import fapolicyd-1.0-3.el8

This commit is contained in:
CentOS Sources 2020-11-03 07:08:58 -05:00 committed by Andrew Lukoshko
commit 3dd4bbb98c
15 changed files with 708 additions and 0 deletions

2
.fapolicyd.metadata Normal file
View File

@ -0,0 +1,2 @@
9ddfe0d72d06235cad610072fd8fc9e539b03021 SOURCES/fapolicyd-1.0.tar.gz
593c345068a10b67b353f137378f97bc6aab9111 SOURCES/fapolicyd-selinux-0.2.tar.gz

2
.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
SOURCES/fapolicyd-1.0.tar.gz
SOURCES/fapolicyd-selinux-0.2.tar.gz

View File

@ -0,0 +1,54 @@
diff -urp fapolicyd-0.9.5.orig/doc/fapolicyd.conf.5 fapolicyd-0.9.5/doc/fapolicyd.conf.5
--- fapolicyd-0.9.5.orig/doc/fapolicyd.conf.5 2020-05-22 10:03:14.000000000 -0400
+++ fapolicyd-0.9.5/doc/fapolicyd.conf.5 2020-05-22 10:04:32.583100229 -0400
@@ -55,26 +55,6 @@ This is a comma separated list of file s
This is a comma separated list of trust back-ends. If this is not configured, rpmdb is default. Fapolicyd supports \fBfile\fP back-end that reads content of /etc/fapolicyd/fapolicyd.trust and use it as a list of trusted files. The second option is \fBrpmdb\fP backend that generates list of trusted files from rpmdb.
.TP
-.B integrity
-This option tells fapolicyd which integrity strategy it should use. It can be one of 4 values:
-.RS
-.TP 12
-.B none
-This is the
-.IR default
-and does no integrity checking.
-.TP
-.B size
-Selecting this option will compare the size of the file with what it was knows to be. This is better than nothing and very fast since fapolicyd already collects size information during normal processing. However, an attacker could replace the file and as long as the size matches, it will not be detected.
-.TP
-.B ima
-Selecting this option will use a SHA256 hash that the IMA subsystem places in a file's extended attributes in addition to the size check. This means that all file systems holding executable code must support extended attributes.
-.RE
-.TP
-.B sha256
-Selecting this option will calculate a SHA256 hash by cryptographic means. A size check will also be performed.
-
-.TP
.B syslog_format
This option controls how the output from the access decision is formatted. The format is a comma separated list of subject and object names from the rules. It does not allow the keyword "all". It also allows for rule, dec, and perm. The format must include a semi-colon to deliniate subject from object keywords. The typical use is to place information about the access decision, then subject information, a colon, and the object information. Also note that the more things being logged, the more it will impact system performance. Also, the event written is limited to 512 bytes.
diff -urp fapolicyd-0.9.5.orig/init/fapolicyd.conf fapolicyd-0.9.5/init/fapolicyd.conf
--- fapolicyd-0.9.5.orig/init/fapolicyd.conf 2020-05-22 10:03:14.000000000 -0400
+++ fapolicyd-0.9.5/init/fapolicyd.conf 2020-05-22 10:04:46.801098703 -0400
@@ -15,5 +15,4 @@ subj_cache_size = 1549
obj_cache_size = 8191
watch_fs = ext2,ext3,ext4,tmpfs,xfs,vfat,iso9660
trust = rpmdb,file
-integrity = none
syslog_format = rule,dec,perm,auid,pid,exe,:,path,ftype
diff -urp fapolicyd-0.9.5.orig/src/daemon/daemon-config.c fapolicyd-0.9.5/src/daemon/daemon-config.c
--- fapolicyd-0.9.5.orig/src/daemon/daemon-config.c 2020-05-22 10:03:14.000000000 -0400
+++ fapolicyd-0.9.5/src/daemon/daemon-config.c 2020-05-22 10:05:35.103093520 -0400
@@ -538,9 +538,9 @@ static int trust_parser(const struct nv_
static const struct nv_list integrity_schemes[] =
{
{"none", IN_NONE },
- {"size", IN_SIZE },
+/* {"size", IN_SIZE },
{"ima", IN_IMA },
- {"sha256", IN_SHA256 },
+ {"sha256", IN_SHA256 }, */
{ NULL, 0 }
};

