Auto sync2gitlab import of fapolicyd-1.1-4.el8.src.rpm

.gitignore

@@ -0,0 +1,2 @@
+/fapolicyd-1.1.tar.gz
+/fapolicyd-selinux-0.4.tar.gz

EMPTY

@@ -1 +0,0 @@
- 

fagenrules-group.patch

@@ -0,0 +1,13 @@
+diff -up ./init/fagenrules.fix ./init/fagenrules
+--- ./init/fagenrules.fix	2022-04-01 16:12:50.512164904 +0200
++++ ./init/fagenrules	2022-04-01 16:21:07.924712100 +0200
+@@ -117,7 +117,8 @@ fi
+ 
+ # We copy the file so that it gets the right selinux label
+ cp ${TmpRules} ${DestinationFile}
+-chmod 0640 ${DestinationFile}
++chmod 0644 ${DestinationFile}
++chgrp fapolicyd ${DestinationFile}
+ 
+ # Restore context on MLS system.
+ # /tmp is SystemLow & fapolicyd.rules is SystemHigh

fapolicyd-dnf-plugin.patch

@@ -0,0 +1,35 @@
+diff --color -ru a/dnf/fapolicyd-dnf-plugin.py b/dnf/fapolicyd-dnf-plugin.py
+--- a/dnf/fapolicyd-dnf-plugin.py	2021-11-12 20:21:54.000000000 +0100
++++ b/dnf/fapolicyd-dnf-plugin.py	2021-11-18 16:29:03.919237116 +0100
+@@ -8,29 +8,9 @@
+ class Fapolicyd(dnf.Plugin):
+ 
+     name = "fapolicyd"
+-    pipe = "/var/run/fapolicyd/fapolicyd.fifo"
+-    file = None
+ 
+     def __init__(self, base, cli):
+         pass
+ 
+     def transaction(self):
+-
+-        if not os.path.exists(self.pipe):
+-            sys.stderr.write("Pipe does not exist (" + self.pipe + ")\n")
+-            sys.stderr.write("Perhaps fapolicy-plugin does not have enough permissions\n")
+-            sys.stderr.write("or fapolicyd is not running...\n")
+-            return
+-
+-        if not stat.S_ISFIFO(os.stat(self.pipe).st_mode):
+-            sys.stderr.write(self.pipe + ": is not a pipe!\n")
+-            return
+-
+-        try:
+-            self.file = open(self.pipe, "w")
+-        except PermissionError:
+-            sys.stderr.write("fapolicy-plugin does not have write permission: " + self.pipe + "\n")
+-            return
+-
+-        self.file.write("1")
+-        self.file.close()
++        pass
+Only in b/dnf: fapolicyd-dnf-plugin.py.plugin

