diff --git a/fapolicyd-skip-nonregular.patch b/fapolicyd-skip-nonregular.patch new file mode 100644 index 0000000..9d25230 --- /dev/null +++ b/fapolicyd-skip-nonregular.patch @@ -0,0 +1,39 @@ +From 508805c9f47ca22695fd7a265668f99e9258ea27 Mon Sep 17 00:00:00 2001 +From: Radovan Sroka +Date: Thu, 24 Jul 2025 15:30:06 +0200 +Subject: [PATCH] Skip to add non regular files to trustdb + +- it does not make any sense to have them in the trustdb +- the patch should be fix potential error when reading nonregular files + +Signed-off-by: Radovan Sroka +--- + src/cli/file-cli.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/cli/file-cli.c b/src/cli/file-cli.c +index 7deec39c..ae326c14 100644 +--- a/src/cli/file-cli.c ++++ b/src/cli/file-cli.c +@@ -67,7 +67,7 @@ static int ftw_add_list_append(const char *fpath, + */ + static int add_list_load_path(const char *path) + { +- int fd = open(path, O_RDONLY); ++ int fd = open(path, O_RDONLY|O_NONBLOCK); + if (fd < 0) { + msg(LOG_ERR, "Cannot open %s", path); + return 1; +@@ -83,8 +83,11 @@ static int add_list_load_path(const char *path) + + if (S_ISDIR(sb.st_mode)) + nftw(path, &ftw_add_list_append, FTW_NOPENFD, FTW_FLAGS); +- else ++ else if (S_ISREG(sb.st_mode)) { + list_append(&add_list, strdup(path), NULL); ++ } else { ++ msg(LOG_INFO, "Skipping non regular file: %s", path); ++ } + + return 0; + } diff --git a/fapolicyd-socket-segfault.patch b/fapolicyd-socket-segfault.patch new file mode 100644 index 0000000..33c2c65 --- /dev/null +++ b/fapolicyd-socket-segfault.patch @@ -0,0 +1,48 @@ +From 73770c9111800cb5a1e62203e460ae9149307d49 Mon Sep 17 00:00:00 2001 +From: Radovan Sroka +Date: Mon, 28 Jul 2025 18:44:08 +0200 +Subject: [PATCH] Fix segfault when socket is inside of the directory + +$ socat UNIX-LISTEN:"/home/rsroka/dir/socket" /dev/null & + +[ ERROR ]: Cannot open /home/rsroka/dir/socket +Program received signal SIGSEGV, Segmentation fault. + +Signed-off-by: Radovan Sroka +--- + src/cli/file-cli.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/src/cli/file-cli.c b/src/cli/file-cli.c +index ae326c14..655e8f15 100644 +--- a/src/cli/file-cli.c ++++ b/src/cli/file-cli.c +@@ -53,8 +53,13 @@ static int ftw_add_list_append(const char *fpath, + int typeflag, + struct FTW *ftwbuf __attribute__ ((unused))) + { +- if (typeflag == FTW_F) +- list_append(&add_list, strdup(fpath), NULL); ++ if (typeflag == FTW_F) { ++ if (S_ISREG(sb->st_mode)) { ++ list_append(&add_list, strdup(fpath), NULL); ++ } else { ++ msg(LOG_INFO, "Skipping non regular file: %s", fpath); ++ } ++ } + return FTW_CONTINUE; + } + +@@ -83,11 +88,8 @@ static int add_list_load_path(const char *path) + + if (S_ISDIR(sb.st_mode)) + nftw(path, &ftw_add_list_append, FTW_NOPENFD, FTW_FLAGS); +- else if (S_ISREG(sb.st_mode)) { ++ else + list_append(&add_list, strdup(path), NULL); +- } else { +- msg(LOG_INFO, "Skipping non regular file: %s", path); +- } + + return 0; + } diff --git a/fapolicyd.spec b/fapolicyd.spec index 563acf7..ee5f268 100644 --- a/fapolicyd.spec +++ b/fapolicyd.spec @@ -5,7 +5,7 @@ Summary: Application Whitelisting Daemon Name: fapolicyd Version: 1.3.3 -Release: 103%{?dist} +Release: 105%{?dist} License: GPL-3.0-or-later URL: http://people.redhat.com/sgrubb/fapolicyd Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz @@ -43,6 +43,9 @@ Patch6: fapolicyd-rpm-loader.patch Patch7: fapolicyd-infinite-loop.patch Patch8: fapolicyd-data-format.patch Patch9: var-run-t-dir-selinux.patch +Patch10: fapolicyd-skip-nonregular.patch +Patch11: fapolicyd-socket-segfault.patch +Patch12: selinux-sbin-bin.patch %description Fapolicyd (File Access Policy Daemon) implements application whitelisting @@ -86,6 +89,9 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon. %patch -P 7 -p1 -b .infinite-loop %patch -P 8 -p1 -b .data-format %patch -P 9 -p1 -b .var-run-dir +%patch -P 10 -p1 -b .skip-nonregular +%patch -P 11 -p1 -b .socket-segfault +%patch -P 12 -p1 -b .sbin-bin # generate rules for python sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules @@ -228,7 +234,7 @@ fi %selinux_relabel_post -s %{selinuxtype} %changelog -* Wed May 28 2025 Radovan Sroka - 1.3.3-103 +* Wed May 28 2025 Radovan Sroka - 1.3.3-105 RHEL 10.1 ERRATUM - RPMDB crashes with SIGBUS when updating the RPMDB repeatedly Resolves: RHEL-94540 @@ -238,6 +244,8 @@ Resolves: RHEL-94536 Resolves: RHEL-94538 - fapolicy rule containing 'pattern=normal' produces error Resolves: RHEL-94537 +- "fapolicyd-cli --file add" crashes when processing sockets +Resolves: RHEL-105425 * Tue Oct 29 2024 Troy Dawson - 1.3.3-102 - Bump release for October 2024 mass rebuild: diff --git a/selinux-sbin-bin.patch b/selinux-sbin-bin.patch new file mode 100644 index 0000000..72326ee --- /dev/null +++ b/selinux-sbin-bin.patch @@ -0,0 +1,27 @@ +From f80e6b1817e32e8b33067c6bdfe838aa136de92f Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 20 Jun 2024 11:28:07 +0200 +Subject: [PATCH] Add file context entry for /usr/bin/fapolicyd + +To comply with the "Unify bin and sbin" Fedora Change [1], +file equivalency for the /bin, /sbin, and /usr/sbin paths +are now set in selinux-policy to /usr/bin. +This requires follow-up changes in DSP modules, too. + +[1] https://fedoraproject.org/wiki/Changes/Unify_bin_and_sbin +--- + fapolicyd.fc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fapolicyd-selinux-0.7/fapolicyd.fc b/fapolicyd-selinux-0.7/fapolicyd.fc +index d081dc8..1b9f649 100644 +--- a/fapolicyd-selinux-0.7/fapolicyd.fc ++++ b/fapolicyd-selinux-0.7/fapolicyd.fc +@@ -2,6 +2,7 @@ + + /usr/lib/systemd/system/fapolicyd.* -- gen_context(system_u:object_r:fapolicyd_unit_file_t,s0) + ++/usr/bin/fapolicyd -- gen_context(system_u:object_r:fapolicyd_exec_t,s0) + /usr/sbin/fapolicyd -- gen_context(system_u:object_r:fapolicyd_exec_t,s0) + + /var/lib/fapolicyd(/.*)? gen_context(system_u:object_r:fapolicyd_var_lib_t,s0)