View File

@ -0,0 +1,13 @@
diff -up ./src/cli/fapolicyd-cli.c.args ./src/cli/fapolicyd-cli.c
--- ./src/cli/fapolicyd-cli.c.args 2020-05-24 19:23:27.000000000 +0200
+++ ./src/cli/fapolicyd-cli.c 2020-06-01 11:58:01.397204265 +0200
@@ -232,6 +232,9 @@ static int do_manage_files(int argc, cha
else
rc = file_update("/");
+ } else {
+ fprintf(stderr, "Missing operation option add|delete|update\n\n");
+ goto args_err;
}
return rc;

View File

@ -0,0 +1,39 @@
From 98768e7d2b3736a7924d8e17de206fd25071e395 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Tue, 2 Jun 2020 17:11:19 -0400
Subject: [PATCH] Make fapolicyd-cli buffer bigger for rule listing
---
ChangeLog | 2 ++
src/cli/fapolicyd-cli.c | 5 +++--
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/cli/fapolicyd-cli.c b/src/cli/fapolicyd-cli.c
index feb9e71..8783547 100644
--- a/src/cli/fapolicyd-cli.c
+++ b/src/cli/fapolicyd-cli.c
@@ -41,6 +41,7 @@
#include "database.h"
#include "file-backend.h"
#include "fapolicyd-backend.h"
+#include "string-util.h"
static const char *usage =
@@ -318,14 +319,14 @@ static int do_ftype(const char *path)
static int do_list(void)
{
unsigned count = 1, lineno = 0;
- char buf[160];
+ char buf[BUFFER_MAX+1];
FILE *f = fopen(RULES_FILE, "rm");
if (f == NULL) {
fprintf(stderr, "Cannot open rules file (%s)\n",
strerror(errno));
return 1;
}
- while (get_line(f, buf, sizeof(buf), &lineno)) {
+ while (get_line(f, buf, BUFFER_MAX, &lineno)) {
char *str = buf;
lineno++;
while (*str) {

View File

@ -0,0 +1,30 @@
diff -U0 ./ChangeLog.cli-empty-db ./ChangeLog
diff -up ./src/cli/fapolicyd-cli.c.cli-empty-db ./src/cli/fapolicyd-cli.c
--- ./src/cli/fapolicyd-cli.c.cli-empty-db 2020-06-05 17:12:49.010948664 +0200
+++ ./src/cli/fapolicyd-cli.c 2020-06-05 17:12:49.016948738 +0200
@@ -112,6 +112,7 @@ static int do_dump_db(void)
MDB_env *env;
MDB_txn *txn;
MDB_dbi dbi;
+ MDB_stat status;
MDB_cursor *cursor;
MDB_val key, val;
@@ -129,6 +130,17 @@ static int do_dump_db(void)
rc = 1;
goto env_close;
}
+ rc = mdb_env_stat(env, &status);
+ if (rc) {
+ fprintf(stderr, "mdb_env_stat failed, error %d %s\n", rc,
+ mdb_strerror(rc));
+ rc = 1;
+ goto env_close;
+ }
+ if (status.ms_entries == 0) {
+ printf("Trust database is empty\n");
+ goto env_close; // Note: rc is 0 to get here
+ }
rc = mdb_txn_begin(env, NULL, MDB_RDONLY, &txn);
if (rc) {
fprintf(stderr, "mdb_txn_begin failed, error %d %s\n", rc,

View File

@ -0,0 +1,36 @@
From 84916944b481d5c478202f6c4239e4aed0731406 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Tue, 2 Jun 2020 17:27:58 -0400
Subject: [PATCH] Return only valid lines
If fapolicyd_get_line does not find a 0x0A, then we have an unterminated
string because its too long. Only return terminated strings, otherwise
pass NULL back.
---
src/library/string-util.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/library/string-util.c b/src/library/string-util.c
index f991f5f..ffdc645 100644
--- a/src/library/string-util.c
+++ b/src/library/string-util.c
@@ -53,15 +53,16 @@ char * fapolicyd_strtrim(char * s)
return s;
}
-char * fapolicyd_get_line(FILE *f, char *buf)
+char *fapolicyd_get_line(FILE *f, char *buf)
{
if (fgets_unlocked(buf, BUFFER_MAX-1, f)) {
/* remove newline */
char *ptr = strchr(buf, 0x0a);
- if (ptr)
+ if (ptr) {
*ptr = 0;
- return buf;
+ return buf;
+ }
}
return NULL;

