Rebase fapolicyd to 1.0.0

- release now has 3 integrity modes: file size, IMA, and sha256 based
- it can now send event information to syslog
- the syslog event information is tailorable to how you'd like to see it
- there is now the ability to create sets of words that can be matched
  against in the rules engine
- there are now 2 policies shipped: known-libs and restrictive
- fapolicyd-cli can now dump the trust db for inspection
- the integrity system needs sha256 hashes,
  it will print a warning for files in rpms that do not have them

.gitignore

@@ -10,3 +10,4 @@
 /fapolicyd-0.9.2.tar.gz
 /fapolicyd-0.9.3.tar.gz
 /fapolicyd-0.9.4.tar.gz
+/fapolicyd-1.0.tar.gz

fapolicyd.spec

@@ -4,12 +4,13 @@
 
 Summary: Application Whitelisting Daemon
 Name: fapolicyd
-Version: 0.9.4
+Version: 1.0
 Release: 1%{?dist}
 License: GPLv3+
 URL: http://people.redhat.com/sgrubb/fapolicyd
 Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
 Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz
+BuildRequires: gcc
 BuildRequires: kernel-headers
 BuildRequires: autoconf automake make gcc libtool
 BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel file
@@ -48,9 +49,9 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.
 # selinux
 %setup -q -D -T -a 1
 
-sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules
-sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules
-sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" init/%{name}.rules
+sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
+sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
+sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
 
 %patch1 -p1 -b .selinux
 
@@ -80,6 +81,7 @@ make DESTDIR="%{buildroot}" INSTALL='install -p' install
 mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/
 install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/
 install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf
+install -p -m 644 init/%{name}.rules.known-libs %{buildroot}/%{_sysconfdir}/%{name}/%{name}.rules
 mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}
 mkdir -p %{buildroot}/run/%{name}
 
@@ -108,10 +110,12 @@ getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{nam
 %doc README.md
 %{!?_licensedir:%global license %%doc}
 %license COPYING
+%attr(755,root,%{name}) %dir %{_datadir}/%{name}
+%attr(644,root,%{name}) %{_datadir}/%{name}/%{name}.rules.*
 %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
-%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
+%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
 %attr(644,root,root) %{_unitdir}/%{name}.service
 %attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
 %attr(755,root,root) %{_sbindir}/%{name}
@@ -148,6 +152,10 @@ fi
 
 
 %changelog
+* Mon May 25 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-1
+- rebase fapolicyd to 1.0
+- allowed sys_ptrace for user namespace
+
 * Mon Mar 23 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.4-1
 - rebase fapolicyd to 0.9.4
 - polished the pattern detection engine

selinux.patch

@@ -1,20 +1,15 @@
-From 93d7fc7decfdca3a0622ecc5e0ae3fe5880a836a Mon Sep 17 00:00:00 2001
-From: Lukas Vrabec <lvrabec@redhat.com>
-Date: Tue, 4 Feb 2020 09:33:01 +0100
-Subject: [PATCH] Allow fapolicyd create fifo files with own label
-
-- Label all fifo_file as fapolicyd_var_run_t in /var/run.
-- Allow fapolicyd_t domain to create fifo files labeled as
-  fapolicyd_var_run_t
----
- fapolicyd.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/fapolicyd.te b/fapolicyd.te
-index 39f09f5..71eb6c0 100644
---- a/fapolicyd-selinux-0.2/fapolicyd.te
-+++ b/fapolicyd-selinux-0.2/fapolicyd.te
-@@ -48,7 +48,7 @@ manage_dirs_pattern(fapolicyd_t, fapolicyd_var_run_t, fapolicyd_var_run_t)
+diff -up ./fapolicyd-selinux-0.2/fapolicyd.te.selinux ./fapolicyd-selinux-0.2/fapolicyd.te
+--- ./fapolicyd-selinux-0.2/fapolicyd.te.selinux	2019-11-05 14:17:08.000000000 +0100
++++ ./fapolicyd-selinux-0.2/fapolicyd.te	2020-05-25 15:02:37.196991039 +0200
+@@ -30,6 +30,7 @@ files_pid_file(fapolicyd_var_run_t)
+ # fapolicyd local policy
+ #
+ allow fapolicyd_t self:capability { audit_write chown dac_override setgid setuid sys_admin sys_nice sys_ptrace };
++allow fapolicyd_t self:cap_userns sys_ptrace;
+ allow fapolicyd_t self:fifo_file rw_fifo_file_perms;
+ allow fapolicyd_t self:process { setcap setsched };
+ allow fapolicyd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -48,7 +49,7 @@ manage_dirs_pattern(fapolicyd_t, fapolic
  manage_files_pattern(fapolicyd_t, fapolicyd_var_run_t, fapolicyd_var_run_t)
  manage_fifo_files_pattern(fapolicyd_t, fapolicyd_var_run_t,fapolicyd_var_run_t)
  manage_lnk_files_pattern(fapolicyd_t, fapolicyd_var_run_t, fapolicyd_var_run_t)

sources

@@ -1,2 +1,2 @@
-SHA512 (fapolicyd-0.9.4.tar.gz) = 79825905132100ef8156a01ef5b5b35c08a9e8e32cbb1e1d212951e17b3618b25a57624986c81e5a04b1fc3b5e516151b05ca43d1fba9388ead6feb2a3da0207
+SHA512 (fapolicyd-1.0.tar.gz) = 7fbaca0774223fefb0ed553fdd1591b6a46c8939983fe2e9c98a3fc067b4f09257a65a6039434e196c09baa62a324f85cd74afa80182c9cad84e316af4aeae19
 SHA512 (fapolicyd-selinux-0.2.tar.gz) = 9ffefab4102168be672a9e84b2fff3c4fbabf65b77432a4b4e6f9619b13e23dba27c2fb5e5015830b90104aff50d7ef21337de137d14d622970c1f17accf23ad