Rebase to 1.0.3

- sync fedora spec with rhel Signed-off-by: Radovan Sroka <rsroka@redhat.com>
2021-03-31 15:07:54 +02:00 · 2021-03-31 15:07:54 +02:00 · 907e9a087e
commit 907e9a087e
parent ed495d07ce
7 changed files with 128 additions and 65 deletions
--- a/.gitignore
+++ b/.gitignore
@ -14,3 +14,6 @@
 /fapolicyd-selinux-0.3.tar.gz
 /fapolicyd-1.0.1.tar.gz
 /fapolicyd-1.0.2.tar.gz
+/fapolicyd-selinux-0.4.tar.gz
+/uthash-2.3.0.tar.gz
+/fapolicyd-1.0.3.tar.gz
--- a/fapolicyd-magic-override.patch
+++ b/fapolicyd-magic-override.patch
@ -1,40 +0,0 @@
-diff -up ./init/fapolicyd-magic.magic-override ./init/fapolicyd-magic
--- ./init/fapolicyd-magic.magic-override	2020-11-16 20:16:10.764346043 +0100
-+++ ./init/fapolicyd-magic	2020-11-16 20:18:30.354528379 +0100
-@@ -1,9 +1,17 @@
- 0	string/w	#!\ /usr/bin/bash	Bourne-Again shell script text executable
- !:mime	text/x-shellscript
- 
-+0  search/1/w  #!\ /usr/bin/env\ bash  Bourne-Again shell script text executable
-+!:strength + 15
-+!:mime text/x-shellscript
-+
- 0	string/w	#!\ /usr/bin/sh		Shell script text executable
- !:mime	text/x-shellscript
- 
-+0   search/1/w  #!\ /usr/bin/env\ bash  Bourne-Again shell script text executable
-+!:strength + 15
-+!:mime text/x-shellscript
-+
- 0	string/wt	#!\ /bin/rc		Plan 9 shell script text executable
- !:mime	text/x-plan9-shellscript
- 
-@@ -47,10 +55,18 @@
- !:strength + 15
- !:mime text/x-python
- 
-+0   search/1/w  #!\ /usr/bin/env\ python3   Python script text executable
-+!:strength + 15
-+!:mime text/x-python
-+
- 0	search/1/wt	#!\ /usr/bin/python2	Python script text executable
- !:strength + 15
- !:mime text/x-python
- 
-+0  search/1/w  #!\ /usr/bin/env\ python2   Python script text executable
-+!:strength + 15
-+!:mime text/x-python
-+
- 0	search/1/wt	#!\ /usr/bin/python	Python script text executable
- !:strength + 15
- !:mime text/x-python
--- a/fapolicyd-revert-watch-selinux.patch
+++ b/fapolicyd-revert-watch-selinux.patch
@ -0,0 +1,39 @@
+From c61dbd615b73c1fa0d66943e35ce6475f64ef7a9 Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Thu, 25 Mar 2021 21:38:45 +0100
+Subject: [PATCH] Revert "Allow fapolicyd watch directories"
+
+This reverts commit ed8aac4ef057fc7e5051041bbf7e9bb6dfb12915.
+---
+ fapolicyd.te | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te
+index f5d0052..bd71e0f 100644
+--- a/fapolicyd-selinux-0.4/fapolicyd.te
+++ b/fapolicyd-selinux-0.4/fapolicyd.te
+@@ -63,21 +63,11 @@ domain_read_all_domains_state(fapolicyd_t)
+ 
+ files_mmap_usr_files(fapolicyd_t)
+ files_read_all_files(fapolicyd_t)
+-files_watch_mount_generic_tmp_dirs(fapolicyd_t)
+-files_watch_with_perm_generic_tmp_dirs(fapolicyd_t)
+-files_watch_mount_root_dirs(fapolicyd_t)
+-files_watch_with_perm_root_dirs(fapolicyd_t)
+-
+ fs_getattr_xattr_fs(fapolicyd_t)
+-fs_watch_mount_tmpfs_dirs(fapolicyd_t)
+-fs_watch_with_perm_tmpfs_dirs(fapolicyd_t)
+ 
+ logging_send_syslog_msg(fapolicyd_t)
+ dbus_system_bus_client(fapolicyd_t)
+ 
+-userdom_watch_mount_tmp_dirs(fapolicyd_t)
+-userdom_watch_with_perm_tmp_dirs(fapolicyd_t)
+-
+ optional_policy(`
+         rpm_read_db(fapolicyd_t)
+         allow fapolicyd_t rpm_var_lib_t:file { create };
+-- 
+2.26.3
+
--- a/fapolicyd-uthash-bundle.patch
+++ b/fapolicyd-uthash-bundle.patch
@ -0,0 +1,39 @@
+diff -up ./configure.ac.uthash ./configure.ac
+--- ./configure.ac.uthash	2021-03-25 22:12:48.164450403 +0100
+++ ./configure.ac	2021-03-25 22:13:01.067282788 +0100
+@@ -67,10 +67,6 @@ AC_CHECK_HEADER(sys/fanotify.h, , [AC_MS
+ ["Couldn't find sys/fanotify.h...your kernel might not be new enough"] )])
+ AC_CHECK_FUNCS(fexecve, [], [])
+ 
+-AC_CHECK_HEADER(uthash.h, , [AC_MSG_ERROR(
+-["Couldn't find uthash.h...uthash-devel is missing"] )])
+-
+-
+ echo .
+ echo Checking for required libraries
+ AC_CHECK_LIB(udev, udev_device_get_devnode, , [AC_MSG_ERROR([libudev not found])], -ludev)
+diff -up ./src/library/rpm-backend.c.uthash ./src/library/rpm-backend.c
+--- ./src/library/rpm-backend.c.uthash	2021-01-05 16:27:53.000000000 +0100
+++ ./src/library/rpm-backend.c	2021-03-25 22:12:33.212644641 +0100
+@@ -32,7 +32,7 @@
+ #include <rpm/rpmdb.h>
+ #include <fnmatch.h>
+ 
+-#include <uthash.h>
+#include "uthash.h"
+ 
+ #include "message.h"
+ 
+diff -up ./src/Makefile.am.uthash ./src/Makefile.am
+--- ./src/Makefile.am.uthash	2021-01-05 16:27:53.000000000 +0100
+++ ./src/Makefile.am	2021-03-25 22:12:33.212644641 +0100
+@@ -5,6 +5,9 @@ AM_CPPFLAGS = \
+ 	-I${top_srcdir} \
+ 	-I${top_srcdir}/src/library
+ 
+AM_CPPFLAGS += \
+	-I${top_srcdir}/uthash-2.3.0/include
+
+ sbin_PROGRAMS = fapolicyd fapolicyd-cli
+ lib_LTLIBRARIES= libfapolicyd.la
+ 
--- a/fapolicyd.spec
+++ b/fapolicyd.spec
@ -1,22 +1,28 @@
 %global selinuxtype targeted
 %global moduletype contrib
-%define semodule_version 0.3
+%define semodule_version 0.4