View File

@ -0,0 +1,60 @@
diff -up ./init/fapolicyd-magic.magic-override ./init/fapolicyd-magic
--- ./init/fapolicyd-magic.magic-override 2020-06-01 12:19:03.714672865 +0200
+++ ./init/fapolicyd-magic 2020-06-01 12:19:52.754376249 +0200
@@ -13,6 +13,12 @@
0 string/wt #!\ /usr/bin/lua Lua script text executable
!:mime text/x-lua
+0 string/wt #!\ /usr/bin/texlua LuaTex script text executable
+!:mime text/x-luatex
+
+0 string/wt #!\ /usr/bin/luatex LuaTex script text executable
+!:mime text/x-luatex
+
0 string/wt #!\ /usr/bin/Rscript R script text executable
!:mime text/x-R
@@ -53,8 +59,19 @@
!:strength + 15
!:mime text/x-python
+0 search/1/w #!\ /usr/bin/env\ python Python script text executable
+!:strength + 15
+!:mime text/x-python
+
0 string/wt #!\ /usr/bin/guile Guile script text executable
!:mime text/x-script.guile
0 string \223NUMPY NumPy data file
!:mime application/x-numpy-data
+
+0 search/1/w #!\ /usr/bin/tclsh Tcl/Tk script text executable
+!:mime text/x-tcl
+
+
+0 search/1/w #!\ /usr/bin/stap Systemtap script text executable
+!:mime text/x-systemtap
diff -up ./init/fapolicyd.rules.known-libs.magic-override ./init/fapolicyd.rules.known-libs
--- ./init/fapolicyd.rules.known-libs.magic-override 2020-06-01 12:20:56.498290540 +0200
+++ ./init/fapolicyd.rules.known-libs 2020-06-01 12:23:17.220324490 +0200
@@ -3,7 +3,7 @@
# performance while ensuring that there is not much interference by
# the daemon.
-%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/javascript,text/x-awk,text/x-gawk,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl
+%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/javascript,text/x-awk,text/x-gawk,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
# Carve out an exception for dracut initramfs building
allow perm=any uid=0 : dir=/var/tmp/
diff -up ./init/fapolicyd.rules.restrictive.magic-override ./init/fapolicyd.rules.restrictive
--- ./init/fapolicyd.rules.restrictive.magic-override 2020-06-01 12:22:55.144002314 +0200
+++ ./init/fapolicyd.rules.restrictive 2020-06-01 12:23:55.860888398 +0200
@@ -15,7 +15,7 @@
# allow perm=open exe=%python : all
#
-%languages=application/x-bytecode.ocaml,application/java-archive,text/javascript,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl
+%languages=application/x-bytecode.ocaml,application/java-archive,text/javascript,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
# Carve out an exception for dracut
allow perm=any uid=0 : dir=/var/tmp/

View File

@ -0,0 +1,61 @@
From 598d167f1d3e774104fc8b75ca6525351fbc4558 Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Mon, 1 Jun 2020 14:34:17 +0200
Subject: [PATCH] Added few python and shell magic entries
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
init/fapolicyd-magic | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/init/fapolicyd-magic b/init/fapolicyd-magic
index 3128545..703625e 100644
--- a/init/fapolicyd-magic
+++ b/init/fapolicyd-magic
@@ -1,9 +1,17 @@
0 string/wt #!\ /usr/bin/bash Bourne-Again shell script text executable
!:mime text/x-shellscript
+0 search/1/w #!\ /usr/bin/env\ bash Bourne-Again shell script text executable
+!:strength + 15
+!:mime text/x-shellscript
+
0 string/w #!\ /usr/bin/sh Shell script text executable
!:mime text/x-shellscript
+0 search/1/w #!\ /usr/bin/env\ sh Shell script text executable
+!:strength + 15
+!:mime text/x-shellscript
+
0 string/wt #!\ /bin/rc Plan 9 shell script text executable
!:mime text/x-plan9-shellscript
@@ -47,10 +55,18 @@
!:strength + 15
!:mime text/x-python
+0 search/1/w #!\ /usr/bin/env\ python3 Python script text executable
+!:strength + 15
+!:mime text/x-python
+
0 search/1/w #!\ /usr/bin/python2 Python script text executable
!:strength + 15
!:mime text/x-python
+0 search/1/w #!\ /usr/bin/env\ python2 Python script text executable
+!:strength + 15
+!:mime text/x-python
+
0 search/1/w #!\ /usr/bin/python Python script text executable
!:strength + 15
!:mime text/x-python
@@ -72,6 +88,5 @@
0 search/1/w #!\ /usr/bin/tclsh Tcl/Tk script text executable
!:mime text/x-tcl
-
0 search/1/w #!\ /usr/bin/stap Systemtap script text executable
!:mime text/x-systemtap
--
2.25.4

