RHEL 9.0.0 ERRATUM

- rebase to 1.1 Resolves: rhbz#2032408 - introduce rules.d Resolves: rhbz#2054740 - remove pretrans scriptlet Resolves: rhbz#2051481
2022-02-16 12:00:24 +01:00 · 2022-02-16 12:00:24 +01:00 · 04a7a9e4fd
commit 04a7a9e4fd
parent f8d6e274ed
8 changed files with 58 additions and 591 deletions
--- a/.gitignore
+++ b/.gitignore
@ -18,3 +18,4 @@
 /uthash-2.3.0.tar.gz
 /fapolicyd-1.0.3.tar.gz
 /fapolicyd-1.0.4.tar.gz
 /fapolicyd-1.1.tar.gz
--- a/fapolicyd-detect-sharedlib.patch
+++ b/fapolicyd-detect-sharedlib.patch
@ -1,11 +0,0 @@
 diff --color -ru a/src/library/file.c b/src/library/file.c
 --- a/src/library/file.c	2021-11-12 20:21:54.000000000 +0100
 +++ b/src/library/file.c	2021-12-15 12:40:05.088564218 +0100
@@ -295,6 +295,7 @@
 			if (!strncmp(p, "64", 2))
 				p += 2;
 			if (!strncmp(p, "/libc-2", 7) ||
 +				!strncmp(p, "/libc.so", 8) ||
 				!strncmp(p, "/libpthread-2", 13))
 				ptr = "application/x-sharedlib";
 		}
--- a/fapolicyd-do-manage-files.patch
+++ b/fapolicyd-do-manage-files.patch
@ -1,190 +0,0 @@
 From 95ec2f9577abe98a73d8dcb9112043aa743fa7ad Mon Sep 17 00:00:00 2001
 From: Zoltan Fridrich <zfridric@redhat.com>
 Date: Fri, 19 Nov 2021 18:15:33 +0100
 Subject: [PATCH] cli do_manage_file function refactoring and fix
 ---
 src/cli/fapolicyd-cli.c | 159 ++++++++++++++++++++++------------------
 1 file changed, 89 insertions(+), 70 deletions(-)
 diff --git a/src/cli/fapolicyd-cli.c b/src/cli/fapolicyd-cli.c
 index ee5d5bd..30b92be 100644
 --- a/src/cli/fapolicyd-cli.c
 +++ b/src/cli/fapolicyd-cli.c
@@ -207,87 +207,106 @@ static int do_dump_db(void)
 	return rc;
 }
 -
 -/*
 - * This function always requires at least one option, the command. We can
 - * guarantee that argv[2] is the command because getopt_long would have
 - * printed an error otherwise. argv[3] would be an optional parameter based
 - * on which command is being run. If argv[4] == "--trust-file" then argv[5]
 - * specifies a trust file to operate on.
 - *
 - * The function returns 0 on success and 1 on failure
 - */
 -static int do_manage_files(int argc, char * const argv[])
 +static int do_file_add(int argc, char * const argv[])
 {
 -	int rc = 0;
 +	char full_path[PATH_MAX] = { 0 };
 -	if (argc > 0) {
 -		if ( (strcmp("add", argv[0]) != 0)
 -			 && (strcmp("delete", argv[0]) != 0)
 -			 && (strcmp("update", argv[0]) != 0) ) {
 -			fprintf(stderr, "%s is not valid option, choose from add|delete|update\n", argv[0]);
 -			goto args_err;
 -		}
 +	if (argc == 1) {
 +		if (!realpath(argv[0], full_path))
 +			return 3;
 +		return file_append(full_path, NULL);
 	}
 +	if (argc == 3) {
 +		if (!realpath(argv[0], full_path))
 +			return 3;
 +		if (strcmp("--trust-file", argv[1]))
 +			return 2;
 +		return file_append(full_path, argv[2]);
 +	}
 +	return 2;
 +}
 -	if (argc < 2)
 -		goto args_err;
 -
 -	char full_path[PATH_MAX] = {0};
 +static int do_file_delete(int argc, char * const argv[])
 +{
 +	char full_path[PATH_MAX] = { 0 };
 -	if (realpath(argv[1], full_path) == NULL) {
 -		fprintf(stderr, "Cannot get realpath from: %s\n", argv[1]);
 -		perror("realpath");
 -		goto args_err;
 +	if (argc == 1) {
 +		if (!realpath(argv[0], full_path))
 +			return 3;
 +		return file_delete(full_path, NULL);
 	}
 +	if (argc == 3) {
