RHEL 9.0.0 Alpha bootstrap

The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/fapolicyd#c96e437e8964d0a9b5a4828c8890d142b41a70c7

.gitignore

@@ -0,0 +1,14 @@
+/fapolicyd-0.8.5.tar.gz
+/fapolicyd-0.8.6.tar.gz
+/fapolicyd-0.8.7.tar.gz
+/fapolicyd-0.8.8.tar.gz
+/fapolicyd-0.8.9.tar.gz
+/fapolicyd-0.8.10.tar.gz
+/fapolicyd-0.9.tar.gz
+/fapolicyd-selinux-0.1.tar.gz
+/fapolicyd-selinux-0.2.tar.gz
+/fapolicyd-0.9.2.tar.gz
+/fapolicyd-0.9.3.tar.gz
+/fapolicyd-0.9.4.tar.gz
+/fapolicyd-1.0.tar.gz
+/fapolicyd-selinux-0.3.tar.gz

fapolicyd-cli-args.patch

@@ -0,0 +1,13 @@
+diff -up ./src/cli/fapolicyd-cli.c.args ./src/cli/fapolicyd-cli.c
+--- ./src/cli/fapolicyd-cli.c.args	2020-05-24 19:23:27.000000000 +0200
++++ ./src/cli/fapolicyd-cli.c	2020-06-01 11:58:01.397204265 +0200
+@@ -232,6 +232,9 @@ static int do_manage_files(int argc, cha
+ 		 else
+ 			rc = file_update("/");
+ 
++	} else {
++		fprintf(stderr, "Missing operation option add|delete|update\n\n");
++		goto args_err;
+ 	}
+ 
+ 	return rc;

fapolicyd-cli-big-buffer.patch

@@ -0,0 +1,39 @@
+From 98768e7d2b3736a7924d8e17de206fd25071e395 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Tue, 2 Jun 2020 17:11:19 -0400
+Subject: [PATCH] Make fapolicyd-cli buffer bigger for rule listing
+
+---
+ ChangeLog               | 2 ++
+ src/cli/fapolicyd-cli.c | 5 +++--
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/cli/fapolicyd-cli.c b/src/cli/fapolicyd-cli.c
+index feb9e71..8783547 100644
+--- a/src/cli/fapolicyd-cli.c
++++ b/src/cli/fapolicyd-cli.c
+@@ -41,6 +41,7 @@
+ #include "database.h"
+ #include "file-backend.h"
+ #include "fapolicyd-backend.h"
++#include "string-util.h"
+ 
+ 
+ static const char *usage =
+@@ -318,14 +319,14 @@ static int do_ftype(const char *path)
+ static int do_list(void)
+ {
+ 	unsigned count = 1, lineno = 0;
+-	char buf[160];
++	char buf[BUFFER_MAX+1];
+ 	FILE *f = fopen(RULES_FILE, "rm");
+ 	if (f == NULL) {
+ 		fprintf(stderr, "Cannot open rules file (%s)\n",
+ 						strerror(errno));
+ 		return 1;
+ 	}
+-	while (get_line(f, buf, sizeof(buf), &lineno)) {
++	while (get_line(f, buf, BUFFER_MAX, &lineno)) {
+ 		char *str = buf;
+ 		lineno++;
+ 		while (*str) {