View File

@ -0,0 +1,24 @@
From 00e7b498cac2cdb7e82075b6328b313b420120d6 Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Tue, 2 Jun 2020 21:25:12 +0200
Subject: [PATCH] Sync fapolicyd.conf man page trust option with the real
default. (#71)
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
doc/fapolicyd.conf.5 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/fapolicyd.conf.5 b/doc/fapolicyd.conf.5
index 5ed657e..0f28081 100644
--- a/doc/fapolicyd.conf.5
+++ b/doc/fapolicyd.conf.5
@@ -52,7 +52,7 @@ This is a comma separated list of file systems that should be watched for access
.TP
.B trust
-This is a comma separated list of trust back-ends. If this is not configured, rpmdb is default. Fapolicyd supports \fBfile\fP back-end that reads content of /etc/fapolicyd/fapolicyd.trust and use it as a list of trusted files. The second option is \fBrpmdb\fP backend that generates list of trusted files from rpmdb.
+This is a comma separated list of trust back-ends. If this is not configured, 'rpmdb,file' is default. Fapolicyd supports \fBfile\fP back-end that reads content of /etc/fapolicyd/fapolicyd.trust and use it as a list of trusted files. The second option is \fBrpmdb\fP backend that generates list of trusted files from rpmdb.
.TP
.B syslog_format

View File

@ -0,0 +1,33 @@
diff -up ./doc/fapolicyd-cli.1.man-page ./doc/fapolicyd-cli.1
--- ./doc/fapolicyd-cli.1.man-page 2020-06-01 14:20:55.720491113 +0200
+++ ./doc/fapolicyd-cli.1 2020-06-01 14:20:59.684554153 +0200
@@ -16,7 +16,7 @@ Deletes the trust database. Normally thi
.B \-D, \-\-dump-db
Dumps the trust db contents for inspection. This will print the original trust source, path, file size, and SHA256 sum of the file as known by the trust source the entry came from.
.TP
-.B \-f, \-\-file [add] [path]
+.B \-f, \-\-file add|delete|update [path]
Manage the file trust database.
.RS
.TP 12
diff -up ./doc/fapolicyd.rules.5.man-page ./doc/fapolicyd.rules.5
--- ./doc/fapolicyd.rules.5.man-page 2020-05-24 19:23:27.000000000 +0200
+++ ./doc/fapolicyd.rules.5 2020-06-01 14:20:31.272102326 +0200
@@ -14,7 +14,7 @@ for the access control decision. The col
.SS Decision
The decision is either
.IR allow ", " deny ", " allow_audit ", " deny_audit ", " allow_syslog ", "deny_syslog ", " allow_log ", or " deny_log ".
-If the rule triggers, this is the access decision that fapolicyd will tell the kernel. If the decision is one of the audit variety, then the decision will trigger a FANOTIFY audit event with all relevant information. If the decision is one of the syslog variety, then the decision will trigger writing an event into syslog. If the decision is of one the log variety, then it will create an audit event and a syslog event.
+If the rule triggers, this is the access decision that fapolicyd will tell the kernel. If the decision is one of the audit variety, then the decision will trigger a FANOTIFY audit event with all relevant information. If the decision is one of the syslog variety, then the decision will trigger writing an event into syslog. If the decision is of one the log variety, then it will create an audit event and a syslog event. Regardless of the notification, any rule with a deny in the keyword will deny access and any with an allow in the keyword will allow access.
.SS Perm
Perm describes what kind permission is being asked for. The permission is either
@@ -132,7 +132,7 @@ This option matches against the sha256 h
.RE
.SH SETS
-Set is a named group of values of the same type. Fapolicyd internally distinguishes between INT and STRING set types. You can define your own set and use it as a value for specific rule attribute. Definition is in key=value syntax and it starts with a set name. Set name has to start with % and the rest is alphanumeric. Value is a comma separated list. The set type is inherited from the first item in the list. If that can be turned into number then whole list is expected to carry numbers. One can use these sets as a value for subject and object attributes. It is also possible to use a plain list as an attribute value without previous definition. Assigned set has to match attribute type. It is not possible set groups for TRUST and PATTERN attributes.
+Set is a named group of values of the same type. Fapolicyd internally distinguishes between INT and STRING set types. You can define your own set and use it as a value for a specific rule attribute. The definition is in key=value syntax and starts with a set name. The set name has to start with % and the rest is alphanumeric. The value is a comma separated list. The set type is inherited from the first item in the list. If that can be turned into number then whole list is expected to carry numbers. One can use these sets as a value for subject and object attributes. It is also possible to use a plain list as an attribute value without previous definition. The assigned set has to match the attribute type. It is not possible set groups for TRUST and PATTERN attributes.
.SS SETS EXAMPLES