 Summary: Application Whitelisting Daemon
 Name: fapolicyd
-Version: 1.0.2
-Release: 3%{?dist}
+Version: 1.0.3
+Release: 1%{?dist}
 License: GPLv3+
 URL: http://people.redhat.com/sgrubb/fapolicyd
 Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
 Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz
+# we bundle uthash for rhel9
+Source2: https://github.com/troydhanson/uthash/archive/refs/tags/v2.3.0.tar.gz#/uthash-2.3.0.tar.gz
 BuildRequires: gcc
 BuildRequires: kernel-headers
 BuildRequires: autoconf automake make gcc libtool
 BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel file
 BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
 BuildRequires: python3-devel
+
+%if 0%{?rhel} == 0
 BuildRequires: uthash-devel
+%endif
+
 Requires: %{name}-plugin
 Recommends: %{name}-selinux
 Requires(pre): shadow-utils
@ -24,8 +30,8 @@ Requires(post): systemd-units
 Requires(preun): systemd-units
 Requires(postun): systemd-units

-Patch1: fapolicyd-magic-override.patch
-Patch2: selinux.patch
+Patch1: fapolicyd-uthash-bundle.patch
+Patch2: fapolicyd-revert-watch-selinux.patch

 %description
 Fapolicyd (File Access Policy Daemon) implements application whitelisting
@ -65,7 +71,12 @@ Don't use dnf and rpm plugin together.
 # selinux
 %setup -q -D -T -a 1