 +		if (!realpath(argv[0], full_path))
 +			return 3;
 +		if (strcmp("--trust-file", argv[1]))
 +			return 2;
 +		return file_delete(full_path, argv[2]);
 +	}
 +	return 2;
 +}
 -	if (strcmp("add", argv[0]) == 0) {
 -		switch (argc) {
 -		case 2:
 -			rc = file_append(full_path, NULL);
 -			break;
 -		case 4:
 -			if (strcmp("--trust-file", argv[2]))
 -				goto args_err;
 -			rc = file_append(full_path, argv[3]);
 -			break;
 -		default:
 -			goto args_err;
 -		}
 -	} else if (strcmp("delete", argv[0]) == 0) {
 -		switch (argc) {
 -		case 2:
 -			rc = file_delete(full_path, NULL);
 -			break;
 -		case 4:
 -			if (strcmp("--trust-file", argv[2]))
 -				goto args_err;
 -			rc = file_delete(full_path, argv[3]);
 -			break;
 -		default:
 -			goto args_err;
 -		}
 -	} else if (strcmp("update", argv[0]) == 0) {
 -		switch (argc) {
 -		case 2:
 -			rc = file_update(full_path, NULL);
 -			break;
 -		case 4:
 -			if (strcmp("--trust-file", argv[2]))
 -				goto args_err;
 -			rc = file_update(full_path, argv[3]);
 -			break;
 -		default:
 -			goto args_err;
 -		}
 +static int do_file_update(int argc, char * const argv[])
 +{
 +	char full_path[PATH_MAX] = { 0 };
 +
 +	if (argc == 0)
 +		return file_update("/", NULL);
 +	if (argc == 1) {
 +		if (!realpath(argv[0], full_path))
 +			return 3;
 +		return file_update(full_path, NULL);
 +	}
 +	if (argc == 2) {
 +		if (strcmp("--trust-file", argv[0]))
 +			return 2;
 +		return file_update("/", argv[1]);
 +	}
 +	if (argc == 3) {
 +		if (!realpath(argv[0], full_path))
 +			return 3;
 +		if (strcmp("--trust-file", argv[1]))
 +			return 2;
 +		return file_update(full_path, argv[2]);
 	}
 +	return 2;
 +}
 -	return rc ? 1 : 0;
 +static int do_manage_files(int argc, char * const argv[])
 +{
 +	int rc = 0;
 -args_err:
 -	fprintf(stderr, "Wrong number of arguments\n\n");
 -	fprintf(stderr, "%s", usage);
 +	if (argc < 1 || argc > 4) {
 +		fprintf(stderr, "Wrong number of arguments\n");
 +		fprintf(stderr, "\n%s", usage);
 +		return 1;
 +	}
 +
 +	if (!strcmp("add", argv[0]))
 +		rc = do_file_add(argc - 1, argv + 1);
 +	else if (!strcmp("delete", argv[0]))
 +		rc = do_file_delete(argc - 1, argv + 1);
 +	else if (!strcmp("update", argv[0]))
 +		rc = do_file_update(argc - 1, argv + 1);
 +	else {
 +		fprintf(stderr, "%s is not a valid option, choose one of add|delete|update\n", argv[0]);
 +		fprintf(stderr, "\n%s", usage);
 +		return 1;
 +	}
 +	switch (rc) {
 +	case 0: // no error
 +		return 0;
 +	case 2: // args error
 +		fprintf(stderr, "Wrong number of arguments\n");
 +		fprintf(stderr, "\n%s", usage);
 +		break;
 +	case 3: // realpath error
 +		fprintf(stderr, "Can't obtain realpath from: %s\n", argv[1]);
 +		fprintf(stderr, "\n%s", usage);
 +		break;
 +	default: // file function errors
 +		break;
 +	}
 	return 1;
 }
--- a/fapolicyd-documentation.patch
+++ b/fapolicyd-documentation.patch
@ -1,16 +0,0 @@
 diff --color -ru a/doc/fapolicyd.trust.5 b/doc/fapolicyd.trust.5
 --- a/doc/fapolicyd.trust.5	2021-11-12 20:21:54.000000000 +0100
 +++ b/doc/fapolicyd.trust.5	2021-12-07 13:28:18.358213561 +0100
@@ -7,6 +7,12 @@
 contains list of trusted files/binaries for the application whitelisting daemon. You may add comments to the file by starting the line with a '#' character.
