Rebase to 1.0.3

- sync fedora spec with rhel

Signed-off-by: Radovan Sroka <rsroka@redhat.com>
Radovan Sroka 2021-03-31 15:07:54 +02:00
parent ed495d07ce
commit 907e9a087e
7 changed files with 128 additions and 65 deletions

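--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,6 @@
 /fapolicyd-selinux-0.3.tar.gz
 /fapolicyd-1.0.1.tar.gz
 /fapolicyd-1.0.2.tar.gz
+/fapolicyd-selinux-0.4.tar.gz
+/uthash-2.3.0.tar.gz
+/fapolicyd-1.0.3.tar.gz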


@ -1,40 +0,0 @@
diff -up ./init/fapolicyd-magic.magic-override ./init/fapolicyd-magic
--- ./init/fapolicyd-magic.magic-override 2020-11-16 20:16:10.764346043 +0100
+++ ./init/fapolicyd-magic 2020-11-16 20:18:30.354528379 +0100
@@ -1,9 +1,17 @@
0 string/w #!\ /usr/bin/bash Bourne-Again shell script text executable
!:mime text/x-shellscript
+0 search/1/w #!\ /usr/bin/env\ bash Bourne-Again shell script text executable
+!:strength + 15
+!:mime text/x-shellscript
+
0 string/w #!\ /usr/bin/sh Shell script text executable
!:mime text/x-shellscript
+0 search/1/w #!\ /usr/bin/env\ bash Bourne-Again shell script text executable
+!:strength + 15
+!:mime text/x-shellscript
+
0 string/wt #!\ /bin/rc Plan 9 shell script text executable
!:mime text/x-plan9-shellscript
@@ -47,10 +55,18 @@
!:strength + 15
!:mime text/x-python
+0 search/1/w #!\ /usr/bin/env\ python3 Python script text executable
+!:strength + 15
+!:mime text/x-python
+
0 search/1/wt #!\ /usr/bin/python2 Python script text executable
!:strength + 15
!:mime text/x-python
+0 search/1/w #!\ /usr/bin/env\ python2 Python script text executable
+!:strength + 15
+!:mime text/x-python
+
0 search/1/wt #!\ /usr/bin/python Python script text executable
!:strength + 15
!:mime text/x-python


@ -0,0 +1,39 @@
From c61dbd615b73c1fa0d66943e35ce6475f64ef7a9 Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Thu, 25 Mar 2021 21:38:45 +0100
Subject: [PATCH] Revert "Allow fapolicyd watch directories"
This reverts commit ed8aac4ef057fc7e5051041bbf7e9bb6dfb12915.
---
fapolicyd.te | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te
index f5d0052..bd71e0f 100644
--- a/fapolicyd-selinux-0.4/fapolicyd.te
+++ b/fapolicyd-selinux-0.4/fapolicyd.te
@@ -63,21 +63,11 @@ domain_read_all_domains_state(fapolicyd_t)
files_mmap_usr_files(fapolicyd_t)
files_read_all_files(fapolicyd_t)
-files_watch_mount_generic_tmp_dirs(fapolicyd_t)
-files_watch_with_perm_generic_tmp_dirs(fapolicyd_t)
-files_watch_mount_root_dirs(fapolicyd_t)
-files_watch_with_perm_root_dirs(fapolicyd_t)
-
fs_getattr_xattr_fs(fapolicyd_t)
-fs_watch_mount_tmpfs_dirs(fapolicyd_t)
-fs_watch_with_perm_tmpfs_dirs(fapolicyd_t)
logging_send_syslog_msg(fapolicyd_t)
dbus_system_bus_client(fapolicyd_t)
-userdom_watch_mount_tmp_dirs(fapolicyd_t)
-userdom_watch_with_perm_tmp_dirs(fapolicyd_t)
-
optional_policy(`
rpm_read_db(fapolicyd_t)
allow fapolicyd_t rpm_var_lib_t:file { create };
--
2.26.3
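Review bot: The patch description gives no reason for removing the watch interfaces from `fapolicyd.te`; the header says only `This reverts commit ed8aac4ef057fc7e5051041bbf7e9bb6dfb12915.`, so a reader of the spec cannot tell whether this is a compatibility workaround for the policy version the package builds against or a deliberate tightening. Dropping the `files_watch_*`, `fs_watch_*` and `userdom_watch_*` calls only takes permissions away from `fapolicyd_t`, so it cannot widen access, but if the daemon sets watches on those directories the revert will surface as AVC denials at runtime rather than at build time — presumably the interfaces are unavailable in the targeted base policy; confirm. Add one sentence of rationale under the `This reverts commit` line, for example `Reverted for the packaged policy: the *_watch_* interfaces are not provided by the base policy this build targets (tracking: <bug-id placeholder>).`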


@ -0,0 +1,39 @@
diff -up ./configure.ac.uthash ./configure.ac
--- ./configure.ac.uthash 2021-03-25 22:12:48.164450403 +0100
+++ ./configure.ac 2021-03-25 22:13:01.067282788 +0100
@@ -67,10 +67,6 @@ AC_CHECK_HEADER(sys/fanotify.h, , [AC_MS
["Couldn't find sys/fanotify.h...your kernel might not be new enough"] )])
AC_CHECK_FUNCS(fexecve, [], [])
-AC_CHECK_HEADER(uthash.h, , [AC_MSG_ERROR(
-["Couldn't find uthash.h...uthash-devel is missing"] )])
-
-
echo .
echo Checking for required libraries
AC_CHECK_LIB(udev, udev_device_get_devnode, , [AC_MSG_ERROR([libudev not found])], -ludev)
diff -up ./src/library/rpm-backend.c.uthash ./src/library/rpm-backend.c
--- ./src/library/rpm-backend.c.uthash 2021-01-05 16:27:53.000000000 +0100
+++ ./src/library/rpm-backend.c 2021-03-25 22:12:33.212644641 +0100
@@ -32,7 +32,7 @@
#include <rpm/rpmdb.h>
#include <fnmatch.h>
-#include <uthash.h>
+#include "uthash.h"
#include "message.h"
diff -up ./src/Makefile.am.uthash ./src/Makefile.am
--- ./src/Makefile.am.uthash 2021-01-05 16:27:53.000000000 +0100
+++ ./src/Makefile.am 2021-03-25 22:12:33.212644641 +0100
@@ -5,6 +5,9 @@ AM_CPPFLAGS = \
-I${top_srcdir} \
-I${top_srcdir}/src/library
+AM_CPPFLAGS += \
+ -I${top_srcdir}/uthash-2.3.0/include
+
sbin_PROGRAMS = fapolicyd fapolicyd-cli
lib_LTLIBRARIES= libfapolicyd.la
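Review bot: The added include path in `src/Makefile.am`, `-I${top_srcdir}/uthash-2.3.0/include`, hard-codes the bundled uthash version that the spec also pins in `Source2` and in `.gitignore`, and the same patch deletes the `AC_CHECK_HEADER(uthash.h, …)` guard from `configure.ac` instead of pointing it at the bundled directory, so a future tarball bump without a matching edit here fails late with a missing-header compile error rather than with the explicit configure-time diagnostic. Keeping the header check and adding the bundled directory to `CPPFLAGS` in `configure.ac` before it would preserve that early diagnostic. At minimum, a comment on the new `AM_CPPFLAGS +=` line, `# bundled uthash (rhel only); directory name must match Source2 in fapolicyd.spec`, records the coupling for the next maintainer.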


@ -1,22 +1,28 @@
%global selinuxtype targeted %global selinuxtype targeted
%global moduletype contrib %global moduletype contrib
%define semodule_version 0.3 %define semodule_version 0.4
Summary: Application Whitelisting Daemon Summary: Application Whitelisting Daemon
Name: fapolicyd Name: fapolicyd
Version: 1.0.2 Version: 1.0.3
Release: 3%{?dist} Release: 1%{?dist}
License: GPLv3+ License: GPLv3+
URL: http://people.redhat.com/sgrubb/fapolicyd URL: http://people.redhat.com/sgrubb/fapolicyd
Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz
# we bundle uthash for rhel9
Source2: https://github.com/troydhanson/uthash/archive/refs/tags/v2.3.0.tar.gz#/uthash-2.3.0.tar.gz
BuildRequires: gcc BuildRequires: gcc
BuildRequires: kernel-headers BuildRequires: kernel-headers
BuildRequires: autoconf automake make gcc libtool BuildRequires: autoconf automake make gcc libtool
BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel file BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel file
BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
BuildRequires: python3-devel BuildRequires: python3-devel
%if 0%{?rhel} == 0
BuildRequires: uthash-devel BuildRequires: uthash-devel
%endif
Requires: %{name}-plugin Requires: %{name}-plugin
Recommends: %{name}-selinux Recommends: %{name}-selinux
Requires(pre): shadow-utils Requires(pre): shadow-utils
@ -24,8 +30,8 @@ Requires(post): systemd-units
Requires(preun): systemd-units Requires(preun): systemd-units
Requires(postun): systemd-units Requires(postun): systemd-units
Patch1: fapolicyd-magic-override.patch Patch1: fapolicyd-uthash-bundle.patch
Patch2: selinux.patch Patch2: fapolicyd-revert-watch-selinux.patch
%description %description
Fapolicyd (File Access Policy Daemon) implements application whitelisting Fapolicyd (File Access Policy Daemon) implements application whitelisting
@ -65,7 +71,12 @@ Don't use dnf and rpm plugin together.
# selinux # selinux
%setup -q -D -T -a 1 %setup -q -D -T -a 1
%patch1 -p1 -b .magic-override %if 0%{?rhel} != 0
# uthash
%setup -q -D -T -a 2
%patch1 -p1 -b .uthash
%endif
%patch2 -p1 -b .selinux %patch2 -p1 -b .selinux
sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.* sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
@ -73,9 +84,7 @@ sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" ini
sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.* sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
%build %build
./autogen.sh ./autogen.sh
%configure \ %configure \
--with-audit \ --with-audit \
--with-rpm \ --with-rpm \
@ -116,6 +125,28 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
%pre %pre
getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name} getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
%pretrans -p <lua>
if posix.access("/run/fapolicyd.pid", "f") then
os.execute([[
c=/etc/fapolicyd/fapolicyd.rules
rule="allow perm=any uid=0 : all"
if test -e $c; then
if systemctl is-active fapolicyd &> /dev/null; then
tmp=`mktemp`
cat $c > $tmp
echo "$rule" > $c
cat $tmp >> $c
systemctl restart fapolicyd || true
sleep 10
cat $tmp > $c
rm -f $tmp
fi
fi
]])
end
%post %post
%systemd_post %{name}.service %systemd_post %{name}.service
@ -157,6 +188,7 @@ getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{nam
%post selinux %post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
%selinux_relabel_post -s %{selinuxtype}
%postun selinux %postun selinux
if [ $1 -eq 0 ]; then if [ $1 -eq 0 ]; then
@ -172,6 +204,10 @@ fi
%changelog %changelog
* Thu Apr 01 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.3-1
- rebase to 1.0.3
- sync fedora with rhel
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.0.2-3 * Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.0.2-3
- Rebuilt for updated systemd-rpm-macros - Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583. See https://pagure.io/fesco/issue/2583.
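Review bot: The new `%pretrans` Lua scriptlet leaves `/etc/fapolicyd/fapolicyd.rules` fail-open if the shell it spawns is interrupted between `echo "$rule" > $c` and the `cat $tmp > $c` restore, for example when the transaction is aborted during the `sleep 10`; the prepended `allow perm=any uid=0 : all` would then stay on disk and survive the next daemon restart. Restore the original rules on every exit path by registering the cleanup right after the backup is taken, `trap 'cat $tmp > $c; rm -f $tmp' EXIT`, which makes the later explicit restore a harmless no-op. The fixed `sleep 10` is also a guess at how long the restart takes; a bounded poll of `systemctl is-active fapolicyd` would make the window explicit instead of timing-dependent. The scriptlet carries no comment stating its purpose — presumably to keep the running daemon from blocking the rest of the transaction while it is restarted — so a line such as `# temporarily let root run anything while fapolicyd restarts; original rules are restored below` above `%pretrans` would help; confirm the intent against upstream before wording it.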


@ -1,15 +0,0 @@
diff -up ./fapolicyd-selinux-0.3/fapolicyd.te.selinux ./fapolicyd-selinux-0.3/fapolicyd.te
--- ./fapolicyd-selinux-0.3/fapolicyd.te.selinux 2020-11-16 20:26:57.777902314 +0100
+++ ./fapolicyd-selinux-0.3/fapolicyd.te 2020-11-16 20:28:17.659857140 +0100
@@ -64,7 +64,10 @@ files_read_all_files(fapolicyd_t)
fs_getattr_xattr_fs(fapolicyd_t)
logging_send_syslog_msg(fapolicyd_t)
+dbus_system_bus_client(fapolicyd_t)
optional_policy(`
- rpm_read_db(fapolicyd_t)
+ rpm_read_db(fapolicyd_t)
+ allow fapolicyd_t rpm_var_lib_t:file { create };
+ allow fapolicyd_t rpm_var_lib_t:dir { add_name write };
')


@ -1,2 +1,3 @@
SHA512 (fapolicyd-1.0.2.tar.gz) = 02f9a1681a948eefd856ca7e09c8dd06c5c1f0004e5f1c6d1513f79c1cb5d6bd31fa118a147ef9244b2146a3da1f525a4a329a37c969ce175a221e05d198bd1a SHA512 (fapolicyd-1.0.3.tar.gz) = 5ec48d6c3ab6312c3ad4cc23e04fe03c5288baee9ee796ae944a539b082176f9fe03ad04edb8442af194d224b888e81addc5f84d4c1a368618a2a590a17c16a1
SHA512 (fapolicyd-selinux-0.3.tar.gz) = 29895ee587294a275b3dbc712f915466758a3aabf7a692ed410ff91ae5d7dea936c231cde6aca5adf4edb9d9160450b65317ca9d1d6e76d687066d17d18495cd SHA512 (fapolicyd-selinux-0.4.tar.gz) = afc74b9c55c71bec2039d112e8e16abc510b58bf794bd665f3128a63daa45572a6f18d1c4de1f63e45a01f8696aacfbf54ed2a07485d581f25446b7fe92307a2
SHA512 (uthash-2.3.0.tar.gz) = 3b01f1074790fb242900411cb16eb82c1a9afcf58e3196a0f4611d9d7ef94690ad38c0a500e7783d3efa20328aa8d6ab14f246be63b3b3d385502ba2b6b2a294