fapolicyd-cli-empty-db.patch

@@ -0,0 +1,30 @@
+diff -U0 ./ChangeLog.cli-empty-db ./ChangeLog
+diff -up ./src/cli/fapolicyd-cli.c.cli-empty-db ./src/cli/fapolicyd-cli.c
+--- ./src/cli/fapolicyd-cli.c.cli-empty-db	2020-06-05 17:12:49.010948664 +0200
++++ ./src/cli/fapolicyd-cli.c	2020-06-05 17:12:49.016948738 +0200
+@@ -112,6 +112,7 @@ static int do_dump_db(void)
+ 	MDB_env *env;
+ 	MDB_txn *txn;
+ 	MDB_dbi dbi;
++	MDB_stat status;
+ 	MDB_cursor *cursor;
+ 	MDB_val key, val;
+ 
+@@ -129,6 +130,17 @@ static int do_dump_db(void)
+ 		rc = 1;
+ 		goto env_close;
+ 	}
++	rc = mdb_env_stat(env, &status);
++	if (rc) {
++		fprintf(stderr, "mdb_env_stat failed, error %d %s\n", rc,
++							mdb_strerror(rc));
++		rc = 1;
++		goto env_close;
++	}
++	if (status.ms_entries == 0) {
++		printf("Trust database is empty\n");
++		goto env_close; // Note: rc is 0 to get here
++	}
+ 	rc = mdb_txn_begin(env, NULL, MDB_RDONLY, &txn);
+ 	if (rc) {
+ 		fprintf(stderr, "mdb_txn_begin failed, error %d %s\n", rc,

fapolicyd-get-line.patch

@@ -0,0 +1,36 @@
+From 84916944b481d5c478202f6c4239e4aed0731406 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Tue, 2 Jun 2020 17:27:58 -0400
+Subject: [PATCH] Return only valid lines
+
+If fapolicyd_get_line does not find a 0x0A, then we have an unterminated
+string because its too long. Only return terminated strings, otherwise
+pass NULL back.
+---
+ src/library/string-util.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/library/string-util.c b/src/library/string-util.c
+index f991f5f..ffdc645 100644
+--- a/src/library/string-util.c
++++ b/src/library/string-util.c
+@@ -53,15 +53,16 @@ char * fapolicyd_strtrim(char * s)
+ 	return s;
+ }
+ 
+-char * fapolicyd_get_line(FILE *f, char *buf)
++char *fapolicyd_get_line(FILE *f, char *buf)
+ {
+ 	if (fgets_unlocked(buf, BUFFER_MAX-1, f)) {
+ 
+ 		/* remove newline */
+ 		char *ptr = strchr(buf, 0x0a);
+-		if (ptr)
++		if (ptr) {
+ 			*ptr = 0;
+-		return buf;
++			return buf;
++		}
+ 	}
+ 
+ 	return NULL;

fapolicyd-magic-override.patch

@@ -0,0 +1,60 @@
+diff -up ./init/fapolicyd-magic.magic-override ./init/fapolicyd-magic
+--- ./init/fapolicyd-magic.magic-override	2020-06-01 12:19:03.714672865 +0200
++++ ./init/fapolicyd-magic	2020-06-01 12:19:52.754376249 +0200
+@@ -13,6 +13,12 @@
+ 0	string/wt	#!\ /usr/bin/lua	Lua script text executable
+ !:mime	text/x-lua
+ 
++0	string/wt	#!\ /usr/bin/texlua	LuaTex script text executable
++!:mime	text/x-luatex
++
++0	string/wt	#!\ /usr/bin/luatex	LuaTex script text executable
++!:mime	text/x-luatex
++
+ 0	string/wt	#!\ /usr/bin/Rscript	R script text executable
+ !:mime	text/x-R
+ 
+@@ -53,8 +59,19 @@
+ !:strength + 15
+ !:mime text/x-python
+ 
++0       search/1/w       #!\ /usr/bin/env\ python        Python script text executable
++!:strength + 15
++!:mime text/x-python
++
+ 0	string/wt	#!\ /usr/bin/guile	Guile script text executable
+ !:mime  text/x-script.guile
+ 
+ 0	string	\223NUMPY			NumPy data file
+ !:mime	application/x-numpy-data
++
++0       search/1/w      #!\ /usr/bin/tclsh       Tcl/Tk script text executable
++!:mime  text/x-tcl
++
++
++0       search/1/w      #!\ /usr/bin/stap       Systemtap script text executable
++!:mime  text/x-systemtap
+diff -up ./init/fapolicyd.rules.known-libs.magic-override ./init/fapolicyd.rules.known-libs
+--- ./init/fapolicyd.rules.known-libs.magic-override	2020-06-01 12:20:56.498290540 +0200
++++ ./init/fapolicyd.rules.known-libs	2020-06-01 12:23:17.220324490 +0200
+@@ -3,7 +3,7 @@
+ # performance while ensuring that there is not much interference by
+ # the daemon.
+ 
+-%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/javascript,text/x-awk,text/x-gawk,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl
++%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/javascript,text/x-awk,text/x-gawk,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
+ 
+ # Carve out an exception for dracut initramfs building
+ allow perm=any uid=0 : dir=/var/tmp/
+diff -up ./init/fapolicyd.rules.restrictive.magic-override ./init/fapolicyd.rules.restrictive
+--- ./init/fapolicyd.rules.restrictive.magic-override	2020-06-01 12:22:55.144002314 +0200
++++ ./init/fapolicyd.rules.restrictive	2020-06-01 12:23:55.860888398 +0200
+@@ -15,7 +15,7 @@
+ # allow perm=open exe=%python : all
+ #
+ 
+-%languages=application/x-bytecode.ocaml,application/java-archive,text/javascript,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl
++%languages=application/x-bytecode.ocaml,application/java-archive,text/javascript,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
+ 
+ # Carve out an exception for dracut
+ allow perm=any uid=0 : dir=/var/tmp/

