Rebase to fapolicyd 0.9.2
- allows watched mount points to be specified by file system types
- ELF file detection was improved
- the rules have been rewritten to express the policy based on subject object trust for better performance and reliability
- exceptions for dracut and ansible were added to the rules to avoid problems under normal system use
- adds an admin defined trust database (fapolicyd.trust)
- setting boost, queue, user, and group on the daemon command line are deprecated
parent
ee02cf10a9
commit
193b9f0cdf
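--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@
 /fapolicyd-0.9.tar.gz
 /fapolicyd-selinux-0.1.tar.gz
 /fapolicyd-selinux-0.2.tar.gz
+/fapolicyd-0.9.2.tar.gz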
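--- a/fapolicyd-conf.patch
+++ b/fapolicyd-conf.patch
@@ -0,0 +1,9 @@
+diff -up ./init/fapolicyd.conf.fix ./init/fapolicyd.conf
+--- ./init/fapolicyd.conf.fix 2020-02-03 12:18:23.775222689 +0100
++++ ./init/fapolicyd.conf 2020-02-03 12:18:42.567359324 +0100
+@@ -14,4 +14,4 @@ db_max_size = 250
+subj_cache_size = 1024
+obj_cache_size = 6144
+watch_fs = ext2,ext3,ext4,tmpfs,xfs,vfat,iso9660
+-trust = rpmdb,files
++trust = rpmdb,file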
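Review bot: fapolicyd-conf.patch has no header saying why the default `trust` value changes from `rpmdb,files` to `rpmdb,file`, or whether the change has been sent upstream. The setting appears to name the trust sources the daemon consults, so whoever does the next rebase needs to know whether this patch can be dropped or must be carried. A one-line comment above the `diff -up` line would be enough, for example `# Fix trust backend name in default config (files -> file); drop when upstream ships it.` The spec applies the patch with `-b .default-conf` while the patch was generated against a `.fix` backup; that is harmless, but using one suffix would make the two easier to match up.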
@ -4,8 +4,8 @@
|
|||||||
|
|
||||||
Summary: Application Whitelisting Daemon
|
Summary: Application Whitelisting Daemon
|
||||||
Name: fapolicyd
|
Name: fapolicyd
|
||||||
Version: 0.9
|
Version: 0.9.2
|
||||||
Release: 4%{?dist}
|
Release: 1%{?dist}
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
URL: http://people.redhat.com/sgrubb/fapolicyd
|
URL: http://people.redhat.com/sgrubb/fapolicyd
|
||||||
Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
|
Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
|
||||||
@ -21,6 +21,7 @@ Requires(post): systemd-units
|
|||||||
Requires(preun): systemd-units
|
Requires(preun): systemd-units
|
||||||
Requires(postun): systemd-units
|
Requires(postun): systemd-units
|
||||||
|
|
||||||
|
Patch1: fapolicyd-conf.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Fapolicyd (File Access Policy Daemon) implements application whitelisting
|
Fapolicyd (File Access Policy Daemon) implements application whitelisting
|
||||||
@ -40,8 +41,6 @@ BuildArch: noarch
|
|||||||
%description selinux
|
%description selinux
|
||||||
The %{name}-selinux package contains selinux policy for the %{name} daemon.
|
The %{name}-selinux package contains selinux policy for the %{name} daemon.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
|
|
||||||
%setup -q
|
%setup -q
|
||||||
@ -51,10 +50,20 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.
|
|||||||
|
|
||||||
sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules
|
sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules
|
||||||
sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules
|
sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules
|
||||||
|
sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" init/%{name}.rules
|
||||||
|
|
||||||
|
%patch1 -p1 -b .default-conf
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
|
||||||
./autogen.sh
|
./autogen.sh
|
||||||
%configure --with-audit
|
|
||||||
|
%configure \
|
||||||
|
--with-audit \
|
||||||
|
--with-rpm \
|
||||||
|
--disable-shared
|
||||||
|
|
||||||
|
|
||||||
make CFLAGS="%{optflags}" %{?_smp_mflags}
|
make CFLAGS="%{optflags}" %{?_smp_mflags}
|
||||||
|
|
||||||
# selinux
|
# selinux
|
||||||
@ -80,6 +89,8 @@ install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%
|
|||||||
install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
|
install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
|
||||||
install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
|
install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
|
||||||
|
|
||||||
|
#cleanup
|
||||||
|
find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
|
||||||
|
|
||||||
%pre
|
%pre
|
||||||
getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
|
getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
|
||||||
@ -100,6 +111,7 @@ getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{nam
|
|||||||
%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
|
%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
|
||||||
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
|
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
|
||||||
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
|
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
|
||||||
|
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
|
||||||
%attr(644,root,root) %{_unitdir}/%{name}.service
|
%attr(644,root,root) %{_unitdir}/%{name}.service
|
||||||
%attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
|
%attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
|
||||||
%attr(755,root,root) %{_sbindir}/%{name}
|
%attr(755,root,root) %{_sbindir}/%{name}
|
||||||
@ -135,6 +147,18 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jan 31 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.2-1
|
||||||
|
- rebase fapolicyd to 0.9.2
|
||||||
|
- allows watched mount points to be specified by file system types
|
||||||
|
- ELF file detection was improved
|
||||||
|
- the rules have been rewritten to express the policy based on subject
|
||||||
|
object trust for better performance and reliability
|
||||||
|
- exceptions for dracut and ansible were added to the rules to avoid problems
|
||||||
|
under normal system use
|
||||||
|
- adds an admin defined trust database (fapolicyd.trust)
|
||||||
|
- setting boost, queue, user, and group on the daemon
|
||||||
|
command line are deprecated
|
||||||
|
|
||||||
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-4
|
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-4
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||||
|
|
||||||
|
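Review bot: The added `%ld_so_path%` substitution in `%prep` uses whatever `find /usr/lib64/ -type f -name 'ld-2\.*.so'` prints in the build root without checking it. If nothing matches, for example on an architecture whose loader is not under /usr/lib64, the placeholder is silently replaced by an empty string in the shipped rules. For an allow-listing policy the build should stop instead: capture the path first with `ld_so=$(find %{_libdir}/ -type f -name 'ld-2.*.so'); [ -f "$ld_so" ] || exit 1`, then substitute with `sed -i "s|%ld_so_path%|$ld_so|g" init/%{name}.rules`, which also removes the slash-escaping pipeline. The versioned file name is fixed at build time, so it presumably stops matching once glibc is updated on the installed system; that is worth confirming against how the rules use the path.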
2
sources
2
sources
@ -1,2 +1,2 @@
|
|||||||
SHA512 (fapolicyd-0.9.tar.gz) = 9a7fc929730403cf1430051e8f2c34568f43e38119f2bb09393886f7d8880354941f70cca34a2da2ca5ad9d65bd1e4854037a0deb9d7b0656f841b33019e2146
|
SHA512 (fapolicyd-0.9.2.tar.gz) = 472282f2bf31788e3fb4e41648ddbffe2c550396bd371bb85f685773de76333bd55abd63e0145d6abe3b2c8bf72946138448eb0582bb693893310f81741a201b
|
||||||
SHA512 (fapolicyd-selinux-0.2.tar.gz) = 9ffefab4102168be672a9e84b2fff3c4fbabf65b77432a4b4e6f9619b13e23dba27c2fb5e5015830b90104aff50d7ef21337de137d14d622970c1f17accf23ad
|
SHA512 (fapolicyd-selinux-0.2.tar.gz) = 9ffefab4102168be672a9e84b2fff3c4fbabf65b77432a4b4e6f9619b13e23dba27c2fb5e5015830b90104aff50d7ef21337de137d14d622970c1f17accf23ad
|
||||||
|