fapolicyd-reorder-rules.patch

@@ -0,0 +1,110 @@
+From 609ffa1d2ed490c7d5c77d2dd2dfdc50f415b935 Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Thu, 24 Mar 2022 09:59:05 +0100
+Subject: [PATCH] Reorder loop holes with patterns in rules.d
+
+- this keeps backwards compatibility with older wersions of rules
+- the ld_so pattern was applied to root
+- it caused problems with running ldd as root(previously unrestricted)
+
+Signed-off-by: Radovan Sroka <rsroka@redhat.com>
+---
+ fapolicyd.spec                                   |  6 +++---
+ rules.d/{30-dracut.rules => 20-dracut.rules}     |  0
+ rules.d/{30-updaters.rules => 21-updaters.rules} |  0
+ rules.d/{20-patterns.rules => 30-patterns.rules} |  0
+ rules.d/Makefile.am                              |  4 ++--
+ rules.d/README-rules                             | 16 ++++++++--------
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+ rename rules.d/{30-dracut.rules => 20-dracut.rules} (100%)
+ rename rules.d/{30-updaters.rules => 21-updaters.rules} (100%)
+ rename rules.d/{20-patterns.rules => 30-patterns.rules} (100%)
+
+diff --git a/fapolicyd.spec b/fapolicyd.spec
+index c2aae21..261b780 100644
+--- a/fapolicyd.spec
++++ b/fapolicyd.spec
+@@ -66,9 +66,9 @@ if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
+ 	if [ "$files" -eq 0 ] ; then
+ 		## Install the known libs policy
+ cp %{_datadir}/%{name}/sample-rules/10-languages.rules  %{_sysconfdir}/%{name}/rules.d/
+-cp %{_datadir}/%{name}/sample-rules/20-patterns.rules %{_sysconfdir}/%{name}/rules.d/
+-cp %{_datadir}/%{name}/sample-rules/30-dracut.rules %{_sysconfdir}/%{name}/rules.d/
+-cp %{_datadir}/%{name}/sample-rules/30-updaters.rules  %{_sysconfdir}/%{name}/rules.d/
++cp %{_datadir}/%{name}/sample-rules/20-dracut.rules %{_sysconfdir}/%{name}/rules.d/
++cp %{_datadir}/%{name}/sample-rules/21-updaters.rules  %{_sysconfdir}/%{name}/rules.d/
++cp %{_datadir}/%{name}/sample-rules/30-patterns.rules %{_sysconfdir}/%{name}/rules.d/
+ cp %{_datadir}/%{name}/sample-rules/40-bad-elf.rules  %{_sysconfdir}/%{name}/rules.d/
+ cp %{_datadir}/%{name}/sample-rules/41-shared-obj.rules  %{_sysconfdir}/%{name}/rules.d/
+ cp %{_datadir}/%{name}/sample-rules/42-trusted-elf.rules  %{_sysconfdir}/%{name}/rules.d/
+diff --git a/rules.d/30-dracut.rules b/rules.d/20-dracut.rules
+similarity index 100%
+rename from rules.d/30-dracut.rules
+rename to rules.d/20-dracut.rules
+diff --git a/rules.d/30-updaters.rules b/rules.d/21-updaters.rules
+similarity index 100%
+rename from rules.d/30-updaters.rules
+rename to rules.d/21-updaters.rules
+diff --git a/rules.d/20-patterns.rules b/rules.d/30-patterns.rules
+similarity index 100%
+rename from rules.d/20-patterns.rules
+rename to rules.d/30-patterns.rules
+diff --git a/rules.d/Makefile.am b/rules.d/Makefile.am
+index 76b5377..9bb61a7 100644
+--- a/rules.d/Makefile.am
++++ b/rules.d/Makefile.am
+@@ -23,8 +23,8 @@
+ 
+ CONFIG_CLEAN_FILES = *.rej *.orig
+ 
+-EXTRA_DIST = README-rules 10-languages.rules 20-patterns.rules \
+-	30-dracut.rules 30-updaters.rules \
++EXTRA_DIST = README-rules 10-languages.rules 20-dracut.rules \
++	21-updaters.rules 30-patterns.rules \
+ 	40-bad-elf.rules 41-shared-obj.rules 42-trusted-elf.rules \
+ 	43-known-elf.rules \
+ 	70-trusted-lang.rules 71-known-python.rules 72-shell.rules \
+diff --git a/rules.d/README-rules b/rules.d/README-rules
+index c03c02b..30fcd01 100644
+--- a/rules.d/README-rules
++++ b/rules.d/README-rules
+@@ -5,8 +5,8 @@ sort order. To make things easier to use, the files in this directory are
+ organized into groups with the following meanings:
+ 
+ 10 - macros
+-20 - patterns
+-30 - loop holes
++20 - loop holes
++30 - patterns
+ 40 - ELF rules
+ 50 - user/group access rules
+ 60 - application access rules
+@@ -25,9 +25,9 @@ You can reconstruct the old policy files by including the following:
+ fapolicyd.rules.known-libs
+ --------------------------
+ 10-languages.rules
+-20-patterns.rules
+-30-dracut.rules
+-30-updaters.rules
++20-dracut.rules
++21-updaters.rules
++30-patterns.rules
+ 40-bad-elf.rules
+ 41-shared-obj.rules
+ 42-trusted-elf.rules
+@@ -39,9 +39,9 @@ fapolicyd.rules.known-libs
+ fapolicyd.rules.restrictive
+ ---------------------------
+ 10-languages.rules
+-20-patterns.rules
+-30-dracut.rules
+-30-updaters.rules
++20-dracut.rules
++21-updaters.rules
++30-patterns.rules
+ 40-bad-elf.rules
+ 41-shared-obj.rules
+ 43-known-elf.rules
+-- 
+2.35.1
+

