rpms/fapolicyd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import fapolicyd-1.0-3.el8_3.2

Browse Source
This commit is contained in:
CentOS Sources 2020-11-07 02:36:46 -05:00 committed by Andrew Lukoshko
parent 3dd4bbb98c
commit 6166397a20
2 changed files with 84 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
SOURCES/fapolicyd-rules-root.patch Normal file
View File

@ -0,0 +1,26 @@
diff -up ./init/fapolicyd.rules.known-libs.root ./init/fapolicyd.rules.known-libs
--- ./init/fapolicyd.rules.known-libs.root 2020-11-06 22:38:10.308866211 +0100
+++ ./init/fapolicyd.rules.known-libs 2020-11-06 22:39:17.857469844 +0100
@@ -6,8 +6,7 @@
%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/javascript,text/x-awk,text/x-gawk,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
# Carve out an exception for dracut initramfs building
-allow perm=any uid=0 : dir=/var/tmp/
-allow perm=any uid=0 trust=1 : all
+allow perm=any uid=0 : all
# Prevent execution by ld.so
deny_audit perm=any pattern=ld_so : all
diff -up ./init/fapolicyd.rules.restrictive.root ./init/fapolicyd.rules.restrictive
--- ./init/fapolicyd.rules.restrictive.root 2020-11-06 22:38:14.562904224 +0100
+++ ./init/fapolicyd.rules.restrictive 2020-11-06 22:38:58.440296333 +0100
@@ -18,8 +18,7 @@
%languages=application/x-bytecode.ocaml,application/java-archive,text/javascript,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
# Carve out an exception for dracut
-allow perm=any uid=0 : dir=/var/tmp/
-allow perm=any uid=0 trust=1 : all
+allow perm=any uid=0 : all
# Prevent execution by ld.so
deny_audit perm=any pattern=ld_so : all

60
SPECS/fapolicyd.spec
View File

@ -6,7 +6,7 @@
Summary: Application Whitelisting Daemon Summary: Application Whitelisting Daemon
Name: fapolicyd Name: fapolicyd
Version: 1.0 Version: 1.0
Release: 3%{?dist} Release: 3%{?dist}.2
License: GPLv3+ License: GPLv3+
URL: http://people.redhat.com/sgrubb/fapolicyd URL: http://people.redhat.com/sgrubb/fapolicyd
Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
@ -38,6 +38,8 @@ Patch10: fapolicyd-cli-big-buffer.patch
Patch11: fapolicyd-get-line.patch Patch11: fapolicyd-get-line.patch
Patch12: fapolicyd-man-page-trust.patch Patch12: fapolicyd-man-page-trust.patch
Patch13: fapolicyd-rules-root.patch
%description %description
Fapolicyd (File Access Policy Daemon) implements application whitelisting Fapolicyd (File Access Policy Daemon) implements application whitelisting
to decide file access rights. Applications that are known via a reputation to decide file access rights. Applications that are known via a reputation
@ -51,7 +53,21 @@ Requires: %{name} = %{version}-%{release}
BuildRequires: selinux-policy BuildRequires: selinux-policy
BuildRequires: selinux-policy-devel BuildRequires: selinux-policy-devel
BuildArch: noarch BuildArch: noarch
%{?selinux_requires} #%%{?selinux_requires}
Requires: selinux-policy >= 3.14.3-54.el8
BuildRequires: pkgconfig(systemd)
BuildRequires: selinux-policy
BuildRequires: selinux-policy-devel
Requires(post): selinux-policy-base >= 3.14.3-54.el8
Requires(post): libselinux-utils
Requires(post): policycoreutils
%if 032 || 0 > 7
Requires(post): policycoreutils-python-utils
%else
Requires(post): policycoreutils-python
%endif
%description selinux %description selinux
The %{name}-selinux package contains selinux policy for the %{name} daemon. The %{name}-selinux package contains selinux policy for the %{name} daemon.
@ -82,6 +98,10 @@ sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//
%patch11 -p1 -b .get-line %patch11 -p1 -b .get-line
%patch12 -p1 -b .man-page-trust %patch12 -p1 -b .man-page-trust
# zstream
%patch13 -p1 -b .root
%build %build
./autogen.sh ./autogen.sh
%configure \ %configure \
@ -121,8 +141,33 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
%pre %pre
getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name} getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
%pretrans
c=/etc/fapolicyd/fapolicyd.rules
if test -e $c; then
cat $c | grep -Em1 '^allow' | grep -q 'uid=0 : all' || {
if systemctl is-active fapolicyd &> dev/null; then
tmp=`mktemp`
rpm -qV fapolicyd | grep -q $c || touch /tmp/fapolicyd-cleanup
cat $c > $tmp
echo "allow perm=any uid=0 : all" > $c
cat $tmp >> $c
rm -f $tmp
systemctl restart fapolicyd
fi
}
fi
%post %post
%systemd_post %{name}.service %systemd_post %{name}.service
c=/etc/fapolicyd/fapolicyd.rules
if test -e /tmp/fapolicyd-cleanup; then
cat ${c}.rpmnew > $c
touch -d "`stat -c %y ${c}.rpmnew`" $c
rm -f /tmp/fapolicyd-cleanup ${c}.rpmnew
systemctl restart fapolicyd
fi
%preun %preun
%systemd_preun %{name}.service %systemd_preun %{name}.service
@ -175,6 +220,17 @@ fi
%selinux_relabel_post -s %{selinuxtype} %selinux_relabel_post -s %{selinuxtype}
%changelog %changelog
* Fri Nov 06 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3.2
RHEL 8.3.Z ERRATUM
- selinux requires inlined
Resolves: rhbz#1895513
* Fri Nov 06 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3.1
RHEL 8.3.Z ERRATUM
- allow root everything
- ensure that root rule is in .rules
Resolves: rhbz#1895513
* Tue Jun 30 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3 * Tue Jun 30 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3
RHEL 8.3 ERRATUM RHEL 8.3 ERRATUM
- fixed manpage fapolicyd-conf - fixed manpage fapolicyd-conf