Rebase fapolicyd to 1.0.0
- the release now has 3 integrity modes: file-size, IMA, and sha256 based - it can now send event information to syslog - the syslog event information is tailorable to how you'd like to see it - there is now the ability to create sets of words that can be matched against in the rules engine - there are now 2 policies shipped: known-libs and restrictive - fapolicyd-cli can now dump the trust db for inspection - the integrity system needs sha256 hashes; it will print a warning for files in RPMs that do not have them
parent
9f13f29104
commit
5edde88663
1
.gitignore
vendored
1
.gitignore
vendored
@ -10,3 +10,4 @@
|
||||
/fapolicyd-0.9.2.tar.gz
|
||||
/fapolicyd-0.9.3.tar.gz
|
||||
/fapolicyd-0.9.4.tar.gz
|
||||
/fapolicyd-1.0.tar.gz
|
||||
|
||||
@ -4,12 +4,13 @@
|
||||
|
||||
Summary: Application Whitelisting Daemon
|
||||
Name: fapolicyd
|
||||
Version: 0.9.4
|
||||
Version: 1.0
|
||||
Release: 1%{?dist}
|
||||
License: GPLv3+
|
||||
URL: http://people.redhat.com/sgrubb/fapolicyd
|
||||
Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
|
||||
Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz
|
||||
BuildRequires: gcc
|
||||
BuildRequires: kernel-headers
|
||||
BuildRequires: autoconf automake make gcc libtool
|
||||
BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel file
|
||||
@ -48,9 +49,9 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.
|
||||
# selinux
|
||||
%setup -q -D -T -a 1
|
||||
|
||||
sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules
|
||||
sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules
|
||||
sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" init/%{name}.rules
|
||||
sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
|
||||
sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
|
||||
sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
|
||||
|
||||
%patch1 -p1 -b .selinux
|
||||
|
||||
@ -80,6 +81,7 @@ make DESTDIR="%{buildroot}" INSTALL='install -p' install
|
||||
mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/
|
||||
install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/
|
||||
install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf
|
||||
install -p -m 644 init/%{name}.rules.known-libs %{buildroot}/%{_sysconfdir}/%{name}/%{name}.rules
|
||||
mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}
|
||||
mkdir -p %{buildroot}/run/%{name}
|
||||
|
||||
@ -108,10 +110,12 @@ getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{nam
|
||||
%doc README.md
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%license COPYING
|
||||
%attr(755,root,%{name}) %dir %{_datadir}/%{name}
|
||||
%attr(644,root,%{name}) %{_datadir}/%{name}/%{name}.rules.*
|
||||
%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
|
||||
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
|
||||
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
|
||||
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
|
||||
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
|
||||
%attr(644,root,root) %{_unitdir}/%{name}.service
|
||||
%attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
|
||||
%attr(755,root,root) %{_sbindir}/%{name}
|
||||
@ -148,6 +152,10 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon May 25 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-1
|
||||
- rebase fapolicyd to 1.0
|
||||
- allowed sys_ptrace for user namespace
|
||||
|
||||
* Mon Mar 23 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.4-1
|
||||
- rebase fapolicyd to 0.9.4
|
||||
- polished the pattern detection engine
|
||||
|
||||
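Review bot: The three sed lines in the %prep hunk (`@ -48,9 +49,9 @@`) now rewrite every init/%{name}.rules.* file, but the `%ld_so_path%` value comes from an unchecked backtick `find /usr/lib64/ -type f -name 'ld-2\.*.so'`: if find matches nothing, the placeholder is replaced by an empty string and the build succeeds with a rule that no longer names the loader in either shipped policy. Compute the value first and fail the build when it is empty, e.g. `ld_so_path=$(find /usr/lib64/ -type f -name 'ld-2\.*.so')`, `test -n "$ld_so_path" || { echo "ld.so not found" >&2; exit 1; }`, `sed -i "s|%ld_so_path%|$ld_so_path|g" init/%{name}.rules.*`; the `|` delimiter also removes the `\\\\\/` escaping, and the python2/python3 lines can take the same shape. Separately, in the %files hunk `%{_sysconfdir}/%{name}/%{name}.rules` stays `%config(noreplace)`, so hosts upgrading from 0.9.x keep their old rules and receive the known-libs policy installed at `@ -80,6 +81,7 @@` only as a .rpmnew file; a changelog line telling admins to migrate would help. The spec's file header is not visible on this page, so the hunk boundaries are taken from the `@` markers alone.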
@ -1,20 +1,15 @@
|
||||
From 93d7fc7decfdca3a0622ecc5e0ae3fe5880a836a Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Vrabec <lvrabec@redhat.com>
|
||||
Date: Tue, 4 Feb 2020 09:33:01 +0100
|
||||
Subject: [PATCH] Allow fapolicyd create fifo files with own label
|
||||
|
||||
- Label all fifo_file as fapolicyd_var_run_t in /var/run.
|
||||
- Allow fapolicyd_t domain to create fifo files labeled as
|
||||
fapolicyd_var_run_t
|
||||
---
|
||||
fapolicyd.te | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/fapolicyd.te b/fapolicyd.te
|
||||
index 39f09f5..71eb6c0 100644
|
||||
--- a/fapolicyd-selinux-0.2/fapolicyd.te
|
||||
+++ b/fapolicyd-selinux-0.2/fapolicyd.te
|
||||
@@ -48,7 +48,7 @@ manage_dirs_pattern(fapolicyd_t, fapolicyd_var_run_t, fapolicyd_var_run_t)
|
||||
diff -up ./fapolicyd-selinux-0.2/fapolicyd.te.selinux ./fapolicyd-selinux-0.2/fapolicyd.te
|
||||
--- ./fapolicyd-selinux-0.2/fapolicyd.te.selinux 2019-11-05 14:17:08.000000000 +0100
|
||||
+++ ./fapolicyd-selinux-0.2/fapolicyd.te 2020-05-25 15:02:37.196991039 +0200
|
||||
@@ -30,6 +30,7 @@ files_pid_file(fapolicyd_var_run_t)
|
||||
# fapolicyd local policy
|
||||
#
|
||||
allow fapolicyd_t self:capability { audit_write chown dac_override setgid setuid sys_admin sys_nice sys_ptrace };
|
||||
+allow fapolicyd_t self:cap_userns sys_ptrace;
|
||||
allow fapolicyd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow fapolicyd_t self:process { setcap setsched };
|
||||
allow fapolicyd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@@ -48,7 +49,7 @@ manage_dirs_pattern(fapolicyd_t, fapolic
|
||||
manage_files_pattern(fapolicyd_t, fapolicyd_var_run_t, fapolicyd_var_run_t)
|
||||
manage_fifo_files_pattern(fapolicyd_t, fapolicyd_var_run_t,fapolicyd_var_run_t)
|
||||
manage_lnk_files_pattern(fapolicyd_t, fapolicyd_var_run_t, fapolicyd_var_run_t)
|
||||
|
||||
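Review bot: The rewritten patch adds `allow fapolicyd_t self:cap_userns sys_ptrace;` to fapolicyd.te, a capability grant, but the replacement drops the git header (From/Date/Subject and the two rationale lines) the previous patch carried, so the file no longer states why fapolicyd needs ptrace inside user namespaces; the only remaining explanation is the changelog line "allowed sys_ptrace for user namespace". Put a short header above the `diff -up` line, e.g. `Add cap_userns sys_ptrace to fapolicyd_t (see changelog 1.0-1); the second hunk carries over the fifo-file labeling context from the previous patch`, plus the upstream fapolicyd-selinux commit id if one exists, so the grant can be audited and dropped once the released policy ships it. The `+`/`-` markers of the nested `@@ -48,7 +49,7 @@` hunk are lost in this rendering, so which `manage_fifo_files_pattern` line is old and which is new cannot be confirmed here; one of them (`fapolicyd_var_run_t,fapolicyd_var_run_t`) lacks the space after the comma, which is cosmetic but inconsistent with the neighbouring lines.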
2
sources
2
sources
@ -1,2 +1,2 @@
|
||||
SHA512 (fapolicyd-0.9.4.tar.gz) = 79825905132100ef8156a01ef5b5b35c08a9e8e32cbb1e1d212951e17b3618b25a57624986c81e5a04b1fc3b5e516151b05ca43d1fba9388ead6feb2a3da0207
|
||||
SHA512 (fapolicyd-1.0.tar.gz) = 7fbaca0774223fefb0ed553fdd1591b6a46c8939983fe2e9c98a3fc067b4f09257a65a6039434e196c09baa62a324f85cd74afa80182c9cad84e316af4aeae19
|
||||
SHA512 (fapolicyd-selinux-0.2.tar.gz) = 9ffefab4102168be672a9e84b2fff3c4fbabf65b77432a4b4e6f9619b13e23dba27c2fb5e5015830b90104aff50d7ef21337de137d14d622970c1f17accf23ad
|
||||
|
||||