import fapolicyd-1.1.3-6.el8
This commit is contained in:
parent
05e9ec2938
commit
a3b5a1f1de
|
@ -1,2 +1,2 @@
|
|||
1fa6cf3f0a15bbef745438c1ba7b685ebf7e75f1 SOURCES/fapolicyd-1.1.tar.gz
|
||||
3887d3f97a4f506ad6bf7dcef36b01cc7897a692 SOURCES/fapolicyd-1.1.3.tar.gz
|
||||
bdbe20a4db2cd58073abf17a537e3a6766cdea21 SOURCES/fapolicyd-selinux-0.4.tar.gz
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
SOURCES/fapolicyd-1.1.tar.gz
|
||||
SOURCES/fapolicyd-1.1.3.tar.gz
|
||||
SOURCES/fapolicyd-selinux-0.4.tar.gz
|
||||
|
|
|
@ -1,27 +0,0 @@
|
|||
diff -urp fapolicyd-1.1.1.orig/fapolicyd.spec fapolicyd-1.1.1/fapolicyd.spec
|
||||
--- fapolicyd-1.1.1.orig/fapolicyd.spec 2022-01-28 15:17:55.000000000 -0500
|
||||
+++ fapolicyd-1.1.1/fapolicyd.spec 2022-01-28 15:19:31.594155397 -0500
|
||||
@@ -30,7 +30,7 @@ makes use of the kernel's fanotify inter
|
||||
# generate rules for python
|
||||
sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
|
||||
sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
|
||||
-sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
|
||||
+sed -i "s/%ld_so_path%/`readelf -e /usr/bin/bash | grep Requesting | sed 's/.$//' | rev | cut -d" " -f1 | rev | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
|
||||
|
||||
%build
|
||||
%configure \
|
||||
diff -urp fapolicyd-1.1.1.orig/m4/dyn_linker.m4 fapolicyd-1.1.1/m4/dyn_linker.m4
|
||||
--- fapolicyd-1.1.1.orig/m4/dyn_linker.m4 2022-01-28 15:17:55.000000000 -0500
|
||||
+++ fapolicyd-1.1.1/m4/dyn_linker.m4 2022-01-28 15:20:02.048609672 -0500
|
||||
@@ -1,6 +1,10 @@
|
||||
AC_DEFUN([LD_SO_PATH],
|
||||
[
|
||||
- xpath=`realpath /usr/lib64/ld-2.*.so`
|
||||
+ xpath1=`readelf -e /usr/bin/bash | grep Requesting | sed 's/.$//' | rev | cut -d" " -f1 | rev`
|
||||
+ xpath=`realpath $xpath1`
|
||||
+ if test ! -f "$xpath" ; then
|
||||
+ AC_MSG_ERROR([Cant find the dynamic linker])
|
||||
+ fi
|
||||
echo "dynamic linker is.....$xpath"
|
||||
AC_DEFINE_UNQUOTED(SYSTEM_LD_SO, ["$xpath"], [dynamic linker])
|
||||
])
|
|
@ -1,19 +0,0 @@
|
|||
diff -urp fapolicyd-1.1.1.orig/src/library/event.c fapolicyd-1.1.1/src/library/event.c
|
||||
--- fapolicyd-1.1.1.orig/src/library/event.c 2022-01-28 15:23:58.000000000 -0500
|
||||
+++ fapolicyd-1.1.1/src/library/event.c 2022-01-30 20:11:05.516785465 -0500
|
||||
@@ -140,7 +140,14 @@ int new_event(const struct fanotify_even
|
||||
|
||||
// We need to reset everything now that execve has finished
|
||||
if (s->info->state == STATE_STATIC_PARTIAL && !rc) {
|
||||
- s->info->state = STATE_STATIC;
|
||||
+ // If the static app itself launches an app right
|
||||
+ // away, go back to collecting.
