From 6166397a20de780c5e5e35d38653ad841509ede8 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Sat, 7 Nov 2020 02:36:46 -0500
Subject: [PATCH] import fapolicyd-1.0-3.el8_3.2

---
 SOURCES/fapolicyd-rules-root.patch | 26 +++++++++++++
 SPECS/fapolicyd.spec               | 60 +++++++++++++++++++++++++++++-
 2 files changed, 84 insertions(+), 2 deletions(-)
 create mode 100644 SOURCES/fapolicyd-rules-root.patch

diff --git a/SOURCES/fapolicyd-rules-root.patch b/SOURCES/fapolicyd-rules-root.patch
new file mode 100644
index 0000000..7870cec
--- /dev/null
+++ b/SOURCES/fapolicyd-rules-root.patch
@@ -0,0 +1,26 @@
+diff -up ./init/fapolicyd.rules.known-libs.root ./init/fapolicyd.rules.known-libs
+--- ./init/fapolicyd.rules.known-libs.root	2020-11-06 22:38:10.308866211 +0100
++++ ./init/fapolicyd.rules.known-libs	2020-11-06 22:39:17.857469844 +0100
+@@ -6,8 +6,7 @@
+ %languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/javascript,text/x-awk,text/x-gawk,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
+ 
+ # Carve out an exception for dracut initramfs building
+-allow perm=any uid=0 : dir=/var/tmp/
+-allow perm=any uid=0 trust=1 : all
++allow perm=any uid=0 : all
+ 
+ # Prevent execution by ld.so
+ deny_audit perm=any pattern=ld_so : all
+diff -up ./init/fapolicyd.rules.restrictive.root ./init/fapolicyd.rules.restrictive
+--- ./init/fapolicyd.rules.restrictive.root	2020-11-06 22:38:14.562904224 +0100
++++ ./init/fapolicyd.rules.restrictive	2020-11-06 22:38:58.440296333 +0100
+@@ -18,8 +18,7 @@
+ %languages=application/x-bytecode.ocaml,application/java-archive,text/javascript,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
+ 
+ # Carve out an exception for dracut
+-allow perm=any uid=0 : dir=/var/tmp/
+-allow perm=any uid=0 trust=1 : all
++allow perm=any uid=0 : all
+ 
+ # Prevent execution by ld.so
+ deny_audit perm=any pattern=ld_so : all
diff --git a/SPECS/fapolicyd.spec b/SPECS/fapolicyd.spec
index ae1d6a9..d2602fd 100644
--- a/SPECS/fapolicyd.spec
+++ b/SPECS/fapolicyd.spec
@@ -6,7 +6,7 @@
 Summary: Application Whitelisting Daemon
 Name: fapolicyd
 Version: 1.0
-Release: 3%{?dist}
+Release: 3%{?dist}.2
 License: GPLv3+
 URL: http://people.redhat.com/sgrubb/fapolicyd
 Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
@@ -38,6 +38,8 @@ Patch10: fapolicyd-cli-big-buffer.patch
 Patch11: fapolicyd-get-line.patch
 Patch12: fapolicyd-man-page-trust.patch
 
+Patch13: fapolicyd-rules-root.patch
+
 %description
 Fapolicyd (File Access Policy Daemon) implements application whitelisting
 to decide file access rights. Applications that are known via a reputation
@@ -51,7 +53,21 @@ Requires:       %{name} = %{version}-%{release}
 BuildRequires:  selinux-policy
 BuildRequires:  selinux-policy-devel
 BuildArch: noarch
-%{?selinux_requires}
+#%%{?selinux_requires}
+Requires: selinux-policy >= 3.14.3-54.el8
+BuildRequires: pkgconfig(systemd)
+BuildRequires: selinux-policy
+BuildRequires: selinux-policy-devel
+Requires(post): selinux-policy-base >= 3.14.3-54.el8
+Requires(post): libselinux-utils
+Requires(post): policycoreutils
+%if 032 || 0 > 7
+Requires(post): policycoreutils-python-utils
+%else
+Requires(post): policycoreutils-python
+%endif
+
+
 
 %description    selinux
 The %{name}-selinux package contains selinux policy for the %{name} daemon.
@@ -82,6 +98,10 @@ sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//
 %patch11 -p1 -b .get-line
 %patch12 -p1 -b .man-page-trust
 
+
+# zstream
+%patch13 -p1 -b .root
+
 %build
 ./autogen.sh
 %configure \
@@ -121,8 +141,33 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
 %pre
 getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
 
+%pretrans
+c=/etc/fapolicyd/fapolicyd.rules
+if test -e $c; then
+  cat $c | grep -Em1 '^allow' | grep -q 'uid=0 : all' || {
+    if systemctl is-active fapolicyd &> dev/null; then
+      tmp=`mktemp`
+      rpm -qV fapolicyd | grep -q $c || touch /tmp/fapolicyd-cleanup
+      cat $c > $tmp
+      echo "allow perm=any uid=0 : all" > $c
+      cat $tmp >> $c
+      rm -f $tmp
+      systemctl restart fapolicyd
+    fi
+  }
+fi
+
+
 %post
 %systemd_post %{name}.service
+c=/etc/fapolicyd/fapolicyd.rules
+if test -e /tmp/fapolicyd-cleanup; then
+  cat ${c}.rpmnew > $c
+  touch -d "`stat -c %y ${c}.rpmnew`" $c
+  rm -f /tmp/fapolicyd-cleanup ${c}.rpmnew
+  systemctl restart fapolicyd
+fi
+
 
 %preun
 %systemd_preun %{name}.service
@@ -175,6 +220,17 @@ fi
 %selinux_relabel_post -s %{selinuxtype}
 
 %changelog
+* Fri Nov 06 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3.2
+RHEL 8.3.Z ERRATUM
+- selinux requires inlined
+Resolves: rhbz#1895513
+
+* Fri Nov 06 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3.1
+RHEL 8.3.Z ERRATUM
+- allow root everything
+- ensure that root rule is in .rules
+Resolves: rhbz#1895513
+
 * Tue Jun 30 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3
 RHEL 8.3 ERRATUM
 - fixed manpage fapolicyd-conf