commit 03253938f519b650f5135721e98563832b5abbd8
Author: CentOS Sources
Date: Tue Mar 28 09:31:41 2023 +0000

import tpm2-abrmd-selinux-2.3.1-7.el9

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3ad6f31
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/tpm2-abrmd-2.3.1.tar.gz
diff --git a/.tpm2-abrmd-selinux.metadata b/.tpm2-abrmd-selinux.metadata
new file mode 100644
index 0000000..29cd5e7
--- /dev/null
+++ b/.tpm2-abrmd-selinux.metadata
@@ -0,0 +1 @@
+54a4c097520d6726fd19c04131dfafce2c4e6be8 SOURCES/tpm2-abrmd-2.3.1.tar.gz
diff --git a/SOURCES/0001-Add-new-interfaces-for-communication-with-keylime.patch b/SOURCES/0001-Add-new-interfaces-for-communication-with-keylime.patch
new file mode 100644
index 0000000..f1cf60a
--- /dev/null
+++ b/SOURCES/0001-Add-new-interfaces-for-communication-with-keylime.patch
@@ -0,0 +1,68 @@
+From d319a1a6723ad20766c18964c289d47c06e19182 Mon Sep 17 00:00:00 2001
+From: Patrik Koncity
+Date: Fri, 19 Aug 2022 14:03:49 +0200
+Subject: [PATCH 1/2] Add new interfaces for communication with keylime
+
+Policy need rules to communicate with keylime.
+
+AVC:
+allow keylime_agent_t tabrmd_t:dbus send_msg;
+allow keylime_agent_t tabrmd_t:unix_stream_socket { getattr getopt read write };
+
+Create new interfaces to allow keylime
+communicate with keylime.
+
+Signed-off-by: Patrik Koncity
+---
+ selinux/tabrmd.if | 40 ++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 40 insertions(+)
+
+diff --git a/selinux/tabrmd.if b/selinux/tabrmd.if
+index 3eb6a30..c04eca0 100644
+--- a/selinux/tabrmd.if
++++ b/selinux/tabrmd.if
+@@ -1 +1,41 @@
+ ##
++
++########################################
++##
++## Create and use a unix stream socket
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`tabrmd_create_unix_stream_sockets',`
++ gen_require(`
++ type tabrmd_t;
++ ')
++
++ allow $1 tabrmd_t:unix_stream_socket create_stream_socket_perms;
++')
++
++########################################
++##
++## Send messages to and from
++## tabrmd over DBUS.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`tabr,d_dbus_chat',`
++ gen_require(`
++ type tabrmd_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 tabrmd_t:dbus send_msg;
++ allow tabrmd_t $1:dbus send_msg;
++')
++
+--
+2.39.0
+
diff --git a/SOURCES/0002-Fix-in-SELinux-interface-file-a-typo.patch b/SOURCES/0002-Fix-in-SELinux-interface-file-a-typo.patch
new file mode 100644
index 0000000..b3d7ef0
--- /dev/null
+++ b/SOURCES/0002-Fix-in-SELinux-interface-file-a-typo.patch
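Review bot: `tabrmd_create_unix_stream_sockets` grants `$1` `create_stream_socket_perms` on `tabrmd_t:unix_stream_socket`, which is wider than the denial quoted in this same patch (`{ getattr getopt read write }`) and, as that macro is defined in the reference policy, adds `create`, `bind`, `listen` and `accept` among others; the caller is talking to tabrmd's existing socket, and since a socket normally carries its creator's domain label, a `create` permission on `tabrmd_t`-labelled sockets in `$1` is unlikely ever to be exercised. I would tighten the rule to `allow $1 tabrmd_t:unix_stream_socket rw_stream_socket_perms;`, which is also what tabrmd.te already grants `system_dbusd_t` for the same socket, or grant exactly the four permissions the AVC shows. The interface name then no longer describes the rule, but renaming it would break any keylime policy that already calls it, so I would instead change the description line to `## Read and write an existing tabrmd unix stream socket` rather than rename. The `##` comment blocks also appear to have lost their `<summary>`/`<param>` XML markup in this rendering; worth confirming the markup is intact in the real file, since the installed .if is consumed by policy tooling.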
@@ -0,0 +1,29 @@
+From 64994388056b9b8c687eef3bc6030f2f40888440 Mon Sep 17 00:00:00 2001
+From: Patrik Koncity
+Date: Mon, 9 Jan 2023 12:30:42 +0100
+Subject: [PATCH 2/2] Fix in SELinux interface file a typo
+
+In name of interface in SELinux policy is
+typo issue.
+
+Signed-off-by: Patrik Koncity
+---
+ selinux/tabrmd.if | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/selinux/tabrmd.if b/selinux/tabrmd.if
+index c04eca0..81c7853 100644
+--- a/selinux/tabrmd.if
++++ b/selinux/tabrmd.if
+@@ -29,7 +29,7 @@ interface(`tabrmd_create_unix_stream_sockets',`
+ ##
+ ##
+ #
+-interface(`tabr,d_dbus_chat',`
++interface(`tabrmd_dbus_chat',`
+ gen_require(`
+ type tabrmd_t;
+ class dbus send_msg;
+--
+2.39.0
+
diff --git a/SOURCES/selinux-allow-fwupd-to-communicate-with-tpm2-abrmd.patch b/SOURCES/selinux-allow-fwupd-to-communicate-with-tpm2-abrmd.patch
new file mode 100644
index 0000000..8b956b8
--- /dev/null
+++ b/SOURCES/selinux-allow-fwupd-to-communicate-with-tpm2-abrmd.patch
@@ -0,0 +1,31 @@
+From 0bb388cc57231cb46f5bfa1a52425588fa149e89 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas
+Date: Wed, 12 Feb 2020 13:48:29 +0100
+Subject: [PATCH] selinux: allow fwupd to communicate with tpm2-abrmd
+
+In Fedora, we have the following SELinux AVC error:
+
+Mar 07 09:18:35 river audit[1078]: USER_AVC pid=1078 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.558 spid=8554 tpid=8550 scontext=system_u:system_r:tabrmd_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
+
+Allow fwupd to chat with tpm2-abrmd over D-BUS.
+
+Signed-off-by: Javier Martinez Canillas
+---
+ selinux/tabrmd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/selinux/tabrmd.te b/selinux/tabrmd.te
+index 59d7e548051..8996a46a0ea 100644
+--- a/selinux/tabrmd.te
++++ b/selinux/tabrmd.te
+@@ -21,6 +21,7 @@ optional_policy(`
+ dbus_stub()
+ dbus_system_domain(tabrmd_t, tabrmd_exec_t)
+ allow system_dbusd_t tabrmd_t:unix_stream_socket rw_stream_socket_perms;
++ fwupd_dbus_chat(tabrmd_t)
+ ')
+
+ tunable_policy(`tabrmd_connect_all_unreserved',`
+--
+2.24.1
+
diff --git a/SPECS/tpm2-abrmd-selinux.spec b/SPECS/tpm2-abrmd-selinux.spec
new file mode 100644
index 0000000..de9a10a
--- /dev/null
+++ b/SPECS/tpm2-abrmd-selinux.spec
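Review bot: `fwupd_dbus_chat(tabrmd_t)` is added inside the existing `optional_policy(` block that also holds `dbus_stub()` and `dbus_system_domain(tabrmd_t, tabrmd_exec_t)`; an `optional_policy` block is enabled only when every type it requires exists, so on a policy build without the fwupd module (`fwupd_dbus_chat` requires `fwupd_t`) this placement would disable tabrmd's basic D-Bus rules along with the fwupd one, not just the new line. I would move the call into its own `optional_policy(` … `')` block placed directly after the closing `')` of the dbus block, so the two dependencies fail independently. The quoted AVC only covers `tabrmd_t` sending a `method_return` to `fwupd_t`, while `fwupd_dbus_chat` allows `send_msg` in both directions; that matches the usual `*_dbus_chat` convention and is presumably intended, but a comment above the call such as `# fwupd queries the TPM through tabrmd; see rhbz#1665701` would record why the bidirectional grant is there. The enclosing `optional_policy(` block opens before the start of this hunk.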
@@ -0,0 +1,121 @@
+# defining macros needed by SELinux
+%global selinuxtype targeted
+%global selinux_policyver 3.14.3-22
+%global moduletype contrib
+%global modulename tabrmd
+
+Name: tpm2-abrmd-selinux
+Version: 2.3.1
+Release: 7%{?dist}
+Summary: SELinux policies for tpm2-abrmd
+
+License: BSD
+URL: https://github.com/tpm2-software/tpm2-abrmd
+Source0: https://github.com/tpm2-software/tpm2-abrmd/archive/%{version}/tpm2-abrmd-%{version}.tar.gz
+
+Patch0: selinux-allow-fwupd-to-communicate-with-tpm2-abrmd.patch
+Patch1: 0001-Add-new-interfaces-for-communication-with-keylime.patch
+Patch2: 0002-Fix-in-SELinux-interface-file-a-typo.patch
+
+BuildArch: noarch
+Requires: selinux-policy >= %{selinux_policyver}
+BuildRequires: make
+BuildRequires: git
+BuildRequires: pkgconfig(systemd)
+BuildRequires: selinux-policy
+BuildRequires: selinux-policy-devel
+BuildRequires: selinux-policy-%{selinuxtype}
+Requires(post): selinux-policy-base >= %{selinux_policyver}
+Requires(post): libselinux-utils
+Requires(post): policycoreutils
+Requires(post): policycoreutils-python-utils
+
+%description
+SELinux policy modules for tpm2-abrmd.
+
+%prep
+%autosetup -p1 -n tpm2-abrmd-%{version}
+
+%build
+pushd selinux
+make %{?_smp_mflags} TARGET="tabrmd" SHARE="%{_datadir}"
+popd
+
+%pre
+%selinux_relabel_pre -s %{selinuxtype}
+
+%install
+# install policy modules
+pushd selinux
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
+install -p -m 644 %{modulename}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
+install -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages
+popd
+
+%check
+
+%post
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{modulename}.pp.bz2
+
+%postun
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+fi
+
+%posttrans
+%selinux_relabel_post -s %{selinuxtype}
+
+%files
+%license LICENSE
+%{_datadir}/selinux/*
+%{_datadir}/selinux/packages/%{modulename}.pp.bz2
+%{_datadir}/selinux/devel/include/%{moduletype}/%{modulename}.if
+
+%changelog
+* Fri Jan 6 2023 Štěpán Horáček - 2.3.1-7
+- Include interface for Keylime
+ Resolves: rhbz#2157894
+
+* Tue Aug 10 2021 Mohan Boddu - 2.3.1-6
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Fri Apr 16 2021 Mohan Boddu - 2.3.1-5
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Wed Feb 17 2021 Jerry Snitselaar - 2.3.1-4
+- Fix dependency.
+Resolves: rhbz#1929701
+
+* Wed Jan 27 2021 Fedora Release Engineering - 2.3.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering - 2.3.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Feb 12 2020 Javier Martinez Canillas - 2.3.1-1
+- Update to 2.3.1 release
+
+* Fri Jan 31 2020 Fedora Release Engineering - 2.1.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sat Jul 27 2019 Fedora Release Engineering - 2.1.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Mar 08 2019 Javier Martinez Canillas - 2.1.0-2
+- selinux: allow tpm2-abrmd to communicate with fwupd
+ Resolves: rhbz#1665701
+
+* Fri Feb 22 2019 Javier Martinez Canillas - 2.1.0-1
+- Update to 2.1.0 release
+- Add selinux-policy-%{selinuxtype} BuildRequires
+
+* Sun Feb 03 2019 Fedora Release Engineering - 2.0.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Sat Jul 14 2018 Fedora Release Engineering - 2.0.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed Jul 04 2018 Javier Martinez Canillas - 2.0.0-1
+- Initial import (rhbz#1550595)
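Review bot: In `%files`, the glob `%{_datadir}/selinux/*` already covers the two explicit entries that follow it (`%{_datadir}/selinux/packages/%{modulename}.pp.bz2` and `%{_datadir}/selinux/devel/include/%{moduletype}/%{modulename}.if`), so rpmbuild will report those files as listed twice, and the glob also makes this package claim ownership of `%{_datadir}/selinux/packages` and `%{_datadir}/selinux/devel/include/%{moduletype}`, directories that the selinux-policy and selinux-policy-devel packages it depends on presumably own as well. I would delete the `%{_datadir}/selinux/*` line and keep only the two explicit entries. Current Fedora/RHEL SELinux policy packaging also ghosts the installed module store entry with `%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}` so that the module loaded in `%post` is tracked by rpm; if that applies to the `%selinux_modules_install` macro version targeted here, it is worth adding. `%check` is left empty, which is understandable for a policy module that cannot be loaded inside a buildroot, but a one-line comment such as `# policy cannot be loaded in the buildroot; verified at install time by %post` would tell the next reader it was not simply forgotten.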