From 157f8de90e524017351557da91d7e6b878cd2bf4 Mon Sep 17 00:00:00 2001
From: Radovan Sroka
Date: Fri, 30 Aug 2019 13:05:25 +0200
Subject: [PATCH] Rebase to 0.8.10
---
.gitignore | 1 +
fapolicyd.spec | 15 +++++++++++++--
python.patch | 32 ++++++++++++++++++++++++++++++++
sources | 2 +-
4 files changed, 47 insertions(+), 3 deletions(-)
create mode 100644 python.patch
diff --git a/.gitignore b/.gitignore
index a36b54f..62edc35 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@ /fapolicyd-0.8.7.tar.gz /fapolicyd-0.8.8.tar.gz /fapolicyd-0.8.9.tar.gz +/fapolicyd-0.8.10.tar.gz
diff --git a/fapolicyd.spec b/fapolicyd.spec
index d1bbe6f..421217f 100644
--- a/fapolicyd.spec
+++ b/fapolicyd.spec
@@ -1,7 +1,7 @@ Summary: Application Whitelisting Daemon Name: fapolicyd -Version: 0.8.9 -Release: 5%{?dist} +Version: 0.8.10 +Release: 1%{?dist} License: GPLv3+ URL: http://people.redhat.com/sgrubb/fapolicyd Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
@@ -15,6 +15,7 @@ Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units +Patch1: python.patch %description Fapolicyd (File Access Policy Daemon) implements application whitelisting
@@ -23,8 +24,14 @@ source are allowed access while unknown applications are not. The daemon makes use of the kernel's fanotify interface to determine file access rights. %prep + %setup -q +%patch1 -p1 -b .python + +sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules +sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules + %build ./autogen.sh %configure --with-audit
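Review bot: The two `sed` lines added to `%prep` copy whatever `readlink -f` prints into the allow rules without checking that it names an executable interpreter. `readlink -f` only needs the leading path components to exist, and a failure inside the backticks does not stop the outer `sed`. A buildroot without python2 or python3 (no BuildRequires for either is visible in these hunks) would therefore still produce a rules file, with the Python and dnf exceptions pointing at a path that does not exist. Resolving each path into a variable, testing it with `-x` and switching the sed delimiter to `|` closes that gap and removes the nested slash escaping. A final grep turns a surviving placeholder into a build failure.

```spec
%patch1 -p1 -b .python

py2_path=$(readlink -f %{__python2})
py3_path=$(readlink -f %{__python3})
# refuse to build rules around a path that is not an executable interpreter
# (relax the python2 half to a warning if python2 is optional in the buildroot)
[ -x "$py2_path" ] && [ -x "$py3_path" ] || exit 1
sed -i -e "s|%python2_path%|$py2_path|g" \
       -e "s|%python3_path%|$py3_path|g" init/%{name}.rules
# a surviving placeholder means the substitution silently missed
if grep -q 'python[23]_path' init/%{name}.rules; then exit 1; fi
```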
@@ -74,6 +81,10 @@ getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{nam %{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc %changelog +* Wed Aug 28 2019 Radovan Sroka - 0.8.10-1 +- rebase to 0.8.10 +- generate python paths dynamically + * Mon Aug 19 2019 Miro HronĨok - 0.8.9-5 - Rebuilt for Python 3.8
diff --git a/python.patch b/python.patch
new file mode 100644
index 0000000..98fd644
--- /dev/null
+++ b/python.patch
@@ -0,0 +1,32 @@
+diff -up ./init/fapolicyd.rules.fix ./init/fapolicyd.rules
+--- ./init/fapolicyd.rules.fix 2019-08-30 12:59:02.997181607 +0200
++++ ./init/fapolicyd.rules 2019-08-30 13:00:21.639034651 +0200
+@@ -11,7 +11,7 @@ deny_audit pattern=ld_so all
+ # We have to carve out an exception for the system updaters
+ # or things go very bad (deadlock).
+ allow exe=/usr/bin/rpm all
+-allow exe=/usr/bin/python3.6 comm=dnf all
++allow exe=%python3_path% comm=dnf all
+
+ # Don't allow untrusted executables
+ deny_audit exe_dir=execdirs exe=untrusted all
+@@ -31,10 +31,10 @@ deny_audit all ftype=application/x-share
+ # Only allow system python executables and libs
+ # File type by: file --mime-type /path-to-file
+ allow all dir=execdirs ftype=text/x-python
+-allow exe=/usr/bin/python3.6 dir=execdirs ftype=text/x-python
+-allow exe=/usr/bin/python3.6 dir=execdirs ftype=application/octet-stream
+-allow exe=/usr/bin/python2.7 dir=execdirs ftype=text/x-python
+-allow exe=/usr/bin/python2.7 dir=execdirs ftype=application/octet-stream
++allow exe=%python3_path% dir=execdirs ftype=text/x-python
++allow exe=%python3_path% dir=execdirs ftype=application/octet-stream
++allow exe=%python2_path% dir=execdirs ftype=text/x-python
++allow exe=%python2_path% dir=execdirs ftype=application/octet-stream
+ deny_audit all ftype=text/x-python
+ #deny_audit all ftype=application/octet-stream path=*.pyc
+
+@@ -72,4 +72,3 @@ deny_audit exe=/usr/bin/ruby all
+
+ # Allow everything else
+ allow all all
+-
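Review bot: Nothing in the patched `init/fapolicyd.rules` says that `%python3_path%` and `%python2_path%` are build-time tokens. A tree built without the spec's `sed` step would ship five rules whose `exe=` value presumably matches no real executable, including the dnf exception that the file's own comment ties to a deadlock. A comment above the first use would make the dependency visible, for example `# %python3_path% / %python2_path% are replaced at package build time with the resolved interpreter paths`. The substituted value is the interpreter found on the build host, so the same comment should say that the rules likely need regenerating when the system Python version changes. The third inner hunk only drops the trailing blank line and could be left out of the patch.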
diff --git a/sources b/sources
index fe31a7d..2b82c25 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (fapolicyd-0.8.9.tar.gz) = de3f9aaac36fb7d2b00bc873d4b0cb68fabf5f3bb74812d530ec7f66b3c3690a0cc51f35922a3f0a212c670ecae719956e26bfb0b14cab76d8356ea058709dc5
+SHA512 (fapolicyd-0.8.10.tar.gz) = 7a316a1e4ccb6b4f09c37cb33a3dd309c16bdb47a936b3610204851024ef45a896538fd0f5d8322cb4903c7cb375caa4072d801f702b5265833944cc51a58945