|
||||
+ if (e->type & FAN_OPEN_EXEC_PERM)
|
||||
+ s->info->state = STATE_COLLECTING;
|
||||
+ else {
|
||||
+ s->info->state = STATE_STATIC;
|
||||
+ skip_path = 1;
|
||||
+ }
|
||||
evict = 0;
|
||||
skip_path = 1;
|
||||
subject_reset(s, EXE);
|
|
@ -1,110 +0,0 @@
|
|||
From 609ffa1d2ed490c7d5c77d2dd2dfdc50f415b935 Mon Sep 17 00:00:00 2001
|
||||
From: Radovan Sroka <rsroka@redhat.com>
|
||||
Date: Thu, 24 Mar 2022 09:59:05 +0100
|
||||
Subject: [PATCH] Reorder loop holes with patterns in rules.d
|
||||
|
||||
- this keeps backwards compatibility with older wersions of rules
|
||||
- the ld_so pattern was applied to root
|
||||
- it caused problems with running ldd as root(previously unrestricted)
|
||||
|
||||
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
|
||||
---
|
||||
fapolicyd.spec | 6 +++---
|
||||
rules.d/{30-dracut.rules => 20-dracut.rules} | 0
|
||||
rules.d/{30-updaters.rules => 21-updaters.rules} | 0
|
||||
rules.d/{20-patterns.rules => 30-patterns.rules} | 0
|
||||
rules.d/Makefile.am | 4 ++--
|
||||
rules.d/README-rules | 16 ++++++++--------
|
||||
6 files changed, 13 insertions(+), 13 deletions(-)
|
||||
rename rules.d/{30-dracut.rules => 20-dracut.rules} (100%)
|
||||
rename rules.d/{30-updaters.rules => 21-updaters.rules} (100%)
|
||||
rename rules.d/{20-patterns.rules => 30-patterns.rules} (100%)
|
||||
|
||||
diff --git a/fapolicyd.spec b/fapolicyd.spec
|
||||
index c2aae21..261b780 100644
|
||||
--- a/fapolicyd.spec
|
||||
+++ b/fapolicyd.spec
|
||||
@@ -66,9 +66,9 @@ if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
|
||||
if [ "$files" -eq 0 ] ; then
|
||||
## Install the known libs policy
|
||||
cp %{_datadir}/%{name}/sample-rules/10-languages.rules %{_sysconfdir}/%{name}/rules.d/
|
||||
-cp %{_datadir}/%{name}/sample-rules/20-patterns.rules %{_sysconfdir}/%{name}/rules.d/
|
||||
-cp %{_datadir}/%{name}/sample-rules/30-dracut.rules %{_sysconfdir}/%{name}/rules.d/
|
||||
-cp %{_datadir}/%{name}/sample-rules/30-updaters.rules %{_sysconfdir}/%{name}/rules.d/
|
||||
+cp %{_datadir}/%{name}/sample-rules/20-dracut.rules %{_sysconfdir}/%{name}/rules.d/
|
||||
+cp %{_datadir}/%{name}/sample-rules/21-updaters.rules %{_sysconfdir}/%{name}/rules.d/
|
||||
+cp %{_datadir}/%{name}/sample-rules/30-patterns.rules %{_sysconfdir}/%{name}/rules.d/
|
||||
cp %{_datadir}/%{name}/sample-rules/40-bad-elf.rules %{_sysconfdir}/%{name}/rules.d/
|
||||
cp %{_datadir}/%{name}/sample-rules/41-shared-obj.rules %{_sysconfdir}/%{name}/rules.d/
|
||||
cp %{_datadir}/%{name}/sample-rules/42-trusted-elf.rules %{_sysconfdir}/%{name}/rules.d/
|
||||
diff --git a/rules.d/30-dracut.rules b/rules.d/20-dracut.rules
|
||||
similarity index 100%
|
||||
rename from rules.d/30-dracut.rules
|
||||
rename to rules.d/20-dracut.rules
|
||||
diff --git a/rules.d/30-updaters.rules b/rules.d/21-updaters.rules
|
||||
similarity index 100%
|
||||
rename from rules.d/30-updaters.rules
|
||||
rename to rules.d/21-updaters.rules
|
||||
diff --git a/rules.d/20-patterns.rules b/rules.d/30-patterns.rules
|
||||
similarity index 100%
|
||||
rename from rules.d/20-patterns.rules
|
||||
rename to rules.d/30-patterns.rules
|
||||