View File

@ -0,0 +1,58 @@
From c7d409cebf86b1c71192fd79ec5f5582f4f00f30 Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Tue, 2 Jun 2020 21:24:28 +0200
Subject: [PATCH] Ignore db errors from check_trust_database() (#70)
- mark every subject and object as not trusted
when it is not possible to do a query
- previously, when error occurred then subject or
object was actually considered to be trusted
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
src/library/event.c | 23 +++++++++++++++++------
1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/src/library/event.c b/src/library/event.c
index 564c120..2a4083b 100644
--- a/src/library/event.c
+++ b/src/library/event.c
@@ -339,9 +339,15 @@ subject_attr_t *get_subj_attr(event_t *e, subject_type_t t)
subj.val = 0;
if (exe) {
- if (exe->str && check_trust_database(exe->str,
- NULL, 0))
- subj.val = 1;
+ if (exe->str) {
+ int res = check_trust_database(exe->str, NULL, 0);
+
+ // ignore -1
+ if (res == 1)
+ subj.val = 1;
+ else
+ subj.val = 0;
+ }
}
}
break;
@@ -422,10 +428,15 @@ object_attr_t *get_obj_attr(event_t *e, object_type_t t)
case OBJ_TRUST: {
object_attr_t *path = get_obj_attr(e, PATH);
- if (path && path->o && check_trust_database(path->o,
- o->info, e->fd))
- obj.val = 1;
+ if (path && path->o) {
+ int res = check_trust_database(path->o, o->info, e->fd);
+ // ignore -1
+ if (res == 1)
+ obj.val = 1;
+ else
+ obj.val = 0;
+ }
}
break;
case FMODE:

View File

@ -0,0 +1,9 @@
diff -up ./fapolicyd-selinux-0.2/fapolicyd.fc.pid ./fapolicyd-selinux-0.2/fapolicyd.fc
--- ./fapolicyd-selinux-0.2/fapolicyd.fc.pid 2020-06-01 11:17:45.593683440 +0200
+++ ./fapolicyd-selinux-0.2/fapolicyd.fc 2020-06-01 11:21:36.420409234 +0200
@@ -9,3 +9,5 @@
/var/log/fapolicyd-access.log -- gen_context(system_u:object_r:fapolicyd_log_t,s0)
/var/run/fapolicyd(/.*)? gen_context(system_u:object_r:fapolicyd_var_run_t,s0)
+
+/var/run/fapolicyd\.pid -- gen_context(system_u:object_r:fapolicyd_var_run_t,s0)

