RHEL 10.1 ERRATUM

- add selinux patch for bin/sbin equivalence

- "fapolicyd-cli --file add" crashes when processing sockets
Resolves: RHEL-105425

Signed-off-by: Radovan Sroka <rsroka@redhat.com>
This commit is contained in:
Radovan Sroka 2025-07-24 17:12:40 +02:00
parent 99663924fa
commit 1165ecc896
4 changed files with 124 additions and 2 deletions

View File

@ -0,0 +1,39 @@
From 508805c9f47ca22695fd7a265668f99e9258ea27 Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Thu, 24 Jul 2025 15:30:06 +0200
Subject: [PATCH] Skip to add non regular files to trustdb
- it does not make any sense to have them in the trustdb
- the patch should be fix potential error when reading nonregular files
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
src/cli/file-cli.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/cli/file-cli.c b/src/cli/file-cli.c
index 7deec39c..ae326c14 100644
--- a/src/cli/file-cli.c
+++ b/src/cli/file-cli.c
@@ -67,7 +67,7 @@ static int ftw_add_list_append(const char *fpath,
*/
static int add_list_load_path(const char *path)
{
- int fd = open(path, O_RDONLY);
+ int fd = open(path, O_RDONLY|O_NONBLOCK);
if (fd < 0) {
msg(LOG_ERR, "Cannot open %s", path);
return 1;
@@ -83,8 +83,11 @@ static int add_list_load_path(const char *path)
if (S_ISDIR(sb.st_mode))
nftw(path, &ftw_add_list_append, FTW_NOPENFD, FTW_FLAGS);
- else
+ else if (S_ISREG(sb.st_mode)) {
list_append(&add_list, strdup(path), NULL);
+ } else {
+ msg(LOG_INFO, "Skipping non regular file: %s", path);
+ }
return 0;
}

View File

@ -0,0 +1,48 @@
From 73770c9111800cb5a1e62203e460ae9149307d49 Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Mon, 28 Jul 2025 18:44:08 +0200
Subject: [PATCH] Fix segfault when socket is inside of the directory
$ socat UNIX-LISTEN:"/home/rsroka/dir/socket" /dev/null &
[ ERROR ]: Cannot open /home/rsroka/dir/socket
Program received signal SIGSEGV, Segmentation fault.
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
src/cli/file-cli.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/cli/file-cli.c b/src/cli/file-cli.c
index ae326c14..655e8f15 100644
--- a/src/cli/file-cli.c
+++ b/src/cli/file-cli.c
@@ -53,8 +53,13 @@ static int ftw_add_list_append(const char *fpath,
int typeflag,
struct FTW *ftwbuf __attribute__ ((unused)))
{
- if (typeflag == FTW_F)
- list_append(&add_list, strdup(fpath), NULL);
+ if (typeflag == FTW_F) {
+ if (S_ISREG(sb->st_mode)) {
+ list_append(&add_list, strdup(fpath), NULL);
+ } else {
+ msg(LOG_INFO, "Skipping non regular file: %s", fpath);
+ }
+ }
return FTW_CONTINUE;
}
@@ -83,11 +88,8 @@ static int add_list_load_path(const char *path)
if (S_ISDIR(sb.st_mode))
nftw(path, &ftw_add_list_append, FTW_NOPENFD, FTW_FLAGS);
- else if (S_ISREG(sb.st_mode)) {
+ else
list_append(&add_list, strdup(path), NULL);
- } else {
- msg(LOG_INFO, "Skipping non regular file: %s", path);
- }
return 0;
}

View File

@ -5,7 +5,7 @@
Summary: Application Whitelisting Daemon
Name: fapolicyd
Version: 1.3.3
Release: 103%{?dist}
Release: 105%{?dist}
License: GPL-3.0-or-later
URL: http://people.redhat.com/sgrubb/fapolicyd
Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
@ -43,6 +43,9 @@ Patch6: fapolicyd-rpm-loader.patch
Patch7: fapolicyd-infinite-loop.patch
Patch8: fapolicyd-data-format.patch
Patch9: var-run-t-dir-selinux.patch
Patch10: fapolicyd-skip-nonregular.patch
Patch11: fapolicyd-socket-segfault.patch
Patch12: selinux-sbin-bin.patch
%description
Fapolicyd (File Access Policy Daemon) implements application whitelisting
@ -86,6 +89,9 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.
%patch -P 7 -p1 -b .infinite-loop
%patch -P 8 -p1 -b .data-format
%patch -P 9 -p1 -b .var-run-dir
%patch -P 10 -p1 -b .skip-nonregular
%patch -P 11 -p1 -b .socket-segfault
%patch -P 12 -p1 -b .sbin-bin
# generate rules for python
sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
@ -228,7 +234,7 @@ fi
%selinux_relabel_post -s %{selinuxtype}
%changelog
* Wed May 28 2025 Radovan Sroka <rsroka@redhat.com> - 1.3.3-103
* Wed May 28 2025 Radovan Sroka <rsroka@redhat.com> - 1.3.3-105
RHEL 10.1 ERRATUM
- RPMDB crashes with SIGBUS when updating the RPMDB repeatedly
Resolves: RHEL-94540
@ -238,6 +244,8 @@ Resolves: RHEL-94536
Resolves: RHEL-94538
- fapolicy rule containing 'pattern=normal' produces error
Resolves: RHEL-94537
- "fapolicyd-cli --file add" crashes when processing sockets
Resolves: RHEL-105425
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.3.3-102
- Bump release for October 2024 mass rebuild:

27
selinux-sbin-bin.patch Normal file
View File

@ -0,0 +1,27 @@
From f80e6b1817e32e8b33067c6bdfe838aa136de92f Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 20 Jun 2024 11:28:07 +0200
Subject: [PATCH] Add file context entry for /usr/bin/fapolicyd
To comply with the "Unify bin and sbin" Fedora Change [1],
file equivalency for the /bin, /sbin, and /usr/sbin paths
are now set in selinux-policy to /usr/bin.
This requires follow-up changes in DSP modules, too.
[1] https://fedoraproject.org/wiki/Changes/Unify_bin_and_sbin
---
fapolicyd.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/fapolicyd-selinux-0.7/fapolicyd.fc b/fapolicyd-selinux-0.7/fapolicyd.fc
index d081dc8..1b9f649 100644
--- a/fapolicyd-selinux-0.7/fapolicyd.fc
+++ b/fapolicyd-selinux-0.7/fapolicyd.fc
@@ -2,6 +2,7 @@
/usr/lib/systemd/system/fapolicyd.* -- gen_context(system_u:object_r:fapolicyd_unit_file_t,s0)
+/usr/bin/fapolicyd -- gen_context(system_u:object_r:fapolicyd_exec_t,s0)
/usr/sbin/fapolicyd -- gen_context(system_u:object_r:fapolicyd_exec_t,s0)
/var/lib/fapolicyd(/.*)? gen_context(system_u:object_r:fapolicyd_var_lib_t,s0)