 Each line has to contain three columns and space is a valid separator. The first column contains full path to the file, the second is size of the file in bytes
 and the third is valid sha256 hash.
 +.sp
 +The directory \fI/etc/fapolicyd/trust\&.d\fR can be used to store multiple trust files\&.
 +This way a privileged user can split the trust database into multiple files and manage them separately through \fBfapolicyd\-cli\fR\&.
 +Functionally, the fapolicy daemon will behave the same way as if the whole trust database has been defined inside \fBfapolicyd\&.trust\fR file\&.
 +Syntax and semantics of trust files inside \fBtrust\&.d\fR directory are the same as for \fBfapolicyd\&.trust\fR file (described above)\&.
 +Trust files can either be created manually inside \fBtrust\&.d\fR directory or via \fBfapolicyd\-cli\fR\& (the latter option is recommended).
 .SH EXAMPLE
 .PP
--- a/fapolicyd-fix-escaping.patch
+++ b/fapolicyd-fix-escaping.patch
@ -1,209 +0,0 @@
 diff --color -ru a/init/fapolicyd.trust b/init/fapolicyd.trust
 --- a/init/fapolicyd.trust	2021-11-12 20:21:54.000000000 +0100
 +++ b/init/fapolicyd.trust	2021-12-08 13:25:43.441187113 +0100
@@ -1,3 +1,4 @@
 +# AUTOGENERATED FILE VERSION 2
 # This file contains a list of trusted files
 #
 #  FULL PATH        SIZE                             SHA256
 diff --color -ru a/src/cli/file-cli.c b/src/cli/file-cli.c
 --- a/src/cli/file-cli.c	2021-11-12 20:21:54.000000000 +0100
 +++ b/src/cli/file-cli.c	2021-12-08 13:25:43.441187113 +0100
@@ -89,9 +89,6 @@
 	return 0;
 }
 -
 -
 -
 int file_append(const char *path, const char *fname)
 {
 	set_message_mode(MSG_STDERR, DBG_NO);
@@ -110,11 +107,14 @@
 	char *dest = fname ? fapolicyd_strcat(TRUST_DIR_PATH, fname) :
 							TRUST_FILE_PATH;
 +
 	int rc = trust_file_append(dest, &add_list);
 +	list_empty(&add_list);
 +
 	if (fname)
 		free(dest);
 -	list_empty(&add_list);
 +
 	return rc ? -1 : 0;
 }
 diff --color -ru a/src/library/trust-file.c b/src/library/trust-file.c
 --- a/src/library/trust-file.c	2021-11-12 20:21:54.000000000 +0100
 +++ b/src/library/trust-file.c	2021-12-08 15:42:15.787206923 +0100
@@ -51,6 +51,7 @@
 #define FTW_NOPENFD 1024
 #define FTW_FLAGS (FTW_ACTIONRETVAL | FTW_PHYS)
 +#define HEADER0 "# AUTOGENERATED FILE VERSION 2\n"
 #define HEADER1 "# This file contains a list of trusted files\n"
 #define HEADER2 "#\n"
 #define HEADER3 "#  FULL PATH        SIZE                             SHA256\n"
@@ -137,12 +138,19 @@
 		return 1;
 	}
 -	size_t hlen = strlen(HEADER1);
 +	size_t hlen;
 +	hlen = strlen(HEADER0);
 +	fwrite(HEADER0, hlen, 1, f);
 +
 +	hlen = strlen(HEADER1);
 	fwrite(HEADER1, hlen, 1, f);
 +
 	hlen = strlen(HEADER2);
 	fwrite(HEADER2, hlen, 1, f);
 +
 	hlen = strlen(HEADER3);
 	fwrite(HEADER3, hlen, 1, f);
 +
 	hlen = strlen(HEADER4);
 	fwrite(HEADER4, hlen, 1, f);
@@ -163,50 +171,49 @@
 	return 0;
 }
 -
 -
 -int trust_file_append(const char *fpath, const list_t *list) {
 -	int fd = open(fpath, O_CREAT | O_WRONLY | O_APPEND, 0600);
 -	if (fd == -1) {
 -		msg(LOG_ERR, "Cannot open %s", fpath);
 +int trust_file_append(const char *fpath, list_t *list)
 +{
 +	list_t content;
 +	list_init(&content);
 +	int rc = trust_file_load(fpath, &content);
 +	if (rc)
 		return 1;
 -	}
 	for (list_item_t *lptr = list->first; lptr; lptr = lptr->next) {