20
SOURCES/selinux.patch Normal file
View File

@ -0,0 +1,20 @@
diff -up ./fapolicyd-selinux-0.2/fapolicyd.te.selinux ./fapolicyd-selinux-0.2/fapolicyd.te
--- ./fapolicyd-selinux-0.2/fapolicyd.te.selinux 2019-11-05 14:17:08.000000000 +0100
+++ ./fapolicyd-selinux-0.2/fapolicyd.te 2020-05-25 15:02:37.196991039 +0200
@@ -30,6 +30,7 @@ files_pid_file(fapolicyd_var_run_t)
# fapolicyd local policy
#
allow fapolicyd_t self:capability { audit_write chown dac_override setgid setuid sys_admin sys_nice sys_ptrace };
+allow fapolicyd_t self:cap_userns sys_ptrace;
allow fapolicyd_t self:fifo_file rw_fifo_file_perms;
allow fapolicyd_t self:process { setcap setsched };
allow fapolicyd_t self:unix_stream_socket create_stream_socket_perms;
@@ -48,7 +49,7 @@ manage_dirs_pattern(fapolicyd_t, fapolic
manage_files_pattern(fapolicyd_t, fapolicyd_var_run_t, fapolicyd_var_run_t)
manage_fifo_files_pattern(fapolicyd_t, fapolicyd_var_run_t,fapolicyd_var_run_t)
manage_lnk_files_pattern(fapolicyd_t, fapolicyd_var_run_t, fapolicyd_var_run_t)
-files_pid_filetrans(fapolicyd_t, fapolicyd_var_run_t, { dir file lnk_file })
+files_pid_filetrans(fapolicyd_t, fapolicyd_var_run_t, { dir file fifo_file lnk_file })
kernel_dgram_send(fapolicyd_t)