fapolicyd-selinux.patch

@@ -0,0 +1,28 @@
+diff --color -ru a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te
+--- a/fapolicyd-selinux-0.4/fapolicyd.te	2021-03-23 10:21:31.000000000 +0100
++++ b/fapolicyd-selinux-0.4/fapolicyd.te	2021-11-19 10:24:20.000002248 +0100
+@@ -63,23 +63,13 @@
+ 
+ files_mmap_usr_files(fapolicyd_t)
+ files_read_all_files(fapolicyd_t)
+-files_watch_mount_generic_tmp_dirs(fapolicyd_t)
+-files_watch_with_perm_generic_tmp_dirs(fapolicyd_t)
+-files_watch_mount_root_dirs(fapolicyd_t)
+-files_watch_with_perm_root_dirs(fapolicyd_t)
+ 
+ fs_getattr_xattr_fs(fapolicyd_t)
+-fs_watch_mount_tmpfs_dirs(fapolicyd_t)
+-fs_watch_with_perm_tmpfs_dirs(fapolicyd_t)
+ 
+ logging_send_syslog_msg(fapolicyd_t)
+ dbus_system_bus_client(fapolicyd_t)
+ 
+-userdom_watch_mount_tmp_dirs(fapolicyd_t)
+-userdom_watch_with_perm_tmp_dirs(fapolicyd_t)
+-
+ optional_policy(`
+         rpm_read_db(fapolicyd_t)
+-        allow fapolicyd_t rpm_var_lib_t:file { create };
+-        allow fapolicyd_t rpm_var_lib_t:dir { add_name write };
++        rpm_manage_db(fapolicyd_t)
+ ')

