Hello community,

here is the log from the commit of package rust-keylime for openSUSE:Factory checked in at 2023-03-17 17:02:33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rust-keylime (Old)
 and      /work/SRC/openSUSE:Factory/.rust-keylime.new.31432 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rust-keylime" Fri Mar 17 17:02:33 2023 rev:11 rq:1072184 version:0.2.0+git.1677691779.f7edd9a Changes: -------- --- /work/SRC/openSUSE:Factory/rust-keylime/rust-keylime.changes 2023-03-03 22:24:58.150637989 +0100 +++ /work/SRC/openSUSE:Factory/.rust-keylime.new.31432/rust-keylime.changes 2023-03-17 17:03:02.053294297 +0100 @@ -1,0 +2,5 @@ +Wed Mar 15 16:46:28 UTC 2023 - Alberto Planas Dominguez <[email protected]> + +- Add keylime-ima-policy subpackage to provide a better IMA policy + +------------------------------------------------------------------- New: ---- README.suse ima-policy ima-policy.service ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rust-keylime.spec ++++++ --- /var/tmp/diff_new_pack.9Oglvy/_old 2023-03-17 17:03:02.817298299 +0100 +++ /var/tmp/diff_new_pack.9Oglvy/_new 2023-03-17 17:03:02.821298320 +0100 @@ -36,6 +36,9 @@ Source3: keylime.xml Source4: keylime-user.conf Source5: tmpfiles.keylime +Source6: ima-policy +Source7: ima-policy.service +Source8: README.suse # PATCH-FIX-OPENSUSE keylime-agent.conf.diff Patch1: keylime-agent.conf.diff BuildRequires: cargo-packaging @@ -48,6 +51,7 @@ Requires: libtss2-tcti-device0 Requires: logrotate Requires: tpm2.0-abrmd +Recommends: keylime-ima-policy Provides: user(keylime) %sysusers_requires # Disable this line if you wish to support all platforms. In most @@ -59,6 +63,12 @@ Rust implementation of keylime agent. Keylime is system integrity monitoring system. +%package -n keylime-ima-policy +Summary: IMA policy for Keylime agent + +%description -n keylime-ima-policy +Subpackage of %{name} to provide an suggested IMA policy for Keylime agent + %prep %autosetup -a1 -p1 mkdir .cargo 
@@ -91,6 +101,9 @@ # Create work directory and the certificate directory mkdir -p %{buildroot}%{_sharedstatedir}/keylime/cv_ca +install -Dpm 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/ima/ima-policy +install -Dpm 0644 %{SOURCE7} %{buildroot}%{_unitdir}/ima-policy.service + # %_check # %_{cargo_test} @@ -118,7 +131,7 @@ %{_bindir}/keylime_agent %{_bindir}/keylime_ima_emulator %dir %attr(0700,keylime,tss) %{_distconfdir}/keylime -%_config_norepl %attr (0600,keylime,tss) %{_distconfdir}/keylime/agent.conf +%_config_norepl %attr(0600,keylime,tss) %{_distconfdir}/keylime/agent.conf %{_unitdir}/keylime_agent.service %{_unitdir}/var-lib-keylime-secure.mount %dir %{_prefix}/lib/firewalld 
@@ -131,4 +144,9 @@ %dir %attr(0700,keylime,tss) %{_sharedstatedir}/keylime %dir %attr(0700,keylime,tss) %{_sharedstatedir}/keylime/cv_ca +%files -n keylime-ima-policy +%dir %attr(0750,root,root) %{_sysconfdir}/ima +%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/ima/ima-policy +%{_unitdir}/ima-policy.service + %changelog ++++++ README.suse ++++++ # Notes about the IMA policy This IMA policy is provided as an example that can be later adapted to more specific usage. This was generated from a default tcb IMA policy from a 6.1.12 Linux kernel, and extended with SELinux file types to filter out the part of the system that we usually do not want to measure. To use this policy, we need to copy it in "/etc/ima/ima-policy" and systemd will load it after the SELinux policy has been loaded. For this example, we used the initial set of SELinux attributes, that group the file types under categories. From that list we selected some of those attribute to deep more into the types that can be relevant for the IMA policy: seinfo -a The current selection cover full or partially the types under those attributes: base_file_type base_ro_file_type configfile file_type files_unconfined_type init_script_file_type init_sock_file_type lockfile logfile non_auth_file_type non_security_file_type openshift_file_type pidfile pulseaudio_tmpfsfile security_file_type setfiles_domain spoolfile svirt_file_type systemd_unit_file_type tmpfile tmpfsfile Special mention to non_auth_file_type and non_security_file_type (among other liske logfile or tmpfile), that should cover the most relevant types of the dynamic part of the system. The list should also include types from other attributes like virt_image_type and others (see the policy file comments from a complete list). 
Sometimes is important to see what files are labeled under a specific type, and for that we can use this: semanage fcontext -l | grep $TYPE ++++++ ima-policy ++++++ ++++ 1049 lines (skipped) ++++++ ima-policy.service ++++++ [Unit] Description=Load the IMA Policy [Service] Type=oneshot RemainAfterExit=yes Environment=IMA_SECFS_POLICY=/sys/kernel/security/ima/policy Environment=IMA_POLICY=/etc/ima/ima-policy ExecStart=bash -c '[ -f $IMA_SECFS_POLICY ] && [ -f $IMA_POLICY ] && cat $IMA_POLICY > $IMA_SECFS_POLICY' TimeoutStartSec=0 [Install] WantedBy=basic.target
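Review bot: README.suse is declared as Source8 in the Source hunk of rust-keylime.spec, but neither the %install hunk nor the new "%files -n keylime-ima-policy" section installs or lists it, so the notes about the policy never reach an installed system. Suggest shipping it with the subpackage, for example by copying %{SOURCE8} into the build directory and listing it as "%doc README.suse" under "%files -n keylime-ima-policy".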
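Review bot: the "%files -n keylime-ima-policy" section ships %{_unitdir}/ima-policy.service, but none of the visible spec hunks add the systemd scriptlets for it (%service_add_pre / %service_add_post / %service_del_preun / %service_del_postun in %pre, %post, %preun and %postun of the subpackage). Because the main package now carries "Recommends: keylime-ima-policy", the policy file is placed at /etc/ima/ima-policy on default installs, so it is worth stating in the description whether the unit is expected to be enabled by the administrator or by a preset. Minor wording in the same hunk: "an suggested IMA policy" should read "a suggested IMA policy".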
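Review bot: README.suse tells the reader to copy the policy to "/etc/ima/ima-policy" and says "systemd will load it", while the %install hunk already installs the file at that path and the load is done by the new ima-policy.service, which the README never names. Suggest saying that the package installs the file and that ima-policy.service must be enabled for it to be loaded, and showing how to check the result by reading /sys/kernel/security/ima/policy where the kernel permits it. Wording fixes in the same file: "other liske logfile" (like), "to deep more into the types" (to look deeper into), "see the policy file comments from a complete list" (for a complete list), "Sometimes is important" (Sometimes it is important), and quote the variable in "grep $TYPE".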
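Review bot: in ima-policy.service the ExecStart chain "[ -f $IMA_SECFS_POLICY ] && [ -f $IMA_POLICY ] && cat ..." exits non-zero when either file is absent, so on a kernel without the IMA securityfs entry or a system without /etc/ima/ima-policy the oneshot unit ends up failed instead of skipped. Suggest moving both existence checks to ConditionPathExists= lines in [Unit], which leaves a failed write by cat as the only error path and makes a rejected policy visible in the unit state. In the same line, call the shell by absolute path and double-quote both variables. The unit also keeps default dependencies with WantedBy=basic.target, so it is ordered after basic.target and anything opened before that point is measured under whatever policy the kernel booted with; README.suse only says the load happens after the SELinux policy, so a comment in the unit stating the intended ordering and this limitation would help whoever later compares the measurement list against an allowlist.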
