import fapolicyd-1.0-3.el8_3.4

SOURCES/fapolicyd-java1.patch

@@ -0,0 +1,23 @@
+From 6810b42e04dd1f450862a647f05c62706f3a1c40 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Thu, 12 Nov 2020 22:21:36 -0500
+Subject: [PATCH] Add application/x-java-applet to languages in known.libs
+
+---
+ ChangeLog                       | 1 +
+ init/fapolicyd.rules.known-libs | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/init/fapolicyd.rules.known-libs b/init/fapolicyd.rules.known-libs
+index a847f71..d7ce529 100644
+--- a/init/fapolicyd.rules.known-libs
++++ b/init/fapolicyd.rules.known-libs
+@@ -3,7 +3,7 @@
+ # performance while ensuring that there is not much interference by
+ # the daemon.
+ 
+-%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/javascript,text/x-awk,text/x-gawk,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
++%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/x-java,application/x-java-applet,text/javascript,text/x-awk,text/x-gawk,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
+ 
+ # Carve out an exception for dracut initramfs building
+ allow perm=any uid=0 : dir=/var/tmp/

SOURCES/fapolicyd-java2.patch

@@ -0,0 +1,65 @@
+From 32a47ce0557c9b38ee59acec97d8f5bd01b4751d Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Tue, 10 Nov 2020 11:47:37 -0500
+Subject: [PATCH] Pickup more languages in /usr/share
+
+It turns out that there is a lot of languages placing code for execution
+in /usr/share. This patch widens the filter so that more file extensions
+are included in the trust database. Without this, access to pki-ca.jar,
+for example, is denied access.
+---
+ src/library/rpm-backend.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/src/library/rpm-backend.c b/src/library/rpm-backend.c
+index 25f867a..6ce8a2d 100644
+--- a/src/library/rpm-backend.c
++++ b/src/library/rpm-backend.c
+@@ -183,6 +183,7 @@ static int drop_path(const char *file_name)
+ 			// Drop anything in /usr/share that's
+ 			// not python, javascript, or has a libexec dir
+ 			if (file_name[6] == 'h' ) {
++				// These are roughly ordered by quantity
+ 				if (fnmatch("*.py?",
+ 						 file_name, 0) == 0)
+ 					return 0;
+@@ -192,9 +193,39 @@ static int drop_path(const char *file_name)
+ 				else if (fnmatch("*/libexec/*",
+ 						file_name, 0) == 0)
+ 					return 0;
++				else if (fnmatch("*.rb",
++						 file_name, 0) == 0)
++					return 0;
++				else if (fnmatch("*.pl",
++						 file_name, 0) == 0)
++					return 0;
++				else if (fnmatch("*.stp",
++						 file_name, 0) == 0)
++					return 0;
+ 				else if (fnmatch("*.js",
+ 						 file_name, 0) == 0)
+ 					return 0;
++				else if (fnmatch("*.jar",
++						 file_name, 0) == 0)
++					return 0;
++				else if (fnmatch("*.m4",
++						 file_name, 0) == 0)
++					return 0;
++				else if (fnmatch("*.php",
++						 file_name, 0) == 0)
++					return 0;
++				else if (fnmatch("*.el",
++						 file_name, 0) == 0)
++					return 0;
++				else if (fnmatch("*.pm",
++						 file_name, 0) == 0)
++					return 0;
++				else if (fnmatch("*.lua",
++						 file_name, 0) == 0)
++					return 0;
++				else if (fnmatch("*.java",
++						 file_name, 0) == 0)
++					return 0;
+ 				return 1;
+ 			// Akmod need scripts in /usr/src/kernel
+ 			} else if (file_name[6] == 'r' ) {

SOURCES/fapolicyd-java3.patch

@@ -0,0 +1,74 @@
+From 006a656205765ce26327d176b4ca07e44bd55422 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Tue, 10 Nov 2020 16:44:25 -0500
+Subject: [PATCH] Add comments about what each file extension is looking for in
+ the /usr/share filter
+
+---
+ src/library/rpm-backend.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/src/library/rpm-backend.c b/src/library/rpm-backend.c
+index 6ce8a2d..ba648d3 100644
+--- a/src/library/rpm-backend.c
++++ b/src/library/rpm-backend.c
+@@ -184,45 +184,59 @@ static int drop_path(const char *file_name)
+ 			// not python, javascript, or has a libexec dir
+ 			if (file_name[6] == 'h' ) {
+ 				// These are roughly ordered by quantity
++				// Python byte code
+ 				if (fnmatch("*.py?",
+ 						 file_name, 0) == 0)
+ 					return 0;
++				// Python text files
+ 				else if (fnmatch("*.py",
+ 						 file_name, 0) == 0)
+ 					return 0;
++				// Some apps have a private libexec
+ 				else if (fnmatch("*/libexec/*",
+ 						file_name, 0) == 0)
+ 					return 0;
++				// Ruby
+ 				else if (fnmatch("*.rb",
+ 						 file_name, 0) == 0)
+ 					return 0;
++				// Perl
+ 				else if (fnmatch("*.pl",
+ 						 file_name, 0) == 0)
+ 					return 0;
++				// System Tap
+ 				else if (fnmatch("*.stp",
+ 						 file_name, 0) == 0)
+ 					return 0;
++				// Javascript
+ 				else if (fnmatch("*.js",
+ 						 file_name, 0) == 0)
+ 					return 0;
++				// Java
+ 				else if (fnmatch("*.jar",
+ 						 file_name, 0) == 0)
+ 					return 0;
++				// M4
+ 				else if (fnmatch("*.m4",
+ 						 file_name, 0) == 0)
+ 					return 0;
++				// PHP
+ 				else if (fnmatch("*.php",
+ 						 file_name, 0) == 0)
+ 					return 0;
++				// Lisp
+ 				else if (fnmatch("*.el",
+ 						 file_name, 0) == 0)
+ 					return 0;
++				// Perl Modules
+ 				else if (fnmatch("*.pm",
+ 						 file_name, 0) == 0)
+ 					return 0;
++				// Lua
+ 				else if (fnmatch("*.lua",
+ 						 file_name, 0) == 0)
+ 					return 0;
++				// Java
+ 				else if (fnmatch("*.java",
+ 						 file_name, 0) == 0)
+ 					return 0;

