Spec URL: https://raw.githubusercontent.com/martinezjavier/tpm2-abrmd-selinux/master/tpm2-abrmd-selinux.spec
SRPM URL: https://github.com/martinezjavier/tpm2-abrmd-selinux/raw/master/tpm2-abrmd-selinux-1.2.0-1.fc29.src.rpm
Koji build: https://koji.fedoraproject.org/koji/taskinfo?taskID=25390371
Description: The tpm2-abrmd (TPM2 access broker and Resource Manager) daemon is already included in Fedora. The latest 1.2.0 release contains some changes that make tpm2-abrmd require a SELinux module in order to be used with the Fedora system-wide SELinux policy. This package is needed so the tpm2-abrmd SELinux module can be shipped and the daemon package updated to the latest release.
Fedora Account System Username: javierm
Hi All,

I reviewed the SELinux security policy for tpm2-abrmd, and both the spec file and the policy look good to me; they reflect the IndependentPolicy guidelines.

Thanks,
Lukas.
Thanks Lukas, I'm not a SELinux specialist so I didn't take this package, I'll finish the review now.

- These are not needed as this is the default:

    %defattr(-,root,root,0755)
    %attr(0644,root,root)
    %attr(0644,root,root)

- The latest version of tpm2-abrmd is 1.3.1, please bump your package.

- The version in the header and the %changelog are mismatched:

    * Thu Mar 01 2018 Javier Martinez Canillas <javierm> - 0.0.1-1

  It should be 1.2.0-1 (or 1.3.1-1 when you update)
- Add the LICENSE file with %license in %install

- Own these directories:

[!]: Package must own all directories that it creates.
     Note: Directories without known owners:
     /usr/share/selinux/devel/include/contrib,
     /usr/share/selinux/devel/include, /usr/share/selinux/devel

- Use %make_build instead of make for parallel build (unless it fails the build)


Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
[ ] = Manual review needed


===== MUST items =====

Generic:
[x]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines.
[!]: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %license.
[x]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses found: "*No copyright* BSD (2 clause)", "BSD (2 clause)", "Unknown or generated". 30 files have unknown license. Detailed output of licensecheck in /home/bob/packaging/review/tpm2-abrmd-selinux/review-tpm2-abrmd-selinux/licensecheck.txt
[!]: Package must own all directories that it creates.
     Note: Directories without known owners:
     /usr/share/selinux/devel/include/contrib,
     /usr/share/selinux/devel/include, /usr/share/selinux/devel
[x]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[x]: Sources contain only permissible code or content.
[!]: Each %files section contains %defattr if rpm < 4.4
     Note: %defattr present but not needed
[-]: Package contains desktop file if it is a GUI application.
[-]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory names).
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and Provides are present.
[x]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Package is not known to require an ExcludeArch tag.
[x]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: Package requires other packages for directories it uses.
[x]: Package does not own files or directories owned by other packages.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Large documentation must go in a -doc subpackage. Large could be size (~1MB) or number of files.
     Note: Documentation size is 0 bytes in 0 files.
[x]: Packages must not store files under /srv, /opt or /usr/local


===== SHOULD items =====

Generic:
[!]: Uses parallel make %{?_smp_mflags} macro.
[-]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane (see attachments).
[?]: Package functions as described.
[!]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[-]: Description and summary sections in the package spec file contains translations for supported Non-English languages, if available.
[x]: Package should compile and build into binary rpms on all supported architectures.
[-]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed files.
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Sources can be downloaded from URI in Source: tag
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.


===== EXTRA items =====

Generic:
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: Spec file according to URL is the same as in SRPM.


Rpmlint
-------
Checking: tpm2-abrmd-selinux-1.3.1-1.fc29.noarch.rpm
          tpm2-abrmd-selinux-1.3.1-1.fc29.src.rpm
tpm2-abrmd-selinux.noarch: E: explicit-lib-dependency libselinux-utils
tpm2-abrmd-selinux.noarch: W: no-documentation
tpm2-abrmd-selinux.noarch: W: dangerous-command-in-%pre cp
tpm2-abrmd-selinux.noarch: W: dangerous-command-in-%posttrans rm
2 packages and 0 specfiles checked; 1 errors, 3 warnings.
tpm2-abrmd-1.2.0/selinux/tabrmd.te:

    allow tabrmd_t self:unix_dgram_socket { create_socket_perms };

redundant: provided by logging_send_syslog_msg(tabrmd_t)

https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/system/logging.te#L691

Questionable (can you reproduce this?):

    # This next bit doesn't belong here. It should be exposed through an
    # interface likely from the dbus policy module.
    gen_require(`
        type system_dbusd_t;
    ')
    allow system_dbusd_t tabrmd_t:unix_stream_socket { read write };

If you can reproduce this then it should be inside the below optional block (no need to require type system_dbusd_t):

    optional_policy(`
        dbus_system_domain(tabrmd_t, tabrmd_exec_t)
    ')

Your tabrmd.if file is useless (it's like a library providing interfaces required to interact with your domain).
tabrmd.fc:

arguably a bug in selinux-policy:

    /usr/local/sbin/tpm2-abrmd -- gen_context(system_u:object_r:tabrmd_exec_t,s0)

ideally an entry should be added to:

https://github.com/fedora-selinux/selinux-policy/blob/rawhide/config/file_contexts.subs_dist

    /usr/local/sbin /usr/sbin
https://raw.githubusercontent.com/martinezjavier/tpm2-abrmd-selinux/master/tpm2-abrmd-selinux.spec

Excuse me but I believe that this spec is wrong:

The tabrmd.if file should be installed optionally and separately as part of a tpm2-abrmd-selinux-devel rpm that requires the selinux-policy-devel package (which owns /etc/selinux/targeted/devel).

Look at these .if files as development headers.
(In reply to Robert-André Mauchin from comment #2)
> Thanks Lukas, I'm not a SELinux specialist so I didn't take this package,
> I'll finish the review now.
>

Thanks a lot for your review!

>
> - These are not needed as this is the default:
>
> %defattr(-,root,root,0755)
> %attr(0644,root,root)
> %attr(0644,root,root)
>

Ok.

>
> - The latest version of tpm2-abrmd is 1.3.1, please bump your package.
>

That version wasn't released yet when I proposed the package for review more than a month ago (my original plan was to get reviewed so I could have this and update the tpm2-abrmd package to 1.3.0).

> - The version in the header and the %changelog are mismatched:
>
> * Thu Mar 01 2018 Javier Martinez Canillas <javierm> - 0.0.1-1
>
> It should be 1.2.0-1 (or 1.3.1-1 when you update)

Right, I thought that other packages were using their selinux_policyver in the %changelog but probably just got confused. I'll use the Version-Release instead.
(In reply to Robert-André Mauchin from comment #3)
> - Add the LICENSE file with %license in %install
>
> - Own these directories:
>
> [!]: Package must own all directories that it creates.
>      Note: Directories without known owners:
>      /usr/share/selinux/devel/include/contrib,
>      /usr/share/selinux/devel/include, /usr/share/selinux/devel
>
> - Use %make_build instead of make for parallel build (unless it fails the
> build)
>
>
> Package Review
> ==============

I'll fix all these and upload a new version. Thanks!
(In reply to dac.override from comment #4)
> tpm2-abrmd-1.2.0/selinux/tabrmd.te:
>
> allow tabrmd_t self:unix_dgram_socket { create_socket_perms };
>
> redundant: provided by logging_send_syslog_msg(tabrmd_t)
>
> https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/system/logging.te#L691
>
> Questionable (can you reproduce this?):
>
> # This next bit doesn't belong here. It should be exposed through an
> # interface likely from the dbus policy module.
> gen_require(`
>     type system_dbusd_t;
> ')
> allow system_dbusd_t tabrmd_t:unix_stream_socket { read write };
>
> If you can reproduce this then it should be inside the below optional block
> (no need to require type system_dbusd_t):
>
> optional_policy(`
>     dbus_system_domain(tabrmd_t, tabrmd_exec_t)
> ')
>

Can you please take a look at the latest version of the policy module? Lukas already fixed tpm2-abrmd upstream:

https://github.com/tpm2-software/tpm2-abrmd/blob/1.x/selinux/tabrmd.te

> Your tabrmd.if file is useless (it's like a library providing interfaces
> required to interact with your domain).

Do you mean that it can just be removed? Sorry for the silly question but I'm not that familiar with SELinux.
redundant:
https://github.com/tpm2-software/tpm2-abrmd/blob/1.x/selinux/tabrmd.te#L12

No, I mean that you should probably populate that file with at least a minimal set of interfaces to interface with your domain.

Also, that .if file should ideally be installed with a separate header devel-rpm that relies on the selinux-policy-devel rpm.

This is a "header file" or a "devel" file.
redundant:
https://github.com/tpm2-software/tpm2-abrmd/blob/1.x/selinux/tabrmd.te#L18

The system_dbusd_t type is already enclosed with "dbus_system_domain()", no need to "import" it again with "dbus_stub()".
(In reply to dac.override from comment #10)
> redundant:
> https://github.com/tpm2-software/tpm2-abrmd/blob/1.x/selinux/tabrmd.te#L12
>
> No, I mean that you should probably populate that file with at least a
> minimal set of interfaces to interface with your domain.
>
> Also, that .if file should ideally be installed with a separate header
> devel-rpm that relies on the selinux-policy-devel rpm.
>
> This is a "header file" or a "devel" file.

Got it, I saw your other comment mentioned that too. I'll take care of all these when doing a re-spin of the package.

Thanks a lot for your review!
Also, this should be investigated/reproduced:

https://github.com/tpm2-software/tpm2-abrmd/blob/1.x/selinux/tabrmd.te#L20

It's definitely not "rw_stream_socket_perms"; if anything it is "unix_stream_socket { read write }", but even that should be clarified.
(In reply to dac.override from comment #13)
> Also, this should be investigated/reproduced:
>
> https://github.com/tpm2-software/tpm2-abrmd/blob/1.x/selinux/tabrmd.te#L20
>
> It's definitely not "rw_stream_socket_perms"; if anything it is
> "unix_stream_socket { read write }", but even that should be clarified.

Ah, I see. rw_stream_socket_perms is actually much more than just read and write, judging by its definition in selinux-policy. I think you are correct and unix_stream_socket { read write } should be enough.

What do you mean by clarified? That's the reason why we need this policy in the first place, it's needed after the following tpm2-abrmd commit:

https://github.com/tpm2-software/tpm2-abrmd/commit/51a3c55d772b
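To make the gap between the two rule forms concrete, here is an added example (not part of the thread or of the tpm2-abrmd policy) that expands refpolicy permission-set macros in allow rules and lists what a rule grants beyond what was found to be needed. The macro definitions are reproduced from refpolicy's obj_perm_sets.spt as an assumption to verify against the installed selinux-policy, and the rule using rw_stream_socket_perms is constructed from the description in the comments.

```python
import re

# Socket permission sets as defined in refpolicy's
# policy/support/obj_perm_sets.spt (assumption: verify against the
# selinux-policy version you build with).
PERM_SETS = {
    "rw_socket_perms": "ioctl read getattr write setattr append bind "
                       "connect getopt setopt shutdown",
    "create_socket_perms": "create rw_socket_perms",
    "rw_stream_socket_perms": "rw_socket_perms listen accept",
    "create_stream_socket_perms": "create_socket_perms listen accept",
}

ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+):(?P<cls>\S+)\s+(?P<perms>[^;]+);"
)


def expand(perms):
    """Flatten a permission expression, expanding known set macros recursively."""
    out = set()
    for tok in perms.replace("{", " ").replace("}", " ").split():
        if tok in PERM_SETS:
            out |= expand(PERM_SETS[tok])
        else:
            out.add(tok)
    return out


def parse_allow(line):
    """Return ((source, target, class), granted_perms) or None for non-allow lines."""
    m = ALLOW_RE.match(line)
    if not m:
        return None
    return (m["src"], m["tgt"], m["cls"]), expand(m["perms"])


def audit(policy_text, needed):
    """Map each rule key in `needed` to the sorted permissions granted in excess."""
    findings = {}
    for line in policy_text.splitlines():
        parsed = parse_allow(line.split("#", 1)[0])  # ignore policy comments
        if parsed is None:
            continue
        key, granted = parsed
        extra = granted - needed.get(key, granted)
        if extra:
            findings[key] = sorted(extra)
    return findings


# Constructed sample: the broad form described in the thread and the
# narrow form proposed in its place.
BROAD_RULE = "allow system_dbusd_t tabrmd_t:unix_stream_socket rw_stream_socket_perms;"
NARROW_RULE = "allow system_dbusd_t tabrmd_t:unix_stream_socket { read write };"
NEEDED = {("system_dbusd_t", "tabrmd_t", "unix_stream_socket"): {"read", "write"}}

if __name__ == "__main__":
    for rule in (BROAD_RULE, NARROW_RULE):
        print(rule)
        print("  excess:", audit(rule, NEEDED) or "none")
```

With these definitions the macro form grants eleven permissions beyond read and write, including listen, accept, bind and connect on the daemon's socket.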
It should be clarified because it is questionable.

If a "system_dbusd_domain" would need this permission then the permission would have been enclosed with "system_dbusd_domain()".

Looking at https://github.com/tpm2-software/tpm2-abrmd/commit/51a3c55d772b it seems that this file descriptor gets passed to dbusd.

So at least now that part is explained.

Ideally the dbusd.if header would have exported a "dbus_rw_inherited_system_unix_stream_sockets()" interface for you to call, but there is none, so just change line:

https://github.com/tpm2-software/tpm2-abrmd/blob/1.x/selinux/tabrmd.te#L20

to look like:

    allow system_dbusd_t tabrmd_t:unix_stream_socket { read write};

Optionally add a comment:

    # TODO: add to dbus.if: dbus_rw_inherited_system_unix_stream_sockets() and call that instead
(In reply to dac.override from comment #15)
> It should be clarified because it is questionable.
>
> If a "system_dbusd_domain" would need this permission then the permission
> would have been enclosed with "system_dbusd_domain()".
>
> Looking at
> https://github.com/tpm2-software/tpm2-abrmd/commit/51a3c55d772b
> it seems that this file descriptor gets passed to dbusd.
>
> So at least now that part is explained.
>
> Ideally the dbusd.if header would have exported a
> "dbus_rw_inherited_system_unix_stream_sockets()" interface for you to call,
> but there is none, so just change line:
>
> https://github.com/tpm2-software/tpm2-abrmd/blob/1.x/selinux/tabrmd.te#L20
>
> to look like:
>
> allow system_dbusd_t tabrmd_t:unix_stream_socket { read write};
>
> Optionally add a comment: # TODO: add to dbus.if:
> dbus_rw_inherited_system_unix_stream_sockets() and call that instead

I will, thanks again!
Oops, I am wrong.

You should add a tabrmd_rw_inherited_unix_stream_sockets() interface to tabrmd.if and then call that in dbus.if instead....

    ########################################
    ## <summary>
    ##     Use and inherit system tabrmd file descriptors.
    ## </summary>
    ## <param name="domain">
    ##     <summary>
    ##     Domain allowed access.
    ##     </summary>
    ## </param>
    #
    interface(`tabrmd_use_fds',`
        gen_require(`
            type tabrmd_t;
        ')

        allow $1 tabrmd_t:fd use;
    ')

    ########################################
    ## <summary>
    ##     Read and write inherited tabrmd DBUS unix stream sockets.
    ## </summary>
    ## <param name="domain">
    ##     <summary>
    ##     Domain allowed access.
    ##     </summary>
    ## </param>
    #
    interface(`tabrmd_rw_inherited_unix_stream_sockets',`
        gen_require(`
            type tabrmd_t;
        ')

        tabrmd_use_fds($1)
        allow $1 tabrmd_t:unix_stream_socket { read write };
    ')
In other words, this also demonstrates how the "selinux-policy modularization" effort lacks.

Even now you have to ideally add changes to selinux-policy (dbus.te and file_contexts.subs_dist) to get it nice and tidy.
Typos:

    ########################################
    ## <summary>
    ##     Use and inherit tabrmd file descriptors.
    ## </summary>
    ## <param name="domain">
    ##     <summary>
    ##     Domain allowed access.
    ##     </summary>
    ## </param>
    #
    interface(`tabrmd_use_fds',`
        gen_require(`
            type tabrmd_t;
        ')

        allow $1 tabrmd_t:fd use;
    ')

    ########################################
    ## <summary>
    ##     Read and write inherited tabrmd unix stream sockets.
    ## </summary>
    ## <param name="domain">
    ##     <summary>
    ##     Domain allowed access.
    ##     </summary>
    ## </param>
    #
    interface(`tabrmd_rw_inherited_unix_stream_sockets',`
        gen_require(`
            type tabrmd_t;
        ')

        tabrmd_use_fds($1)
        allow $1 tabrmd_t:unix_stream_socket { read write };
    ')
So basically you export "tabrmd_rw_inherited_unix_stream_sockets()" in tabrmd.if and then you call "optional_policy(` tabrmd_rw_inherited_unix_stream_sockets(dbusd_system_t) ')" in dbus.te
(In reply to dac.override from comment #20)
> So basically you export "tabrmd_rw_inherited_unix_stream_sockets()" in
> tabrmd.if and then you call "optional_policy(`
> tabrmd_rw_inherited_unix_stream_sockets(dbusd_system_t) ')" in dbus.te

I see, so then tpm2-abrmd-selinux will have to depend on a version of selinux-policy-contrib that contains the dbus.te changes, right?

I would also like Lukas's opinion about this before doing the proposed change.
Yes. This is not going to work.
Indeed, when the dbus module gets compiled it will be looking for the tabrmd_rw_inherited_unix_stream_sockets() interface that you export in tabrmd.if. If it is not there at build-time then it will just not include the rule.
In other words, you might get into a chicken and egg situation here.
Basically the way I see it is that this modularization effort requires that the headers are always installed if policy is installed. That then means that the various policy-devel packages need to always be installed.
(In reply to dac.override from comment #25)
> Basically the way I see it is that this modularization effort requires that
> the headers are always installed if policy is installed. That then means
> that the various policy-devel packages need to always be installed.

Right, and then selinux-policy would need a BuildRequires dependency on tpm2-abrmd-selinux-devel (and all the -devel packages exporting interfaces).

But then it won't be an independent SELinux policy module anymore as explained in the IndependentPolicy guideline...

So I think that we have these options:

a) Do as you propose and make selinux-policy-contrib BuildRequire tpm2-abrmd-selinux-devel

b) Not having a tpm2-abrmd-selinux package and instead add the tpm2-abrmd AV rules to selinux-policy-contrib.

c) Just have "allow system_dbusd_t tabrmd_t:unix_stream_socket { read write }" in optional_policy as you first suggested.
Exactly.

a. Is in theory the most sane solution, I believe.
b. Is probably the most practical solution but that basically ignores modularization.
c. Would be a short-term solution but is eventually probably a dead-end and sets a bad precedent.

You see, processes interact and operate. The purpose of the interfaces is to keep policy maintainable. If you start ignoring the interfaces, that introduces inconsistencies and eventually part of the policy becomes hard to maintain.
The CIL policy language would be a solution to this particular challenge.

With the CIL language the interfaces are part of the modules. That means that there are no header packages. The interfaces are always available in the module store.

CIL provides other benefits for this modularity scenario. The thing is that CIL is meant to be an intermediate layer, and there currently is no higher level language that leverages CIL.
Got it. Thanks a lot for your explanations. I think I'll probably go with (b) then. I like the idea of having independent modules for SELinux policies but now I understand that policies for the different components are more coupled than I thought.

I would like to go with (a), but my SELinux knowledge is close to non-existent so I'm by no means qualified to set a precedent on this. I'm really just interested in updating tpm2-abrmd to the latest release to be honest.
Yes, it would have been less painful if your process did not pass fds to dbus. That is really something I dislike about dbus. I think I like varlink a lot in that regard. Nevertheless, I agree that currently b is probably the best way to go.
So I finally found some time to work on this, as agreed I went with (b). Following is the pull request for Fedora selinux-policy-contrib repo. Please let me know if I got something wrong: https://github.com/fedora-selinux/selinux-policy-contrib/pull/57
I've addressed all the issues pointed out in the previous comments about the package. The new version is at:

Spec URL: https://raw.githubusercontent.com/martinezjavier/tpm2-abrmd-selinux/master/tpm2-abrmd-selinux.spec
SRPM URL: https://raw.githubusercontent.com/martinezjavier/tpm2-abrmd-selinux/master/tpm2-abrmd-selinux-1.3.1-1.fc29.src.rpm
Koji build: http://koji.fedoraproject.org/koji/taskinfo?taskID=27617918
Good for me, package approved.
(fedscm-admin): The Pagure repository was created at https://src.fedoraproject.org/rpms/tpm2-abrmd-selinux
This packaging causes issues:

# dnf install tpm2-abrmd
Last metadata expiration check: 0:21:33 ago on Tue 10 Jul 2018 07:31:51 AM CEST.
Dependencies resolved.
================================================================================
 Package                        Arch     Version           Repository     Size
================================================================================
Installing:
 tpm2-abrmd                     x86_64   2.0.0-1.fc29      rawhide       101 k
Installing dependencies:
 checkpolicy                    x86_64   2.8-1.fc29        rawhide       336 k
 policycoreutils-python-utils   noarch   2.8-4.fc29        rawhide        64 k
 python3-IPy                    noarch   0.81-22.fc29      rawhide        42 k
 python3-audit                  x86_64   2.8.4-3.fc29      rawhide        80 k
 python3-libsemanage            x86_64   2.8-2.fc29        rawhide       125 k
 python3-policycoreutils        noarch   2.8-4.fc29        rawhide       1.7 M
 selinux-policy                 noarch   3.14.2-26.fc29    rawhide       114 k
 selinux-policy-minimum         noarch   3.14.2-26.fc29    rawhide        12 M
 tpm2-abrmd-selinux             noarch   2.0.0-1.fc29      rawhide        19 k
 tpm2-tss                       x86_64   2.0.0-2.fc29      rawhide       258 k

Transaction Summary
================================================================================
Install  11 Packages

Total download size: 15 M
Installed size: 39 M
Is this ok [y/N]: n
(In reply to dac.override from comment #35)
> This packaging causes issues:
>
> # dnf install tpm2-abrmd
> Last metadata expiration check: 0:21:33 ago on Tue 10 Jul 2018 07:31:51 AM
> CEST.
> Dependencies resolved.

Hi Dac, what are the issues from your comment? I just installed and tried this package on Fedora rawhide, seems it's working fine:

[yunyings@NUC7i5DNH ~]$ cat /etc/fedora-release
Fedora release 29 (Rawhide)
[yunyings@NUC7i5DNH ~]$ uname -r
4.18.0-0.rc4.git0.1.fc29.x86_64
[yunyings@NUC7i5DNH ~]$
[yunyings@NUC7i5DNH ~]$ dnf list --installed | grep -i tpm
tpm2-abrmd.x86_64            2.0.0-1.fc29    @rawhide
tpm2-abrmd-selinux.noarch    2.0.0-1.fc29    @rawhide
tpm2-tools.x86_64            3.1.0-1.fc29    @rawhide
tpm2-tss.x86_64              2.0.0-2.fc29    @rawhide
[yunyings@NUC7i5DNH ~]$
[yunyings@NUC7i5DNH ~]$ sudo tpm2-abrmd --allow-root
[yunyings@NUC7i5DNH ~]$
[yunyings@NUC7i5DNH ~]$ ps -A | grep -i tpm
 2309 ?        00:00:00 tpm2-abrmd
[yunyings@NUC7i5DNH ~]$
[yunyings@NUC7i5DNH ~]$ tpm2_pcrlist
The number of hard dependencies is a bit excessive in my view. Clever use (or better said, lack of use) of rpm macros should allow one to drop the dependency on policycoreutils-python-utils, and should the dependency on tpm2-abrmd-selinux not be a Recommends instead?
Package imported, closing ticket.