diff --git a/rules.d/Makefile.am b/rules.d/Makefile.am
|
||||
index 76b5377..9bb61a7 100644
|
||||
--- a/rules.d/Makefile.am
|
||||
+++ b/rules.d/Makefile.am
|
||||
@@ -23,8 +23,8 @@
|
||||
|
||||
CONFIG_CLEAN_FILES = *.rej *.orig
|
||||
|
||||
-EXTRA_DIST = README-rules 10-languages.rules 20-patterns.rules \
|
||||
- 30-dracut.rules 30-updaters.rules \
|
||||
+EXTRA_DIST = README-rules 10-languages.rules 20-dracut.rules \
|
||||
+ 21-updaters.rules 30-patterns.rules \
|
||||
40-bad-elf.rules 41-shared-obj.rules 42-trusted-elf.rules \
|
||||
43-known-elf.rules \
|
||||
70-trusted-lang.rules 71-known-python.rules 72-shell.rules \
|
||||
diff --git a/rules.d/README-rules b/rules.d/README-rules
|
||||
index c03c02b..30fcd01 100644
|
||||
--- a/rules.d/README-rules
|
||||
+++ b/rules.d/README-rules
|
||||
@@ -5,8 +5,8 @@ sort order. To make things easier to use, the files in this directory are
|
||||
organized into groups with the following meanings:
|
||||
|
||||
10 - macros
|
||||
-20 - patterns
|
||||
-30 - loop holes
|
||||
+20 - loop holes
|
||||
+30 - patterns
|
||||
40 - ELF rules
|
||||
50 - user/group access rules
|
||||
60 - application access rules
|
||||
@@ -25,9 +25,9 @@ You can reconstruct the old policy files by including the following:
|
||||
fapolicyd.rules.known-libs
|
||||
--------------------------
|
||||
10-languages.rules
|
||||
-20-patterns.rules
|
||||
-30-dracut.rules
|
||||
-30-updaters.rules
|
||||
+20-dracut.rules
|
||||
+21-updaters.rules
|
||||
+30-patterns.rules
|
||||
40-bad-elf.rules
|
||||
41-shared-obj.rules
|
||||
42-trusted-elf.rules
|
||||
@@ -39,9 +39,9 @@ fapolicyd.rules.known-libs
|
||||
fapolicyd.rules.restrictive
|
||||
---------------------------
|
||||
10-languages.rules
|
||||
-20-patterns.rules
|
||||
-30-dracut.rules
|
||||
-30-updaters.rules
|
||||
+20-dracut.rules
|
||||
+21-updaters.rules
|
||||
+30-patterns.rules
|
||||
40-bad-elf.rules
|
||||
41-shared-obj.rules
|
||||
43-known-elf.rules
|
||||
--
|
||||
2.35.1
|
||||
|
|
@ -1,9 +1,12 @@
|
|||
diff --color -ru a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te
|
||||
--- a/fapolicyd-selinux-0.4/fapolicyd.te 2021-03-23 10:21:31.000000000 +0100
|
||||
+++ b/fapolicyd-selinux-0.4/fapolicyd.te 2021-11-19 10:24:20.000002248 +0100
|
||||
@@ -63,23 +63,13 @@
|
||||
diff -up ./fapolicyd-selinux-0.4/fapolicyd.te.selinux ./fapolicyd-selinux-0.4/fapolicyd.te
|
||||
--- ./fapolicyd-selinux-0.4/fapolicyd.te.selinux 2021-03-23 10:21:31.000000000 +0100
|
||||
+++ ./fapolicyd-selinux-0.4/fapolicyd.te 2022-06-29 12:06:57.958124735 +0200
|
||||
@@ -61,25 +61,15 @@ corecmd_exec_bin(fapolicyd_t)
|
||||
|
||||
files_mmap_usr_files(fapolicyd_t)
|
||||
domain_read_all_domains_state(fapolicyd_t)
|
||||
|
||||
-files_mmap_usr_files(fapolicyd_t)
|
||||
+files_mmap_all_files(fapolicyd_t)
|
||||
files_read_all_files(fapolicyd_t)
|
||||
-files_watch_mount_generic_tmp_dirs(fapolicyd_t)
|
||||
-files_watch_with_perm_generic_tmp_dirs(fapolicyd_t)
|
||||
|
|
|
@ -2,11 +2,10 @@
|
|||
%global moduletype contrib
|
||||
%define semodule_version 0.4
|
||||
|
||||
|
||||
Summary: Application Whitelisting Daemon
|
||||
Name: fapolicyd
|
||||
Version: 1.1
|
||||