fapolicyd-magic-override2.patch

@@ -0,0 +1,61 @@
+From 598d167f1d3e774104fc8b75ca6525351fbc4558 Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Mon, 1 Jun 2020 14:34:17 +0200
+Subject: [PATCH] Added few python and shell magic entries
+
+Signed-off-by: Radovan Sroka <rsroka@redhat.com>
+---
+ init/fapolicyd-magic | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/init/fapolicyd-magic b/init/fapolicyd-magic
+index 3128545..703625e 100644
+--- a/init/fapolicyd-magic
++++ b/init/fapolicyd-magic
+@@ -1,9 +1,17 @@
+ 0	string/wt	#!\ /usr/bin/bash	Bourne-Again shell script text executable
+ !:mime	text/x-shellscript
+ 
++0	search/1/w	#!\ /usr/bin/env\ bash	Bourne-Again shell script text executable
++!:strength + 15
++!:mime text/x-shellscript
++
+ 0	string/w	#!\ /usr/bin/sh		Shell script text executable
+ !:mime	text/x-shellscript
+ 
++0	search/1/w	#!\ /usr/bin/env\ sh	Shell script text executable
++!:strength + 15
++!:mime text/x-shellscript
++
+ 0	string/wt	#!\ /bin/rc		Plan 9 shell script text executable
+ !:mime	text/x-plan9-shellscript
+ 
+@@ -47,10 +55,18 @@
+ !:strength + 15
+ !:mime text/x-python
+ 
++0	search/1/w	#!\ /usr/bin/env\ python3	Python script text executable
++!:strength + 15
++!:mime text/x-python
++
+ 0	search/1/w	#!\ /usr/bin/python2	Python script text executable
+ !:strength + 15
+ !:mime text/x-python
+ 
++0	search/1/w	#!\ /usr/bin/env\ python2	Python script text executable
++!:strength + 15
++!:mime text/x-python
++
+ 0	search/1/w	#!\ /usr/bin/python	Python script text executable
+ !:strength + 15
+ !:mime text/x-python
+@@ -72,6 +88,5 @@
+ 0       search/1/w      #!\ /usr/bin/tclsh       Tcl/Tk script text executable
+ !:mime  text/x-tcl
+ 
+-
+ 0       search/1/w      #!\ /usr/bin/stap       Systemtap script text executable
+ !:mime  text/x-systemtap
+-- 
+2.25.4
+

