From 5edde88663140d555a67f4de89f6792cb7541377 Mon Sep 17 00:00:00 2001
From: Radovan Sroka
Date: Mon, 25 May 2020 15:16:14 +0200
Subject: [PATCH] Rebase fapolicyd to 1.0.0

- release now has 3 integrity modes: file size, IMA, and sha256 based
- it can now send event information to syslog
- the syslog event information is tailorable to how you'd like to see it
- there is now the ability to create sets of words that can be matched against in the rules engine
- there are now 2 policies shipped: known-libs and restrictive
- fapolicyd-cli can now dump the trust db for inspection
- the integrity system needs sha256 hashes, it will print a warning for files in rpms that do not have them
---
 .gitignore | 1 +
 fapolicyd.spec | 18 +++++++++++++-----
 selinux.patch | 29 ++++++++++++-----------------
 sources | 2 +-
 4 files changed, 27 insertions(+), 23 deletions(-)

diff --git a/.gitignore b/.gitignore
index 98f69b9..01a464a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,4 @@
 /fapolicyd-0.9.2.tar.gz
 /fapolicyd-0.9.3.tar.gz
 /fapolicyd-0.9.4.tar.gz
+/fapolicyd-1.0.tar.gz
diff --git a/fapolicyd.spec b/fapolicyd.spec
index bfa6a4f..071a3fc 100644
--- a/fapolicyd.spec
+++ b/fapolicyd.spec
@@ -4,12 +4,13 @@ Summary: Application Whitelisting Daemon
 Name: fapolicyd
-Version: 0.9.4
+Version: 1.0
 Release: 1%{?dist}
 License: GPLv3+
 URL: http://people.redhat.com/sgrubb/fapolicyd
 Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
 Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz
+BuildRequires: gcc
 BuildRequires: kernel-headers
 BuildRequires: autoconf automake make gcc libtool
 BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel file
@@ -48,9 +49,9 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.
 # selinux
 %setup -q -D -T -a 1
-sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules
-sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules
-sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" init/%{name}.rules
+sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
+sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
+sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
 %patch1 -p1 -b .selinux
@@ -80,6 +81,7 @@ make DESTDIR="%{buildroot}" INSTALL='install -p' install
 mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/
 install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/
 install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf
+install -p -m 644 init/%{name}.rules.known-libs %{buildroot}/%{_sysconfdir}/%{name}/%{name}.rules
 mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}
 mkdir -p %{buildroot}/run/%{name}
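Review bot: The new `+sed … %ld_so_path% …` line substitutes whatever `find /usr/lib64/ -type f -name 'ld-2\.*.so'` prints, and when nothing matches (a non-lib64 architecture, or a glibc whose loader is not named `ld-2.*.so`) the backtick expands to an empty string, `sed` exits 0, and every `init/%{name}.rules.*` file is shipped with an empty loader path in its rule; the build does not notice and the resulting policy silently fails to match the dynamic loader. Capture the lookup first and fail the build unless exactly one non-empty path came back, e.g. `ld_so=$(find /usr/lib64/ -type f -name 'ld-2\.*.so')` followed by `[ -n "$ld_so" ] && [ "$(printf '%s\n' "$ld_so" | wc -l)" -eq 1 ] || { echo 'ld.so lookup failed' >&2; exit 1; }`, and substitute `$ld_so` in the `sed`. The `%{__python2}` line has the same shape and will substitute an empty or non-existent path on a release without python2; the same guard applies, or the line can go once the rules files no longer reference `%python2_path%` (the rules files are not in this diff, so I cannot tell).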
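Review bot: The new `install -p -m 644 init/%{name}.rules.known-libs … %{name}.rules` line chooses one of the two shipped policies as the active ruleset without recording why, and unlike the tmpfiles line just above it passes no `-D`, so it depends on the upstream `make install` having already created `%{buildroot}%{_sysconfdir}/%{name}`. A comment above it, `# Activate the known-libs policy by default; the restrictive policy is shipped under %{_datadir}/%{name} for administrators to copy over`, documents the decision, and `install -p -m 644 -D …` makes the step independent of the Makefile. Which of the two policies is the more permissive is inferred from the names only; the policy files themselves are outside this diff.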
@@ -108,10 +110,12 @@ getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{nam
 %doc README.md
 %{!?_licensedir:%global license %%doc}
 %license COPYING
+%attr(755,root,%{name}) %dir %{_datadir}/%{name}
+%attr(644,root,%{name}) %{_datadir}/%{name}/%{name}.rules.*
 %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
-%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
+%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
 %attr(644,root,root) %{_unitdir}/%{name}.service
 %attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
 %attr(755,root,root) %{_sbindir}/%{name}
@@ -148,6 +152,10 @@ fi
 %changelog
+* Mon May 25 2020 Radovan Sroka - 1.0-1
+- rebase fapolicyd to 1.0
+- allowed sys_ptrace for user namespace
+
 * Mon Mar 23 2020 Radovan Sroka - 0.9.4-1
 - rebase fapolicyd to 0.9.4
 - polished the pattern detection engine
diff --git a/selinux.patch b/selinux.patch
index c398ba4..b579906 100644
--- a/selinux.patch
+++ b/selinux.patch
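Review bot: The two new `%{_datadir}/%{name}` entries are owned `root:%{name}` while every other read-only payload in this list (`%{_unitdir}`, `%{_tmpfilesdir}`, `%{_sbindir}`) is `root:root`; with modes 755/644 the group gains nothing beyond world access, so the group is cosmetic and only raises the question whether the daemon is expected to write there. `%attr(755,root,root) %dir %{_datadir}/%{name}` and `%attr(644,root,root) %{_datadir}/%{name}/%{name}.rules.*` state the intent plainly. The `%config(noreplace) … %{name}.rules` line is only moved, not changed, so leaving it in its old position would drop two lines of noise from this hunk. Because it is `noreplace`, an upgrade from 0.9.x keeps the administrator's existing rules file and the 1.0 ruleset lands as `.rpmnew`; that is the right behaviour for a config file, but if the 1.0 daemon requires the new rule syntax it deserves a sentence in the changelog (I cannot tell that from this diff).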
@@ -1,20 +1,15 @@
-From 93d7fc7decfdca3a0622ecc5e0ae3fe5880a836a Mon Sep 17 00:00:00 2001
-From: Lukas Vrabec
-Date: Tue, 4 Feb 2020 09:33:01 +0100
-Subject: [PATCH] Allow fapolicyd create fifo files with own label
-
-- Label all fifo_file as fapolicyd_var_run_t in /var/run.
-- Allow fapolicyd_t domain to create fifo files labeled as
-  fapolicyd_var_run_t
----
- fapolicyd.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/fapolicyd.te b/fapolicyd.te
-index 39f09f5..71eb6c0 100644
---- a/fapolicyd-selinux-0.2/fapolicyd.te
-+++ b/fapolicyd-selinux-0.2/fapolicyd.te
-@@ -48,7 +48,7 @@ manage_dirs_pattern(fapolicyd_t, fapolicyd_var_run_t, fapolicyd_var_run_t)
+diff -up ./fapolicyd-selinux-0.2/fapolicyd.te.selinux ./fapolicyd-selinux-0.2/fapolicyd.te
+--- ./fapolicyd-selinux-0.2/fapolicyd.te.selinux 2019-11-05 14:17:08.000000000 +0100
++++ ./fapolicyd-selinux-0.2/fapolicyd.te 2020-05-25 15:02:37.196991039 +0200
+@@ -30,6 +30,7 @@ files_pid_file(fapolicyd_var_run_t)
+ # fapolicyd local policy
+ #
+ allow fapolicyd_t self:capability { audit_write chown dac_override setgid setuid sys_admin sys_nice sys_ptrace };
++allow fapolicyd_t self:cap_userns sys_ptrace;
+ allow fapolicyd_t self:fifo_file rw_fifo_file_perms;
+ allow fapolicyd_t self:process { setcap setsched };
+ allow fapolicyd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -48,7 +49,7 @@ manage_dirs_pattern(fapolicyd_t, fapolic
  manage_files_pattern(fapolicyd_t, fapolicyd_var_run_t, fapolicyd_var_run_t)
  manage_fifo_files_pattern(fapolicyd_t, fapolicyd_var_run_t,fapolicyd_var_run_t)
  manage_lnk_files_pattern(fapolicyd_t, fapolicyd_var_run_t, fapolicyd_var_run_t)
diff --git a/sources b/sources
index e476256..ceecd7b 100644
--- a/sources
+++ b/sources
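Review bot: The new `++allow fapolicyd_t self:cap_userns sys_ptrace;` line widens the domain's privilege (sys_ptrace is now also permitted inside non-init user namespaces), yet nothing in the rewritten patch says which denial motivated it: the git-format header that carried an author and a rationale is replaced by a bare `diff -up` header, and the spec changelog only says "allowed sys_ptrace for user namespace". A capability grant in the policy of an application-whitelisting daemon should name the access it covers, so add a comment above the rule in the .te, e.g. `# sys_ptrace in user namespaces: presumably needed to read /proc/<pid> state of processes running in containers — confirm against the AVC that prompted this`, and keep a one-line description at the top of selinux.patch pointing at the upstream commit or bug it tracks. The second inner hunk `+@@ -48,7 +49,7 @@` shows only its context lines here; its changed lines are outside this view.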
@@ -1,2 +1,2 @@
-SHA512 (fapolicyd-0.9.4.tar.gz) = 79825905132100ef8156a01ef5b5b35c08a9e8e32cbb1e1d212951e17b3618b25a57624986c81e5a04b1fc3b5e516151b05ca43d1fba9388ead6feb2a3da0207
+SHA512 (fapolicyd-1.0.tar.gz) = 7fbaca0774223fefb0ed553fdd1591b6a46c8939983fe2e9c98a3fc067b4f09257a65a6039434e196c09baa62a324f85cd74afa80182c9cad84e316af4aeae19
 SHA512 (fapolicyd-selinux-0.2.tar.gz) = 9ffefab4102168be672a9e84b2fff3c4fbabf65b77432a4b4e6f9619b13e23dba27c2fb5e5015830b90104aff50d7ef21337de137d14d622970c1f17accf23ad