From 6166397a20de780c5e5e35d38653ad841509ede8 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Sat, 7 Nov 2020 02:36:46 -0500
Subject: [PATCH] import fapolicyd-1.0-3.el8_3.2

---
 SOURCES/fapolicyd-rules-root.patch | 26 +++++++++++++
 SPECS/fapolicyd.spec | 60 +++++++++++++++++++++++++++++-
 2 files changed, 84 insertions(+), 2 deletions(-)
 create mode 100644 SOURCES/fapolicyd-rules-root.patch

diff --git a/SOURCES/fapolicyd-rules-root.patch b/SOURCES/fapolicyd-rules-root.patch
new file mode 100644
index 0000000..7870cec
--- /dev/null
+++ b/SOURCES/fapolicyd-rules-root.patch
@@ -0,0 +1,26 @@
+diff -up ./init/fapolicyd.rules.known-libs.root ./init/fapolicyd.rules.known-libs
+--- ./init/fapolicyd.rules.known-libs.root 2020-11-06 22:38:10.308866211 +0100
++++ ./init/fapolicyd.rules.known-libs 2020-11-06 22:39:17.857469844 +0100
+@@ -6,8 +6,7 @@
+ %languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/javascript,text/x-awk,text/x-gawk,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
+
+ # Carve out an exception for dracut initramfs building
+-allow perm=any uid=0 : dir=/var/tmp/
+-allow perm=any uid=0 trust=1 : all
++allow perm=any uid=0 : all
+
+ # Prevent execution by ld.so
+ deny_audit perm=any pattern=ld_so : all
+diff -up ./init/fapolicyd.rules.restrictive.root ./init/fapolicyd.rules.restrictive
+--- ./init/fapolicyd.rules.restrictive.root 2020-11-06 22:38:14.562904224 +0100
++++ ./init/fapolicyd.rules.restrictive 2020-11-06 22:38:58.440296333 +0100
+@@ -18,8 +18,7 @@
+ %languages=application/x-bytecode.ocaml,application/java-archive,text/javascript,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
+
+ # Carve out an exception for dracut
+-allow perm=any uid=0 : dir=/var/tmp/
+-allow perm=any uid=0 trust=1 : all
++allow perm=any uid=0 : all
+
+ # Prevent execution by ld.so
+ deny_audit perm=any pattern=ld_so : all
diff --git a/SPECS/fapolicyd.spec b/SPECS/fapolicyd.spec
index ae1d6a9..d2602fd 100644
--- a/SPECS/fapolicyd.spec
+++ b/SPECS/fapolicyd.spec
@@ -6,7 +6,7 @@
 Summary: Application Whitelisting Daemon
 Name: fapolicyd
 Version: 1.0
-Release: 3%{?dist}
+Release: 3%{?dist}.2
 License: GPLv3+
 URL: http://people.redhat.com/sgrubb/fapolicyd
 Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
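Review bot: `allow perm=any uid=0 : all` placed here exempts root from everything that follows, including the `deny_audit perm=any pattern=ld_so : all` rule two lines below and any later deny rules, because fapolicyd evaluates rules top-down and stops at the first match; the removed pair only let root run trusted files plus anything under `/var/tmp/`. The changelog records this as a deliberate zstream choice for rhbz#1895513, but the surviving comment `# Carve out an exception for dracut initramfs building` now describes a much narrower rule than the one beneath it. I would replace that comment with `# Root is exempt from every rule below (rhbz#1895513): untrusted files and ld.so invocations by uid 0 are neither denied nor audited` so that anyone tightening this policy later sees what the line actually disables. The same applies to the `fapolicyd.rules.restrictive` hunk, whose comment `# Carve out an exception for dracut` has the same problem.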
@@ -38,6 +38,8 @@ Patch10: fapolicyd-cli-big-buffer.patch
 Patch11: fapolicyd-get-line.patch
 Patch12: fapolicyd-man-page-trust.patch
+Patch13: fapolicyd-rules-root.patch
+
 %description
 Fapolicyd (File Access Policy Daemon) implements application whitelisting
 to decide file access rights. Applications that are known via a reputation
@@ -51,7 +53,21 @@ Requires: %{name} = %{version}-%{release}
 BuildRequires: selinux-policy
 BuildRequires: selinux-policy-devel
 BuildArch: noarch
-%{?selinux_requires}
+#%%{?selinux_requires}
+Requires: selinux-policy >= 3.14.3-54.el8
+BuildRequires: pkgconfig(systemd)
+BuildRequires: selinux-policy
+BuildRequires: selinux-policy-devel
+Requires(post): selinux-policy-base >= 3.14.3-54.el8
+Requires(post): libselinux-utils
+Requires(post): policycoreutils
+%if 032 || 0 > 7
+Requires(post): policycoreutils-python-utils
+%else
+Requires(post): policycoreutils-python
+%endif
+
+
 %description selinux
 The %{name}-selinux package contains selinux policy for the %{name} daemon.
@@ -82,6 +98,10 @@ sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//
 %patch11 -p1 -b .get-line
 %patch12 -p1 -b .man-page-trust
+
+# zstream
+%patch13 -p1 -b .root
+
 %build
 ./autogen.sh
 %configure \
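Review bot: `%if 032 || 0 > 7` in the inlined `selinux_requires` block is an already-expanded conditional (it looks like `%if 0%{?fedora} || 0%{?rhel} > 7` evaluated on a Fedora 32 host) and is unconditionally true, so the `%else` branch that pulls in `policycoreutils-python` is dead and the intent is unreadable to the next maintainer. I would write it as `%if 0%{?fedora} || 0%{?rhel} > 7` so the branch is decided by the build target rather than a baked-in literal. The two added `BuildRequires: selinux-policy` and `BuildRequires: selinux-policy-devel` lines duplicate the identical lines still present three lines above them in the same hunk and can be dropped. A one-line note such as `# selinux_requires from selinux-policy-devel, inlined for the 8.3.Z build (rhbz#1895513)` above `#%%{?selinux_requires}` would explain why the macro is commented out.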
@@ -121,8 +141,33 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
 %pre
 getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
+%pretrans
+c=/etc/fapolicyd/fapolicyd.rules
+if test -e $c; then
+cat $c | grep -Em1 '^allow' | grep -q 'uid=0 : all' || {
+if systemctl is-active fapolicyd &> dev/null; then
+tmp=`mktemp`
+rpm -qV fapolicyd | grep -q $c || touch /tmp/fapolicyd-cleanup
+cat $c > $tmp
+echo "allow perm=any uid=0 : all" > $c
+cat $tmp >> $c
+rm -f $tmp
+systemctl restart fapolicyd
+fi
+}
+fi
+
+
 %post
 %systemd_post %{name}.service
+c=/etc/fapolicyd/fapolicyd.rules
+if test -e /tmp/fapolicyd-cleanup; then
+cat ${c}.rpmnew > $c
+touch -d "`stat -c %y ${c}.rpmnew`" $c
+rm -f /tmp/fapolicyd-cleanup ${c}.rpmnew
+systemctl restart fapolicyd
+fi
+
 %preun
 %systemd_preun %{name}.service
@@ -175,6 +220,17 @@ fi
 %selinux_relabel_post -s %{selinuxtype}
 %changelog
+* Fri Nov 06 2020 Radovan Sroka - 1.0-3.2
+RHEL 8.3.Z ERRATUM
+- selinux requires inlined
+Resolves: rhbz#1895513
+
+* Fri Nov 06 2020 Radovan Sroka - 1.0-3.1
+RHEL 8.3.Z ERRATUM
+- allow root everything
+- ensure that root rule is in .rules
+Resolves: rhbz#1895513
+
 * Tue Jun 30 2020 Radovan Sroka - 1.0-3
 RHEL 8.3 ERRATUM
 - fixed manpage fapolicyd-conf
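Review bot: The cleanup marker `/tmp/fapolicyd-cleanup` is a fixed name in a world-writable directory, so any local user can create it ahead of an update and make `%post` run `cat ${c}.rpmnew > $c` unconditionally: if an `.rpmnew` exists that discards an administrator's customized rules, and if none exists the shell truncates `/etc/fapolicyd/fapolicyd.rules` to empty before `cat` fails, after which the daemon is restarted on that empty file. The marker should live in a root-owned location, for example under `%{_localstatedir}/lib/%{name}` (the directory `%pre` names as the daemon's home) or `/run`, and `%post` should test that `${c}.rpmnew` exists before copying it. Separately, `systemctl is-active fapolicyd &> dev/null` redirects to the relative path `dev/null`; it presumably only works because rpm runs scriptlets with `/` as the working directory, and should read `&> /dev/null`. Running `rpm -qV` from inside the transaction that is installing the package is also something rpm documentation discourages, since the database is already held open by the running transaction, so the pristine-file check would be safer done another way.
```rpmspec
%pretrans
c=/etc/fapolicyd/fapolicyd.rules
marker=%{_localstatedir}/lib/%{name}/.rules-cleanup
if test -e $c; then
  cat $c | grep -Em1 '^allow' | grep -q 'uid=0 : all' || {
    if systemctl is-active fapolicyd &> /dev/null; then
      tmp=`mktemp`
      rpm -qV fapolicyd | grep -q $c || touch $marker
      # … unchanged: prepend the root rule to $c and restart fapolicyd …
    fi
  }
fi

%post
%systemd_post %{name}.service
c=/etc/fapolicyd/fapolicyd.rules
marker=%{_localstatedir}/lib/%{name}/.rules-cleanup
if test -e $marker && test -e ${c}.rpmnew; then
  cat ${c}.rpmnew > $c
  touch -d "`stat -c %y ${c}.rpmnew`" $c
  rm -f $marker ${c}.rpmnew
  systemctl restart fapolicyd
fi
```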