fapolicyd-man-page.patch

@@ -0,0 +1,33 @@
+diff -up ./doc/fapolicyd-cli.1.man-page ./doc/fapolicyd-cli.1
+--- ./doc/fapolicyd-cli.1.man-page	2020-06-01 14:20:55.720491113 +0200
++++ ./doc/fapolicyd-cli.1	2020-06-01 14:20:59.684554153 +0200
+@@ -16,7 +16,7 @@ Deletes the trust database. Normally thi
+ .B \-D, \-\-dump-db
+ Dumps the trust db contents for inspection. This will print the original trust source, path, file size, and SHA256 sum of the file as known by the trust source the entry came from.
+ .TP
+-.B \-f, \-\-file  [add] [path]
++.B \-f, \-\-file  add|delete|update [path]
+ Manage the file trust database.
+ .RS
+ .TP 12
+diff -up ./doc/fapolicyd.rules.5.man-page ./doc/fapolicyd.rules.5
+--- ./doc/fapolicyd.rules.5.man-page	2020-05-24 19:23:27.000000000 +0200
++++ ./doc/fapolicyd.rules.5	2020-06-01 14:20:31.272102326 +0200
+@@ -14,7 +14,7 @@ for the access control decision. The col
+ .SS Decision
+ The decision is either
+ .IR allow ", " deny ", " allow_audit ", " deny_audit ", " allow_syslog ", "deny_syslog ", " allow_log ", or " deny_log ".
+-If the rule triggers, this is the access decision that fapolicyd will tell the kernel. If the decision is one of the audit variety, then the decision will trigger a FANOTIFY audit event with all relevant information. If the decision is one of the syslog variety, then the decision will trigger writing an event into syslog. If the decision is of one the log variety, then it will create an audit event and a syslog event.
++If the rule triggers, this is the access decision that fapolicyd will tell the kernel. If the decision is one of the audit variety, then the decision will trigger a FANOTIFY audit event with all relevant information. If the decision is one of the syslog variety, then the decision will trigger writing an event into syslog. If the decision is of one the log variety, then it will create an audit event and a syslog event. Regardless of the notification, any rule with a deny in the keyword will deny access and any with an allow in the keyword will allow access.
+ 
+ .SS Perm
+ Perm describes what kind permission is being asked for. The permission is either
+@@ -132,7 +132,7 @@ This option matches against the sha256 h
+ .RE
+ 
+ .SH SETS
+-Set is a named group of values of the same type. Fapolicyd internally distinguishes between INT and STRING set types. You can define your own set and use it as a value for specific rule attribute. Definition is in key=value syntax and it starts with a set name. Set name has to start with % and the rest is alphanumeric. Value is a comma separated list. The set type is inherited from the first item in the list. If that can be turned into number then whole list is expected to carry numbers. One can use these sets as a value for subject and object attributes. It is also possible to use a plain list as an attribute value without previous definition. Assigned set has to match attribute type. It is not possible set groups for TRUST and PATTERN attributes.
++Set is a named group of values of the same type. Fapolicyd internally distinguishes between INT and STRING set types. You can define your own set and use it as a value for a specific rule attribute. The definition is in key=value syntax and starts with a set name. The set name has to start with % and the rest is alphanumeric. The value is a comma separated list. The set type is inherited from the first item in the list. If that can be turned into number then whole list is expected to carry numbers. One can use these sets as a value for subject and object attributes. It is also possible to use a plain list as an attribute value without previous definition. The assigned set has to match the attribute type. It is not possible set groups for TRUST and PATTERN attributes.
+ 
+ 
+ .SS SETS EXAMPLES

