diff --git a/0001-selinux-add-missing-rules-for-libvirt-system.patch b/0001-selinux-add-missing-rules-for-libvirt-system.patch
new file mode 100644
index 0000000000000000000000000000000000000000..65a9a93b98eb92ccf471bd810ca14719b7082515
--- /dev/null
+++ b/0001-selinux-add-missing-rules-for-libvirt-system.patch
@@ -0,0 +1,41 @@
+From aa5c7191acf32b31c965e34df2423768dbac0f3c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
+Date: Sat, 13 Jul 2024 13:37:29 +0400
+Subject: [PATCH] selinux: add missing rules for libvirt system
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reported & tested:
+https://issues.redhat.com/browse/RHEL-47273
+
+Signed-off-by: Marc-André Lureau
+---
+ src/selinux/swtpm_svirt.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/selinux/swtpm_svirt.te b/src/selinux/swtpm_svirt.te
+index f7b886c..424efa7 100644
+--- a/src/selinux/swtpm_svirt.te
++++ b/src/selinux/swtpm_svirt.te
+@@ -13,6 +13,7 @@ require {
+ type user_tmp_t;
+ type virtd_t;
+ type virtqemud_t;
++ type virt_var_run_t;
+ }
+
+ swtpm_domtrans(svirt_t)
+@@ -27,6 +28,9 @@ allow svirt_t user_tmp_t:sock_file { create setattr unlink };
+ allow svirt_t virtd_t:dir search;
+ allow svirt_t virtd_t:fifo_file write;
+ allow svirt_t virtqemud_t:fifo_file write;
++allow svirt_t virt_var_run_t:dir { write add_name remove_name };
++allow svirt_t virt_var_run_t:file { create write setattr unlink };
++allow svirt_t virt_var_run_t:sock_file { create write setattr unlink };
+
+ # For virt-install (see https://bugzilla.redhat.com/show_bug.cgi?id=2283878 )
+ allow svirt_tcg_t user_tmp_t:sock_file { create setattr unlink };
+--
+2.41.0
+
diff --git a/0001-swtpm_setup-Initialized-argv-to-NULL-Fedore-Rawhide.patch b/0001-swtpm_setup-Initialized-argv-to-NULL-Fedore-Rawhide.patch
deleted file mode 100644
index efc0b2753344daf91da66603bbdf5f38f3c1623c..0000000000000000000000000000000000000000
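Review bot: The three new allow rules at the end of the second nested hunk give svirt_t, the confined guest domain, create/write/setattr/unlink on every file and sock_file labelled virt_var_run_t plus write/add_name/remove_name on the directory, which is wider than a dedicated type for the objects swtpm creates there would need, and no comment records why. The file already ties its exceptions to a tracker (`# For virt-install (see https://bugzilla.redhat.com/show_bug.cgi?id=2283878 )`); the same above the new rules would help the next reader, e.g. `# swtpm state for libvirt system instances (see https://issues.redhat.com/browse/RHEL-47273)`. If the files and sockets swtpm creates under virt_var_run_t can be given their own type through a file transition, the rules could be narrowed to that type instead of all of virt_var_run_t — worth confirming against the libvirt policy before widening the guest domain this far.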
--- a/0001-swtpm_setup-Initialized-argv-to-NULL-Fedore-Rawhide.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 5b8c9d205a59932ce4e1894dbf09f5df4cfbb907 Mon Sep 17 00:00:00 2001
-From: Stefan Berger
-Date: Thu, 10 Nov 2022 14:20:53 -0500
-Subject: [PATCH] swtpm_setup: Initialized **argv to NULL (Fedore Rawhide)
-
-gcc 12.2.1 on Fedora Rawhide emits this message:
-
-In file included from /usr/include/glib-2.0/glib.h:116,
- from swtpm_setup.c:26:
-In function 'g_autoptr_cleanup_generic_gfree',
- inlined from 'get_swtpm_capabilities.constprop.0' at swtpm_setup.c:940:24:
-/usr/include/glib-2.0/glib/glib-autocleanups.h:30:3: error: 'argv' may be used uninitialized [-Werror=maybe-uninitialized]
- 30 | g_free (*pp);
- | ^~~~~~~~~~~~
-swtpm_setup.c: In function 'get_swtpm_capabilities.constprop.0':
-swtpm_setup.c:940:24: note: 'argv' was declared here
- 940 | g_autofree gchar **argv;
- | ^~~~
-cc1: all warnings being treated as errors
-
-This makes little sense since the variable is then first used like this:
-
- argv = concat_arrays(swtpm_prg_l, my_argv, FALSE);
-
-Signed-off-by: Stefan Berger
---
- src/swtpm_setup/swtpm_setup.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/swtpm_setup/swtpm_setup.c b/src/swtpm_setup/swtpm_setup.c
-index 1b528c8..3570235 100644
---- a/src/swtpm_setup/swtpm_setup.c
-+++ b/src/swtpm_setup/swtpm_setup.c
-@@ -937,7 +937,7 @@ static int get_swtpm_capabilities(gchar **swtpm_prg_l, gboolean is_tpm2,
- gchar *my_argv[] = { "--print-capabilities", is_tpm2 ? "--tpm2" : NULL, NULL };
- g_autofree gchar *logop = NULL;
- g_autoptr(GError) error = NULL;
-- g_autofree gchar **argv;
-+ g_autofree gchar **argv = NULL;
- int exit_status = 0;
- gboolean success;
- int ret = 1;
---
-2.38.0
-
diff --git a/swtpm.spec b/swtpm.spec
index 1d108e755d385ecc539755ac2e85a54ef05ab49a..e87a8abebaad506a178264d5ab81ace571280161 100644
--- a/swtpm.spec
+++ b/swtpm.spec
@@ -9,13 +9,13 @@ Summary: TPM Emulator Name: swtpm -Version: 0.8.0 +Version: 0.9.0 Release: %{anolis_release}%{?dist} -License: BSD +License: BSD-3-Clause Url: http://github.com/stefanberger/swtpm Source0: https://github.com/stefanberger/swtpm/archive/refs/tags/v%{version}.tar.gz -Patch0001: 0001-swtpm_setup-Initialized-argv-to-NULL-Fedore-Rawhide.patch +Patch0001: 0001-selinux-add-missing-rules-for-libvirt-system.patch BuildRequires: make BuildRequires: git-core @@ -27,7 +27,7 @@ BuildRequires: expect BuildRequires: net-tools BuildRequires: openssl-devel BuildRequires: socat -BuildRequires: trousers >= 0.3.9 +BuildRequires: tpm2-tss BuildRequires: softhsm BuildRequires: json-glib-devel %if %{with gnutls} @@ -52,14 +52,14 @@ TPM emulator built on libtpms providing TPM functionality for QEMU VMs %package libs Summary: Private libraries for swtpm TPM emulators -License: BSD +License: BSD-3-Clause %description libs A private library with callback functions for libtpms based swtpm TPM emulator %package devel Summary: Include files for the TPM emulator's CUSE interface for usage by clients -License: BSD +License: BSD-3-Clause Requires: %{name}-libs = %{version}-%{release} %description devel 
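Review bot: Version moves to 0.9.0 and the matching v0.9.0.tar.gz arrives in the same commit as an opaque binary blob, but nothing in the spec or the diff records the tarball's expected digest, and Source0 points at GitHub's on-the-fly `archive/refs/tags` URL rather than a release asset, so the blob cannot later be verified against or reproduced from that URL. Suggest recording the expected sha256 of v0.9.0.tar.gz (placeholder: `<sha256 of v0.9.0.tar.gz>`) in the repository's source manifest, or pointing Source0 at upstream's signed release tarball, and checking it against upstream's signature before the bump lands. The License change to BSD-3-Clause and the Patch0001 swap in this hunk are consistent with the added patch file.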
@@ -67,20 +67,20 @@ Include files for the TPM emulator's CUSE interface. %package tools Summary: Tools for the TPM emulator -License: BSD +License: BSD-3-Clause Requires: swtpm = %{version}-%{release} -# trousers: for tss account -Requires: trousers >= 0.3.9 bash gnutls-utils +# tpm2-tss for tss account +Requires: tpm2-tss bash gnutls-utils %description tools Tools for the TPM emulator from the swtpm package %package tools-pkcs11 Summary: Tools for creating a local CA based on a TPM pkcs11 device -License: BSD +License: BSD-3-Clause Requires: swtpm-tools = %{version}-%{release} Requires: tpm2-pkcs11 tpm2-pkcs11-tools tpm2-tools tpm2-abrmd -Requires: expect gnutls-utils trousers >= 0.3.9 +Requires: expect gnutls-utils %description tools-pkcs11 Tools for creating a local CA based on a pkcs11 device @@ -93,6 +93,17 @@ BuildArch: noarch %description doc Doc files for %{name} +%package selinux +Summary: SELinux security policy for swtpm +Requires(post): swtpm = %{version}-%{release} +BuildArch: noarch +%if ! 0%{?flatpak} +%{?selinux_requires} +%endif + +%description selinux +SELinux security policy for swtpm. + %prep %autosetup -p1 @@ -117,21 +128,22 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/*.{a,la,so} %generate_compatibility_deps -%post +%post selinux for pp in /usr/share/selinux/packages/swtpm.pp \ - /usr/share/selinux/packages/swtpm_svirt.pp; do + /usr/share/selinux/packages/swtpm_svirt.pp \ + /usr/share/selinux/packages/swtpm_libvirt.pp; do %selinux_modules_install -s %{selinuxtype} ${pp} done restorecon %{_bindir}/swtpm -%postun +%postun selinux if [ $1 -eq 0 ]; then - for p in swtpm swtpm_svirt; do + for p in swtpm_libvirt swtpm swtpm_svirt; do %selinux_modules_uninstall -s %{selinuxtype} $p done fi -%posttrans +%posttrans selinux %selinux_relabel_post -s %{selinuxtype} %ldconfig_post libs 
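Review bot: The new selinux subpackage in the second hunk takes over the policy modules the base package used to install (the scriptlets and the .pp files move to it further down), but nothing in the visible hunks makes `swtpm` pull `swtpm-selinux` in, so a fresh install of swtpm alone, or an upgrade from 0.8.0 that does not add the subpackage, ends up with the swtpm binary and no policy files; whether the modules already in the store survive such an upgrade depends on the old 0.8.0 scriptlets, which are not visible here. Fedora's pattern for split policy packages is a conditional dependency on the base package, `Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})`, guarded by the same `%if ! 0%{?flatpak}` that wraps `%{?selinux_requires}`. `Requires(post): swtpm = %{version}-%{release}` is the right ordering for the `restorecon %{_bindir}/swtpm` in %post selinux.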
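Review bot: The %postun selinux loop in the third hunk removes the modules one per `%selinux_modules_uninstall` call in the order swtpm_libvirt, swtpm, swtpm_svirt, yet the swtpm_svirt policy calls `swtpm_domtrans(svirt_t)` (visible in the added patch file) and so references types the swtpm module provides; removing swtpm while swtpm_svirt is still in the store may fail to relink, depending on how the macro commits each removal. Removing in reverse dependency order, `for p in swtpm_libvirt swtpm_svirt swtpm; do`, sidesteps the question; whether swtpm_libvirt depends on either of the others is not visible here, so keeping it first is an assumption to confirm. The pre-existing order swtpm then swtpm_svirt had the same exposure; the commit only prepends swtpm_libvirt.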
@@ -141,7 +153,10 @@ fi %license LICENSE %{_bindir}/swtpm %{_mandir}/man8/swtpm.8* + +%files selinux %{_datadir}/selinux/packages/swtpm.pp +%{_datadir}/selinux/packages/swtpm_libvirt.pp %{_datadir}/selinux/packages/swtpm_svirt.pp %files libs @@ -175,7 +190,6 @@ fi %{_mandir}/man8/swtpm-localca.8* %{_mandir}/man8/swtpm_localca.8* %{_mandir}/man8/swtpm_setup.8* -%{_mandir}/man8/swtpm_cuse.8* %exclude %{_mandir}/man8/swtpm_cuse.8.gz %config(noreplace) %{_sysconfdir}/swtpm_setup.conf %config(noreplace) %{_sysconfdir}/swtpm-localca.options @@ -194,5 +208,8 @@ fi %doc README %changelog +* Thu Feb 27 2025 Weisson - 0.9.0-1 +- Refer to CentOS Stream swtpm-0.9.0-1 (marcandre.lureau@redhat.com) + * Sat Mar 18 2023 Chunmei Xu - 0.8.0-1 - init from upstream diff --git a/v0.8.0.tar.gz b/v0.8.0.tar.gz deleted file mode 100644 index ee5865e2c325ed35e333c654e93455e0f01798ad..0000000000000000000000000000000000000000 Binary files a/v0.8.0.tar.gz and /dev/null differ diff --git a/v0.9.0.tar.gz b/v0.9.0.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..9374ff19fc6c0343c3e152e7189af2073b7a9bed Binary files /dev/null and b/v0.9.0.tar.gz differ