Rebase to 0.8.10

2019-08-30 13:05:25 +02:00 · 2019-08-30 13:05:25 +02:00 · 157f8de90e
commit 157f8de90e
parent e99464298e
4 changed files with 47 additions and 3 deletions
--- a/.gitignore
+++ b/.gitignore
@ -3,3 +3,4 @@
 /fapolicyd-0.8.7.tar.gz
 /fapolicyd-0.8.8.tar.gz
 /fapolicyd-0.8.9.tar.gz
+/fapolicyd-0.8.10.tar.gz
--- a/fapolicyd.spec
+++ b/fapolicyd.spec
@ -1,7 +1,7 @@
 Summary: Application Whitelisting Daemon
 Name: fapolicyd
-Version: 0.8.9
-Release: 5%{?dist}
+Version: 0.8.10
+Release: 1%{?dist}
 License: GPLv3+
 URL: http://people.redhat.com/sgrubb/fapolicyd
 Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
@ -15,6 +15,7 @@ Requires(post): systemd-units
 Requires(preun): systemd-units
 Requires(postun): systemd-units

+Patch1: python.patch

 %description
 Fapolicyd (File Access Policy Daemon) implements application whitelisting
@ -23,8 +24,14 @@ source are allowed access while unknown applications are not. The daemon
 makes use of the kernel's fanotify interface to determine file access rights.

 %prep
+
 %setup -q

+%patch1 -p1 -b .python
+
+sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules
+sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules
+
 %build
 ./autogen.sh
 %configure --with-audit
@ -74,6 +81,10 @@ getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{nam
 %{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc

 %changelog
+* Wed Aug 28 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-1
+- rebase to 0.8.10
+- generate python paths dynamically
+
 * Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 0.8.9-5
 - Rebuilt for Python 3.8

--- a/python.patch
+++ b/python.patch
@ -0,0 +1,32 @@
+diff -up ./init/fapolicyd.rules.fix ./init/fapolicyd.rules
+--- ./init/fapolicyd.rules.fix	2019-08-30 12:59:02.997181607 +0200
+++ ./init/fapolicyd.rules	2019-08-30 13:00:21.639034651 +0200
+@@ -11,7 +11,7 @@ deny_audit pattern=ld_so all
+ # We have to carve out an exception for the system updaters
+ # or things go very bad (deadlock).
+ allow exe=/usr/bin/rpm all
+-allow exe=/usr/bin/python3.6 comm=dnf all
+allow exe=%python3_path% comm=dnf all
+ 
+ # Don't allow untrusted executables
+ deny_audit exe_dir=execdirs exe=untrusted all
+@@ -31,10 +31,10 @@ deny_audit all ftype=application/x-share
+ # Only allow system python executables and libs
+ # File type by: file --mime-type /path-to-file
+ allow all dir=execdirs ftype=text/x-python
+-allow exe=/usr/bin/python3.6 dir=execdirs ftype=text/x-python
+-allow exe=/usr/bin/python3.6 dir=execdirs ftype=application/octet-stream
+-allow exe=/usr/bin/python2.7 dir=execdirs ftype=text/x-python
+-allow exe=/usr/bin/python2.7 dir=execdirs ftype=application/octet-stream
+allow exe=%python3_path% dir=execdirs ftype=text/x-python
+allow exe=%python3_path% dir=execdirs ftype=application/octet-stream
+allow exe=%python2_path% dir=execdirs ftype=text/x-python
+allow exe=%python2_path% dir=execdirs ftype=application/octet-stream
+ deny_audit  all ftype=text/x-python
+ #deny_audit all ftype=application/octet-stream path=*.pyc
+ 
+@@ -72,4 +72,3 @@ deny_audit exe=/usr/bin/ruby all
+ 
+ # Allow everything else
+ allow all all
+-
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (fapolicyd-0.8.9.tar.gz) = de3f9aaac36fb7d2b00bc873d4b0cb68fabf5f3bb74812d530ec7f66b3c3690a0cc51f35922a3f0a212c670ecae719956e26bfb0b14cab76d8356ea058709dc5
+SHA512 (fapolicyd-0.8.10.tar.gz) = 7a316a1e4ccb6b4f09c37cb33a3dd309c16bdb47a936b3610204851024ef45a896538fd0f5d8322cb4903c7cb375caa4072d801f702b5265833944cc51a58945