Release: 6%{?dist}.1
|
||||
Version: 1.1.3
|
||||
Release: 6%{?dist}
|
||||
License: GPLv3+
|
||||
URL: http://people.redhat.com/sgrubb/fapolicyd
|
||||
Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
|
||||
|
@ -32,12 +31,7 @@ Requires(postun): systemd-units
|
|||
# the fapolicyd package because it provides safe upgrade path
|
||||
Patch1: fapolicyd-dnf-plugin.patch
|
||||
Patch2: fapolicyd-selinux.patch
|
||||
Patch3: fapolicyd-reorder-rules.patch
|
||||
Patch4: fagenrules-group.patch
|
||||
# 2069120 - CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path [rhel-8.6.0]
|
||||
Patch5: fapolicyd-1.1.1-ld_so.patch
|
||||
# 2084548 - Faulty handling of static applications [rhel-8.6.0.z]
|
||||
Patch6: fapolicyd-1.1.1-static.patch
|
||||
Patch3: fagenrules-group.patch
|
||||
|
||||
%description
|
||||
Fapolicyd (File Access Policy Daemon) implements application whitelisting
|
||||
|
@ -66,10 +60,7 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.
|
|||
|
||||
%patch1 -p1 -b .plugin
|
||||
%patch2 -p1 -b .selinux
|
||||
%patch3 -p1 -b .rules
|
||||
%patch4 -p1 -b .group
|
||||
%patch5 -p1 -b .ld_so
|
||||
%patch6 -p1 -b .static
|
||||
%patch3 -p1 -b .group
|
||||
|
||||
# generate rules for python
|
||||
sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules
|
||||
|
@ -188,7 +179,7 @@ if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
|
|||
# restore correct label
|
||||
/usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/*
|
||||
fi
|
||||
fagenrules > /dev/null 2>&1
|
||||
fagenrules --load
|
||||
fi
|
||||
fi
|
||||
%systemd_post %{name}.service
|
||||
|
@ -258,20 +249,24 @@ fi
|
|||
%selinux_relabel_post -s %{selinuxtype}
|
||||
|
||||
%changelog
|
||||
* Thu May 12 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-6.1
|
||||
RHEL 8.6.Z ERRATUM
|
||||
* Wed Jun 22 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.3-6
|
||||
RHEL 8.7.0 ERRATUM
|
||||
- rebase fapolicyd to the latest stable vesion
|
||||
Resolves: rhbz#2100087
|
||||
- fapolicyd gets way too easily killed by OOM killer
|
||||
Resolves: rhbz#2100089
|
||||
- compiled.rules file ownership and mode
|
||||
Resolves: rhbz#2066653
|
||||
- Faulty handling of static applications
|
||||
Resolves: rhbz#2084548
|
||||
|
||||
* Wed Apr 06 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-6
|
||||
RHEL 8.6.0 ERRATUM
|
||||
- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path
|
||||
Resolves: rhbz#2069120
|
||||
|
||||
* Sat Apr 02 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-4
|
||||
RHEL 8.6.0 ERRATUM
|
||||
- fapolicyd denies access to /usr/lib64/ld-2.28.so
|
||||
Resolves: rhbz#2066300
|
||||
Resolves: rhbz#2084497
|
||||
- fapolicyd does not correctly handle SIGHUP
|
||||
Resolves: rhbz#2070639
|
||||
- Introduce ppid rule attribute
|
||||
Resolves: rhbz#2102563
|
||||
- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path [rhel-8.7.0]
|
||||
Resolves: rhbz#2069121
|
||||
- Fapolicyd denies access to /usr/lib64/ld-2.28.so [rhel-8.7.0]
|
||||
Resolves: rhbz#2068105
|
||||
|
||||
* Wed Feb 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-1
|
||||
RHEL 8.6.0 ERRATUM
|
||||
|
|
Loading…
Reference in New Issue