Rebase to fapolicyd 0.9.2

- allows watched mount points to be specified by file system types - ELF file detection was improved - the rules have been rewritten to express the policy based on subject object trust for better performance and reliability - exceptions for dracut and ansible were added to the rules to avoid problems under normal system use - adds an admin defined trust database (fapolicyd.trust) - setting boost, queue, user, and group on the daemon command line are deprecated
2020-01-31 08:43:48 +01:00 · 2020-01-31 08:43:48 +01:00 · 193b9f0cdf
commit 193b9f0cdf
parent ee02cf10a9
4 changed files with 40 additions and 6 deletions
--- a/.gitignore
+++ b/.gitignore
@ -7,3 +7,4 @@
 /fapolicyd-0.9.tar.gz
 /fapolicyd-selinux-0.1.tar.gz
 /fapolicyd-selinux-0.2.tar.gz
+/fapolicyd-0.9.2.tar.gz
--- a/fapolicyd-conf.patch
+++ b/fapolicyd-conf.patch
@ -0,0 +1,9 @@
+diff -up ./init/fapolicyd.conf.fix ./init/fapolicyd.conf
+--- ./init/fapolicyd.conf.fix	2020-02-03 12:18:23.775222689 +0100
+++ ./init/fapolicyd.conf	2020-02-03 12:18:42.567359324 +0100
+@@ -14,4 +14,4 @@ db_max_size = 250
+ subj_cache_size = 1024
+ obj_cache_size = 6144
+ watch_fs = ext2,ext3,ext4,tmpfs,xfs,vfat,iso9660
+-trust = rpmdb,files
+trust = rpmdb,file
--- a/fapolicyd.spec
+++ b/fapolicyd.spec
@ -4,8 +4,8 @@

 Summary: Application Whitelisting Daemon
 Name: fapolicyd
-Version: 0.9
-Release: 4%{?dist}
+Version: 0.9.2
+Release: 1%{?dist}
 License: GPLv3+
 URL: http://people.redhat.com/sgrubb/fapolicyd
 Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
@ -21,6 +21,7 @@ Requires(post): systemd-units
 Requires(preun): systemd-units
 Requires(postun): systemd-units

+Patch1: fapolicyd-conf.patch

 %description
 Fapolicyd (File Access Policy Daemon) implements application whitelisting
@ -40,8 +41,6 @@ BuildArch: noarch
 %description    selinux
 The %{name}-selinux package contains selinux policy for the %{name} daemon.

-
-
 %prep

 %setup -q
@ -51,10 +50,20 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.

 sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules
 sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules
+sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" init/%{name}.rules
+
+%patch1 -p1 -b .default-conf

 %build
+
 ./autogen.sh
-%configure --with-audit
+
+%configure \
+    --with-audit \
+    --with-rpm \
+    --disable-shared
+
+
 make CFLAGS="%{optflags}" %{?_smp_mflags}

 # selinux
@ -80,6 +89,8 @@ install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%
 install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
 install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if

+#cleanup
+find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'

 %pre
 getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
@ -100,6 +111,7 @@ getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{nam
 %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
+%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
 %attr(644,root,root) %{_unitdir}/%{name}.service
 %attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
 %attr(755,root,root) %{_sbindir}/%{name}
@ -135,6 +147,18 @@ fi


 %changelog
+* Fri Jan 31 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.2-1
+- rebase fapolicyd to 0.9.2
+- allows watched mount points to be specified by file system types
+- ELF file detection was improved
+- the rules have been rewritten to express the policy based on subject
+  object trust for better performance and reliability
+- exceptions for dracut and ansible were added to the rules to avoid problems
+  under normal system use
+- adds an admin defined trust database (fapolicyd.trust)
+- setting boost, queue, user, and group on the daemon
+  command line are deprecated
+
 * Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

--- a/2
+++ b/2
@ -1,2 +1,2 @@
-SHA512 (fapolicyd-0.9.tar.gz) = 9a7fc929730403cf1430051e8f2c34568f43e38119f2bb09393886f7d8880354941f70cca34a2da2ca5ad9d65bd1e4854037a0deb9d7b0656f841b33019e2146
+SHA512 (fapolicyd-0.9.2.tar.gz) = 472282f2bf31788e3fb4e41648ddbffe2c550396bd371bb85f685773de76333bd55abd63e0145d6abe3b2c8bf72946138448eb0582bb693893310f81741a201b
 SHA512 (fapolicyd-selinux-0.2.tar.gz) = 9ffefab4102168be672a9e84b2fff3c4fbabf65b77432a4b4e6f9619b13e23dba27c2fb5e5015830b90104aff50d7ef21337de137d14d622970c1f17accf23ad