fapolicyd.spec

@@ -0,0 +1,388 @@
+%global selinuxtype targeted
+%global moduletype contrib
+%define semodule_version 0.4
+
+
+Summary: Application Whitelisting Daemon
+Name: fapolicyd
+Version: 1.1
+Release: 4%{?dist}
+License: GPLv3+
+URL: http://people.redhat.com/sgrubb/fapolicyd
+Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
+Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz
+BuildRequires: gcc
+BuildRequires: kernel-headers
+BuildRequires: autoconf automake make gcc libtool
+BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel file
+BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
+BuildRequires: python3-devel
+BuildRequires: python2-devel
+BuildRequires: uthash-devel
+Requires: rpm-plugin-fapolicyd >= 4.14.3-12
+Recommends: %{name}-selinux
+Requires(pre): shadow-utils
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+
+# we are making the dnf-plugin completelly dummy because of
+# https://bugzilla.redhat.com/show_bug.cgi?id=1929163
+# we require the rpm-plugin from now on and the dnf-plugin still needs to be part of
+# the fapolicyd package because it provides safe upgrade path
+Patch1: fapolicyd-dnf-plugin.patch
+Patch2: fapolicyd-selinux.patch
+Patch3: fapolicyd-reorder-rules.patch
+Patch4: fagenrules-group.patch
+
+%description
+Fapolicyd (File Access Policy Daemon) implements application whitelisting
+to decide file access rights. Applications that are known via a reputation
+source are allowed access while unknown applications are not. The daemon
+makes use of the kernel's fanotify interface to determine file access rights.
+
+%package        selinux
+Summary:        Fapolicyd selinux
+Group:          Applications/System
+Requires:       %{name} = %{version}-%{release}
+BuildRequires:  selinux-policy
+BuildRequires:  selinux-policy-devel
+BuildArch: noarch
+%{?selinux_requires}
+
+%description    selinux
+The %{name}-selinux package contains selinux policy for the %{name} daemon.
+
+%prep
+
+%setup -q
+
+# selinux
+%setup -q -D -T -a 1
+
+%patch1 -p1 -b .plugin
+%patch2 -p1 -b .selinux
+%patch3 -p1 -b .rules
+%patch4 -p1 -b .group
+
+# generate rules for python
+sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
+sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
+sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-linux-*.so.*' | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
+
+%build
+./autogen.sh
+%configure \
+    --with-audit \
+    --with-rpm \
+    --disable-shared
+
+%make_build
+
+# selinux
+pushd %{name}-selinux-%{semodule_version}
+make
+popd
+
+%check
+make check
+
+# selinux
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%install
+%make_install
+mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/
+install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/
+install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf
+mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}
+mkdir -p %{buildroot}/run/%{name}
+mkdir -p %{buildroot}%{_sysconfdir}/%{name}/trust.d
+mkdir -p %{buildroot}%{_sysconfdir}/%{name}/rules.d
+# get list of file names between known-libs and restrictive from sample-rules/README-rules
+cat %{buildroot}/%{_datadir}/%{name}/sample-rules/README-rules \
+  | grep -A 100 'known-libs' \
+  | grep -B 100 'restrictive' \
+  | grep '^[0-9]' > %{buildroot}/%{_datadir}/%{name}/default-ruleset.known-libs
+chmod 644 %{buildroot}/%{_datadir}/%{name}/default-ruleset.known-libs
+
+# selinux
+install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
+install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
+
+#cleanup
+find %{buildroot} \( -name '*.la' -o -name '*.a' \) -delete
+
+%define manage_default_rules   default_changed=0 \
+  # check changed fapolicyd.rules \
+  if [ -e %{_sysconfdir}/%{name}/%{name}.rules ]; then \
+    diff %{_sysconfdir}/%{name}/%{name}.rules %{_datadir}/%{name}/%{name}.rules.known-libs >/dev/null 2>&1 || { \
+      default_changed=1; \
+      #echo "change detected in fapolicyd.rules"; \
+      } \
+  fi \
+  if [ -e %{_sysconfdir}/%{name}/rules.d ]; then \
+    default_ruleset='' \
+    # get listing of default rule files in known-libs \
+    [ -e %{_datadir}/%{name}/default-ruleset.known-libs ] && default_ruleset=`cat %{_datadir}/%{name}/default-ruleset.known-libs` \
+    # check for removed or added files \
+    default_count=`echo "$default_ruleset" | wc -l` \
+    current_count=`ls -1 %{_sysconfdir}/%{name}/rules.d/*.rules | wc -l` \
+    [ $default_count -eq $current_count ] || { \
+      default_changed=1; \
