import fapolicyd-1.0-3.el8_3.2
parent
3dd4bbb98c
commit
6166397a20
26
SOURCES/fapolicyd-rules-root.patch
Normal file
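--- a/SOURCES/fapolicyd-rules-root.patch
+++ b/SOURCES/fapolicyd-rules-root.patch
@@ -0,0 +1,26 @@
+diff -up ./init/fapolicyd.rules.known-libs.root ./init/fapolicyd.rules.known-libs
+--- ./init/fapolicyd.rules.known-libs.root 2020-11-06 22:38:10.308866211 +0100
++++ ./init/fapolicyd.rules.known-libs 2020-11-06 22:39:17.857469844 +0100
+@@ -6,8 +6,7 @@
+%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/javascript,text/x-awk,text/x-gawk,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
+
+# Carve out an exception for dracut initramfs building
+-allow perm=any uid=0 : dir=/var/tmp/
+-allow perm=any uid=0 trust=1 : all
++allow perm=any uid=0 : all
+
+# Prevent execution by ld.so
+deny_audit perm=any pattern=ld_so : all
+diff -up ./init/fapolicyd.rules.restrictive.root ./init/fapolicyd.rules.restrictive
+--- ./init/fapolicyd.rules.restrictive.root 2020-11-06 22:38:14.562904224 +0100
++++ ./init/fapolicyd.rules.restrictive 2020-11-06 22:38:58.440296333 +0100
+@@ -18,8 +18,7 @@
+%languages=application/x-bytecode.ocaml,application/java-archive,text/javascript,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
+
+# Carve out an exception for dracut
+-allow perm=any uid=0 : dir=/var/tmp/
+-allow perm=any uid=0 trust=1 : all
++allow perm=any uid=0 : all
+
+# Prevent execution by ld.so
+deny_audit perm=any pattern=ld_so : all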
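Review bot: The replacement rule `allow perm=any uid=0 : all` in both rule files drops the `trust=1` subject condition the old rule had, so every process running as root, including binaries that are not in the trust database, is now allowed to open and execute any file. Because fapolicyd stops at the first matching rule and this one sits above `deny_audit perm=any pattern=ld_so : all`, root is also exempt from the ld.so check and from every later deny. The retained comment `# Carve out an exception for dracut` no longer describes the rule; I would change it to something like `# uid=0 is allowed everything; this rule matches first, so no later rule applies to root`, and note the reduced coverage in the package documentation so administrators know the allowlist only constrains non-root users.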
@ -6,7 +6,7 @@
|
||||
Summary: Application Whitelisting Daemon
|
||||
Name: fapolicyd
|
||||
Version: 1.0
|
||||
Release: 3%{?dist}
|
||||
Release: 3%{?dist}.2
|
||||
License: GPLv3+
|
||||
URL: http://people.redhat.com/sgrubb/fapolicyd
|
||||
Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
|
||||
@ -38,6 +38,8 @@ Patch10: fapolicyd-cli-big-buffer.patch
|
||||
Patch11: fapolicyd-get-line.patch
|
||||
Patch12: fapolicyd-man-page-trust.patch
|
||||
|
||||
Patch13: fapolicyd-rules-root.patch
|
||||
|
||||
%description
|
||||
Fapolicyd (File Access Policy Daemon) implements application whitelisting
|
||||
to decide file access rights. Applications that are known via a reputation
|
||||
@ -51,7 +53,21 @@ Requires: %{name} = %{version}-%{release}
|
||||
BuildRequires: selinux-policy
|
||||
BuildRequires: selinux-policy-devel
|
||||
BuildArch: noarch
|
||||
%{?selinux_requires}
|
||||
#%%{?selinux_requires}
|
||||
Requires: selinux-policy >= 3.14.3-54.el8
|
||||
BuildRequires: pkgconfig(systemd)
|
||||
BuildRequires: selinux-policy
|
||||
BuildRequires: selinux-policy-devel
|
||||
Requires(post): selinux-policy-base >= 3.14.3-54.el8
|
||||
Requires(post): libselinux-utils
|
||||
Requires(post): policycoreutils
|
||||
%if 032 || 0 > 7
|
||||
Requires(post): policycoreutils-python-utils
|
||||
%else
|
||||
Requires(post): policycoreutils-python
|
||||
%endif
|
||||
|
||||
|
||||
|
||||
%description selinux
|
||||
The %{name}-selinux package contains selinux policy for the %{name} daemon.
|
||||
@ -82,6 +98,10 @@ sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//
|
||||
%patch11 -p1 -b .get-line
|
||||
%patch12 -p1 -b .man-page-trust
|
||||
|
||||
|
||||
# zstream
|
||||
%patch13 -p1 -b .root
|
||||
|
||||
%build
|
||||
./autogen.sh
|
||||
%configure \
|
||||
@ -121,8 +141,33 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
|
||||
%pre
|
||||
getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
|
||||
|
||||
%pretrans
|
||||
c=/etc/fapolicyd/fapolicyd.rules
|
||||
if test -e $c; then
|
||||
cat $c | grep -Em1 '^allow' | grep -q 'uid=0 : all' || {
|
||||
if systemctl is-active fapolicyd &> dev/null; then
|
||||
tmp=`mktemp`
|
||||
rpm -qV fapolicyd | grep -q $c || touch /tmp/fapolicyd-cleanup
|
||||
cat $c > $tmp
|
||||
echo "allow perm=any uid=0 : all" > $c
|
||||
cat $tmp >> $c
|
||||
rm -f $tmp
|
||||
systemctl restart fapolicyd
|
||||
fi
|
||||
}
|
||||
fi
|
||||
|
||||
|
||||
%post
|
||||
%systemd_post %{name}.service
|
||||
c=/etc/fapolicyd/fapolicyd.rules
|
||||
if test -e /tmp/fapolicyd-cleanup; then
|
||||
cat ${c}.rpmnew > $c
|
||||
touch -d "`stat -c %y ${c}.rpmnew`" $c
|
||||
rm -f /tmp/fapolicyd-cleanup ${c}.rpmnew
|
||||
systemctl restart fapolicyd
|
||||
fi
|
||||
|
||||
|
||||
%preun
|
||||
%systemd_preun %{name}.service
|
||||
@ -175,6 +220,17 @@ fi
|
||||
%selinux_relabel_post -s %{selinuxtype}
|
||||
|
||||
%changelog
|
||||
* Fri Nov 06 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3.2
|
||||
RHEL 8.3.Z ERRATUM
|
||||
- selinux requires inlined
|
||||
Resolves: rhbz#1895513
|
||||
|
||||
* Fri Nov 06 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3.1
|
||||
RHEL 8.3.Z ERRATUM
|
||||
- allow root everything
|
||||
- ensure that root rule is in .rules
|
||||
Resolves: rhbz#1895513
|
||||
|
||||
* Tue Jun 30 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3
|
||||
RHEL 8.3 ERRATUM
|
||||
- fixed manpage fapolicyd-conf
|
||||
|
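Review bot: The `/tmp/fapolicyd-cleanup` marker that %pretrans creates and %post tests is a fixed name in a world-writable directory, so %post cannot tell whether the scriptlet or some other local user created it, and when it exists %post overwrites `/etc/fapolicyd/fapolicyd.rules` from `${c}.rpmnew` and restarts the daemon as root. Keep the marker in a root-only location, for example `touch %{_localstatedir}/lib/rpm-state/fapolicyd-cleanup` with the matching `test -e` and `rm -f` in %post, and check that `${c}.rpmnew` exists before `cat ${c}.rpmnew > $c`, since the redirection truncates the rules file even when the cat fails. Separately, `systemctl is-active fapolicyd &> dev/null` in %pretrans is missing the leading slash; it should read `&> /dev/null`, otherwise the redirect targets a path relative to the scriptlet's working directory.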