fapolicyd-trust.patch

@@ -0,0 +1,58 @@
+From c7d409cebf86b1c71192fd79ec5f5582f4f00f30 Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Tue, 2 Jun 2020 21:24:28 +0200
+Subject: [PATCH] Ignore db errors from check_trust_database() (#70)
+
+- mark every subject and object as not trusted
+  when it is not possible to do a query
+
+- previously, when error occurred then subject or
+  object was actually considered to be trusted
+
+Signed-off-by: Radovan Sroka <rsroka@redhat.com>
+---
+ src/library/event.c | 23 +++++++++++++++++------
+ 1 file changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/src/library/event.c b/src/library/event.c
+index 564c120..2a4083b 100644
+--- a/src/library/event.c
++++ b/src/library/event.c
+@@ -339,9 +339,15 @@ subject_attr_t *get_subj_attr(event_t *e, subject_type_t t)
+ 
+ 			subj.val = 0;
+ 			if (exe) {
+-				if (exe->str && check_trust_database(exe->str,
+-								     NULL, 0))
+-					subj.val = 1;
++				if (exe->str) {
++					int res = check_trust_database(exe->str, NULL, 0);
++
++					// ignore -1
++					if (res == 1)
++						subj.val = 1;
++					else
++						subj.val = 0;
++				}
+ 			}
+ 			}
+ 			break;
+@@ -422,10 +428,15 @@ object_attr_t *get_obj_attr(event_t *e, object_type_t t)
+ 		case OBJ_TRUST: {
+ 			object_attr_t *path =  get_obj_attr(e, PATH);
+ 
+-			if (path && path->o && check_trust_database(path->o,
+-							    o->info, e->fd))
+-			obj.val = 1;
++			if (path && path->o) {
++				int res = check_trust_database(path->o, o->info, e->fd);
+ 
++				// ignore -1
++				if (res == 1)
++					obj.val = 1;
++				else
++					obj.val = 0;
++			}
+ 			}
+ 			break;
+ 		case FMODE:

