: Add tests for error handlers + * main: Add handler for actix request parsing errors + * main: Add default handlers for each scope + * main: Use actix middleware to log requests + * common: Change status code type from u32 to u16 + * common: Use trait ToString for status on JsonWrapper::error + * quotes_handler: Add used measured boot path to warning message + * common: Rename JsonWrapper::new as JsonWrapper::success + * Generalize error JSON wrapping + * main: Use 
scopes to organize API + * Use JSON wrapper on error responses + * quotes_handler: Simplify integrity quote structures + * quotes_handler: Improve query parameters parsing + * quotes_handler: Add missing log messages + * keys_handler: Add API to verify derived key + * keys_handler: Remove workaround for missing JSON Content-Type + * keys_handler: Fix test for 256-bits keys + * Use shared JSON wrapper for HTTP responses + * ima: Avoid using unwrap() or panic!() + * Apply changes suggested by cargo fmt and cargo clippy + * ima: Read IMA measurement list begining at n-th entry. + * ima: Get ima_ml_entry from HTTP request + * version_handler: Introduce /version REST endpoint (#313) + * main: Do not error if payload_script is not found + * Remove revocation actions naming restriction + * Revert API version to 2.0 + * Set working directory via KEYLIME_DIR env variable + +------------------------------------------------------------------- +Fri Mar 4 16:02:57 UTC 2022 - Alberto Planas Dominguez + +- Add work_dir directory in /var/lib/keylime +- Add subpackage rust-keylime-python to execute revocation payload in Python + +------------------------------------------------------------------- +Tue Mar 01 14:21:35 UTC 2022 - aplanas@suse.com + +- Update to version 0.1.0+git.1645537954.2f1447d: + * Make zmq an optional dependency + * notifications_handler: Introduce /notifications/revocation REST endpoint + * revocation: Move out revocation message processing + * revocation: Make get_revocation_cert_path() public + * Install systemd unit file + +------------------------------------------------------------------- +Tue Feb 22 12:34:16 UTC 2022 - aplanas@suse.com + +- Update to version 0.1.0+git.1645023877.811a869: + * Make clippy happy. + * Add a --help message. 
+ * Depend on Rust-TSS-ESAPI 7.0.0 stable + * main: Return error on initialization if python shim is missing + * common: Add hardcoded config defaults for revocation + * main: Add execution permissions to revocation actions + * revocation: Log revocation actions output + * revocation: Fix get_revocation_cert_path() comment + * gitignore: Add filters for some temporary files + * revocation: Do not ignore revocation actions from config + * revocation: Implement python actions support + * tests: Implement proof-of-concept python shim + * revocation: Implement lookup_action() function + * common: Add revocation actions configurations + * revocation: Enforce local action naming restriction + * revocation: Remove duplicate logger initialization + * crypto: unfiy import_x509 and load_x509 + * update Cargo.lock + * common: update API version to v2.0 + * tpm: drop zlib compression in quotes + * run agent webserver with mTLS enabled and add mtls_cert to registrar + * crypto: load and generate X509 certificates, mTLS context generation + * keylime.conf: add setting for Keylime CA + * Bump tss-esapi crate to 7.0.0-beta.1 + * Update to fix typo + * Use Path and PathBuf consistently to represent paths + * Bump versions of some dependencies + * quotes_handler: Check quotes in tests + * tpm: Remove hard-coded struct sizes with std::mem::size_of + * tpm: Let compiler to infer arch-dependent integer types + * Use CString as the first argument of libc::chown + * keys_handler: Add API to get public key (#284) + * crypto: Fix algorithms used for revocation signature (#275) + * revocation: Use revocation certificate set by configuration (#300) + * common: Add revocation_cert to the global configuration structure + * ima_emulator: Fix running hash calculation on resumption + * keys_handler: Add test with encrypted payload + * main: Use condition variable to wait for payload encryption key + * main: Use Option to represent a combined key + * main: Redefine KeySet as a vector + * 
keys_handler, main: Move crypto operations to crypto module + * keys_handler: Make use of type safe payload deserialization + * Remove unused imports + * Remove duplicate CODEOWNERS file + * Remove panic when running rev action + * move global configuration into a single struct + * Add codeowners + +------------------------------------------------------------------- +Mon Jan 10 13:06:42 UTC 2022 - aplanas@suse.com + +- Update to version 0.1.0+git.1641587454.1248597: + * quotes_handler: send TPM2 event log for measured boot + * serialization: move serialization into separate module + * try to load AK from disk instead of always creating a new one + * update Cargo.lock file + * make hash, encryption and signing algorithm configurable + * tpm: remove get_sig_scheme(..) function + * hash: rename to algorithms and implement tss conversions + * cmd_exec: remove cmd_exec module + * secure_mount: fix mount of tmpfs for secure directory + * common: change default WORK_DIR to /var/lib/keylime + * tpm: remove special handling for PCR10 + +------------------------------------------------------------------- +Mon Dec 13 15:53:39 UTC 2021 - aplanas@suse.com + +- Update to version 0.1.0+git.1639176416.fc90088: + * Code refactor to use updated tss-esapi +- Drop add_property_tag_variant_for_maxcapbuffer.patch, included in + the upstream crate + +------------------------------------------------------------------- +Wed Nov 24 13:48:07 UTC 2021 - Alberto Planas Dominguez + +- Conflict with keylime-agent, keylime-config and keylime-firewalld +- Add keylime_ima_emulator tool +- Add patch add_property_tag_variant_for_maxcapbuffer.patch + +------------------------------------------------------------------- +Fri Nov 19 13:02:48 UTC 2021 - aplanas@suse.com + +- Update to version 0.1.0+git.1637095429.d5a3191: + * Run Fedora tests on unified Keylime test container + * ima_emulator: Print error message when TCTI envvar is not set + * Add keylime_ima_emulator executable for testing + * Fix 0mq 
problem + * ci: Check unit test coverage with cargo tarpaulin (#216) + * config: merge with Python keylime.conf and remove unused entries + * Add support for contact ip and port + * common: move get env or from config into sperate function + * keys_handler: Add unit tests + * quotes_handler: Add unit tests (#265) + * Fix bugs that occur after a delete and re-add from the tenant + * Retain the main loop running after payload execution (#249) + * keys_handler: verify HMAC in constant-time (#248) + * build: Adjust package dependencies to compile in Fedora (#245) + * Generate Cargo.lock file + * Add Ueno as a maintainer and set codeowners + * Fix clippy errors, update to newest TSS-ESAPI +- Drop generate-cargo-lock-file.patch (already in upstream) + +------------------------------------------------------------------- +Mon Aug 16 14:23:13 UTC 2021 - aplanas@suse.com + +- Update to version 0.1.0+git.1629114992.890e8c9: + * Add "v1.0" prefix to agent APIs +- Update generate-cargo-lock-file.patch + +------------------------------------------------------------------- +Wed Jul 28 08:56:33 UTC 2021 - Alberto Planas Dominguez + +- Add generate-cargo-lock-file.patch to fix the build system in OBS +- Add keylime.conf.diff to adjust the default config file +- Adjust build requirements +- Add firewalld XML rules +- Add systemd keylime_agent.service +- Fix license tag + +------------------------------------------------------------------- +Thu Jul 22 09:20:38 UTC 2021 - aplanas@suse.com + +- Update to version 0.0.1+git.1626706730.a009476: + * libarchive-devel is needed to build on Fedora + * Accept sets of U and V keys; use new Key types + * Output mask info + * Fix for race condition bug + * Do not resend pubkey to CV after attestation + * Run payload script from a shell + * Write out data and run payload + * Decrypt payload after key handlers find symm key + * Add handler for U and V keys + * Add helper functions for handling U and V keys + * Some TPM fixes for IMA PCR validation 
+ * Do not flush AK context as this causes an error
+ * Fix bug in revocation service
+ * Drop references to vmask
+ * Better documentation of consts
+ * Do not fail if EK cert is not present in TPM NV
+ * Add more verbose logging to better match Python agent
+ * Remove verify stub as we are not using it
+ * tests: Don't pass --allow-signing to swtpm_setup
+ * Fix typos
+ * Add dependency for libzmq3-dev / zeromq-devel
+ * Fix new clippy lints
+ * Add handling for Identity and Integrity quotes
+ * Add Quote functionality
+ * Add marshaling functions for TPM structs
+
+-------------------------------------------------------------------
+Tue Jun 08 11:59:11 UTC 2021 - aplanas@suse.com
+
+- Update to version 0.0.1+git.1620935374.4df2148:
+ * Add function to read PCR mask
+ * Small fixes in TPM functions
+ * Send quote data to actixweb handlers
+
+-------------------------------------------------------------------
+Tue May 04 12:23:18 UTC 2021 - aplanas@suse.com
+
+- Update to version 0.0.1+git.1618949271.f609525:
+ * Add more TPM helper functions
+ * Use PKeys consistently
+ * Rebase on tss-esapi 5.0
+ * Pass a PKeyRef to asym_verify
+ * Use #[[from] from thiserror
+ * Fix uppercase acronyms
+ * Add testing feature
+ * Remove port bindings for agent
+ * More verbose TPM and revocation error, verbose success
+ * Fix docker networking
+
diff --git a/rust-keylime.obsinfo b/rust-keylime.obsinfo
new file mode 100644
index 0000000..8974bed
--- /dev/null
+++ b/rust-keylime.obsinfo
@@ -0,0 +1,4 @@
+name: rust-keylime
+version: 0.2.6+13
+mtime: 1724838345
+commit: 57992463535d15951ebaca77d1be4217ffaf74d6
diff --git a/rust-keylime.spec b/rust-keylime.spec
new file mode 100644
index 0000000..9e7b372
--- /dev/null
+++ b/rust-keylime.spec
@@ -0,0 +1,152 @@
+#
+# spec file for package rust-keylime
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%global rustflags '-Clink-arg=-Wl,-z,relro,-z,now'
+# Consolidate _distconfdir and _sysconfdir
+%if 0%{?_distconfdir:1}
+ %define _config_norepl %{nil}
+%else
+ %define _distconfdir %{_sysconfdir}
+ %define _config_norepl %config(noreplace)
+%endif
+Name: rust-keylime
+Version: 0.2.6+13
+Release: 0
+Summary: Rust implementation of the keylime agent
+License: (Apache-2.0 OR MIT) AND BSD-3-Clause AND (Apache-2.0 OR MIT) AND Unicode-DFS-2016 AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR ISC OR MIT) AND (Apache-2.0 OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR MIT OR Zlib) AND (MIT OR Unlicense) AND (Apache-2.0 OR Zlib OR MIT) AND Apache-2.0 AND Apache-2.0 WITH LLVM-exception AND BSD-3-Clause AND ISC AND MIT
+URL: https://github.com/keylime/rust-keylime
+Source: rust-keylime-%{version}.tar.zst
+Source1: vendor.tar.xz
+Source2: cargo_config
+Source3: keylime.xml
+Source4: keylime-user.conf
+Source5: tmpfiles.keylime
+Source6: ima-policy
+Source7: ima-policy.service
+Source8: README.suse
+# PATCH-FIX-OPENSUSE keylime-agent.conf.diff
+Patch1: keylime-agent.conf.diff
+BuildRequires: cargo-packaging
+BuildRequires: clang
+BuildRequires: firewall-macros
+BuildRequires: libarchive-devel
+BuildRequires: rust
+BuildRequires: sysuser-tools
+BuildRequires: tpm2-0-tss-devel
+Requires: libtss2-tcti-device0
+Requires: logrotate
+Requires: tpm2.0-abrmd
+Recommends: (keylime-ima-policy if selinux-policy-targeted)
+Provides: user(keylime)
+%sysusers_requires
+# Disable this line if you wish to support all platforms. In most
+# situations, you will likely only target tier1 arches for user facing
+# components.
+# ExclusiveArch: %_{rust_tier1_arches}
+
+%description
+Rust implementation of keylime agent. Keylime is system integrity
+monitoring system.
+
+%package -n keylime-ima-policy
+Summary: IMA policy for Keylime agent
+
+%description -n keylime-ima-policy
+Subpackage of %{name} to provide an suggested IMA policy for Keylime agent
+
+%prep
+%autosetup -a1 -p1
+mkdir .cargo
+install -D -m 644 %{SOURCE2} .cargo/config
+
+%build
+%{cargo_build} --no-default-features
+%sysusers_generate_pre %{SOURCE4} keylime keylime-user.conf
+
+%install
+# If https://github.com/Firstyear/cargo-packaging/pull/3 gets merged,
+# replace it with:
+#
+# #{cargo_install -p keylime-agent} --no-default-features --features "with-zmq"
+# #{cargo_install -p keylime-ima-emulator}
+
+install -Dpm 0755 %{_builddir}/%{name}-%{version}/target/release/keylime_agent %{buildroot}%{_bindir}/keylime_agent
+install -Dpm 0755 %{_builddir}/%{name}-%{version}/target/release/keylime_ima_emulator %{buildroot}%{_bindir}/keylime_ima_emulator
+
+install -Dpm 0600 keylime-agent.conf %{buildroot}%{_distconfdir}/keylime/agent.conf
+install -Dpm 0644 ./dist/systemd/system/keylime_agent.service %{buildroot}%{_unitdir}/keylime_agent.service
+install -Dpm 0644 ./dist/systemd/system/var-lib-keylime-secure.mount %{buildroot}%{_unitdir}/var-lib-keylime-secure.mount
+
+install -Dpm 0644 %{SOURCE3} %{buildroot}%{_prefix}/lib/firewalld/services/keylime.xml
+install -Dpm 0644 %{SOURCE4} %{buildroot}%{_sysusersdir}/keylime-user.conf
+install -Dpm 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/keylime.conf
+install -d %{buildroot}%{_localstatedir}/log/keylime
+install -d %{buildroot}%{_libexecdir}/keylime
+
+# Create work directory and the certificate directory
+mkdir -p %{buildroot}%{_sharedstatedir}/keylime/cv_ca
+
+install -Dpm 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/ima/ima-policy
+install -Dpm 0644 %{SOURCE7} %{buildroot}%{_unitdir}/ima-policy.service
+
+# %_check
+# %_{cargo_test}
+
+%pre -f keylime.pre
+%service_add_pre keylime_agent.service
+%service_add_pre var-lib-keylime-secure.mount
+
+%post
+%firewalld_reload
+%tmpfiles_create keylime.conf
+%service_add_post keylime_agent.service
+%service_add_post var-lib-keylime-secure.mount
+
+%preun
+%service_del_preun keylime_agent.service
+%service_del_preun var-lib-keylime-secure.mount
+
+%postun
+%service_del_postun keylime_agent.service
+%service_del_postun var-lib-keylime-secure.mount
+
+%files
+%doc README.md
+%license LICENSE
+%{_bindir}/keylime_agent
+%{_bindir}/keylime_ima_emulator
+%dir %attr(0700,keylime,tss) %{_distconfdir}/keylime
+%_config_norepl %attr(0600,keylime,tss) %{_distconfdir}/keylime/agent.conf
+%{_unitdir}/keylime_agent.service
+%{_unitdir}/var-lib-keylime-secure.mount
+%dir %{_prefix}/lib/firewalld
+%dir %{_prefix}/lib/firewalld/services
+%{_prefix}/lib/firewalld/services/keylime.xml
+%{_sysusersdir}/keylime-user.conf
+%{_tmpfilesdir}/keylime.conf
+%dir %attr(0750,keylime,tss) %{_localstatedir}/log/keylime
+%dir %attr(0750,keylime,tss) %{_libexecdir}/keylime
+%dir %attr(0700,keylime,tss) %{_sharedstatedir}/keylime
+%dir %attr(0700,keylime,tss) %{_sharedstatedir}/keylime/cv_ca
+
+%files -n keylime-ima-policy
+%dir %attr(0750,root,root) %{_sysconfdir}/ima
+%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/ima/ima-policy
+%{_unitdir}/ima-policy.service
+
+%changelog
diff --git a/tmpfiles.keylime b/tmpfiles.keylime
new file mode 100644
index 0000000..a07d3fa
--- /dev/null
+++ b/tmpfiles.keylime
@@ -0,0 +1 @@
+d /run/keylime 0700 keylime tss
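Review bot: `agent.conf` is shipped as `%attr(0600,keylime,tss)` inside a `%attr(0700,keylime,tss)` directory, so the unprivileged service user the agent drops to (`run_as` keylime:tss per the changelog) owns and can rewrite its own configuration — `run_as`, `payload_script`, revocation actions, `trusted_client_ca` — which lets a compromised agent persist across restarts. If the agent reads the file before dropping privileges, as the changelog entry "Open files that require privilege at the beginning" suggests, `%dir %attr(0750,root,tss) %{_distconfdir}/keylime` and `%_config_norepl %attr(0640,root,tss) %{_distconfdir}/keylime/agent.conf` would close that without breaking startup; please confirm against the agent's startup order. The hardened link flags in `%global rustflags` only reach the binaries if `%{cargo_build}` exports that macro, which this spec does not show, so checking `BIND_NOW` with `readelf -d` on the built `keylime_agent` in `%check` (currently commented out together with `%cargo_test`) would make the hardening verifiable at build time. The `%install` comment still mentions `--features "with-zmq"`, which the changelog records as dropped, so `# #{cargo_install -p keylime-agent} --no-default-features` would be accurate.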
diff --git a/vendor.tar.xz b/vendor.tar.xz
new file mode 100644
index 0000000..18f0132
--- /dev/null
+++ b/vendor.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9aaacfcd0df6d58916173a5252ce72db0d3ac7e559f2a3a392396d7619952b85
+size 30847276