From 6ffcda905386463452dccb50a55a20fbea1d2bea Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Tue, 26 Jul 2022 12:12:19 +0000
Subject: [PATCH] Auto sync2gitlab import of fapolicyd-1.1.3-6.el8.src.rpm

---
 .gitignore                    |   1 +
 fapolicyd-1.1.1-ld_so.patch   |  27 ---------
 fapolicyd-reorder-rules.patch | 110 ----------------------------------
 fapolicyd-selinux.patch       |  13 ++--
 fapolicyd.spec                |  40 +++++++------
 sources                       |   2 +-
 6 files changed, 32 insertions(+), 161 deletions(-)
 delete mode 100644 fapolicyd-1.1.1-ld_so.patch
 delete mode 100644 fapolicyd-reorder-rules.patch

diff --git a/.gitignore b/.gitignore
index 4b85315..845a295 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 /fapolicyd-1.1.tar.gz
 /fapolicyd-selinux-0.4.tar.gz
+/fapolicyd-1.1.3.tar.gz
diff --git a/fapolicyd-1.1.1-ld_so.patch b/fapolicyd-1.1.1-ld_so.patch
deleted file mode 100644
index a79cca7..0000000
--- a/fapolicyd-1.1.1-ld_so.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-diff -urp fapolicyd-1.1.1.orig/fapolicyd.spec fapolicyd-1.1.1/fapolicyd.spec
---- fapolicyd-1.1.1.orig/fapolicyd.spec	2022-01-28 15:17:55.000000000 -0500
-+++ fapolicyd-1.1.1/fapolicyd.spec	2022-01-28 15:19:31.594155397 -0500
-@@ -30,7 +30,7 @@ makes use of the kernel's fanotify inter
- # generate rules for python
- sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
- sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
--sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
-+sed -i "s/%ld_so_path%/`readelf -e /usr/bin/bash | grep Requesting | sed 's/.$//' | rev | cut -d" " -f1 | rev  | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
- 
- %build
- %configure \
-diff -urp fapolicyd-1.1.1.orig/m4/dyn_linker.m4 fapolicyd-1.1.1/m4/dyn_linker.m4
---- fapolicyd-1.1.1.orig/m4/dyn_linker.m4	2022-01-28 15:17:55.000000000 -0500
-+++ fapolicyd-1.1.1/m4/dyn_linker.m4	2022-01-28 15:20:02.048609672 -0500
-@@ -1,6 +1,10 @@
- AC_DEFUN([LD_SO_PATH],
- [
--  xpath=`realpath /usr/lib64/ld-2.*.so`
-+  xpath1=`readelf -e /usr/bin/bash | grep Requesting | sed 's/.$//' | rev | cut -d" " -f1 | rev`
-+  xpath=`realpath $xpath1`
-+  if test ! -f "$xpath" ; then
-+    AC_MSG_ERROR([Cant find the dynamic linker])
-+  fi
-   echo "dynamic linker is.....$xpath"
-   AC_DEFINE_UNQUOTED(SYSTEM_LD_SO, ["$xpath"], [dynamic linker])
- ])
diff --git a/fapolicyd-reorder-rules.patch b/fapolicyd-reorder-rules.patch
deleted file mode 100644
index 53a797c..0000000
--- a/fapolicyd-reorder-rules.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From 609ffa1d2ed490c7d5c77d2dd2dfdc50f415b935 Mon Sep 17 00:00:00 2001
-From: Radovan Sroka <rsroka@redhat.com>
-Date: Thu, 24 Mar 2022 09:59:05 +0100
-Subject: [PATCH] Reorder loop holes with patterns in rules.d
-
-- this keeps backwards compatibility with older wersions of rules
-- the ld_so pattern was applied to root
-- it caused problems with running ldd as root(previously unrestricted)
-
-Signed-off-by: Radovan Sroka <rsroka@redhat.com>
----
- fapolicyd.spec                                   |  6 +++---
- rules.d/{30-dracut.rules => 20-dracut.rules}     |  0
- rules.d/{30-updaters.rules => 21-updaters.rules} |  0
- rules.d/{20-patterns.rules => 30-patterns.rules} |  0
- rules.d/Makefile.am                              |  4 ++--
- rules.d/README-rules                             | 16 ++++++++--------
- 6 files changed, 13 insertions(+), 13 deletions(-)
- rename rules.d/{30-dracut.rules => 20-dracut.rules} (100%)
- rename rules.d/{30-updaters.rules => 21-updaters.rules} (100%)
- rename rules.d/{20-patterns.rules => 30-patterns.rules} (100%)
-
-diff --git a/fapolicyd.spec b/fapolicyd.spec
-index c2aae21..261b780 100644
---- a/fapolicyd.spec
-+++ b/fapolicyd.spec
-@@ -66,9 +66,9 @@ if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
