diff --git a/.gitignore b/.gitignore index aa41813..b07fab8 100644 --- a/.gitignore +++ b/.gitignore @@ -7,3 +7,4 @@ /fapolicyd-0.9.tar.gz /fapolicyd-selinux-0.1.tar.gz /fapolicyd-selinux-0.2.tar.gz +/fapolicyd-0.9.2.tar.gz diff --git a/fapolicyd-conf.patch b/fapolicyd-conf.patch new file mode 100644 index 0000000..f77509a --- /dev/null +++ b/fapolicyd-conf.patch @@ -0,0 +1,9 @@ +diff -up ./init/fapolicyd.conf.fix ./init/fapolicyd.conf +--- ./init/fapolicyd.conf.fix 2020-02-03 12:18:23.775222689 +0100 ++++ ./init/fapolicyd.conf 2020-02-03 12:18:42.567359324 +0100 +@@ -14,4 +14,4 @@ db_max_size = 250 + subj_cache_size = 1024 + obj_cache_size = 6144 + watch_fs = ext2,ext3,ext4,tmpfs,xfs,vfat,iso9660 +-trust = rpmdb,files ++trust = rpmdb,file diff --git a/fapolicyd.spec b/fapolicyd.spec index 16d851f..efe65a3 100644 --- a/fapolicyd.spec +++ b/fapolicyd.spec @@ -4,8 +4,8 @@ Summary: Application Whitelisting Daemon Name: fapolicyd -Version: 0.9 -Release: 4%{?dist} +Version: 0.9.2 +Release: 1%{?dist} License: GPLv3+ URL: http://people.redhat.com/sgrubb/fapolicyd Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz @@ -21,6 +21,7 @@ Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units +Patch1: fapolicyd-conf.patch %description Fapolicyd (File Access Policy Daemon) implements application whitelisting @@ -40,8 +41,6 @@ BuildArch: noarch %description selinux The %{name}-selinux package contains selinux policy for the %{name} daemon. - - %prep %setup -q 
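Review bot: `Patch1: fapolicyd-conf.patch` in the `@@ -21,6 +21,7 @@` hunk is added without a comment saying what it corrects or whether it has been sent upstream, and it sits after the `Requires(postun)` line rather than beside `Source0`. The patch changes the shipped default from `trust = rpmdb,files` to `trust = rpmdb,file`, which appears to correct the name of the file trust backend. Since that setting selects the sources the daemon trusts, the reason belongs next to the tag. A comment such as `# conf ships "files" as the trust backend name, the backend is "file"; drop once fixed upstream` above `Patch1:` would cover it. The new fapolicyd-conf.patch also carries no description header.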
@@ -51,10 +50,20 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon. sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules +sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" init/%{name}.rules + +%patch1 -p1 -b .default-conf %build + ./autogen.sh -%configure --with-audit + +%configure \ + --with-audit \ + --with-rpm \ + --disable-shared + + make CFLAGS="%{optflags}" %{?_smp_mflags} # selinux @@ -80,6 +89,8 @@ install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}% install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype} install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if +#cleanup +find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';' %pre getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name} @@ -100,6 +111,7 @@ getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{nam %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name} %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf +%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust %attr(644,root,root) %{_unitdir}/%{name}.service %attr(644,root,root) %{_tmpfilesdir}/%{name}.conf %attr(755,root,root) %{_sbindir}/%{name} 
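Review bot: The added `sed` for `%ld_so_path%` in the `@@ -51,10 +50,20 @@` hunk writes whatever `find /usr/lib64/ ...` prints on the build host into `init/fapolicyd.rules`, with no check on the result. If the loader is not under `/usr/lib64` the match is empty, and because `find` runs inside backticks nothing stops `%prep`, so an empty loader path can end up in the shipped rules; with more than one match the embedded newline breaks the `s` expression. Resolve the path first and fail unless there is exactly one hit, e.g. `ld_so=$(find %{_libdir}/ -type f -name 'ld-2\.*.so')` followed by `[ -n "$ld_so" ] && [ "$(echo "$ld_so" | wc -l)" -eq 1 ] || exit 1`, then substitute `$ld_so`. The versioned file name is also fixed at build time, so the rule presumably stops matching the loader after a glibc update on the installed system. The rest of `%prep` lies outside the hunk.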
@@ -135,6 +147,18 @@ fi %changelog +* Fri Jan 31 2020 Radovan Sroka - 0.9.2-1 +- rebase fapolicyd to 0.9.2 +- allows watched mount points to be specified by file system types +- ELF file detection was improved +- the rules have been rewritten to express the policy based on subject + object trust for better performance and reliability +- exceptions for dracut and ansible were added to the rules to avoid problems + under normal system use +- adds an admin defined trust database (fapolicyd.trust) +- setting boost, queue, user, and group on the daemon + command line are deprecated + * Tue Jan 28 2020 Fedora Release Engineering - 0.9-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild diff --git a/sources b/sources index 06e6ef9..d43675a 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (fapolicyd-0.9.tar.gz) = 9a7fc929730403cf1430051e8f2c34568f43e38119f2bb09393886f7d8880354941f70cca34a2da2ca5ad9d65bd1e4854037a0deb9d7b0656f841b33019e2146 +SHA512 (fapolicyd-0.9.2.tar.gz) = 472282f2bf31788e3fb4e41648ddbffe2c550396bd371bb85f685773de76333bd55abd63e0145d6abe3b2c8bf72946138448eb0582bb693893310f81741a201b SHA512 (fapolicyd-selinux-0.2.tar.gz) = 9ffefab4102168be672a9e84b2fff3c4fbabf65b77432a4b4e6f9619b13e23dba27c2fb5e5015830b90104aff50d7ef21337de137d14d622970c1f17accf23ad