RHEL 9.3.0 ERRATUM

- Rebase fapolicyd to the latest stable version Resolves: RHEL-430 - fapolicyd can leak FDs and never answer request, causing target process to hang forever Resolves: RHEL-621 - RFE: send rule number to fanotify so it gets audited Resolves: RHEL-624 - fapolicyd needs to make sure the FD limit is never reached Resolves: RHEL-623 - fapolicyd still allows execution of a program after "untrusting" it Resolves: RHEL-622 - Default q_size doesn't match manpage's one Resolves: RHEL-627 - fapolicyd-cli --update then mount/umount twice causes fapolicyd daemon to block (state 'D') Resolves: RHEL-817 - Fix broken backwards compatibility backend numbers Resolves: RHEL-730 - SELinux prevents the fapolicyd from reading symlink (cert_t) Resolves: RHEL-816 Signed-off-by: Radovan Sroka <rsroka@redhat.com>
2023-07-19 14:07:37 +02:00 · 2023-07-19 14:07:37 +02:00 · 57dfd7b96f
commit 57dfd7b96f
parent 6bd1af3f3c
7 changed files with 117 additions and 87 deletions
--- a/.gitignore
+++ b/.gitignore
@ -22,3 +22,4 @@
 /fapolicyd-1.1.3.tar.gz
 /fapolicyd-1.3.1.tar.gz
 /fapolicyd-selinux-0.6.tar.gz
+/fapolicyd-1.3.2.tar.gz
--- a/fapolicyd-leaks.patch
+++ b/fapolicyd-leaks.patch
@ -0,0 +1,78 @@
+From 248219377a034d7da9238e7424c97558395700e3 Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Tue, 18 Jul 2023 17:05:11 +0200
+Subject: [PATCH] Fix multiple leaks
+
+Signed-off-by: Radovan Sroka <rsroka@redhat.com>
+---
+ src/library/filter.c |  3 +++
+ src/library/policy.c | 13 +++++++++++--
+ src/library/rules.c  |  3 ---
+ 3 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/src/library/filter.c b/src/library/filter.c
+index d5d8cca..eb378ca 100644
+--- a/src/library/filter.c
+++ b/src/library/filter.c
+@@ -472,9 +472,12 @@ int filter_load_file(void)
+ 			msg(LOG_ERR, "filter_load_file: paring error line: %ld, \"%s\"", line_number, line);
+ 			filter_destroy_obj(filter);
+ 			free(line);
+			line = NULL;
+ 			goto bad;
+ 		}
+	}
+ 
+	if (line) {
+ 		free(line);
+ 		line = NULL;
+ 	}
+diff --git a/src/library/policy.c b/src/library/policy.c
+index 7fe1210..31ff6e2 100644
+--- a/src/library/policy.c
+++ b/src/library/policy.c
+@@ -23,6 +23,7 @@
+  *   Radovan Sroka <rsroka@redhat.com>
+  */
+ 
+#include "attr-sets.h"
+ #include "config.h"
+ #include <stdbool.h>
+ #include <stdio.h>
+@@ -273,12 +274,20 @@ int load_rules(const conf_t *_config)
+ 		return 1;
+ 
+ 	FILE * f = open_file();
+-	if (f == NULL)
+	if (f == NULL) {
+		destroy_attr_sets();
+ 		return 1;
+	}
+ 
+ 	int res = _load_rules(_config, f);
+ 	fclose(f);
+-	return res;
+
+	if (res) {
+		destroy_attr_sets();
+		return 1;
+	}
+
+	return 0;
+ }
+ 
+ void destroy_rules(void)
+diff --git a/src/library/rules.c b/src/library/rules.c
+index 5ffa40e..4a8b098 100644
+--- a/src/library/rules.c
+++ b/src/library/rules.c
+@@ -65,9 +65,6 @@ int rules_create(llist *l)
+ 	l->cur = NULL;
+ 	l->cnt = 0;
+ 
+-	if (init_attr_sets())
+-		return 1;
+-
+ 	return  0;
+ }
+ 
--- a/fapolicyd-q-size-default.patch
+++ b/fapolicyd-q-size-default.patch
@ -1,23 +0,0 @@
-From f36592179308967fcbd19a20e8338cfdf0b87697 Mon Sep 17 00:00:00 2001
-From: Radovan Sroka <rsroka@redhat.com>
-Date: Thu, 22 Jun 2023 20:37:05 +0200
-Subject: [PATCH] Sync the default q_size value with manpage
-
-Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
- init/fapolicyd.conf | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/init/fapolicyd.conf b/init/fapolicyd.conf
-index 8363b89a..933595e9 100644
--- a/init/fapolicyd.conf
-+++ b/init/fapolicyd.conf
-@@ -5,7 +5,7 @@
- 
- permissive = 0
- nice_val = 14
-q_size = 640
-+q_size = 800
- uid = fapolicyd
- gid = fapolicyd
- do_stat_report = 1
--- a/fapolicyd-rlimit-change.patch
+++ b/fapolicyd-rlimit-change.patch
@ -1,55 +0,0 @@
-From 00ebdf8b45f83019dd0c00d741ce99cdb4b177ba Mon Sep 17 00:00:00 2001
-From: Steve Grubb <sgrubb@redhat.com>
-Date: Wed, 21 Jun 2023 10:49:27 -0400
-Subject: [PATCH] Change how rlimit is set
-
-Last release changed to using the systemd LimitNOFILE=16384. This also
-has the effect of changing the hard rlimit to the same number. If we
-instead call getrlimit and set the soft limit to the hard limit, we
-can have more descriptors available.
-
-Also correct the error detection of failed nice syscalls.
---
- init/fapolicyd.service |  1 -
- src/daemon/fapolicyd.c | 11 ++++++++++-
- 2 files changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/init/fapolicyd.service b/init/fapolicyd.service
-index 831b5ff8..a5a6a3fc 100644
--- a/init/fapolicyd.service
-+++ b/init/fapolicyd.service
-@@ -6,7 +6,6 @@ Documentation=man:fapolicyd(8)
- 
- [Service]
- OOMScoreAdjust=-1000
-LimitNOFILE=16384
- Type=forking
- PIDFile=/run/fapolicyd.pid
- ExecStartPre=/usr/sbin/fagenrules
-diff --git a/src/daemon/fapolicyd.c b/src/daemon/fapolicyd.c
-index 454e43b4..173f41c4 100644
--- a/src/daemon/fapolicyd.c
-+++ b/src/daemon/fapolicyd.c
-@@ -516,12 +516,21 @@ int main(int argc, const char *argv[])
- 	limit.rlim_cur = RLIM_INFINITY;
- 	limit.rlim_max = RLIM_INFINITY;
- 	setrlimit(RLIMIT_FSIZE, &limit);
-+	getrlimit(RLIMIT_NOFILE, &limit);
-+	if (limit.rlim_max >= 16384)
-+		limit.rlim_cur = limit.rlim_max;
-+	else
-+		limit.rlim_cur = 16834;
- 	if (setrlimit(RLIMIT_NOFILE, &limit))
- 		msg(LOG_WARNING, "Can't increase file number rlimit - %s",
- 		    strerror(errno));
-+	else
-+		msg(LOG_INFO, "Can handle %u file descriptors", limit.rlim_cur);
- 
- 	// get more time slices because everything is waiting on us
-	if (nice(-config.nice_val))
-+	errno = 0;
-+	nice(-config.nice_val);
-+	if (errno)
- 		msg(LOG_WARNING, "Couldn't adjust priority (%s)",
- 				strerror(errno));
- 
--- a/fapolicyd-selinux-links.patch
+++ b/fapolicyd-selinux-links.patch
@ -0,0 +1,23 @@
+From 05780f9accae504440ffed0548bd3e4144cfb70e Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Wed, 19 Jul 2023 16:00:13 +0200
+Subject: [PATCH] Allow links
+
+Signed-off-by: Radovan Sroka <rsroka@redhat.com>
+---
+ fapolicyd.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fapolicyd-selinux-0.6/fapolicyd.te b/fapolicyd-selinux-0.6/fapolicyd.te
+index daf31bd..5d6f9aa 100644
+--- a/fapolicyd-selinux-0.6/fapolicyd.te
+++ b/fapolicyd-selinux-0.6/fapolicyd.te
+@@ -53,6 +53,8 @@ ifdef(`fs_watch_all_fs',`
+     files_watch_sb_all_mountpoints(fapolicyd_t)
+ ')
+ 
+allow fapolicyd_t file_type : lnk_file { getattr read };
+
+ manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t)
+ logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)
+ 
--- a/fapolicyd.spec
+++ b/fapolicyd.spec
@ -4,7 +4,7 @@