fapolicyd.spec

@@ -0,0 +1,277 @@
+%global selinuxtype targeted
+%global moduletype contrib
+%define semodule_version 0.3
+
+Summary: Application Whitelisting Daemon
+Name: fapolicyd
+Version: 1.0
+Release: 4%{?dist}
+License: GPLv3+
+URL: http://people.redhat.com/sgrubb/fapolicyd
+Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
+Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz
+BuildRequires: gcc
+BuildRequires: kernel-headers
+BuildRequires: autoconf automake make gcc libtool
+BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel file
+BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
+BuildRequires: python3-devel
+Recommends: %{name}-selinux
+Requires(pre): shadow-utils
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+
+Patch1: fapolicyd-cli-args.patch
+Patch2: fapolicyd-magic-override.patch
+Patch3: fapolicyd-magic-override2.patch
+Patch4: fapolicyd-man-page.patch
+Patch5: fapolicyd-trust.patch
+Patch6: fapolicyd-cli-empty-db.patch
+Patch7: fapolicyd-cli-big-buffer.patch
+Patch8: fapolicyd-get-line.patch
+
+%description
+Fapolicyd (File Access Policy Daemon) implements application whitelisting
+to decide file access rights. Applications that are known via a reputation
+source are allowed access while unknown applications are not. The daemon
+makes use of the kernel's fanotify interface to determine file access rights.
+
+%package        selinux
+Summary:        Fapolicyd selinux
+Group:          Applications/System
+Requires:       %{name} = %{version}-%{release}
+BuildRequires:  selinux-policy
+BuildRequires:  selinux-policy-devel
+BuildArch: noarch
+%{?selinux_requires}
+
+%description    selinux
+The %{name}-selinux package contains selinux policy for the %{name} daemon.
+
+%prep
+
+%setup -q
+
+# selinux
+%setup -q -D -T -a 1
+
+%patch1 -p1 -b .cli-args
+%patch2 -p1 -b .magic-override
+%patch3 -p1 -b .magic-override2
+%patch4 -p1 -b .man-page
+%patch5 -p1 -b .trust
+%patch6 -p1 -b .cli-empty-db
+%patch7 -p1 -b .cli-big-buffer
+%patch8 -p1 -b .get-line
+
+sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
+sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
+sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
+
+%build
+
+./autogen.sh
+
+%configure \
+    --with-audit \
+    --with-rpm \
+    --disable-shared
+
+
+make CFLAGS="%{optflags}" %{?_smp_mflags}
+
+# selinux
+pushd %{name}-selinux-%{semodule_version}
+make
+popd
+
+# selinux
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%install
+make DESTDIR="%{buildroot}" INSTALL='install -p' install
+mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/
+install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/
+install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf
+install -p -m 644 init/%{name}.rules.known-libs %{buildroot}/%{_sysconfdir}/%{name}/%{name}.rules
+mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}
+mkdir -p %{buildroot}/run/%{name}
+
+# selinux
+install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
+install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
+
+#cleanup
+find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
+
+%pre
+getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
+
+%post
+%systemd_post %{name}.service
+
+%preun
+%systemd_preun %{name}.service
+
+%postun
+%systemd_postun_with_restart %{name}.service
+
+%files
+%doc README.md
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%attr(755,root,%{name}) %dir %{_datadir}/%{name}
+%attr(644,root,%{name}) %{_datadir}/%{name}/%{name}.rules.*
+%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
+%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
+%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
+%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
+%attr(644,root,root) %{_unitdir}/%{name}.service
+%attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
+%attr(755,root,root) %{_sbindir}/%{name}
+%attr(755,root,root) %{_sbindir}/%{name}-cli
+%attr(644,root,root) %{_mandir}/man8/*
+%attr(644,root,root) %{_mandir}/man5/*
+%attr(644,root,root) %{_mandir}/man1/*
+%attr(644,root,root) %{_datadir}/%{name}/*
+%ghost %{_localstatedir}/log/%{name}-access.log
+%attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name}
+%attr(770,root,%{name}) %dir /run/%{name}
+%ghost /run/%{name}/%{name}.fifo
+%ghost %{_localstatedir}/lib/%{name}/data.mdb
+%ghost %{_localstatedir}/lib/%{name}/lock.mdb
+%{python3_sitelib}/dnf-plugins/%{name}-dnf-plugin.py
+%{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc
+
+
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
+%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{name}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+
+
+%changelog
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jun 24 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3
+- backported few cosmetic small patches from upstream master
+- rebase selinux tarbal to v0.3
+- file context pattern for /run/fapolicyd.pid is missing
+Resolves: rhbz#1834674
+
+* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 1.0-2
+- Rebuilt for Python 3.9
+
+* Mon May 25 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-1
+- rebase fapolicyd to 1.0
+- allowed sys_ptrace for user namespace
+
+* Mon Mar 23 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.4-1
+- rebase fapolicyd to 0.9.4
+- polished the pattern detection engine
+- rpm backend now drops most of the files in /usr/share/ to dramatically reduce
+  memory consumption and improve startup speed
+- the commandline utility can now delete the lmdb trust database and manage
+  the file trust source
+
+* Mon Feb 24 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.3-1
+- rebase fapolicyd to 0.9.3
+- dramatically improved startup time
+- fapolicyd-cli has picked up --list and --ftype commands to help debug/write policy
+- file type identification has been improved
+- trust database statistics have been added to the reports
+
+* Tue Feb 04 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.2-2
+- Label all fifo_file as fapolicyd_var_run_t in /var/run.
+- Allow fapolicyd_t domain to create fifo files labeled as
+  fapolicyd_var_run_t
+
+* Fri Jan 31 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.2-1
+- rebase fapolicyd to 0.9.2
+- allows watched mount points to be specified by file system types
+- ELF file detection was improved
+- the rules have been rewritten to express the policy based on subject
+  object trust for better performance and reliability
+- exceptions for dracut and ansible were added to the rules to avoid problems
+  under normal system use
+- adds an admin defined trust database (fapolicyd.trust)
+- setting boost, queue, user, and group on the daemon
+  command line are deprecated
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Tue Nov 05 2019 Marek Tamaskovic <mtamasko@redhat.com> - 0.9-3
+- Updated fapolicyd-selinux subpackage to v0.2
+  Selinux subpackage is recommended for fapolicyd.
+
+* Mon Oct 07 2019 Radovan Sroka <rsroka@redhat.com> - 0.9-2
+- Added fapolicyd-selinux subpackage
+
+* Mon Oct 07 2019 Radovan Sroka <rsroka@redhat.com> - 0.9-1
+- rebase to v0.9
+
+* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 0.8.10-2
+- Rebuilt for Python 3.8.0rc1 (#1748018)
+
+* Wed Aug 28 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-1
+- rebase to 0.8.10
+- generate python paths dynamically
+
+* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 0.8.9-5
+- Rebuilt for Python 3.8
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.9-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Mon Jun 10 22:13:18 CET 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.8.9-3
+- Rebuild for RPM 4.15
+
+* Mon Jun 10 15:42:01 CET 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.8.9-2
+- Rebuild for RPM 4.15
+
+* Mon May 06 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.9-1
+- New upstream release
+
+* Wed Mar 13 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.8-2
+- backport some patches to resolve dac_override for fapolicyd
+
+* Mon Mar 11 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.8-1
+- New upstream release
+- Added new DNF plugin that can update the trust database when rpms are installed
+- Added support for FAN_OPEN_EXEC_PERM
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+
+* Wed Oct 03 2018 Steve Grubb <sgrubb@redhat.com> 0.8.7-1
+- New upstream bugfix release
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Jun 07 2018 Steve Grubb <sgrubb@redhat.com> 0.8.6-1
+- New upstream feature release
+
+* Fri May 18 2018 Steve Grubb <sgrubb@redhat.com> 0.8.5-2
+- Add dist tag (#1579362)
+
+* Fri Feb 16 2018 Steve Grubb <sgrubb@redhat.com> 0.8.5-1
+- New release