267
SPECS/fapolicyd.spec Normal file
View File

@ -0,0 +1,267 @@
%global selinuxtype targeted
%global moduletype contrib
%define semodule_version 0.2
Summary: Application Whitelisting Daemon
Name: fapolicyd
Version: 1.0
Release: 3%{?dist}
License: GPLv3+
URL: http://people.redhat.com/sgrubb/fapolicyd
Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz
BuildRequires: gcc
BuildRequires: kernel-headers
BuildRequires: autoconf automake make gcc libtool
BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel
BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
BuildRequires: python3-devel
BuildRequires: python2-devel
Recommends: %{name}-selinux
Requires(pre): shadow-utils
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
Patch1: selinux.patch
Patch2: fapolicyd-0.9.5-integrity.patch
Patch3: selinux-pid.patch
Patch4: fapolicyd-cli-args.patch
Patch5: fapolicyd-magic-override.patch
Patch6: fapolicyd-magic-override2.patch
Patch7: fapolicyd-man-page.patch
Patch8: fapolicyd-trust.patch
Patch9: fapolicyd-cli-empty-db.patch
Patch10: fapolicyd-cli-big-buffer.patch
Patch11: fapolicyd-get-line.patch
Patch12: fapolicyd-man-page-trust.patch
%description
Fapolicyd (File Access Policy Daemon) implements application whitelisting
to decide file access rights. Applications that are known via a reputation
source are allowed access while unknown applications are not. The daemon
makes use of the kernel's fanotify interface to determine file access rights.
%package selinux
Summary: Fapolicyd selinux
Group: Applications/System
Requires: %{name} = %{version}-%{release}
BuildRequires: selinux-policy
BuildRequires: selinux-policy-devel
BuildArch: noarch
%{?selinux_requires}
%description selinux
The %{name}-selinux package contains selinux policy for the %{name} daemon.
%prep
%setup -q
# selinux
%setup -q -D -T -a 1
# generate rules for python
sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
%patch1 -p1 -b .selinux
%patch2 -p1 -b .integrity
%patch3 -p1 -b .pid
%patch4 -p1 -b .args
%patch5 -p1
%patch6 -p1
%patch7 -p1 -b .man-page
%patch8 -p1 -b .trust
%patch9 -p1 -b .cli-empty-db
%patch10 -p1 -b .cli-big-buffer
%patch11 -p1 -b .get-line
%patch12 -p1 -b .man-page-trust
%build
./autogen.sh
%configure \
--with-audit \
--with-rpm \
--disable-shared
make CFLAGS="%{optflags}" %{?_smp_mflags}
# selinux
pushd %{name}-selinux-%{semodule_version}
make
popd
# selinux
%pre selinux
%selinux_relabel_pre -s %{selinuxtype}
%install
make DESTDIR="%{buildroot}" INSTALL='install -p' install
mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/
install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/
install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf
install -p -m 644 init/%{name}.rules.known-libs %{buildroot}/%{_sysconfdir}/%{name}/%{name}.rules
mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}
mkdir -p %{buildroot}/run/%{name}
# selinux
install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
#cleanup
find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
%pre
getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
%post
%systemd_post %{name}.service
%preun
%systemd_preun %{name}.service
%postun
%systemd_postun_with_restart %{name}.service
%files
%doc README.md
%{!?_licensedir:%global license %%doc}
%license COPYING
%attr(755,root,%{name}) %dir %{_datadir}/%{name}
%attr(644,root,%{name}) %{_datadir}/%{name}/%{name}.rules.*
%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
%attr(644,root,root) %{_unitdir}/%{name}.service
%attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
%attr(755,root,root) %{_sbindir}/%{name}
%attr(755,root,root) %{_sbindir}/%{name}-cli
%attr(644,root,root) %{_mandir}/man8/*
%attr(644,root,root) %{_mandir}/man5/*
%attr(644,root,root) %{_mandir}/man1/*
%attr(644,root,root) %{_datadir}/%{name}/*
%ghost %{_localstatedir}/log/%{name}-access.log
%attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name}
%attr(770,root,%{name}) %dir /run/%{name}
%ghost %{_localstatedir}/run/%{name}/%{name}.fifo
%ghost %{_localstatedir}/lib/%{name}/data.mdb
%ghost %{_localstatedir}/lib/%{name}/lock.mdb
%{python3_sitelib}/dnf-plugins/%{name}-dnf-plugin.py
%{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc
# selinux
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
%post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
%postun selinux
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall -s %{selinuxtype} %{name}
fi
%posttrans selinux
%selinux_relabel_post -s %{selinuxtype}
%changelog
* Tue Jun 30 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3
RHEL 8.3 ERRATUM
- fixed manpage fapolicyd-conf
Resolves: rhbz#1817413
* Mon May 25 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-2
RHEL 8.3 ERRATUM
- rebase to v1.0
- installed multiple policies to /usr/share/fapolicyd
- known-libs (default)
- restrictive
- installed fapolicyd.trust file
- enhanced fapolicyd-cli
Resolves: rhbz#1817413
- introduced fapolicyd-selinux that provides SELinux policy module
Resolves: rhbz#1714529
* Tue Mar 03 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.1-4
RHEL 8.2 ERRATUM
- fixed possible heap buffer overflow in elf parser
Resolves: rhbz#1807912
* Tue Feb 11 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.1-3
RHEL 8.2 ERRATUM
- fixed build time python interpreter detection (spec)
- added python2-devel as a BuildRequires (spec)
- allow running bash scripts in home directories
Resolves: rhbz#1801872
* Wed Nov 20 2019 Radovan Sroka <rsroka@redhat.com> - 0.9.1-2
RHEL 8.2 ERRATUM
- rebase to v0.9.1
- updated default configuration with new syntax
- removed daemon mounts configuration
Resolves: rhbz#1759895
- default fapolicyd policy prevents Ansible from running
- added ansible rule to default ruleset
Resolves: rhbz#1746464
- suspicious logs on service start
Resolves: rhbz#1747494
- fapolicyd blocks dracut from generating initramfs
- added dracut rule to default configuration
Resolves: rhbz#1757736
- fapolicyd fails to identify perl interpreter
Resolves: rhbz#1765039
* Wed Jul 24 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-3
- added missing manpage for fapolicyd-cli
Resolves: rhbz#1708015
* Mon Jul 22 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-2
- Convert hashes to lowercase like sha256sum outputs
- Stop littering STDOUT output for dnf plugin in fapolicyd
Resolves: rhbz#1721496
* Tue Jun 18 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-1
- new upstream release
Resolves: rhbz#1673323
* Mon May 06 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.9-1
- New upstream release
- imported from fedora30
resolves: rhbz#1673323
* Wed Mar 13 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.8-2
- backport some patches to resolve dac_override for fapolicyd
* Mon Mar 11 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.8-1
- New upstream release
- Added new DNF plugin that can update the trust database when rpms are installed
- Added support for FAN_OPEN_EXEC_PERM
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.7-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Oct 03 2018 Steve Grubb <sgrubb@redhat.com> 0.8.7-1
- New upstream bugfix release
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Jun 07 2018 Steve Grubb <sgrubb@redhat.com> 0.8.6-1
- New upstream feature release
* Fri May 18 2018 Steve Grubb <sgrubb@redhat.com> 0.8.5-2
- Add dist tag (#1579362)
* Fri Feb 16 2018 Steve Grubb <sgrubb@redhat.com> 0.8.5-1
- New release