 -		int count = 1;
 -		char *line = make_path_string(lptr->index, &count);
 -		if (!line)
 -			continue;
 -
 -		if (write(fd, line, count) == -1) {
 -			msg(LOG_ERR, "failed writing to %s\n", fpath);
 -			free(line);
 -			close(fd);
 -			return 2;
 -		}
 -		free(line);
 +		int i = 0;
 +		lptr->data = make_path_string(lptr->index, &i);
 	}
 -	close(fd);
 -	return 0;
 +	list_merge(&content, list);
 +	write_out_list(&content, fpath);
 +	list_empty(&content);
 +	return rc ? 1 : 0;
 }
 int trust_file_load(const char *fpath, list_t *list)
 {
 +	char buffer[BUFFER_SIZE];
 +	int escaped = 0;
 +	long line = 0;
 +
 	FILE *file = fopen(fpath, "r");
 	if (!file) {
 		msg(LOG_ERR, "Cannot open %s", fpath);
 		return 1;
 	}
 -	char buffer[BUFFER_SIZE];
 	while (fgets(buffer, BUFFER_SIZE, file)) {
 -		char name[4097], sha[65], *index, *data;
 +		char name[4097], sha[65], *index = NULL, *data = NULL;
 		unsigned long sz;
 		unsigned int tsource = SRC_FILE_DB;
 -		if (iscntrl(buffer[0]) || buffer[0] == '#')
 +		line++;
 +
 +		if (iscntrl(buffer[0]) || buffer[0] == '#') {
 +			if (line == 1 && strncmp(buffer, HEADER0, strlen(HEADER0)) == 0)
 +				escaped = 1;
 			continue;
 +		}
 		if (sscanf(buffer, FILE_READ_FORMAT, name, &sz, sha) != 3) {
 			msg(LOG_WARNING, "Can't parse %s", buffer);
@@ -217,7 +224,7 @@
 		if (asprintf(&data, DATA_FORMAT, tsource, sz, sha) == -1)
 			data = NULL;
 -		index = unescape(name);
 +		index = escaped ? unescape(name) : strdup(name);
 		if (index == NULL) {
 			msg(LOG_ERR, "Could not unescape %s from %s", name, fpath);
 			free(data);
@@ -311,33 +318,22 @@
 int trust_file_rm_duplicates(const char *fpath, list_t *list)
 {
 -	FILE *file = fopen(fpath, "r");
 -	if (!file) {
 -		msg(LOG_ERR, "Cannot open %s", fpath);
 -		return 1;
 -	}
 -
 -	char buffer[BUFFER_SIZE];
 -	while (fgets(buffer, BUFFER_SIZE, file)) {
 -		char thash[65], tpath[4097];
 -		long unsigned size;
 +	list_t trust_file;
 +	list_init(&trust_file);
 -		if (iscntrl(buffer[0]) || buffer[0] == '#')
 -			continue;
 +	int rc = trust_file_load(fpath, &trust_file);
 +	if (rc)
 +		goto cleanup;
 -		if (sscanf(buffer, FILE_READ_FORMAT, tpath, &size, thash) != 3) {
 -			msg(LOG_WARNING, "Can't parse %s", buffer);
 -			fclose(file);
 -			return 2;
 -		}
 -
 -		list_remove(list, tpath);
 +	for (list_item_t *lptr = trust_file.first; lptr; lptr = lptr->next) {
 +		list_remove(list, lptr->index);
 		if (list->count == 0)
 			break;
 	}
 -	fclose(file);
 -	return 0;
 +cleanup:
 +	list_empty(&trust_file);
 +	return rc;
 }
 diff --color -ru a/src/library/trust-file.h b/src/library/trust-file.h
 --- a/src/library/trust-file.h	2021-11-12 20:21:54.000000000 +0100
 +++ b/src/library/trust-file.h	2021-12-08 13:25:43.441187113 +0100
@@ -30,8 +30,7 @@
 #define TRUST_FILE_PATH "/etc/fapolicyd/fapolicyd.trust"
 #define TRUST_DIR_PATH "/etc/fapolicyd/trust.d/"
 -int trust_file_append(const char *fpath, const list_t *list);
 -
 +int trust_file_append(const char *fpath, list_t *list);
 int trust_file_load(const char *fpath, list_t *list);
 int trust_file_update_path(const char *fpath, const char *path);
 int trust_file_delete_path(const char *fpath, const char *path);
--- a/fapolicyd-trust-file-append.patch
+++ b/fapolicyd-trust-file-append.patch
@ -1,117 +0,0 @@
 diff --color -ru a/src/library/trust-file.c b/src/library/trust-file.c