-%patch1 -p1 -b .magic-override
+%if 0%{?rhel} != 0
+# uthash
+%setup -q -D -T -a 2
+%patch1 -p1 -b .uthash
+%endif
+
 %patch2 -p1 -b .selinux

 sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
@ -73,9 +84,7 @@ sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" ini
 sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*

 %build
-
 ./autogen.sh
-
 %configure \
    --with-audit \
    --with-rpm \
@ -116,6 +125,28 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
 %pre
 getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}

+%pretrans -p <lua>
+if posix.access("/run/fapolicyd.pid", "f") then
+  os.execute([[
+    c=/etc/fapolicyd/fapolicyd.rules
+    rule="allow perm=any uid=0 : all"
+
+    if test -e $c; then
+       if systemctl is-active fapolicyd &> /dev/null; then
+          tmp=`mktemp`
+          cat $c > $tmp
+          echo "$rule" > $c
+          cat $tmp >> $c
+          systemctl restart fapolicyd || true
+          sleep 10
+          cat $tmp > $c
+          rm -f $tmp
+        fi
+    fi
+    ]])
+end
+
+
 %post
 %systemd_post %{name}.service

@ -157,6 +188,7 @@ getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{nam

 %post selinux
 %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+%selinux_relabel_post -s %{selinuxtype}

 %postun selinux
 if [ $1 -eq 0 ]; then
@ -172,6 +204,10 @@ fi


 %changelog
+* Thu Apr 01 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.3-1
+- rebase to 1.0.3
+- sync fedora with rhel
+
 * Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.0.2-3
 - Rebuilt for updated systemd-rpm-macros
  See https://pagure.io/fesco/issue/2583.
--- a/selinux.patch
+++ b/selinux.patch
@ -1,15 +0,0 @@
-diff -up ./fapolicyd-selinux-0.3/fapolicyd.te.selinux ./fapolicyd-selinux-0.3/fapolicyd.te
--- ./fapolicyd-selinux-0.3/fapolicyd.te.selinux	2020-11-16 20:26:57.777902314 +0100
-+++ ./fapolicyd-selinux-0.3/fapolicyd.te	2020-11-16 20:28:17.659857140 +0100
-@@ -64,7 +64,10 @@ files_read_all_files(fapolicyd_t)
- fs_getattr_xattr_fs(fapolicyd_t)
- 
- logging_send_syslog_msg(fapolicyd_t)
-+dbus_system_bus_client(fapolicyd_t)
- 
- optional_policy(`
-        rpm_read_db(fapolicyd_t)        
-+        rpm_read_db(fapolicyd_t)
-+        allow fapolicyd_t rpm_var_lib_t:file { create };
-+        allow fapolicyd_t rpm_var_lib_t:dir { add_name write };
- ')
--- a/5
+++ b/5
@ -1,2 +1,3 @@
-SHA512 (fapolicyd-1.0.2.tar.gz) = 02f9a1681a948eefd856ca7e09c8dd06c5c1f0004e5f1c6d1513f79c1cb5d6bd31fa118a147ef9244b2146a3da1f525a4a329a37c969ce175a221e05d198bd1a
-SHA512 (fapolicyd-selinux-0.3.tar.gz) = 29895ee587294a275b3dbc712f915466758a3aabf7a692ed410ff91ae5d7dea936c231cde6aca5adf4edb9d9160450b65317ca9d1d6e76d687066d17d18495cd
+SHA512 (fapolicyd-1.0.3.tar.gz) = 5ec48d6c3ab6312c3ad4cc23e04fe03c5288baee9ee796ae944a539b082176f9fe03ad04edb8442af194d224b888e81addc5f84d4c1a368618a2a590a17c16a1
+SHA512 (fapolicyd-selinux-0.4.tar.gz) = afc74b9c55c71bec2039d112e8e16abc510b58bf794bd665f3128a63daa45572a6f18d1c4de1f63e45a01f8696aacfbf54ed2a07485d581f25446b7fe92307a2
+SHA512 (uthash-2.3.0.tar.gz) = 3b01f1074790fb242900411cb16eb82c1a9afcf58e3196a0f4611d9d7ef94690ad38c0a500e7783d3efa20328aa8d6ab14f246be63b3b3d385502ba2b6b2a294