- 	if [ "$files" -eq 0 ] ; then
- 		## Install the known libs policy
- cp %{_datadir}/%{name}/sample-rules/10-languages.rules  %{_sysconfdir}/%{name}/rules.d/
--cp %{_datadir}/%{name}/sample-rules/20-patterns.rules %{_sysconfdir}/%{name}/rules.d/
--cp %{_datadir}/%{name}/sample-rules/30-dracut.rules %{_sysconfdir}/%{name}/rules.d/
--cp %{_datadir}/%{name}/sample-rules/30-updaters.rules  %{_sysconfdir}/%{name}/rules.d/
-+cp %{_datadir}/%{name}/sample-rules/20-dracut.rules %{_sysconfdir}/%{name}/rules.d/
-+cp %{_datadir}/%{name}/sample-rules/21-updaters.rules  %{_sysconfdir}/%{name}/rules.d/
-+cp %{_datadir}/%{name}/sample-rules/30-patterns.rules %{_sysconfdir}/%{name}/rules.d/
- cp %{_datadir}/%{name}/sample-rules/40-bad-elf.rules  %{_sysconfdir}/%{name}/rules.d/
- cp %{_datadir}/%{name}/sample-rules/41-shared-obj.rules  %{_sysconfdir}/%{name}/rules.d/
- cp %{_datadir}/%{name}/sample-rules/42-trusted-elf.rules  %{_sysconfdir}/%{name}/rules.d/
-diff --git a/rules.d/30-dracut.rules b/rules.d/20-dracut.rules
-similarity index 100%
-rename from rules.d/30-dracut.rules
-rename to rules.d/20-dracut.rules
-diff --git a/rules.d/30-updaters.rules b/rules.d/21-updaters.rules
-similarity index 100%
-rename from rules.d/30-updaters.rules
-rename to rules.d/21-updaters.rules
-diff --git a/rules.d/20-patterns.rules b/rules.d/30-patterns.rules
-similarity index 100%
-rename from rules.d/20-patterns.rules
-rename to rules.d/30-patterns.rules
-diff --git a/rules.d/Makefile.am b/rules.d/Makefile.am
-index 76b5377..9bb61a7 100644
---- a/rules.d/Makefile.am
-+++ b/rules.d/Makefile.am
-@@ -23,8 +23,8 @@
- 
- CONFIG_CLEAN_FILES = *.rej *.orig
- 
--EXTRA_DIST = README-rules 10-languages.rules 20-patterns.rules \
--	30-dracut.rules 30-updaters.rules \
-+EXTRA_DIST = README-rules 10-languages.rules 20-dracut.rules \
-+	21-updaters.rules 30-patterns.rules \
- 	40-bad-elf.rules 41-shared-obj.rules 42-trusted-elf.rules \
- 	43-known-elf.rules \
- 	70-trusted-lang.rules 71-known-python.rules 72-shell.rules \
-diff --git a/rules.d/README-rules b/rules.d/README-rules
-index c03c02b..30fcd01 100644
---- a/rules.d/README-rules
-+++ b/rules.d/README-rules
-@@ -5,8 +5,8 @@ sort order. To make things easier to use, the files in this directory are
- organized into groups with the following meanings:
- 
- 10 - macros
--20 - patterns
--30 - loop holes
-+20 - loop holes
-+30 - patterns
- 40 - ELF rules
- 50 - user/group access rules
- 60 - application access rules
-@@ -25,9 +25,9 @@ You can reconstruct the old policy files by including the following:
- fapolicyd.rules.known-libs
- --------------------------
- 10-languages.rules
--20-patterns.rules
--30-dracut.rules
--30-updaters.rules
-+20-dracut.rules
-+21-updaters.rules
-+30-patterns.rules
- 40-bad-elf.rules
- 41-shared-obj.rules
- 42-trusted-elf.rules
-@@ -39,9 +39,9 @@ fapolicyd.rules.known-libs
- fapolicyd.rules.restrictive
- ---------------------------
- 10-languages.rules
--20-patterns.rules
--30-dracut.rules
--30-updaters.rules
-+20-dracut.rules
-+21-updaters.rules
-+30-patterns.rules
- 40-bad-elf.rules
- 41-shared-obj.rules
- 43-known-elf.rules
--- 
-2.35.1
-
diff --git a/fapolicyd-selinux.patch b/fapolicyd-selinux.patch
index 26fafeb..2ece2d2 100644
--- a/fapolicyd-selinux.patch
+++ b/fapolicyd-selinux.patch
@@ -1,9 +1,12 @@
-diff --color -ru a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te
---- a/fapolicyd-selinux-0.4/fapolicyd.te	2021-03-23 10:21:31.000000000 +0100
-+++ b/fapolicyd-selinux-0.4/fapolicyd.te	2021-11-19 10:24:20.000002248 +0100
-@@ -63,23 +63,13 @@
+diff -up ./fapolicyd-selinux-0.4/fapolicyd.te.selinux ./fapolicyd-selinux-0.4/fapolicyd.te
+--- ./fapolicyd-selinux-0.4/fapolicyd.te.selinux	2021-03-23 10:21:31.000000000 +0100
++++ ./fapolicyd-selinux-0.4/fapolicyd.te	2022-06-29 12:06:57.958124735 +0200
+@@ -61,25 +61,15 @@ corecmd_exec_bin(fapolicyd_t)
  
