Rebase to v1.2
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
parent
23487839d7
commit
2292734883
1
.gitignore
vendored
1
.gitignore
vendored
@ -26,3 +26,4 @@
|
||||
/fapolicyd-1.1.5.tar.gz
|
||||
/fapolicyd-1.1.7.tar.gz
|
||||
/fapolicyd-selinux-0.5.tar.gz
|
||||
/fapolicyd-1.2.tar.gz
|
||||
|
@ -1,19 +0,0 @@
|
||||
Include <rpmpgp.h> for the rpmFreeCrypto function, to avoid an
|
||||
implicit function declaration.
|
||||
|
||||
Submitted upstream:
|
||||
|
||||
<https://github.com/linux-application-whitelisting/fapolicyd/pull/212>
|
||||
|
||||
diff --git a/src/library/rpm-backend.c b/src/library/rpm-backend.c
|
||||
index e5c5f3318285fd4b..6122ef1bf6623522 100644
|
||||
--- a/src/library/rpm-backend.c
|
||||
+++ b/src/library/rpm-backend.c
|
||||
@@ -30,6 +30,7 @@
|
||||
#include <rpm/rpmmacro.h>
|
||||
#include <rpm/rpmlog.h>
|
||||
#include <rpm/rpmdb.h>
|
||||
+#include <rpm/rpmpgp.h>
|
||||
#include <fnmatch.h>
|
||||
|
||||
#include <uthash.h>
|
@ -1,40 +0,0 @@
|
||||
From a1a9a59f93ebfe6d0c9d725ed0712210994e6d64 Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Tue, 6 Apr 2021 16:06:48 +0200
|
||||
Subject: [PATCH] Allow fapolicyd watch boot and home directories
|
||||
|
||||
The fapolicyd service needs watch_mount and watch_with_perm permissions
|
||||
for fanotify/inotify/dnotify calls on the following directories:
|
||||
- /boot and /boot/efi directories
|
||||
- /home directories
|
||||
|
||||
Note the /boot/efi directory has the dosfs_t label.
|
||||
---
|
||||
fapolicyd.te | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te
|
||||
index f5d0052..c12f385 100644
|
||||
--- a/fapolicyd-selinux-0.4/fapolicyd.te
|
||||
+++ b/fapolicyd-selinux-0.4/fapolicyd.te
|
||||
@@ -63,14 +63,20 @@ domain_read_all_domains_state(fapolicyd_t)
|
||||
|
||||
files_mmap_usr_files(fapolicyd_t)
|
||||
files_read_all_files(fapolicyd_t)
|
||||
+files_watch_mount_boot_dirs(fapolicyd_t)
|
||||
+files_watch_with_perm_boot_dirs(fapolicyd_t)
|
||||
files_watch_mount_generic_tmp_dirs(fapolicyd_t)
|
||||
files_watch_with_perm_generic_tmp_dirs(fapolicyd_t)
|
||||
+files_watch_mount_home(fapolicyd_t)
|
||||
+files_watch_with_perm_home(fapolicyd_t)
|
||||
files_watch_mount_root_dirs(fapolicyd_t)
|
||||
files_watch_with_perm_root_dirs(fapolicyd_t)
|
||||
|
||||
fs_getattr_xattr_fs(fapolicyd_t)
|
||||
fs_watch_mount_tmpfs_dirs(fapolicyd_t)
|
||||
fs_watch_with_perm_tmpfs_dirs(fapolicyd_t)
|
||||
+fs_watch_mount_dos_dirs(fapolicyd_t)
|
||||
+fs_watch_with_perm_dos_dirs(fapolicyd_t)
|
||||
|
||||
logging_send_syslog_msg(fapolicyd_t)
|
||||
dbus_system_bus_client(fapolicyd_t)
|
@ -1,31 +0,0 @@
|
||||
From 6a966a3ee89233a0a055712f39ca564ba91183bf Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Thu, 15 Apr 2021 16:56:08 +0200
|
||||
Subject: [PATCH] Allow fapolicyd watch_mount/watch_with_perm all files and
|
||||
directories
|
||||
|
||||
For the fanotify_mark() syscall, fapolicyd uses the FAN_MARK_MOUNT flag
|
||||
to mark the file's mount point to monitor. As this can be any file or
|
||||
directory on the filesystem, the SELinux watch_mount and watch_with_perm
|
||||
permissions are allowed for the file_type attribute.
|
||||
---
|
||||
fapolicyd.te | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te
|
||||
index c12f385..582e03f 100644
|
||||
--- a/fapolicyd-selinux-0.4/fapolicyd.te
|
||||
+++ b/fapolicyd-selinux-0.4/fapolicyd.te
|
||||
@@ -36,6 +36,12 @@ allow fapolicyd_t self:process { setcap setsched };
|
||||
allow fapolicyd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow fapolicyd_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
+gen_require(`
|
||||
+ attribute file_type;
|
||||
+')
|
||||
+allow fapolicyd_t file_type:dir { watch_mount watch_with_perm };
|
||||
+allow fapolicyd_t file_type:file { watch_mount watch_with_perm };
|
||||
+
|
||||
manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t)
|
||||
logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)
|
||||
|
@ -4,7 +4,7 @@
|
||||
|
||||
Summary: Application Whitelisting Daemon
|
||||
Name: fapolicyd
|
||||
Version: 1.1.7
|
||||
Version: 1.2
|
||||
Release: 4%{?dist}
|
||||
License: GPLv3+
|
||||
URL: http://people.redhat.com/sgrubb/fapolicyd
|
||||
@ -30,7 +30,6 @@ Requires(post): systemd-units
|
||||
Requires(preun): systemd-units
|
||||
Requires(postun): systemd-units
|
||||
|
||||
Patch2: fapolicyd-rpm-backend-c99.patch
|
||||
# RHEL-specific patches
|
||||
Patch100: fapolicyd-uthash-bundle.patch
|
||||
|
||||
@ -59,7 +58,6 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.
|
||||
|
||||
# selinux
|
||||
%setup -q -D -T -a 1
|
||||
%patch2 -p1 -b .c99
|
||||
|
||||
%if 0%{?rhel} != 0
|
||||
# uthash
|
||||
@ -172,6 +170,7 @@ fi
|
||||
%ghost %{_sysconfdir}/%{name}/rules.d/*
|
||||
%ghost %{_sysconfdir}/%{name}/%{name}.rules
|
||||
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
|
||||
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/rpm-filter.conf
|
||||
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
|
||||
%ghost %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules
|
||||
%attr(644,root,root) %{_unitdir}/%{name}.service
|
||||
@ -181,7 +180,6 @@ fi
|
||||
%attr(755,root,root) %{_sbindir}/fagenrules
|
||||
%attr(644,root,root) %{_mandir}/man8/*
|
||||
%attr(644,root,root) %{_mandir}/man5/*
|
||||
%attr(644,root,root) %{_mandir}/man1/*
|
||||
%ghost %attr(440,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/log/%{name}-access.log
|
||||
%attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name}
|
||||
%attr(770,root,%{name}) %dir /run/%{name}
|
||||
@ -207,6 +205,9 @@ fi
|
||||
%selinux_relabel_post -s %{selinuxtype}
|
||||
|
||||
%changelog
|
||||
* Fri Feb 10 2023 Radovan Sroka <rsroka@redhat.com> - 1.2-1
|
||||
- rebase to v1.2
|
||||
|
||||
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.7-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
||||
|
||||
|
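Review bot: The `Release:` tag is left at `4%{?dist}` (it is unchanged context in the `-4,7 +4,7` hunk, where only `Version:` is printed twice), but the new changelog entry is stamped `1.2-1`. As written the build would come out as 1.2-4 with a changelog that claims 1.2-1; on a version rebase the release is normally reset, i.e. `Release: 1%{?dist}`. Separately, the `-30,7 +30,6` and `-59,7 +58,6` hunks appear to drop `Patch2: fapolicyd-rpm-backend-c99.patch` and its `%patch2` line, which presumably relies on the `#include <rpm/rpmpgp.h>` fix being part of the 1.2 tarball. Confirm that against the new source before building, since without it `rpmFreeCrypto` is again implicitly declared. The `+`/`-` markers are lost in this rendering, so which `%files` line was added and which man-page line was removed cannot be confirmed from the page.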
2
sources
2
sources
@ -1,3 +1,3 @@
|
||||
SHA512 (fapolicyd-1.1.7.tar.gz) = 18fce19486f24c29f5b69c5117d04d201c4e27a5ceb6367e01ee6b0601958ce68eaf8ca37f13340c905b1d38294c8a8401693552d3f146ff5994a82a216f3b14
|
||||
SHA512 (fapolicyd-1.2.tar.gz) = 42c2a66f9b28f96597544bff72022d8735ba8700f022bb7a4d2ab74df43924e372c6e25af0af9d737710b0b835163775002f330bd5adf2964831902b755bebc7
|
||||
SHA512 (fapolicyd-selinux-0.5.tar.gz) = 15f35fcbc8f9a387483be1501693ebfa0e909b6e27fdadd4b89d8541db18738c61074d9fbd3cb8b574edc873bca10fd56767b7b77ad559d93dbb5ef005708273
|
||||
SHA512 (uthash-2.3.0.tar.gz) = 3b01f1074790fb242900411cb16eb82c1a9afcf58e3196a0f4611d9d7ef94690ad38c0a500e7783d3efa20328aa8d6ab14f246be63b3b3d385502ba2b6b2a294
|
||||
|