diff --git a/restore-ima-selinux-type-when-perform-new-configurat.patch b/restore-ima-selinux-type-when-perform-new-configurat.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b783c71d8c9de4377c7043dfb252e3abb35a0a57
--- /dev/null
+++ b/restore-ima-selinux-type-when-perform-new-configurat.patch
@@ -0,0 +1,127 @@
+From 7adb0853596e1ec546ef33aba26b69e31a695041 Mon Sep 17 00:00:00 2001
+From: xuce
+Date: Mon, 2 Dec 2024 16:16:40 +0800
+Subject: [PATCH] restore ima selinux type when perform new configuration
+
+Signed-off-by: xuce
+---
+ secpaver-secconf-1.0.0/secconf/gen/gen_ima | 73 ++++++++++++----------
+ 1 file changed, 40 insertions(+), 33 deletions(-)
+
+diff --git a/secpaver-secconf-1.0.0/secconf/gen/gen_ima b/secpaver-secconf-1.0.0/secconf/gen/gen_ima
+index a657614..d40dce6 100644
+--- a/secpaver-secconf-1.0.0/secconf/gen/gen_ima
++++ b/secpaver-secconf-1.0.0/secconf/gen/gen_ima
+@@ -14,7 +14,7 @@ measure_list+=({{.}})
+ {{end}}
+ 
+ needReboot=false
+-packages=("ima-evm-utils" "digest-list-tools")
++packages=("ima-evm-utils" "digest-list-tools" "selinux-policy" "selinux-policy-targeted" "policycoreutils")
+ for pkg in "${packages[@]}"; do
+ get_usr_input "${pkg} is about to installed?【Y/N】"
+ if [ $? -eq 1 ]; then
+@@ -33,14 +33,14 @@ rm_kernel_param()
+ for param in "${@}"; do
+ cmdline_contains_param=$(grep -q "${param}" /proc/cmdline && echo "true" || echo "false")
+ grub_contains_param=$(grep -q "${param}" "${grub_path}" && echo "true" || echo "false")
+- if [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "true" ]]; then
+- sed -i "s/ \<${param}\>//g" ${grub_path}
+- needReboot=true
+- elif [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "true" ]]; then
+- sed -i "s/ \<${param}\>//g" ${grub_path}
+- elif [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "false" ]]; then
+- needReboot=true
+- fi
++ if [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "true" ]]; then
++ sed -i "s/ \<${param}\>//g" ${grub_path}
++ needReboot=true
++ elif [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "true" ]]; then
++ sed -i "s/ \<${param}\>//g" ${grub_path}
++ elif [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "false" ]]; then
++ 
needReboot=true
++ fi
+ done
+ }
+ 
+@@ -60,8 +60,39 @@ set_kernel_param()
+ done
+ }
+ 
++set_selinux_type()
++{
++ module_name=$(echo "$1" | awk -F'_' '{print $1 "_" $2}')
++ semodule -l | grep $module_name > /dev/null
++ if [ $? -eq 1 ]; then
++ file=/tmp/${module_name}.cil
++ cat < $file
++(type $1)
++(roletype object_r $1)
++(typeattributeset file_type ($1))
++(allow domain $1 (file (append execmod ioctl mounton relabelfrom swapon watch_reads audit_access execute link open relabelto unlink watch_sb create execute_no_trans lock quotaon rename watch watch_with_perm entrypoint getattr map read setattr watch_mount write)))
++EOF
++ 
++ semodule -i $file
++ echo "selinux type $1 has been successfully created"
++ rm $file
++ fi
++ chcon -t $1 $2
++}
++ 
++restore_selinux_type()
++{
++ for type in "$@"; do
++ find / -context "*${type}*" -exec restorecon -v {} \; &>/dev/null
++ done
++}
++ 
+ appraise_param=("ima_appraise=enforce" "ima_appraise_digest_list=digest-nometadata")
+ measure_param=("ima_digest_list_pcr=11" "ima_template=ima-ng")
++measure_type=ima_measure_bprm_t
++appraise_type=ima_appraise_bprm_t
++all_type=ima_all_bprm_t
++restore_selinux_type $measure_type $appraise_type $all_type
+ 
+ if [[ ${#appraise_list[@]} -eq 0 && ${#measure_list[@]} -eq 0 ]]; then
+ rm_kernel_param "${appraise_param[@]}"
+@@ -82,27 +113,6 @@ if [[ $needReboot == "true" ]]; then
+ return 0
+ fi
+ 
+-
+-set_selinux_type()
+-{
+- module_name=$(echo "$1" | awk -F'_' '{print $1 "_" $2}')
+- semodule -l | grep $module_name > /dev/null
+- if [ $? 
-eq 1 ]; then
+- file=/tmp/${module_name}.cil
+- cat < $file
+-(type $1)
+-(roletype object_r $1)
+-(typeattributeset file_type ($1))
+-(allow domain $1 (file (append execmod ioctl mounton relabelfrom swapon watch_reads audit_access execute link open relabelto unlink watch_sb create execute_no_trans lock quotaon rename watch watch_with_perm entrypoint getattr map read setattr watch_mount write)))
+-EOF
+-
+- semodule -i $file
+- echo "selinux type $1 has been successfully created"
+- rm $file
+- fi
+- chcon -t $1 $2
+-}
+-
+ unique() {
+ echo "$@" | tr ' ' '\n' | sort -u | tr '\n' ' '
+ }
+@@ -124,9 +134,6 @@ if [[ ${#common_list[@]} -eq 0 && ${#appraise_list[@]} -eq 0 && ${#measure_list[
+ echo "IMA is disabled!"
+ return 0
+ fi
+-measure_type=ima_measure_bprm_t
+-appraise_type=ima_appraise_bprm_t
+-all_type=ima_all_bprm_t
+ 
+ for measure_file in "${measure_list[@]}"; do
+ set_selinux_type $measure_type $measure_file
+-- 
+2.33.0
+
diff --git a/secpaver.spec b/secpaver.spec
index 04975ad3796774aeee349eb4ae66a88c9ebaa9c6..2fac1586f1271bfe1a80f5316500c2e28ab5b0de 100755
--- a/secpaver.spec
+++ b/secpaver.spec
@@ -2,7 +2,7 @@
 Name: secpaver
 Summary: Security policy development tool
 Version: 1.0.2
-Release: 13
+Release: 14
 License: MulanPSL-2.0
 URL: https://gitee.com/openeuler/secpaver
 Source: https://gitee.com/openeuler/secpaver/repository/archive/%{name}-%{version}.tar.gz
@@ -16,6 +16,7 @@ Patch0003: support-clang-build.patch
 Patch0004: fix-go-build-ref-cldflags.patch
 Patch0005: remove-unused-socket.patch
 Patch0006: Add-example-of-how-to-import-digest-list-when-using-.patch
+Patch0007: restore-ima-selinux-type-when-perform-new-configurat.patch
 %ifarch riscv64 loongarch64
 Patch1000: 1000-fix-build-on-riscv64.patch
 %endif
@@ -59,6 +60,7 @@ unzip %{SOURCE2}
 %patch0004 -p1
 %patch0005 -p1
 %patch0006 -p1
+%patch0007 -p1
 %ifarch riscv64 loongarch64
 %patch1000 -p1
 %endif
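Review bot: `restore_selinux_type`, added in the `@@ -60,8 +60,39 @@` hunk of the embedded gen_ima patch, walks the whole filesystem once per argument (`find / -context "*${type}*" -exec restorecon -v {} \;`), so the call with `$measure_type $appraise_type $all_type` does three full scans and spawns one restorecon per matched file, and `&>/dev/null` also discards restorecon's stderr, so a file that could not be relabelled silently keeps its old IMA type when the new configuration is applied. One walk with the patterns joined by `-o`, a batched exec and stderr kept covers all three: `find / \( -context "*${1}*" -o -context "*${2}*" -o -context "*${3}*" \) -exec restorecon {} + >/dev/null`. In the same hunk the moved `set_selinux_type` still writes its CIL module to the predictable path `/tmp/${module_name}.cil` and loads it with `semodule -i` as root; `file=$(mktemp --suffix=.cil)` avoids picking up a file or symlink another user placed at that name, and `$module_name` in the grep and `$1`/`$2` in `chcon -t $1 $2` should be quoted. As rendered, `cat < $file` would read rather than write the module file; presumably the heredoc redirection (`cat <<EOF > "$file"`) was lost in page rendering, worth confirming in the committed patch.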
@@ -117,7 +119,10 @@ make test
 %systemd_postun_with_restart pavd.service
 
 %changelog
-* Thu Nov 28 2024 jinlun - 1.0.2-13
+* Mon Dec 2 2024 xuce - 1.0.2-14
+- restore ima selinux type when perform new configuration
+
+* Thu Nov 28 2024 xuce - 1.0.2-13
 - Add example of how to import digest list when using IMA appraise
 
 * Mon Nov 25 2024 jinlun - 1.0.2-12