 --- a/src/library/trust-file.c	2021-12-13 09:37:56.633741747 +0100
 +++ b/src/library/trust-file.c	2021-12-13 13:44:13.689151921 +0100
@@ -176,8 +176,11 @@
 	list_t content;
 	list_init(&content);
 	int rc = trust_file_load(fpath, &content);
 -	if (rc)
 +	// if trust file does not exist, we ignore it as it will be created while writing
 +	if (rc == 2) {
 +		// exit on parse error, we dont want invalid entries to be removed
 		return 1;
 +	}
 	for (list_item_t *lptr = list->first; lptr; lptr = lptr->next) {
 		int i = 0;
@@ -187,9 +190,16 @@
 	list_merge(&content, list);
 	write_out_list(&content, fpath);
 	list_empty(&content);
 -	return rc ? 1 : 0;
 +	return 0;
 }
 +/**
 + * @brief Load trust file into list
 + *
 + * @param fpath Full path to trust file
 + * @param list Trust file will be loaded into this list
 + * @return 0 on success, 1 if file can't be open, 2 on parsing error
 + */
 int trust_file_load(const char *fpath, list_t *list)
 {
 	char buffer[BUFFER_SIZE];
@@ -197,10 +207,8 @@
 	long line = 0;
 	FILE *file = fopen(fpath, "r");
 -	if (!file) {
 -		msg(LOG_ERR, "Cannot open %s", fpath);
 +	if (!file)
 		return 1;
 -	}
 	while (fgets(buffer, BUFFER_SIZE, file)) {
 		char name[4097], sha[65], *index = NULL, *data = NULL;
@@ -257,7 +265,17 @@
 {
 	list_t list;
 	list_init(&list);
 -	trust_file_load(fpath, &list);
 +	int rc = trust_file_load(fpath, &list);
 +	switch (rc) {
 +	case 1:
 +		msg(LOG_ERR, "Cannot open %s", fpath);
 +		return 0;
 +	case 2:
 +		list_empty(&list);
 +		return -1;
 +	default:
 +		break;
 +	}
 	int count = 0;
 	size_t path_len = strlen(path);
@@ -295,7 +313,17 @@
 {
 	list_t list;
 	list_init(&list);
 -	trust_file_load(fpath, &list);
 +	int rc = trust_file_load(fpath, &list);
 +	switch (rc) {
 +	case 1:
 +		msg(LOG_ERR, "Cannot open %s", fpath);
 +		return 0;
 +	case 2:
 +		list_empty(&list);
 +		return -1;
 +	default:
 +		break;
 +	}
 	int count = 0;
 	size_t path_len = strlen(path);
@@ -320,20 +348,26 @@
 {
 	list_t trust_file;
 	list_init(&trust_file);
 -
 	int rc = trust_file_load(fpath, &trust_file);
 -	if (rc)
 -		goto cleanup;
 -
 +	switch (rc) {
 +	case 1:
 +		msg(LOG_ERR, "Cannot open %s", fpath);
 +		return -1;
 +	case 2:
 +		list_empty(&trust_file);
 +		return -1;
 +	default:
 +		break;
 +	}
 +	
 	for (list_item_t *lptr = trust_file.first; lptr; lptr = lptr->next) {
 		list_remove(list, lptr->index);
 		if (list->count == 0)
 			break;
 	}
 -cleanup:
 	list_empty(&trust_file);
 -	return rc;
 +	return 0;
 }
--- a/fapolicyd.spec
+++ b/fapolicyd.spec
@ -4,8 +4,8 @@
 Summary: Application Whitelisting Daemon
 Name: fapolicyd
-Version: 1.0.4
+Version: 1.1
-Release: 101%{?dist}
+Release: 100%{?dist}
 License: GPLv3+
 URL: http://people.redhat.com/sgrubb/fapolicyd
 Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
@ -32,11 +32,6 @@ Requires(postun): systemd-units
 Patch1: fapolicyd-uthash-bundle.patch
 Patch2: fapolicyd-selinux.patch
 Patch3: fapolicyd-do-manage-files.patch
 Patch4: fapolicyd-documentation.patch
 Patch5: fapolicyd-fix-escaping.patch
 Patch6: fapolicyd-trust-file-append.patch
 Patch7: fapolicyd-detect-sharedlib.patch
 %description
 Fapolicyd (File Access Policy Daemon) implements application whitelisting
@ -83,15 +78,10 @@ Don't use dnf and rpm plugin together.