SOURCES/fapolicyd-java4.patch

@@ -0,0 +1,32 @@
+From 2ac23e04f3f14716cf4493fc30eb6ad63760d945 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <alexander.m.scheel@gmail.com>
+Date: Wed, 11 Nov 2020 07:26:29 -0500
+Subject: [PATCH] Allow .class files instead of .java files (#101)
+
+.java files themselves aren't directly executable using the default java
+program; instead, they must first be compiled to .class files (using
+javac) before they can be executed via java. This means that .java files
+shipped in RPMs (as say, API usage examples) won't be executed and don't
+necessarily need to be. They could however, be compiled first and then
+executed as .class; however, this resulting .class file should likely be
+somewhere other than /usr/share if it wasn't distributed by the RPM
+itself.
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ src/library/rpm-backend.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/library/rpm-backend.c b/src/library/rpm-backend.c
+index ba648d3..111e9f2 100644
+--- a/src/library/rpm-backend.c
++++ b/src/library/rpm-backend.c
+@@ -237,7 +237,7 @@ static int drop_path(const char *file_name)
+ 						 file_name, 0) == 0)
+ 					return 0;
+ 				// Java
+-				else if (fnmatch("*.java",
++				else if (fnmatch("*.class",
+ 						 file_name, 0) == 0)
+ 					return 0;
+ 				return 1;

SOURCES/fapolicyd-java5.patch

@@ -0,0 +1,24 @@
+From 26fd69ab1df5025a4445ac533c2b273a2f1dda3b Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Wed, 2 Dec 2020 16:01:54 +0100
+Subject: [PATCH] Sync languages list
+
+Signed-off-by: Radovan Sroka <rsroka@redhat.com>
+---
+ init/fapolicyd.rules.restrictive | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/init/fapolicyd.rules.restrictive b/init/fapolicyd.rules.restrictive
+index 1635ef3..50944f1 100644
+--- a/init/fapolicyd.rules.restrictive
++++ b/init/fapolicyd.rules.restrictive
+@@ -14,8 +14,7 @@
+ # %python=/usr/bin/python2.7,/usr/bin/python3.6
+ # allow perm=open exe=%python : all
+ #
+-
+-%languages=application/x-bytecode.ocaml,application/java-archive,text/javascript,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
++%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/x-java,application/x-java-applet,text/javascript,text/x-awk,text/x-gawk,text/x-lisp,application/x-elc,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
+ 
+ # Carve out an exception for dracut
+ allow perm=any uid=0 : dir=/var/tmp/

SPECS/fapolicyd.spec

@@ -6,7 +6,7 @@
 Summary: Application Whitelisting Daemon
 Name: fapolicyd
 Version: 1.0
-Release: 3%{?dist}.3
+Release: 3%{?dist}.4
 License: GPLv3+
 URL: http://people.redhat.com/sgrubb/fapolicyd
 Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
@@ -19,6 +19,7 @@ BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
 BuildRequires: python3-devel
 BuildRequires: python2-devel
 Recommends: %{name}-selinux
+
 Requires(pre): shadow-utils
 Requires(post): systemd-units
 Requires(preun): systemd-units
@@ -39,6 +40,11 @@ Patch11: fapolicyd-get-line.patch
 Patch12: fapolicyd-man-page-trust.patch
 
 Patch13: fapolicyd-deleted-suffix.patch
+Patch14: fapolicyd-java1.patch
+Patch15: fapolicyd-java2.patch
+Patch16: fapolicyd-java3.patch
+Patch17: fapolicyd-java4.patch
+Patch18: fapolicyd-java5.patch
 
 %description
 Fapolicyd (File Access Policy Daemon) implements application whitelisting
@@ -99,6 +105,11 @@ sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//
 
 # zstream
 %patch13 -p1 -b .deleted
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
 
 %build
 ./autogen.sh
@@ -219,6 +230,14 @@ fi
 %selinux_relabel_post -s %{selinuxtype}
 
 %changelog
+* Thu Dec 10 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3.4
+RHEL 8.3.Z ERRATUM
+- Adding DISA STIG during OS installation causes 'ipa-server-install' to fail [rhel-8.3.0.z]
+- fixed java detection
+Resolves: rhbz#1905895
+- Erratum RHBA-2020:4969 is of no help when upgrading partially RHEL 8.2 systems [rhel-8.3.0.z]
+Resolves: rhbz#1906472
+
 * Fri Nov 13 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3.3
 RHEL 8.3.Z ERRATUM
 Resolves: rhbz#1897090