+      #echo "change detected in number of rule files d:$default_count vs c:$current_count"; \
+      } \
+    for file in %{_sysconfdir}/%{name}/rules.d/*.rules; do \
+      if echo "$default_ruleset" | grep -q "`basename $file`"; then \
+        # compare content of the rule files \
+        diff $file %{_datadir}/%{name}/sample-rules/`basename $file` >/dev/null 2>&1 || { \
+          default_changed=1; \
+          #echo "change detected in `basename $file`"; \
+          } \
+      else \
+        # added file detected \
+        default_changed=1 \
+        #echo "change detected in added rules file `basename $file`"; \
+      fi \
+    done \
+  fi \
+  # remove files if no change against default rules detected \
+  [ $default_changed -eq 0 ] && rm -rf %{_sysconfdir}/%{name}/%{name}.rules %{_sysconfdir}/%{name}/rules.d/* || : \
+
+
+%pre
+getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
+if [ $1 -eq 2 ]; then
+# detect changed default rules in case of upgrade
+%manage_default_rules
+fi
+
+%post
+# if no pre-existing rule file
+if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
+ files=`ls %{_sysconfdir}/%{name}/rules.d/ 2>/dev/null | wc -w`
+ # Only if no pre-existing component rules
+ if [ "$files" -eq 0 ] ; then
+  ## Install the known libs policy
+  for rulesfile in `cat %{_datadir}/%{name}/default-ruleset.known-libs`; do
+    cp %{_datadir}/%{name}/sample-rules/$rulesfile  %{_sysconfdir}/%{name}/rules.d/
+  done
+  chgrp %{name} %{_sysconfdir}/%{name}/rules.d/*
+  if [ -x /usr/sbin/restorecon ] ; then
+   # restore correct label
+   /usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/*
+  fi
+  fagenrules > /dev/null 2>&1
+ fi
+fi
+%systemd_post %{name}.service
+
+%preun
+%systemd_preun %{name}.service
+if [ $1 -eq 0 ]; then
+# detect changed default rules in case of uninstall
+%manage_default_rules
+else
+  [ -e %{_sysconfdir}/%{name}/%{name}.rules ] && rm -rf %{_sysconfdir}/%{name}/rules.d/* || :
+fi
+
+%postun
+%systemd_postun_with_restart %{name}.service
+
+%files
+%doc README.md
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%attr(755,root,%{name}) %dir %{_datadir}/%{name}
+%attr(755,root,%{name}) %dir %{_datadir}/%{name}/sample-rules
+%attr(644,root,%{name}) %{_datadir}/%{name}/default-ruleset.known-libs
+%attr(644,root,%{name}) %{_datadir}/%{name}/sample-rules/*
+%attr(644,root,%{name}) %{_datadir}/%{name}/fapolicyd-magic.mgc
+%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
+%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/trust.d
+%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/rules.d
+%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/rules.d/*
+%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
+%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules
+%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
+%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
+%attr(644,root,root) %{_unitdir}/%{name}.service
+%attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
+%attr(755,root,root) %{_sbindir}/%{name}
+%attr(755,root,root) %{_sbindir}/%{name}-cli
+%attr(755,root,root) %{_sbindir}/fagenrules
+%attr(644,root,root) %{_mandir}/man8/*
+%attr(644,root,root) %{_mandir}/man5/*
+%attr(644,root,root) %{_mandir}/man1/*
+%ghost %attr(440,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/log/%{name}-access.log
+%attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name}
+%attr(770,root,%{name}) %dir /run/%{name}
+%ghost %attr(660,root,%{name}) /run/%{name}/%{name}.fifo
+%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/data.mdb
+%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/lock.mdb
+%{python3_sitelib}/dnf-plugins/%{name}-dnf-plugin.py
+%{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc
+
+# selinux
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
+%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+%selinux_relabel_post -s %{selinuxtype}
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{name}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+
+%changelog
+* Sat Apr 2 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-4
+RHEL 8.6.0 ERRATUM
+- fapolicyd denies access to /usr/lib64/ld-2.28.so
+Resolves: rhbz#2066300
+
+* Wed Feb 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-1
+RHEL 8.6.0 ERRATUM
+- rebase to 1.1
+Resolves: rhbz#1939379
+- introduce rules.d feature
+Resolves: rhbz#2054741
+- remove pretrans scriptlet
+Resolves: rhbz#2051485
+
+* Mon Dec 13 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.4-2
+RHEL 8.6.0 ERRATUM
+- rebase to 1.0.4
+- added rpm_sha256_only option
+- added trust.d directory