 %endif
 %patch2 -p1 -b .selinux
 %patch3 -p1 -b .do-manage-files
 %patch4 -p1 -b .documentation
 %patch5 -p1 -b .fix-escaping
 %patch6 -p1 -b .trust-file-append
 %patch7 -p1 -b .detect-sharedlib
-sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
+sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
-sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
+sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
-sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
+sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name  'ld-linux-*.so.*' | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
 %build
 ./autogen.sh
@ -115,14 +105,15 @@ make check
 %selinux_relabel_pre -s %{selinuxtype}
 %install
-make DESTDIR="%{buildroot}" INSTALL='install -p' install
+%make_install
 mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/
 install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/
 install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf
 install -p -m 644 init/%{name}.rules.known-libs %{buildroot}/%{_sysconfdir}/%{name}/%{name}.rules
 mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}
 mkdir -p %{buildroot}/run/%{name}
 mkdir -p %{buildroot}%{_sysconfdir}/%{name}/trust.d
 mkdir -p %{buildroot}%{_sysconfdir}/%{name}/rules.d
 # selinux
 install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
@ -131,34 +122,37 @@ install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
 install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
 #cleanup
-find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
+find %{buildroot} \( -name '*.la' -o -name '*.a' \) -delete
 %pre
 getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
 %pretrans -p <lua>
 if posix.access("/run/fapolicyd.pid", "f") then
  os.execute([[
    c=/etc/fapolicyd/fapolicyd.rules
    rule="allow perm=any uid=0 : all"
    if test -e $c; then
       if systemctl is-active fapolicyd &> /dev/null; then
          tmp=`mktemp`
          cat $c > $tmp
          echo "$rule" > $c
          cat $tmp >> $c
          systemctl restart fapolicyd || true
          sleep 10
          cat $tmp > $c
          rm -f $tmp
        fi
    fi
    ]])
 end
 %post
 # if no pre-existing rule file
 if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
 files=`ls %{_sysconfdir}/%{name}/rules.d/ 2>/dev/null | wc -w`
 # Only if no pre-existing component rules
 if [ "$files" -eq 0 ] ; then
  ## Install the known libs policy
  cp %{_datadir}/%{name}/sample-rules/10-languages.rules  %{_sysconfdir}/%{name}/rules.d/
  cp %{_datadir}/%{name}/sample-rules/20-patterns.rules %{_sysconfdir}/%{name}/rules.d/
  cp %{_datadir}/%{name}/sample-rules/30-dracut.rules %{_sysconfdir}/%{name}/rules.d/
  cp %{_datadir}/%{name}/sample-rules/30-updaters.rules  %{_sysconfdir}/%{name}/rules.d/
  cp %{_datadir}/%{name}/sample-rules/40-bad-elf.rules  %{_sysconfdir}/%{name}/rules.d/
  cp %{_datadir}/%{name}/sample-rules/41-shared-obj.rules  %{_sysconfdir}/%{name}/rules.d/
  cp %{_datadir}/%{name}/sample-rules/42-trusted-elf.rules  %{_sysconfdir}/%{name}/rules.d/
  cp %{_datadir}/%{name}/sample-rules/70-trusted-lang.rules  %{_sysconfdir}/%{name}/rules.d/
  cp %{_datadir}/%{name}/sample-rules/72-shell.rules  %{_sysconfdir}/%{name}/rules.d/
  cp %{_datadir}/%{name}/sample-rules/90-deny-execute.rules %{_sysconfdir}/%{name}/rules.d/