- files_mmap_usr_files(fapolicyd_t)
+ domain_read_all_domains_state(fapolicyd_t)
+ 
+-files_mmap_usr_files(fapolicyd_t)
++files_mmap_all_files(fapolicyd_t)
  files_read_all_files(fapolicyd_t)
 -files_watch_mount_generic_tmp_dirs(fapolicyd_t)
 -files_watch_with_perm_generic_tmp_dirs(fapolicyd_t)
diff --git a/fapolicyd.spec b/fapolicyd.spec
index 0dbbc56..5848518 100644
--- a/fapolicyd.spec
+++ b/fapolicyd.spec
@@ -2,10 +2,9 @@
 %global moduletype contrib
 %define semodule_version 0.4
 
-
 Summary: Application Whitelisting Daemon
 Name: fapolicyd
-Version: 1.1
+Version: 1.1.3
 Release: 6%{?dist}
 License: GPLv3+
 URL: http://people.redhat.com/sgrubb/fapolicyd
@@ -32,10 +31,7 @@ Requires(postun): systemd-units
 # the fapolicyd package because it provides safe upgrade path
 Patch1: fapolicyd-dnf-plugin.patch
 Patch2: fapolicyd-selinux.patch
-Patch3: fapolicyd-reorder-rules.patch
-Patch4: fagenrules-group.patch
-# 2069120 - CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path [rhel-8.6.0]
-Patch5: fapolicyd-1.1.1-ld_so.patch
+Patch3: fagenrules-group.patch
 
 %description
 Fapolicyd (File Access Policy Daemon) implements application whitelisting
@@ -64,9 +60,7 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.
 
 %patch1 -p1 -b .plugin
 %patch2 -p1 -b .selinux
-%patch3 -p1 -b .rules
-%patch4 -p1 -b .group
-%patch5 -p1 -b .ld_so
+%patch3 -p1 -b .group
 
 # generate rules for python
 sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules
@@ -185,7 +179,7 @@ if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
    # restore correct label
    /usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/*
   fi
-  fagenrules > /dev/null 2>&1
+  fagenrules --load
  fi
 fi
 %systemd_post %{name}.service
@@ -255,14 +249,24 @@ fi
 %selinux_relabel_post -s %{selinuxtype}
 
 %changelog
-* Wed Apr 06 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-6
-- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path
-Resolves: rhbz#2069120
-
-* Sat Apr 02 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-4
-RHEL 8.6.0 ERRATUM
-- fapolicyd denies access to /usr/lib64/ld-2.28.so
-Resolves: rhbz#2066300
+* Wed Jun 22 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.3-6
+RHEL 8.7.0 ERRATUM
+- rebase fapolicyd to the latest stable vesion
+Resolves: rhbz#2100087
+- fapolicyd gets way too easily killed by OOM killer
+Resolves: rhbz#2100089
+- compiled.rules file ownership and mode
+Resolves: rhbz#2066653
+- Faulty handling of static applications
+Resolves: rhbz#2084497
+- fapolicyd does not correctly handle SIGHUP
+Resolves: rhbz#2070639
+- Introduce ppid rule attribute
+Resolves: rhbz#2102563
+- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path [rhel-8.7.0]
+Resolves: rhbz#2069121
+- Fapolicyd denies access to /usr/lib64/ld-2.28.so [rhel-8.7.0]
+Resolves: rhbz#2068105
 
 * Wed Feb 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-1
 RHEL 8.6.0 ERRATUM
diff --git a/sources b/sources
index 20e8223..3f0742b 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (fapolicyd-1.1.tar.gz) = d8478a5e55f8ab3b40ab881795d391d6edd8c4149e743f3685afedf561f853f46f80e49f7b0f05e20c86d71442e286c7db9b289049b5314047d14d8d1b9f3b4e
+SHA512 (fapolicyd-1.1.3.tar.gz) = c2bf7d49a555d2c158764d6c9360ce40692d2f8ea0f0d3e21408c45318bae8a34233f5a468039bfceafb140e069605ea010a64b784fd1b0e3ad71f5f1753ca25
 SHA512 (fapolicyd-selinux-0.4.tar.gz) = afc74b9c55c71bec2039d112e8e16abc510b58bf794bd665f3128a63daa45572a6f18d1c4de1f63e45a01f8696aacfbf54ed2a07485d581f25446b7fe92307a2