 Summary: Application Whitelisting Daemon
 Name: fapolicyd
-Version: 1.3.1
+Version: 1.3.2
 Release: 100%{?dist}
 License: GPLv3+
 URL: http://people.redhat.com/sgrubb/fapolicyd
@ -32,8 +32,8 @@ Requires(postun): systemd-units

 Patch1: fapolicyd-uthash-bundle.patch
 Patch2: selinux.patch
-Patch3: fapolicyd-rlimit-change.patch
-Patch4: fapolicyd-q-size-default.patch
+Patch3: fapolicyd-leaks.patch
+Patch4: fapolicyd-selinux-links.patch

 %description
 Fapolicyd (File Access Policy Daemon) implements application whitelisting
@ -67,8 +67,8 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.
 %endif

 %patch -P 2 -p1 -b .selinux
-%patch -P 3 -p1 -b .rlimit
-%patch -P 4 -p1 -b .q-size
+%patch -P 3 -p1 -b .leaks
+%patch -P 4 -p1 -b .links

 # generate rules for python
 sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules
@ -255,7 +255,7 @@ fi
 %selinux_relabel_post -s %{selinuxtype}

 %changelog
-* Fri Jun 16 2023 Radovan Sroka <rsroka@redhat.com> - 1.3.1-100
+* Wed Jul 19 2023 Radovan Sroka <rsroka@redhat.com> - 1.3.2-100
 RHEL 9.3.0 ERRATUM
 - Rebase fapolicyd to the latest stable version
 Resolves: RHEL-430
@ -268,7 +268,13 @@ Resolves: RHEL-623
 - fapolicyd still allows execution of a program after "untrusting" it
 Resolves: RHEL-622
 - Default q_size doesn't match manpage's one
-Resolves: TBD
+Resolves: RHEL-627
+- fapolicyd-cli --update then mount/umount twice causes fapolicyd daemon to block (state 'D')
+Resolves: RHEL-817
+- Fix broken backwards compatibility backend numbers
+Resolves: RHEL-730
+- SELinux prevents the fapolicyd from reading symlink (cert_t)
+Resolves: RHEL-816

 * Mon Jan 30 2023 Radovan Sroka <rsroka@redhat.com> - 1.1.3-104
 RHEL 9.2.0 ERRATUM
--- a/4
+++ b/4
@ -1,3 +1,3 @@
-SHA512 (fapolicyd-1.3.1.tar.gz) = 319b793db0f59ef49d67c0734aa379501f2ceec206eeedbd5f193c6148bb4f2327a00546c6eeccc38500ef3be60354fee2ca643e7a2c2e668dea5a93034ce69c
-SHA512 (fapolicyd-selinux-0.6.tar.gz) = db3fb9fce2146cd9137585eae271e727aee4d774e385bbffa10ae70c6e40cf58f2e7aecd8ff8bc3ae446d75089f3ab1bd615237866d600df4acef6747a0c77c7
+SHA512 (fapolicyd-1.3.2.tar.gz) = b10e4e1e5068a67e7b36f876552de86404db09f768113773eb35d2b166818ece9098af5c38b2930c54feae8b4be80de6f3e7dbd96b94932b86e008d47c89506f
 SHA512 (uthash-2.3.0.tar.gz) = 3b01f1074790fb242900411cb16eb82c1a9afcf58e3196a0f4611d9d7ef94690ad38c0a500e7783d3efa20328aa8d6ab14f246be63b3b3d385502ba2b6b2a294
+SHA512 (fapolicyd-selinux-0.6.tar.gz) = db3fb9fce2146cd9137585eae271e727aee4d774e385bbffa10ae70c6e40cf58f2e7aecd8ff8bc3ae446d75089f3ab1bd615237866d600df4acef6747a0c77c7