selinux.patch

@@ -0,0 +1,20 @@
+diff -up ./fapolicyd-selinux-0.2/fapolicyd.te.selinux ./fapolicyd-selinux-0.2/fapolicyd.te
+--- ./fapolicyd-selinux-0.2/fapolicyd.te.selinux	2019-11-05 14:17:08.000000000 +0100
++++ ./fapolicyd-selinux-0.2/fapolicyd.te	2020-05-25 15:02:37.196991039 +0200
+@@ -30,6 +30,7 @@ files_pid_file(fapolicyd_var_run_t)
+ # fapolicyd local policy
+ #
+ allow fapolicyd_t self:capability { audit_write chown dac_override setgid setuid sys_admin sys_nice sys_ptrace };
++allow fapolicyd_t self:cap_userns sys_ptrace;
+ allow fapolicyd_t self:fifo_file rw_fifo_file_perms;
+ allow fapolicyd_t self:process { setcap setsched };
+ allow fapolicyd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -48,7 +49,7 @@ manage_dirs_pattern(fapolicyd_t, fapolic
+ manage_files_pattern(fapolicyd_t, fapolicyd_var_run_t, fapolicyd_var_run_t)
+ manage_fifo_files_pattern(fapolicyd_t, fapolicyd_var_run_t,fapolicyd_var_run_t)
+ manage_lnk_files_pattern(fapolicyd_t, fapolicyd_var_run_t, fapolicyd_var_run_t)
+-files_pid_filetrans(fapolicyd_t, fapolicyd_var_run_t, { dir file lnk_file })
++files_pid_filetrans(fapolicyd_t, fapolicyd_var_run_t, { dir file fifo_file lnk_file })
+ 
+ kernel_dgram_send(fapolicyd_t)
+ 

sources

@@ -0,0 +1,2 @@
+SHA512 (fapolicyd-selinux-0.3.tar.gz) = 29895ee587294a275b3dbc712f915466758a3aabf7a692ed410ff91ae5d7dea936c231cde6aca5adf4edb9d9160450b65317ca9d1d6e76d687066d17d18495cd
+SHA512 (fapolicyd-1.0.tar.gz) = 7fbaca0774223fefb0ed553fdd1591b6a46c8939983fe2e9c98a3fc067b4f09257a65a6039434e196c09baa62a324f85cd74afa80182c9cad84e316af4aeae19