  cp %{_datadir}/%{name}/sample-rules/95-allow-open.rules  %{_sysconfdir}/%{name}/rules.d/
  chgrp %{name} %{_sysconfdir}/%{name}/rules.d/*
  if [ -x /usr/sbin/restorecon ] ; then
   # restore correct label
   /usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/*
  fi
  fagenrules --load
 fi
 fi
 %systemd_post %{name}.service
 %preun
@ -172,26 +166,32 @@ end
 %{!?_licensedir:%global license %%doc}
 %license COPYING
 %attr(755,root,%{name}) %dir %{_datadir}/%{name}
-%attr(644,root,%{name}) %{_datadir}/%{name}/%{name}.rules.*
+%attr(755,root,%{name}) %dir %{_datadir}/%{name}/sample-rules
 %attr(644,root,%{name}) %{_datadir}/%{name}/sample-rules/*
 %attr(644,root,%{name}) %{_datadir}/%{name}/fapolicyd-magic.mgc
 %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
 %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/trust.d
 %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/rules.d
 %ghost %{_sysconfdir}/%{name}/rules.d/*
 %ghost %{_sysconfdir}/%{name}/%{name}.rules
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
-%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
+%ghost %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules
 %attr(644,root,root) %{_unitdir}/%{name}.service
 %attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
 %attr(755,root,root) %{_sbindir}/%{name}
 %attr(755,root,root) %{_sbindir}/%{name}-cli
 %attr(755,root,root) %{_sbindir}/fagenrules
 %attr(644,root,root) %{_mandir}/man8/*
 %attr(644,root,root) %{_mandir}/man5/*
 %attr(644,root,root) %{_mandir}/man1/*
-%attr(644,root,root) %{_datadir}/%{name}/*
+%ghost %attr(440,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/log/%{name}-access.log
 %ghost %{_localstatedir}/log/%{name}-access.log
 %attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name}
 %attr(770,root,%{name}) %dir /run/%{name}
-%ghost /run/%{name}/%{name}.fifo
+%ghost %attr(660,root,%{name}) /run/%{name}/%{name}.fifo
-%ghost %{_localstatedir}/lib/%{name}/data.mdb
+%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/data.mdb
-%ghost %{_localstatedir}/lib/%{name}/lock.mdb
+%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/lock.mdb
 %files selinux
 %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
@ -216,6 +216,15 @@ fi
 %changelog
 * Wed Feb 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-100
 RHEL 9.0.0 ERRATUM
 - rebase to 1.1
 Resolves: rhbz#2032408
 - introduce rules.d
 Resolves: rhbz#2054740
 - remove pretrans scriptlet
 Resolve: rhbz#2051481
 * Tue Dec 14 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.4-101
 RHEL 9.0.0 ERRATUM
 - rebase to 1.0.4
--- a/2
+++ b/2
@ -1,3 +1,3 @@
-SHA512 (fapolicyd-1.0.4.tar.gz) = 08a8625b1ad9a383359435605595b17a537c7ca889ad0b8d6acdf5d27e98dc38f557187a54e5320d9eeb624999f19526cc29c2e43449033f4f086e0bef142d7b
+SHA512 (fapolicyd-1.1.tar.gz) = d8478a5e55f8ab3b40ab881795d391d6edd8c4149e743f3685afedf561f853f46f80e49f7b0f05e20c86d71442e286c7db9b289049b5314047d14d8d1b9f3b4e
 SHA512 (fapolicyd-selinux-0.4.tar.gz) = afc74b9c55c71bec2039d112e8e16abc510b58bf794bd665f3128a63daa45572a6f18d1c4de1f63e45a01f8696aacfbf54ed2a07485d581f25446b7fe92307a2
 SHA512 (uthash-2.3.0.tar.gz) = 3b01f1074790fb242900411cb16eb82c1a9afcf58e3196a0f4611d9d7ef94690ad38c0a500e7783d3efa20328aa8d6ab14f246be63b3b3d385502ba2b6b2a294