+- allow file names with whitespace in trust files
+- use full paths in trust files
+Resolves: rhbz#1939379
+- fix libc.so getting identified as application/x-executable
+Resolves: rhbz#1989272
+- fix fapolicyd-dnf-plugin reporting as '<invalid>'
+Resolves: rhbz#1997414
+- fix selinux DSP module definition in spec file
+Resolves: rhbz#2014445
+
+* Thu Aug 19 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.2-7
+- fapolicyd abnormally exits by executing sosreport
+- fixed multiple problems with unlink()
+- fapolicyd breaks system upgrade, leaving system in dead state - complete fix
+Resolves: rhbz#1943251
+
+* Tue Feb 16 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.2-3
+RHEL 8.4.0 ERRATUM
+- rebase to 1.0.2
+- strong dependency on rpm/rpm-plugin-fapolicyd
+- installed dnf-plugin is dummy and we are not using it anymore
+- enabled integrity setting
+Resolves: rhbz#1887451
+- added make check
+- Adding DISA STIG during OS installation causes 'ipa-server-install' to fail
+- fixed java detection
+Resolves: rhbz#1895435
+- dnf update fails when fapolicyd is enabled
+Resolves: rhbz#1876975
+- fapolicyd breaks system upgrade, leaving system in dead state - complete fix
+Resolves: rhbz#1896875
+
+* Tue Jun 30 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3
+RHEL 8.3 ERRATUM
+- fixed manpage fapolicyd-conf
+Resolves: rhbz#1817413
+
+* Mon May 25 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-2
+RHEL 8.3 ERRATUM
+- rebase to v1.0
+- installed multiple policies to /usr/share/fapolicyd
+  - known-libs (default)
+  - restrictive
+- installed fapolicyd.trust file
+- enhanced fapolicyd-cli
+Resolves: rhbz#1817413
+- introduced fapolicyd-selinux that provides SELinux policy module
+Resolves: rhbz#1714529
+
+* Tue Mar 03 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.1-4
+RHEL 8.2 ERRATUM
+- fixed possible heap buffer overflow in elf parser
+Resolves: rhbz#1807912
+
+* Tue Feb 11 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.1-3
+RHEL 8.2 ERRATUM
+- fixed build time python interpreter detection (spec)
+- added python2-devel as a BuildRequires (spec)
+- allow running bash scripts in home directories
+Resolves: rhbz#1801872
+
+* Wed Nov 20 2019 Radovan Sroka <rsroka@redhat.com> - 0.9.1-2
+RHEL 8.2 ERRATUM
+- rebase to v0.9.1
+- updated default configuration with new syntax
+- removed daemon mounts configuration
+Resolves: rhbz#1759895
+- default fapolicyd policy prevents Ansible from running
+- added ansible rule to default ruleset
+Resolves: rhbz#1746464
+- suspicious logs on service start
+Resolves: rhbz#1747494
+- fapolicyd blocks dracut from generating initramfs
+- added dracut rule to default configuration
+Resolves: rhbz#1757736
+- fapolicyd fails to identify perl interpreter
+Resolves: rhbz#1765039
+
+* Wed Jul 24 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-3
+- added missing manpage for fapolicyd-cli
+Resolves: rhbz#1708015
+
+* Mon Jul 22 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-2
+- Convert hashes to lowercase like sha256sum outputs
+- Stop littering STDOUT output for dnf plugin in fapolicyd
+Resolves: rhbz#1721496
+
+* Tue Jun 18 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-1
+- new upstream release
+Resolves: rhbz#1673323
+
+* Mon May 06 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.9-1
+- New upstream release
+- imported from fedora30
+  resolves: rhbz#1673323
+
+* Wed Mar 13 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.8-2
+- backport some patches to resolve dac_override for fapolicyd
+
+* Mon Mar 11 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.8-1
+- New upstream release
+- Added new DNF plugin that can update the trust database when rpms are installed
+- Added support for FAN_OPEN_EXEC_PERM
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+
+* Wed Oct 03 2018 Steve Grubb <sgrubb@redhat.com> 0.8.7-1
+- New upstream bugfix release
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Jun 07 2018 Steve Grubb <sgrubb@redhat.com> 0.8.6-1
+- New upstream feature release
+
+* Fri May 18 2018 Steve Grubb <sgrubb@redhat.com> 0.8.5-2
+- Add dist tag (#1579362)
+
+* Fri Feb 16 2018 Steve Grubb <sgrubb@redhat.com> 0.8.5-1
+- New release

sources

@@ -0,0 +1,2 @@
+SHA512 (fapolicyd-1.1.tar.gz) = d8478a5e55f8ab3b40ab881795d391d6edd8c4149e743f3685afedf561f853f46f80e49f7b0f05e20c86d71442e286c7db9b289049b5314047d14d8d1b9f3b4e
+SHA512 (fapolicyd-selinux-0.4.tar.gz) = afc74b9c55c71bec2039d112e8e16abc510b58bf794bd665f3128a63daa45572a6f18d1c4de1f63e45a01f8696aacfbf54ed2a07485d581f25446b7fe92307a2