import fapolicyd-1.0.2-6.el8
This commit is contained in:
parent
93f8e76c68
commit
a40b0c24cc
@ -1,2 +1,2 @@
|
||||
9ddfe0d72d06235cad610072fd8fc9e539b03021 SOURCES/fapolicyd-1.0.tar.gz
|
||||
593c345068a10b67b353f137378f97bc6aab9111 SOURCES/fapolicyd-selinux-0.2.tar.gz
|
||||
f3b2418bcbea4b2208de429e5fa449666af84b6e SOURCES/fapolicyd-1.0.2.tar.gz
|
||||
30a587d8d696846ac05fbae206a8f563b2945189 SOURCES/fapolicyd-selinux-0.3.tar.gz
|
||||
|
4
.gitignore
vendored
@ -1,2 +1,2 @@
|
||||
SOURCES/fapolicyd-1.0.tar.gz
|
||||
SOURCES/fapolicyd-selinux-0.2.tar.gz
|
||||
SOURCES/fapolicyd-1.0.2.tar.gz
|
||||
SOURCES/fapolicyd-selinux-0.3.tar.gz
|
||||
|
@ -1,54 +0,0 @@
|
||||
diff -urp fapolicyd-0.9.5.orig/doc/fapolicyd.conf.5 fapolicyd-0.9.5/doc/fapolicyd.conf.5
|
||||
--- fapolicyd-0.9.5.orig/doc/fapolicyd.conf.5 2020-05-22 10:03:14.000000000 -0400
|
||||
+++ fapolicyd-0.9.5/doc/fapolicyd.conf.5 2020-05-22 10:04:32.583100229 -0400
|
||||
@@ -55,26 +55,6 @@ This is a comma separated list of file s
|
||||
This is a comma separated list of trust back-ends. If this is not configured, rpmdb is default. Fapolicyd supports \fBfile\fP back-end that reads content of /etc/fapolicyd/fapolicyd.trust and use it as a list of trusted files. The second option is \fBrpmdb\fP backend that generates list of trusted files from rpmdb.
|
||||
|
||||
.TP
|
||||
-.B integrity
|
||||
-This option tells fapolicyd which integrity strategy it should use. It can be one of 4 values:
|
||||
-.RS
|
||||
-.TP 12
|
||||
-.B none
|
||||
-This is the
|
||||
-.IR default
|
||||
-and does no integrity checking.
|
||||
-.TP
|
||||
-.B size
|
||||
-Selecting this option will compare the size of the file with what it was knows to be. This is better than nothing and very fast since fapolicyd already collects size information during normal processing. However, an attacker could replace the file and as long as the size matches, it will not be detected.
|
||||
-.TP
|
||||
-.B ima
|
||||
-Selecting this option will use a SHA256 hash that the IMA subsystem places in a file's extended attributes in addition to the size check. This means that all file systems holding executable code must support extended attributes.
|
||||
-.RE
|
||||
-.TP
|
||||
-.B sha256
|
||||
-Selecting this option will calculate a SHA256 hash by cryptographic means. A size check will also be performed.
|
||||
-
|
||||
-.TP
|
||||
.B syslog_format
|
||||
This option controls how the output from the access decision is formatted. The format is a comma separated list of subject and object names from the rules. It does not allow the keyword "all". It also allows for rule, dec, and perm. The format must include a semi-colon to deliniate subject from object keywords. The typical use is to place information about the access decision, then subject information, a colon, and the object information. Also note that the more things being logged, the more it will impact system performance. Also, the event written is limited to 512 bytes.
|
||||
|
||||
diff -urp fapolicyd-0.9.5.orig/init/fapolicyd.conf fapolicyd-0.9.5/init/fapolicyd.conf
|
||||
--- fapolicyd-0.9.5.orig/init/fapolicyd.conf 2020-05-22 10:03:14.000000000 -0400
|
||||
+++ fapolicyd-0.9.5/init/fapolicyd.conf 2020-05-22 10:04:46.801098703 -0400
|
||||
@@ -15,5 +15,4 @@ subj_cache_size = 1549
|
||||
obj_cache_size = 8191
|
||||
watch_fs = ext2,ext3,ext4,tmpfs,xfs,vfat,iso9660
|
||||
trust = rpmdb,file
|
||||
-integrity = none
|
||||
syslog_format = rule,dec,perm,auid,pid,exe,:,path,ftype
|
||||
diff -urp fapolicyd-0.9.5.orig/src/daemon/daemon-config.c fapolicyd-0.9.5/src/daemon/daemon-config.c
|
||||
--- fapolicyd-0.9.5.orig/src/daemon/daemon-config.c 2020-05-22 10:03:14.000000000 -0400
|
||||
+++ fapolicyd-0.9.5/src/daemon/daemon-config.c 2020-05-22 10:05:35.103093520 -0400
|
||||
@@ -538,9 +538,9 @@ static int trust_parser(const struct nv_
|
||||
static const struct nv_list integrity_schemes[] =
|
||||
{
|
||||
{"none", IN_NONE },
|
||||
- {"size", IN_SIZE },
|
||||
+/* {"size", IN_SIZE },
|
||||
{"ima", IN_IMA },
|
||||
- {"sha256", IN_SHA256 },
|
||||
+ {"sha256", IN_SHA256 }, */
|
||||
{ NULL, 0 }
|
||||
};
|
||||
|
@ -1,13 +0,0 @@
|
||||
diff -up ./src/cli/fapolicyd-cli.c.args ./src/cli/fapolicyd-cli.c
|
||||
--- ./src/cli/fapolicyd-cli.c.args 2020-05-24 19:23:27.000000000 +0200
|
||||
+++ ./src/cli/fapolicyd-cli.c 2020-06-01 11:58:01.397204265 +0200
|
||||
@@ -232,6 +232,9 @@ static int do_manage_files(int argc, cha
|
||||
else
|
||||
rc = file_update("/");
|
||||
|
||||
+ } else {
|
||||
+ fprintf(stderr, "Missing operation option add|delete|update\n\n");
|
||||
+ goto args_err;
|
||||
}
|
||||
|
||||
return rc;
|
@ -1,39 +0,0 @@
|
||||
From 98768e7d2b3736a7924d8e17de206fd25071e395 Mon Sep 17 00:00:00 2001
|
||||
From: Steve Grubb <sgrubb@redhat.com>
|
||||
Date: Tue, 2 Jun 2020 17:11:19 -0400
|
||||
Subject: [PATCH] Make fapolicyd-cli buffer bigger for rule listing
|
||||
|
||||
---
|
||||
ChangeLog | 2 ++
|
||||
src/cli/fapolicyd-cli.c | 5 +++--
|
||||
2 files changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/cli/fapolicyd-cli.c b/src/cli/fapolicyd-cli.c
|
||||
index feb9e71..8783547 100644
|
||||
--- a/src/cli/fapolicyd-cli.c
|
||||
+++ b/src/cli/fapolicyd-cli.c
|
||||
@@ -41,6 +41,7 @@
|
||||
#include "database.h"
|
||||
#include "file-backend.h"
|
||||
#include "fapolicyd-backend.h"
|
||||
+#include "string-util.h"
|
||||
|
||||
|
||||
static const char *usage =
|
||||
@@ -318,14 +319,14 @@ static int do_ftype(const char *path)
|
||||
static int do_list(void)
|
||||
{
|
||||
unsigned count = 1, lineno = 0;
|
||||
- char buf[160];
|
||||
+ char buf[BUFFER_MAX+1];
|
||||
FILE *f = fopen(RULES_FILE, "rm");
|
||||
if (f == NULL) {
|
||||
fprintf(stderr, "Cannot open rules file (%s)\n",
|
||||
strerror(errno));
|
||||
return 1;
|
||||
}
|
||||
- while (get_line(f, buf, sizeof(buf), &lineno)) {
|
||||
+ while (get_line(f, buf, BUFFER_MAX, &lineno)) {
|
||||
char *str = buf;
|
||||
lineno++;
|
||||
while (*str) {
|
@ -1,30 +0,0 @@
|
||||
diff -U0 ./ChangeLog.cli-empty-db ./ChangeLog
|
||||
diff -up ./src/cli/fapolicyd-cli.c.cli-empty-db ./src/cli/fapolicyd-cli.c
|
||||
--- ./src/cli/fapolicyd-cli.c.cli-empty-db 2020-06-05 17:12:49.010948664 +0200
|
||||
+++ ./src/cli/fapolicyd-cli.c 2020-06-05 17:12:49.016948738 +0200
|
||||
@@ -112,6 +112,7 @@ static int do_dump_db(void)
|
||||
MDB_env *env;
|
||||
MDB_txn *txn;
|
||||
MDB_dbi dbi;
|
||||
+ MDB_stat status;
|
||||
MDB_cursor *cursor;
|
||||
MDB_val key, val;
|
||||
|
||||
@@ -129,6 +130,17 @@ static int do_dump_db(void)
|
||||
rc = 1;
|
||||
goto env_close;
|
||||
}
|
||||
+ rc = mdb_env_stat(env, &status);
|
||||
+ if (rc) {
|
||||
+ fprintf(stderr, "mdb_env_stat failed, error %d %s\n", rc,
|
||||
+ mdb_strerror(rc));
|
||||
+ rc = 1;
|
||||
+ goto env_close;
|
||||
+ }
|
||||
+ if (status.ms_entries == 0) {
|
||||
+ printf("Trust database is empty\n");
|
||||
+ goto env_close; // Note: rc is 0 to get here
|
||||
+ }
|
||||
rc = mdb_txn_begin(env, NULL, MDB_RDONLY, &txn);
|
||||
if (rc) {
|
||||
fprintf(stderr, "mdb_txn_begin failed, error %d %s\n", rc,
|
25
SOURCES/fapolicyd-cli-hang.patch
Normal file
@ -0,0 +1,25 @@
|
||||
From 3f43b262b1c5b9841fd0f387cac442aefeb84da9 Mon Sep 17 00:00:00 2001
|
||||
From: Radovan Sroka <rsroka@redhat.com>
|
||||
Date: Sun, 31 Jan 2021 18:49:10 +0100
|
||||
Subject: [PATCH] Added MDB_NOLOCK to cli mdb_env_open() (#114)
|
||||
|
||||
- MDB_NOLOCK option resolves the issue with --dump-db hang
|
||||
|
||||
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
|
||||
---
|
||||
src/cli/fapolicyd-cli.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/cli/fapolicyd-cli.c b/src/cli/fapolicyd-cli.c
|
||||
index fe47948..befb8ce 100644
|
||||
--- a/src/cli/fapolicyd-cli.c
|
||||
+++ b/src/cli/fapolicyd-cli.c
|
||||
@@ -114,7 +114,7 @@ static int do_dump_db(void)
|
||||
return 1;
|
||||
}
|
||||
mdb_env_set_maxdbs(env, 2);
|
||||
- rc = mdb_env_open(env, DB_DIR, MDB_RDONLY, 0660);
|
||||
+ rc = mdb_env_open(env, DB_DIR, MDB_RDONLY|MDB_NOLOCK, 0660);
|
||||
if (rc) {
|
||||
fprintf(stderr, "mdb_env_open failed, error %d %s\n", rc,
|
||||
mdb_strerror(rc));
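Review bot: Opening the environment with `MDB_RDONLY|MDB_NOLOCK` removes the reader/writer coordination LMDB normally provides, so if the daemon is writing the trust database while `--dump-db` runs, this reader can have pages reused underneath it and print inconsistent entries or fault; the change trades the hang in #114 for that race, and nothing in the hunk records the trade-off. Presumably the hang came from a stale lock-table slot rather than a real conflict, but that reasoning should live next to the flag so the next maintainer does not "fix" it back. Suggest a comment above the call such as `// MDB_NOLOCK: skip the lock table to avoid the --dump-db hang (#114); this reader is unsynchronised against a concurrent daemon write, so output may be torn if the db is being updated`. The enclosing do_dump_db() starts and ends outside the hunk.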
|
@ -1,49 +0,0 @@
|
||||
From 8b7ea120670525d9ac7f1698ae7482d691e840a4 Mon Sep 17 00:00:00 2001
|
||||
From: Radovan Sroka <rsroka@redhat.com>
|
||||
Date: Mon, 9 Nov 2020 17:02:22 +0100
|
||||
Subject: [PATCH] Added check for " (deleted)" suffix in get_program_from_fd()
|
||||
(#97)
|
||||
|
||||
- get rid of this suffix
|
||||
|
||||
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
|
||||
|
||||
Removed strstr (#102)
|
||||
---
|
||||
src/library/process.c | 18 ++++++++++++++++--
|
||||
1 file changed, 16 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/library/process.c b/src/library/process.c
|
||||
index edd2cca..6406610 100644
|
||||
--- a/src/library/process.c
|
||||
+++ b/src/library/process.c
|
||||
@@ -146,10 +146,24 @@ char *get_program_from_pid(pid_t pid, size_t blen, char *buf)
|
||||
|
||||
return buf;
|
||||
}
|
||||
+
|
||||
+ size_t len = 0;
|
||||
if ((size_t)path_len < blen)
|
||||
- buf[path_len] = 0;
|
||||
+ len = path_len;
|
||||
else
|
||||
- buf[blen-1] = '\0';
|
||||
+ len = blen-1;
|
||||
+
|
||||
+ buf[len] = '\0';
|
||||
+ // some binaries can be deleted after execution
|
||||
+ // then we need to delete the suffix so they are
|
||||
+ // trusted even after deletion
|
||||
+
|
||||
+ // strlen(" deleted") == 10
|
||||
+ if (buf[len-1] == ')' && len > 10) {
|
||||
+
|
||||
+ if (strcmp(&buf[len - 10], " (deleted)") == 0)
|
||||
+ buf[len - 10] = '\0';
|
||||
+ }
|
||||
|
||||
return buf;
|
||||
}
|
||||
--
|
||||
2.26.2
|
||||
|
35
SOURCES/fapolicyd-dnf-plugin.patch
Normal file
@ -0,0 +1,35 @@
|
||||
diff -up ./dnf/fapolicyd-dnf-plugin.py.plugin ./dnf/fapolicyd-dnf-plugin.py
|
||||
--- ./dnf/fapolicyd-dnf-plugin.py.plugin 2021-02-11 13:41:27.837534982 +0100
|
||||
+++ ./dnf/fapolicyd-dnf-plugin.py 2021-02-11 13:41:50.750225335 +0100
|
||||
@@ -7,30 +7,8 @@ import sys
|
||||
|
||||
class Fapolicyd(dnf.Plugin):
|
||||
|
||||
- name = "fapolicyd"
|
||||
- pipe = "/var/run/fapolicyd/fapolicyd.fifo"
|
||||
- file = None
|
||||
-
|
||||
def __init__(self, base, cli):
|
||||
pass
|
||||
|
||||
def transaction(self):
|
||||
-
|
||||
- if not os.path.exists(self.pipe):
|
||||
- sys.stderr.write("Pipe does not exist (" + self.pipe + ")\n")
|
||||
- sys.stderr.write("Perhaps fapolicy-plugin does not have enough permissions\n")
|
||||
- sys.stderr.write("or fapolicyd is not running...\n")
|
||||
- return
|
||||
-
|
||||
- if not stat.S_ISFIFO(os.stat(self.pipe).st_mode):
|
||||
- sys.stderr.write(self.pipe + ": is not a pipe!\n")
|
||||
- return
|
||||
-
|
||||
- try:
|
||||
- self.file = open(self.pipe, "w")
|
||||
- except PermissionError:
|
||||
- sys.stderr.write("fapolicy-plugin does not have write permission: " + self.pipe + "\n")
|
||||
- return
|
||||
-
|
||||
- self.file.write("1")
|
||||
- self.file.close()
|
||||
+ pass
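Review bot: The new `transaction()` body is a bare `pass` with no explanation, so the patched plugin silently stops writing to the fapolicyd fifo after a dnf transaction and a reader cannot tell whether that is intentional or an unfinished stub; please add a comment stating why the notification is disabled in this build, e.g. `# Notification over the fifo is intentionally disabled in this package build; the daemon is expected to refresh the trust db by other means` (adjust to the real reason). The `import sys` shown as hunk context, and presumably the `os`/`stat` imports the removed code relied on, are now unused and could go with the same patch. The removed `name = "fapolicyd"` class attribute is likely harmless to drop since the plugin reads no config, but worth confirming against dnf's plugin loader. The class body continues outside the hunk.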
|
30
SOURCES/fapolicyd-fanotify-read-error.patch
Normal file
@ -0,0 +1,30 @@
|
||||
From d12dde7f3fdeb82a9fb064e26d260f40fb2036c0 Mon Sep 17 00:00:00 2001
|
||||
From: Steve Grubb <sgrubb@redhat.com>
|
||||
Date: Mon, 22 Mar 2021 10:38:31 -0400
|
||||
Subject: [PATCH] Do not exit on fanotify_event read failure
|
||||
|
||||
---
|
||||
ChangeLog | 1 +
|
||||
src/daemon/notify.c | 11 ++++++++---
|
||||
2 files changed, 9 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/daemon/notify.c b/src/daemon/notify.c
|
||||
index 3e42b92..a83db39 100644
|
||||
--- a/src/daemon/notify.c
|
||||
+++ b/src/daemon/notify.c
|
||||
@@ -337,8 +337,13 @@ void handle_events(void)
|
||||
len = read(fd, (void *) buf, sizeof(buf));
|
||||
} while (len == -1 && errno == EINTR && stop == 0);
|
||||
if (len == -1 && errno != EAGAIN) {
|
||||
- msg(LOG_ERR,"Error reading (%s)", strerror(errno));
|
||||
- exit(1);
|
||||
+ // If we get this, we have no access to the file. We
|
||||
+ // cannot formulate a reply either to deny it because
|
||||
+ // we have nothing to work with.
|
||||
+ msg(LOG_ERR,
|
||||
+ "Error receiving fanotify_event (%s)",
|
||||
+ strerror(errno));
|
||||
+ return;
|
||||
}
|
||||
if (stop)
|
||||
return;
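Review bot: Replacing `exit(1)` with `return` on a read() failure that is not EINTR/EAGAIN means a persistent error (a closed or otherwise broken fanotify fd) is no longer fatal but is also not recovered from: every subsequent wakeup will re-enter handle_events(), fail the same read, and emit `Error receiving fanotify_event` again, which can flood syslog while the daemon neither answers permission requests nor stops. Consider keeping a counter of consecutive read failures and still exiting (or at least suppressing the log message) once it passes a small bound, resetting it on the next successful read, so a one-off failure is tolerated but a dead fd is not spun on forever. It is also worth confirming that an unread permission event does not leave the requesting process blocked indefinitely in this path. handle_events() starts and ends outside the hunk.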
|
@ -1,36 +0,0 @@
|
||||
From 84916944b481d5c478202f6c4239e4aed0731406 Mon Sep 17 00:00:00 2001
|
||||
From: Steve Grubb <sgrubb@redhat.com>
|
||||
Date: Tue, 2 Jun 2020 17:27:58 -0400
|
||||
Subject: [PATCH] Return only valid lines
|
||||
|
||||
If fapolicyd_get_line does not find a 0x0A, then we have an unterminated
|
||||
string because its too long. Only return terminated strings, otherwise
|
||||
pass NULL back.
|
||||
---
|
||||
src/library/string-util.c | 7 ++++---
|
||||
1 file changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/library/string-util.c b/src/library/string-util.c
|
||||
index f991f5f..ffdc645 100644
|
||||
--- a/src/library/string-util.c
|
||||
+++ b/src/library/string-util.c
|
||||
@@ -53,15 +53,16 @@ char * fapolicyd_strtrim(char * s)
|
||||
return s;
|
||||
}
|
||||
|
||||
-char * fapolicyd_get_line(FILE *f, char *buf)
|
||||
+char *fapolicyd_get_line(FILE *f, char *buf)
|
||||
{
|
||||
if (fgets_unlocked(buf, BUFFER_MAX-1, f)) {
|
||||
|
||||
/* remove newline */
|
||||
char *ptr = strchr(buf, 0x0a);
|
||||
- if (ptr)
|
||||
+ if (ptr) {
|
||||
*ptr = 0;
|
||||
- return buf;
|
||||
+ return buf;
|
||||
+ }
|
||||
}
|
||||
|
||||
return NULL;
|
@ -1,23 +0,0 @@
|
||||
From 6810b42e04dd1f450862a647f05c62706f3a1c40 Mon Sep 17 00:00:00 2001
|
||||
From: Steve Grubb <sgrubb@redhat.com>
|
||||
Date: Thu, 12 Nov 2020 22:21:36 -0500
|
||||
Subject: [PATCH] Add application/x-java-applet to languages in known.libs
|
||||
|
||||
---
|
||||
ChangeLog | 1 +
|
||||
init/fapolicyd.rules.known-libs | 2 +-
|
||||
2 files changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/init/fapolicyd.rules.known-libs b/init/fapolicyd.rules.known-libs
|
||||
index a847f71..d7ce529 100644
|
||||
--- a/init/fapolicyd.rules.known-libs
|
||||
+++ b/init/fapolicyd.rules.known-libs
|
||||
@@ -3,7 +3,7 @@
|
||||
# performance while ensuring that there is not much interference by
|
||||
# the daemon.
|
||||
|
||||
-%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/javascript,text/x-awk,text/x-gawk,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
|
||||
+%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/x-java,application/x-java-applet,text/javascript,text/x-awk,text/x-gawk,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
|
||||
|
||||
# Carve out an exception for dracut initramfs building
|
||||
allow perm=any uid=0 : dir=/var/tmp/
|
@ -1,65 +0,0 @@
|
||||
From 32a47ce0557c9b38ee59acec97d8f5bd01b4751d Mon Sep 17 00:00:00 2001
|
||||
From: Steve Grubb <sgrubb@redhat.com>
|
||||
Date: Tue, 10 Nov 2020 11:47:37 -0500
|
||||
Subject: [PATCH] Pickup more languages in /usr/share
|
||||
|
||||
It turns out that there is a lot of languages placing code for execution
|
||||
in /usr/share. This patch widens the filter so that more file extensions
|
||||
are included in the trust database. Without this, access to pki-ca.jar,
|
||||
for example, is denied access.
|
||||
---
|
||||
src/library/rpm-backend.c | 31 +++++++++++++++++++++++++++++++
|
||||
1 file changed, 31 insertions(+)
|
||||
|
||||
diff --git a/src/library/rpm-backend.c b/src/library/rpm-backend.c
|
||||
index 25f867a..6ce8a2d 100644
|
||||
--- a/src/library/rpm-backend.c
|
||||
+++ b/src/library/rpm-backend.c
|
||||
@@ -183,6 +183,7 @@ static int drop_path(const char *file_name)
|
||||
// Drop anything in /usr/share that's
|
||||
// not python, javascript, or has a libexec dir
|
||||
if (file_name[6] == 'h' ) {
|
||||
+ // These are roughly ordered by quantity
|
||||
if (fnmatch("*.py?",
|
||||
file_name, 0) == 0)
|
||||
return 0;
|
||||
@@ -192,9 +193,39 @@ static int drop_path(const char *file_name)
|
||||
else if (fnmatch("*/libexec/*",
|
||||
file_name, 0) == 0)
|
||||
return 0;
|
||||
+ else if (fnmatch("*.rb",
|
||||
+ file_name, 0) == 0)
|
||||
+ return 0;
|
||||
+ else if (fnmatch("*.pl",
|
||||
+ file_name, 0) == 0)
|
||||
+ return 0;
|
||||
+ else if (fnmatch("*.stp",
|
||||
+ file_name, 0) == 0)
|
||||
+ return 0;
|
||||
else if (fnmatch("*.js",
|
||||
file_name, 0) == 0)
|
||||
return 0;
|
||||
+ else if (fnmatch("*.jar",
|
||||
+ file_name, 0) == 0)
|
||||
+ return 0;
|
||||
+ else if (fnmatch("*.m4",
|
||||
+ file_name, 0) == 0)
|
||||
+ return 0;
|
||||
+ else if (fnmatch("*.php",
|
||||
+ file_name, 0) == 0)
|
||||
+ return 0;
|
||||
+ else if (fnmatch("*.el",
|
||||
+ file_name, 0) == 0)
|
||||
+ return 0;
|
||||
+ else if (fnmatch("*.pm",
|
||||
+ file_name, 0) == 0)
|
||||
+ return 0;
|
||||
+ else if (fnmatch("*.lua",
|
||||
+ file_name, 0) == 0)
|
||||
+ return 0;
|
||||
+ else if (fnmatch("*.java",
|
||||
+ file_name, 0) == 0)
|
||||
+ return 0;
|
||||
return 1;
|
||||
// Akmod need scripts in /usr/src/kernel
|
||||
} else if (file_name[6] == 'r' ) {
|
@ -1,74 +0,0 @@
|
||||
From 006a656205765ce26327d176b4ca07e44bd55422 Mon Sep 17 00:00:00 2001
|
||||
From: Steve Grubb <sgrubb@redhat.com>
|
||||
Date: Tue, 10 Nov 2020 16:44:25 -0500
|
||||
Subject: [PATCH] Add comments about what each file extension is looking for in
|
||||
the /usr/share filter
|
||||
|
||||
---
|
||||
src/library/rpm-backend.c | 14 ++++++++++++++
|
||||
1 file changed, 14 insertions(+)
|
||||
|
||||
diff --git a/src/library/rpm-backend.c b/src/library/rpm-backend.c
|
||||
index 6ce8a2d..ba648d3 100644
|
||||
--- a/src/library/rpm-backend.c
|
||||
+++ b/src/library/rpm-backend.c
|
||||
@@ -184,45 +184,59 @@ static int drop_path(const char *file_name)
|
||||
// not python, javascript, or has a libexec dir
|
||||
if (file_name[6] == 'h' ) {
|
||||
// These are roughly ordered by quantity
|
||||
+ // Python byte code
|
||||
if (fnmatch("*.py?",
|
||||
file_name, 0) == 0)
|
||||
return 0;
|
||||
+ // Python text files
|
||||
else if (fnmatch("*.py",
|
||||
file_name, 0) == 0)
|
||||
return 0;
|
||||
+ // Some apps have a private libexec
|
||||
else if (fnmatch("*/libexec/*",
|
||||
file_name, 0) == 0)
|
||||
return 0;
|
||||
+ // Ruby
|
||||
else if (fnmatch("*.rb",
|
||||
file_name, 0) == 0)
|
||||
return 0;
|
||||
+ // Perl
|
||||
else if (fnmatch("*.pl",
|
||||
file_name, 0) == 0)
|
||||
return 0;
|
||||
+ // System Tap
|
||||
else if (fnmatch("*.stp",
|
||||
file_name, 0) == 0)
|
||||
return 0;
|
||||
+ // Javascript
|
||||
else if (fnmatch("*.js",
|
||||
file_name, 0) == 0)
|
||||
return 0;
|
||||
+ // Java
|
||||
else if (fnmatch("*.jar",
|
||||
file_name, 0) == 0)
|
||||
return 0;
|
||||
+ // M4
|
||||
else if (fnmatch("*.m4",
|
||||
file_name, 0) == 0)
|
||||
return 0;
|
||||
+ // PHP
|
||||
else if (fnmatch("*.php",
|
||||
file_name, 0) == 0)
|
||||
return 0;
|
||||
+ // Lisp
|
||||
else if (fnmatch("*.el",
|
||||
file_name, 0) == 0)
|
||||
return 0;
|
||||
+ // Perl Modules
|
||||
else if (fnmatch("*.pm",
|
||||
file_name, 0) == 0)
|
||||
return 0;
|
||||
+ // Lua
|
||||
else if (fnmatch("*.lua",
|
||||
file_name, 0) == 0)
|
||||
return 0;
|
||||
+ // Java
|
||||
else if (fnmatch("*.java",
|
||||
file_name, 0) == 0)
|
||||
return 0;
|
@ -1,32 +0,0 @@
|
||||
From 2ac23e04f3f14716cf4493fc30eb6ad63760d945 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <alexander.m.scheel@gmail.com>
|
||||
Date: Wed, 11 Nov 2020 07:26:29 -0500
|
||||
Subject: [PATCH] Allow .class files instead of .java files (#101)
|
||||
|
||||
.java files themselves aren't directly executable using the default java
|
||||
program; instead, they must first be compiled to .class files (using
|
||||
javac) before they can be executed via java. This means that .java files
|
||||
shipped in RPMs (as say, API usage examples) won't be executed and don't
|
||||
necessarily need to be. They could however, be compiled first and then
|
||||
executed as .class; however, this resulting .class file should likely be
|
||||
somewhere other than /usr/share if it wasn't distributed by the RPM
|
||||
itself.
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
src/library/rpm-backend.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/library/rpm-backend.c b/src/library/rpm-backend.c
|
||||
index ba648d3..111e9f2 100644
|
||||
--- a/src/library/rpm-backend.c
|
||||
+++ b/src/library/rpm-backend.c
|
||||
@@ -237,7 +237,7 @@ static int drop_path(const char *file_name)
|
||||
file_name, 0) == 0)
|
||||
return 0;
|
||||
// Java
|
||||
- else if (fnmatch("*.java",
|
||||
+ else if (fnmatch("*.class",
|
||||
file_name, 0) == 0)
|
||||
return 0;
|
||||
return 1;
|
@ -1,24 +0,0 @@
|
||||
From 26fd69ab1df5025a4445ac533c2b273a2f1dda3b Mon Sep 17 00:00:00 2001
|
||||
From: Radovan Sroka <rsroka@redhat.com>
|
||||
Date: Wed, 2 Dec 2020 16:01:54 +0100
|
||||
Subject: [PATCH] Sync languages list
|
||||
|
||||
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
|
||||
---
|
||||
init/fapolicyd.rules.restrictive | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/init/fapolicyd.rules.restrictive b/init/fapolicyd.rules.restrictive
|
||||
index 1635ef3..50944f1 100644
|
||||
--- a/init/fapolicyd.rules.restrictive
|
||||
+++ b/init/fapolicyd.rules.restrictive
|
||||
@@ -14,8 +14,7 @@
|
||||
# %python=/usr/bin/python2.7,/usr/bin/python3.6
|
||||
# allow perm=open exe=%python : all
|
||||
#
|
||||
-
|
||||
-%languages=application/x-bytecode.ocaml,application/java-archive,text/javascript,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
|
||||
+%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/x-java,application/x-java-applet,text/javascript,text/x-awk,text/x-gawk,text/x-lisp,application/x-elc,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
|
||||
|
||||
# Carve out an exception for dracut
|
||||
allow perm=any uid=0 : dir=/var/tmp/
|
@ -1,60 +1,47 @@
|
||||
diff -up ./init/fapolicyd-magic.magic-override ./init/fapolicyd-magic
|
||||
--- ./init/fapolicyd-magic.magic-override 2020-06-01 12:19:03.714672865 +0200
|
||||
+++ ./init/fapolicyd-magic 2020-06-01 12:19:52.754376249 +0200
|
||||
@@ -13,6 +13,12 @@
|
||||
0 string/wt #!\ /usr/bin/lua Lua script text executable
|
||||
!:mime text/x-lua
|
||||
diff -up ./init/fapolicyd-magic.magic ./init/fapolicyd-magic
|
||||
--- ./init/fapolicyd-magic.magic 2021-01-05 16:27:53.000000000 +0100
|
||||
+++ ./init/fapolicyd-magic 2021-02-17 15:51:41.420604805 +0100
|
||||
@@ -1,9 +1,17 @@
|
||||
0 string/w #!\ /usr/bin/bash Bourne-Again shell script text executable
|
||||
!:mime text/x-shellscript
|
||||
|
||||
+0 string/wt #!\ /usr/bin/texlua LuaTex script text executable
|
||||
+!:mime text/x-luatex
|
||||
+0 search/1/w #!\ /usr/bin/env\ bash Bourne-Again shell script text executable
|
||||
+!:strength + 15
|
||||
+!:mime text/x-shellscript
|
||||
+
|
||||
+0 string/wt #!\ /usr/bin/luatex LuaTex script text executable
|
||||
+!:mime text/x-luatex
|
||||
+
|
||||
0 string/wt #!\ /usr/bin/Rscript R script text executable
|
||||
!:mime text/x-R
|
||||
0 string/w #!\ /usr/bin/sh Shell script text executable
|
||||
!:mime text/x-shellscript
|
||||
|
||||
@@ -53,8 +59,19 @@
|
||||
+0 search/1/w #!\ /usr/bin/env\ sh Shell script text executable
|
||||
+!:strength + 15
|
||||
+!:mime text/x-shellscript
|
||||
+
|
||||
0 string/wt #!\ /bin/rc Plan 9 shell script text executable
|
||||
!:mime text/x-plan9-shellscript
|
||||
|
||||
@@ -47,10 +55,18 @@
|
||||
!:strength + 15
|
||||
!:mime text/x-python
|
||||
|
||||
+0 search/1/w #!\ /usr/bin/env\ python Python script text executable
|
||||
+0 search/1/w #!\ /usr/bin/env\ python3 Python script text executable
|
||||
+!:strength + 15
|
||||
+!:mime text/x-python
|
||||
+
|
||||
0 string/wt #!\ /usr/bin/guile Guile script text executable
|
||||
!:mime text/x-script.guile
|
||||
0 search/1/wt #!\ /usr/bin/python2 Python script text executable
|
||||
!:strength + 15
|
||||
!:mime text/x-python
|
||||
|
||||
0 string \223NUMPY NumPy data file
|
||||
!:mime application/x-numpy-data
|
||||
+0 search/1/w #!\ /usr/bin/env\ python2 Python script text executable
|
||||
+!:strength + 15
|
||||
+!:mime text/x-python
|
||||
+
|
||||
+0 search/1/w #!\ /usr/bin/tclsh Tcl/Tk script text executable
|
||||
+!:mime text/x-tcl
|
||||
+
|
||||
+
|
||||
+0 search/1/w #!\ /usr/bin/stap Systemtap script text executable
|
||||
+!:mime text/x-systemtap
|
||||
diff -up ./init/fapolicyd.rules.known-libs.magic-override ./init/fapolicyd.rules.known-libs
|
||||
--- ./init/fapolicyd.rules.known-libs.magic-override 2020-06-01 12:20:56.498290540 +0200
|
||||
+++ ./init/fapolicyd.rules.known-libs 2020-06-01 12:23:17.220324490 +0200
|
||||
@@ -3,7 +3,7 @@
|
||||
# performance while ensuring that there is not much interference by
|
||||
# the daemon.
|
||||
0 search/1/wt #!\ /usr/bin/python Python script text executable
|
||||
!:strength + 15
|
||||
!:mime text/x-python
|
||||
@@ -72,6 +88,5 @@
|
||||
0 search/1/wt #!\ /usr/bin/tclsh Tcl/Tk script text executable
|
||||
!:mime text/x-tcl
|
||||
|
||||
-%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/javascript,text/x-awk,text/x-gawk,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl
|
||||
+%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/javascript,text/x-awk,text/x-gawk,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
|
||||
|
||||
# Carve out an exception for dracut initramfs building
|
||||
allow perm=any uid=0 : dir=/var/tmp/
|
||||
diff -up ./init/fapolicyd.rules.restrictive.magic-override ./init/fapolicyd.rules.restrictive
|
||||
--- ./init/fapolicyd.rules.restrictive.magic-override 2020-06-01 12:22:55.144002314 +0200
|
||||
+++ ./init/fapolicyd.rules.restrictive 2020-06-01 12:23:55.860888398 +0200
|
||||
@@ -15,7 +15,7 @@
|
||||
# allow perm=open exe=%python : all
|
||||
#
|
||||
|
||||
-%languages=application/x-bytecode.ocaml,application/java-archive,text/javascript,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl
|
||||
+%languages=application/x-bytecode.ocaml,application/java-archive,text/javascript,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
|
||||
|
||||
# Carve out an exception for dracut
|
||||
allow perm=any uid=0 : dir=/var/tmp/
|
||||
-
|
||||
0 search/1/wt #!\ /usr/bin/stap Systemtap script text executable
|
||||
!:mime text/x-systemtap
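Review bot: In the added block near the `/usr/bin/env python` entries, the line `0 search/1/w #!\ /usr/bin/env\ python Python script text executable` is immediately followed by a new `0 search/1/w ... python3` entry, so the `!:strength + 15` and `!:mime text/x-python` lines that follow attach only to the python3 entry and the plain `env python` entry gets no MIME type; scripts matched by it would then not classify as `text/x-python` for the `%languages` rules. If the rendering here reflects the patched file, give that entry its own `!:strength + 15` and `!:mime text/x-python` lines directly after it, as the `env python2`/`env python3` entries have. This section interleaves old and new content without markers, so the exact line order should be checked in the patch itself.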
|
||||
|
@ -1,61 +0,0 @@
|
||||
From 598d167f1d3e774104fc8b75ca6525351fbc4558 Mon Sep 17 00:00:00 2001
|
||||
From: Radovan Sroka <rsroka@redhat.com>
|
||||
Date: Mon, 1 Jun 2020 14:34:17 +0200
|
||||
Subject: [PATCH] Added few python and shell magic entries
|
||||
|
||||
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
|
||||
---
|
||||
init/fapolicyd-magic | 17 ++++++++++++++++-
|
||||
1 file changed, 16 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/init/fapolicyd-magic b/init/fapolicyd-magic
|
||||
index 3128545..703625e 100644
|
||||
--- a/init/fapolicyd-magic
|
||||
+++ b/init/fapolicyd-magic
|
||||
@@ -1,9 +1,17 @@
|
||||
0 string/wt #!\ /usr/bin/bash Bourne-Again shell script text executable
|
||||
!:mime text/x-shellscript
|
||||
|
||||
+0 search/1/w #!\ /usr/bin/env\ bash Bourne-Again shell script text executable
|
||||
+!:strength + 15
|
||||
+!:mime text/x-shellscript
|
||||
+
|
||||
0 string/w #!\ /usr/bin/sh Shell script text executable
|
||||
!:mime text/x-shellscript
|
||||
|
||||
+0 search/1/w #!\ /usr/bin/env\ sh Shell script text executable
|
||||
+!:strength + 15
|
||||
+!:mime text/x-shellscript
|
||||
+
|
||||
0 string/wt #!\ /bin/rc Plan 9 shell script text executable
|
||||
!:mime text/x-plan9-shellscript
|
||||
|
||||
@@ -47,10 +55,18 @@
|
||||
!:strength + 15
|
||||
!:mime text/x-python
|
||||
|
||||
+0 search/1/w #!\ /usr/bin/env\ python3 Python script text executable
|
||||
+!:strength + 15
|
||||
+!:mime text/x-python
|
||||
+
|
||||
0 search/1/w #!\ /usr/bin/python2 Python script text executable
|
||||
!:strength + 15
|
||||
!:mime text/x-python
|
||||
|
||||
+0 search/1/w #!\ /usr/bin/env\ python2 Python script text executable
|
||||
+!:strength + 15
|
||||
+!:mime text/x-python
|
||||
+
|
||||
0 search/1/w #!\ /usr/bin/python Python script text executable
|
||||
!:strength + 15
|
||||
!:mime text/x-python
|
||||
@@ -72,6 +88,5 @@
|
||||
0 search/1/w #!\ /usr/bin/tclsh Tcl/Tk script text executable
|
||||
!:mime text/x-tcl
|
||||
|
||||
-
|
||||
0 search/1/w #!\ /usr/bin/stap Systemtap script text executable
|
||||
!:mime text/x-systemtap
|
||||
--
|
||||
2.25.4
|
||||
|
@ -1,24 +0,0 @@
|
||||
From 00e7b498cac2cdb7e82075b6328b313b420120d6 Mon Sep 17 00:00:00 2001
|
||||
From: Radovan Sroka <rsroka@redhat.com>
|
||||
Date: Tue, 2 Jun 2020 21:25:12 +0200
|
||||
Subject: [PATCH] Sync fapolicyd.conf man page trust option with the real
|
||||
default. (#71)
|
||||
|
||||
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
|
||||
---
|
||||
doc/fapolicyd.conf.5 | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/doc/fapolicyd.conf.5 b/doc/fapolicyd.conf.5
|
||||
index 5ed657e..0f28081 100644
|
||||
--- a/doc/fapolicyd.conf.5
|
||||
+++ b/doc/fapolicyd.conf.5
|
||||
@@ -52,7 +52,7 @@ This is a comma separated list of file systems that should be watched for access
|
||||
|
||||
.TP
|
||||
.B trust
|
||||
-This is a comma separated list of trust back-ends. If this is not configured, rpmdb is default. Fapolicyd supports \fBfile\fP back-end that reads content of /etc/fapolicyd/fapolicyd.trust and use it as a list of trusted files. The second option is \fBrpmdb\fP backend that generates list of trusted files from rpmdb.
|
||||
+This is a comma separated list of trust back-ends. If this is not configured, 'rpmdb,file' is default. Fapolicyd supports \fBfile\fP back-end that reads content of /etc/fapolicyd/fapolicyd.trust and use it as a list of trusted files. The second option is \fBrpmdb\fP backend that generates list of trusted files from rpmdb.
|
||||
|
||||
.TP
|
||||
.B syslog_format
|
@ -1,33 +0,0 @@
|
||||
diff -up ./doc/fapolicyd-cli.1.man-page ./doc/fapolicyd-cli.1
|
||||
--- ./doc/fapolicyd-cli.1.man-page 2020-06-01 14:20:55.720491113 +0200
|
||||
+++ ./doc/fapolicyd-cli.1 2020-06-01 14:20:59.684554153 +0200
|
||||
@@ -16,7 +16,7 @@ Deletes the trust database. Normally thi
|
||||
.B \-D, \-\-dump-db
|
||||
Dumps the trust db contents for inspection. This will print the original trust source, path, file size, and SHA256 sum of the file as known by the trust source the entry came from.
|
||||
.TP
|
||||
-.B \-f, \-\-file [add] [path]
|
||||
+.B \-f, \-\-file add|delete|update [path]
|
||||
Manage the file trust database.
|
||||
.RS
|
||||
.TP 12
|
||||
diff -up ./doc/fapolicyd.rules.5.man-page ./doc/fapolicyd.rules.5
|
||||
--- ./doc/fapolicyd.rules.5.man-page 2020-05-24 19:23:27.000000000 +0200
|
||||
+++ ./doc/fapolicyd.rules.5 2020-06-01 14:20:31.272102326 +0200
|
||||
@@ -14,7 +14,7 @@ for the access control decision. The col
|
||||
.SS Decision
|
||||
The decision is either
|
||||
.IR allow ", " deny ", " allow_audit ", " deny_audit ", " allow_syslog ", "deny_syslog ", " allow_log ", or " deny_log ".
|
||||
-If the rule triggers, this is the access decision that fapolicyd will tell the kernel. If the decision is one of the audit variety, then the decision will trigger a FANOTIFY audit event with all relevant information. If the decision is one of the syslog variety, then the decision will trigger writing an event into syslog. If the decision is of one the log variety, then it will create an audit event and a syslog event.
|
||||
+If the rule triggers, this is the access decision that fapolicyd will tell the kernel. If the decision is one of the audit variety, then the decision will trigger a FANOTIFY audit event with all relevant information. If the decision is one of the syslog variety, then the decision will trigger writing an event into syslog. If the decision is of one the log variety, then it will create an audit event and a syslog event. Regardless of the notification, any rule with a deny in the keyword will deny access and any with an allow in the keyword will allow access.
|
||||
|
||||
.SS Perm
|
||||
Perm describes what kind permission is being asked for. The permission is either
|
||||
@@ -132,7 +132,7 @@ This option matches against the sha256 h
|
||||
.RE
|
||||
|
||||
.SH SETS
|
||||
-Set is a named group of values of the same type. Fapolicyd internally distinguishes between INT and STRING set types. You can define your own set and use it as a value for specific rule attribute. Definition is in key=value syntax and it starts with a set name. Set name has to start with % and the rest is alphanumeric. Value is a comma separated list. The set type is inherited from the first item in the list. If that can be turned into number then whole list is expected to carry numbers. One can use these sets as a value for subject and object attributes. It is also possible to use a plain list as an attribute value without previous definition. Assigned set has to match attribute type. It is not possible set groups for TRUST and PATTERN attributes.
|
||||
+Set is a named group of values of the same type. Fapolicyd internally distinguishes between INT and STRING set types. You can define your own set and use it as a value for a specific rule attribute. The definition is in key=value syntax and starts with a set name. The set name has to start with % and the rest is alphanumeric. The value is a comma separated list. The set type is inherited from the first item in the list. If that can be turned into number then whole list is expected to carry numbers. One can use these sets as a value for subject and object attributes. It is also possible to use a plain list as an attribute value without previous definition. The assigned set has to match the attribute type. It is not possible set groups for TRUST and PATTERN attributes.
|
||||
|
||||
|
||||
.SS SETS EXAMPLES
|
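--- /dev/null
+++ b/SOURCES/fapolicyd-startup-message.patch
@@ -0,0 +1,32 @@
+From 54b0679719bf82e25b2b007a32f26b1654912fa2 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Tue, 26 Jan 2021 15:07:05 -0500
+Subject: [PATCH] Add startup and shutdown syslog message
+
+---
+ChangeLog | 1 +
+src/daemon/fapolicyd.c | 4 ++--
+2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/daemon/fapolicyd.c b/src/daemon/fapolicyd.c
+index e0e01ae..55e085d 100644
+--- a/src/daemon/fapolicyd.c
++++ b/src/daemon/fapolicyd.c
+@@ -491,7 +491,7 @@ int main(int argc, const char *argv[])
+pfd[1].fd = init_fanotify(&config, m);
+pfd[1].events = POLLIN;
+
+- msg(LOG_DEBUG, "Starting to listen for events");
++ msg(LOG_INFO, "Starting to listen for events");
+while (!stop) {
+rc = poll(pfd, 2, -1);
+
+@@ -526,7 +526,7 @@ int main(int argc, const char *argv[])
+#endif
+}
+}
+- msg(LOG_DEBUG, "shutting down...");
++ msg(LOG_INFO, "shutting down...");
+shutdown_fanotify(m);
+close(pfd[0].fd);
+mlist_clear(m);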
@ -1,58 +0,0 @@
|
||||
From c7d409cebf86b1c71192fd79ec5f5582f4f00f30 Mon Sep 17 00:00:00 2001
|
||||
From: Radovan Sroka <rsroka@redhat.com>
|
||||
Date: Tue, 2 Jun 2020 21:24:28 +0200
|
||||
Subject: [PATCH] Ignore db errors from check_trust_database() (#70)
|
||||
|
||||
- mark every subject and object as not trusted
|
||||
when it is not possible to do a query
|
||||
|
||||
- previously, when error occurred then subject or
|
||||
object was actually considered to be trusted
|
||||
|
||||
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
|
||||
---
|
||||
src/library/event.c | 23 +++++++++++++++++------
|
||||
1 file changed, 17 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/library/event.c b/src/library/event.c
|
||||
index 564c120..2a4083b 100644
|
||||
--- a/src/library/event.c
|
||||
+++ b/src/library/event.c
|
||||
@@ -339,9 +339,15 @@ subject_attr_t *get_subj_attr(event_t *e, subject_type_t t)
|
||||
|
||||
subj.val = 0;
|
||||
if (exe) {
|
||||
- if (exe->str && check_trust_database(exe->str,
|
||||
- NULL, 0))
|
||||
- subj.val = 1;
|
||||
+ if (exe->str) {
|
||||
+ int res = check_trust_database(exe->str, NULL, 0);
|
||||
+
|
||||
+ // ignore -1
|
||||
+ if (res == 1)
|
||||
+ subj.val = 1;
|
||||
+ else
|
||||
+ subj.val = 0;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
break;
|
||||
@@ -422,10 +428,15 @@ object_attr_t *get_obj_attr(event_t *e, object_type_t t)
|
||||
case OBJ_TRUST: {
|
||||
object_attr_t *path = get_obj_attr(e, PATH);
|
||||
|
||||
- if (path && path->o && check_trust_database(path->o,
|
||||
- o->info, e->fd))
|
||||
- obj.val = 1;
|
||||
+ if (path && path->o) {
|
||||
+ int res = check_trust_database(path->o, o->info, e->fd);
|
||||
|
||||
+ // ignore -1
|
||||
+ if (res == 1)
|
||||
+ obj.val = 1;
|
||||
+ else
|
||||
+ obj.val = 0;
|
||||
+ }
|
||||
}
|
||||
break;
|
||||
case FMODE:
|
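--- /dev/null
+++ b/SOURCES/fapolicyd-unlink-fifo1.patch
@@ -0,0 +1,50 @@
+From 8cf74e7f147836e81c3583a046e4dc2b4673a14c Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Thu, 11 Mar 2021 14:45:50 +0100
+Subject: [PATCH] Ensure that fifo will be removed after termination
+
+- unlink_fifo() will be called after every succesful termination
+because dnf/yum can hang if the pipe exists after daemon termination
+
+- move preconstruct_fifo() out of the scope because it is needed also
+when the daemon is configured to run as root
+
+Signed-off-by: Radovan Sroka <rsroka@redhat.com>
+---
+src/daemon/fapolicyd.c | 13 +++++++++++--
+1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/src/daemon/fapolicyd.c b/src/daemon/fapolicyd.c
+index 5dce666..c29611c 100644
+--- a/src/daemon/fapolicyd.c
++++ b/src/daemon/fapolicyd.c
+@@ -446,6 +446,17 @@ int main(int argc, const char *argv[])
+openlog("fapolicyd", LOG_PID, LOG_DAEMON);
+}
+
++ // Set the exit function so there is always a fifo cleanup
++ if (atexit(unlink_fifo)) {
++ msg(LOG_ERR, "Cannot set exit function");
++ exit(1);
++ }
++
++ if (preconstruct_fifo(&config)) {
++ msg(LOG_ERR, "Cannot contruct a pipe");
++ exit(1);
++ }
++
+// Setup filesystem to watch list
+init_fs_list(config.watch_fs);
+
+@@ -454,8 +465,6 @@ int main(int argc, const char *argv[])
+
+// If we are not going to be root, then setup necessary capabilities
+if (config.uid != 0) {
+- if (preconstruct_fifo(&config))
+- exit(1);
+capng_clear(CAPNG_SELECT_BOTH);
+capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+CAP_DAC_OVERRIDE, CAP_SYS_ADMIN, CAP_SYS_PTRACE,
+--
+2.26.2
+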
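Review bot: `atexit(unlink_fifo)` is registered before `preconstruct_fifo(&config)` creates the fifo, so the `exit(1)` on the construction-failure path already invokes the handler against a path that may not exist; that is only harmless if unlink_fifo tolerates ENOENT the way fapolicyd-unlink-fifo2.patch teaches unlink_db to (unlink_fifo's body is not in this hunk — confirm, and give it the same `errno != ENOENT` treatment if it does not). atexit handlers also run in whichever process calls exit(), so if main() still forks to daemonize after this point the parent's exit would remove the fifo the child is about to serve; if that is the case, register the handler after the fork. The error text on the second branch has a typo: `msg(LOG_ERR, "Cannot construct a pipe");`. main() begins and ends outside the hunk.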
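--- /dev/null
+++ b/SOURCES/fapolicyd-unlink-fifo2.patch
@@ -0,0 +1,35 @@
+From 7c2726e8d9c3aa5f8f6710a7ea147bf99877e1a5 Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Tue, 16 Mar 2021 12:49:48 +0100
+Subject: [PATCH] Fixed problem with startup failed on unlink() (#120)
+
+- introduced in 128e22d0c638aed81337a6dbbfa664e5bfc9ea06
+
+- daemon does not start when unlinking non existing db
+- fapolicyd-cli returned error when there is no db to unlink
+
+Signed-off-by: Radovan Sroka <rsroka@redhat.com>
+---
+src/library/database.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/library/database.c b/src/library/database.c
+index a010923..59816cb 100644
+--- a/src/library/database.c
++++ b/src/library/database.c
+@@ -718,13 +718,13 @@ int unlink_db(void)
+
+snprintf(path, sizeof(path), "%s/data.mdb", data_dir);
+rc = unlink(path);
+- if (rc) {
++ if (rc == -1 && errno != ENOENT) {
+msg(LOG_ERR, "Could not unlink %s (%s)", path, strerror(errno));
+ret_val = 1;
+}
+snprintf(path, sizeof(path), "%s/lock.mdb", data_dir);
+rc = unlink(path);
+- if (rc) {
++ if (rc == -1 && errno != ENOENT) {
+msg(LOG_ERR, "Could not unlink %s (%s)", path, strerror(errno));
+ret_val = 1;
+}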
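--- /dev/null
+++ b/SOURCES/fapolicyd-unlink1.patch
@@ -0,0 +1,25 @@
+From a0d93349003100ec773c3253e515c7162737c4c2 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Wed, 3 Mar 2021 13:16:07 -0500
+Subject: [PATCH] Add error message for debugging
+
+---
+src/library/database.c | 4 +++-
+1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/library/database.c b/src/library/database.c
+index db52000..9497c06 100644
+--- a/src/library/database.c
++++ b/src/library/database.c
+@@ -161,8 +161,10 @@ static int init_db(const conf_t *config)
+return 4;
+
+int rc = mdb_env_open(env, data_dir, flags, 0660);
+- if (rc)
++ if (rc) {
++ msg(LOG_ERR, "env_open error: %s", mdb_strerror(rc));
+return 5;
++ }
+
+MDB_maxkeysize = mdb_env_get_maxkeysize(env);
+integrity = config->integrity;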
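Review bot: The new failure branch logs the mdb_env_open error but still returns 5 without `mdb_env_close(env)`; LMDB documents that a failed mdb_env_open leaves a handle that must be closed, so unless the caller of init_db closes it (init_db's head, where env is presumably created, is outside this hunk — confirm), the branch should read `msg(LOG_ERR, "env_open error: %s", mdb_strerror(rc)); mdb_env_close(env); return 5;`. Including the directory in the message, e.g. `"env_open error on %s: %s", data_dir, mdb_strerror(rc)`, would also tell an operator which path failed. init_db begins and ends outside the hunk.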
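--- /dev/null
+++ b/SOURCES/fapolicyd-unlink2.patch
@@ -0,0 +1,33 @@
+From 1b862f3b7c489928f1861396cebb763ae0654371 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Wed, 3 Mar 2021 13:22:10 -0500
+Subject: [PATCH] Add error message for debugging
+
+---
+src/library/database.c | 9 +++++++--
+1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/library/database.c b/src/library/database.c
+index 9497c06..831ec74 100644
+--- a/src/library/database.c
++++ b/src/library/database.c
+@@ -713,12 +713,17 @@ static int check_database_copy(void)
+*/
+void unlink_db(void)
+{
++ int rc;
+char path[64];
+
+snprintf(path, sizeof(path), "%s/data.mdb", data_dir);
+- unlink(path);
++ rc = unlink(path);
++ if (rc)
++ msg(LOG_ERR, "Could not unlink %s (%s)", path, strerror(errno));
+snprintf(path, sizeof(path), "%s/lock.mdb", data_dir);
+- unlink(path);
++ rc = unlink(path);
++ if (rc)
++ msg(LOG_ERR, "Could not unlink %s (%s)", path, strerror(errno));
+}
+
+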
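--- /dev/null
+++ b/SOURCES/fapolicyd-unlink3.patch
@@ -0,0 +1,114 @@
+From 128e22d0c638aed81337a6dbbfa664e5bfc9ea06 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Wed, 3 Mar 2021 13:34:58 -0500
+Subject: [PATCH] If db migration fails due to unlinking problem, fail startup
+
+---
+ChangeLog | 1 +
+src/cli/fapolicyd-cli.c | 5 +++--
+src/library/database.c | 22 ++++++++++++++++------
+src/library/database.h | 4 ++--
+4 files changed, 22 insertions(+), 10 deletions(-)
+
+diff --git a/src/cli/fapolicyd-cli.c b/src/cli/fapolicyd-cli.c
+index 994c9a6..fb9081b 100644
+--- a/src/cli/fapolicyd-cli.c
++++ b/src/cli/fapolicyd-cli.c
+@@ -1,6 +1,6 @@
+/*
+* fapolicy-cli.c - CLI tool for fapolicyd
+- * Copyright (c) 2019,2020 Red Hat Inc.
++ * Copyright (c) 2019-2021 Red Hat Inc.
+* All Rights Reserved.
+*
+* This software may be freely redistributed and/or modified under the
+@@ -89,7 +89,8 @@ static char *get_line(FILE *f, unsigned *lineno)
+
+static int do_delete_db(void)
+{
+- unlink_db();
++ if (unlink_db())
++ return 1;
+return 0;
+}
+
+diff --git a/src/library/database.c b/src/library/database.c
+index 831ec74..a010923 100644
+--- a/src/library/database.c
++++ b/src/library/database.c
+@@ -1,6 +1,6 @@
+/*
+* database.c - Trust database
+- * Copyright (c) 2016,2018-20 Red Hat Inc.
++ * Copyright (c) 2016,2018-21 Red Hat Inc.
+* All Rights Reserved.
+*
+* This software may be freely redistributed and/or modified under the
+@@ -711,23 +711,32 @@ static int check_database_copy(void)
+/*
+* This function removes the trust database files.
+*/
+-void unlink_db(void)
++int unlink_db(void)
+{
+- int rc;
++ int rc, ret_val = 0;
+char path[64];
+
+snprintf(path, sizeof(path), "%s/data.mdb", data_dir);
+rc = unlink(path);
+- if (rc)
++ if (rc) {
+msg(LOG_ERR, "Could not unlink %s (%s)", path, strerror(errno));
++ ret_val = 1;
++ }
+snprintf(path, sizeof(path), "%s/lock.mdb", data_dir);
+rc = unlink(path);
+- if (rc)
++ if (rc) {
+msg(LOG_ERR, "Could not unlink %s (%s)", path, strerror(errno));
++ ret_val = 1;
++ }
++
++ return ret_val;
+}
+
+
+/*
++ * DB version 1 = unique keys (0.8 - 0.9.2)
++ * DB version 2 = allow duplicate keys (0.9.3 - )
++ *
+* This function is used to detect if we are using version1 of the database.
+* If so, we have to delete the database and rebuild it. We cannot mix
+* database versions because lmdb doesn't do that.
+@@ -744,7 +753,8 @@ static int migrate_database(void)
+msg(LOG_INFO, "Database migration will be performed.");
+
+// Then we have a version1 db since it does not track versions
+- unlink_db();
++ if (unlink_db())
++ return 1;
+
+// Create the new, db version tracker and write current version
+fd = open(vpath, O_CREAT|O_EXCL|O_WRONLY, 0640);
+diff --git a/src/library/database.h b/src/library/database.h
+index e828503..f4516b2 100644
+--- a/src/library/database.h
++++ b/src/library/database.h
+@@ -1,6 +1,6 @@
+/*
+* database.h - Header file for trust database
+- * Copyright (c) 2018-20 Red Hat Inc.
++ * Copyright (c) 2018-21 Red Hat Inc.
+* All Rights Reserved.
+*
+* This software may be freely redistributed and/or modified under the
+@@ -41,7 +41,7 @@ int init_database(conf_t *config);
+int check_trust_database(const char *path, struct file_info *info, int fd);
+void close_database(void);
+void database_report(FILE *f);
+-void unlink_db(void);
++int unlink_db(void);
+void unlink_fifo(void);
+
+#endif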
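Review bot: unlink_db's return value now gates database migration and `fapolicyd-cli` deletion, but the paths it acts on are built by `snprintf(path, sizeof(path), "%s/data.mdb", data_dir)` into a 64-byte buffer with the result unchecked; a data_dir longer than 54 bytes is silently truncated, the unlink then targets a path that does not exist, and the new failure path aborts migration with a misleading "Could not unlink" message. Checking the length, `int n = snprintf(path, sizeof(path), "%s/data.mdb", data_dir); if (n < 0 || (size_t)n >= sizeof(path)) return 1;` (and likewise for lock.mdb), keeps the new error gating honest; data_dir is presumably a build-time constant, in which case a `_Static_assert` on its length would serve the same purpose. The same context lines appear in the unlink_db hunks of fapolicyd-unlink2.patch and fapolicyd-unlink-fifo2.patch. As a point of style, do_delete_db's `if (unlink_db()) return 1; return 0;` collapses to `return unlink_db() ? 1 : 0;`.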
@ -1,9 +0,0 @@
|
||||
diff -up ./fapolicyd-selinux-0.2/fapolicyd.fc.pid ./fapolicyd-selinux-0.2/fapolicyd.fc
|
||||
--- ./fapolicyd-selinux-0.2/fapolicyd.fc.pid 2020-06-01 11:17:45.593683440 +0200
|
||||
+++ ./fapolicyd-selinux-0.2/fapolicyd.fc 2020-06-01 11:21:36.420409234 +0200
|
||||
@@ -9,3 +9,5 @@
|
||||
/var/log/fapolicyd-access.log -- gen_context(system_u:object_r:fapolicyd_log_t,s0)
|
||||
|
||||
/var/run/fapolicyd(/.*)? gen_context(system_u:object_r:fapolicyd_var_run_t,s0)
|
||||
+
|
||||
+/var/run/fapolicyd\.pid -- gen_context(system_u:object_r:fapolicyd_var_run_t,s0)
|
@ -1,20 +1,19 @@
|
||||
diff -up ./fapolicyd-selinux-0.2/fapolicyd.te.selinux ./fapolicyd-selinux-0.2/fapolicyd.te
|
||||
--- ./fapolicyd-selinux-0.2/fapolicyd.te.selinux 2019-11-05 14:17:08.000000000 +0100
|
||||
+++ ./fapolicyd-selinux-0.2/fapolicyd.te 2020-05-25 15:02:37.196991039 +0200
|
||||
@@ -30,6 +30,7 @@ files_pid_file(fapolicyd_var_run_t)
|
||||
# fapolicyd local policy
|
||||
#
|
||||
allow fapolicyd_t self:capability { audit_write chown dac_override setgid setuid sys_admin sys_nice sys_ptrace };
|
||||
+allow fapolicyd_t self:cap_userns sys_ptrace;
|
||||
allow fapolicyd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow fapolicyd_t self:process { setcap setsched };
|
||||
allow fapolicyd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@@ -48,7 +49,7 @@ manage_dirs_pattern(fapolicyd_t, fapolic
|
||||
manage_files_pattern(fapolicyd_t, fapolicyd_var_run_t, fapolicyd_var_run_t)
|
||||
manage_fifo_files_pattern(fapolicyd_t, fapolicyd_var_run_t,fapolicyd_var_run_t)
|
||||
manage_lnk_files_pattern(fapolicyd_t, fapolicyd_var_run_t, fapolicyd_var_run_t)
|
||||
-files_pid_filetrans(fapolicyd_t, fapolicyd_var_run_t, { dir file lnk_file })
|
||||
+files_pid_filetrans(fapolicyd_t, fapolicyd_var_run_t, { dir file fifo_file lnk_file })
|
||||
diff -up ./fapolicyd-selinux-0.3/fapolicyd.te.selinux ./fapolicyd-selinux-0.3/fapolicyd.te
|
||||
--- ./fapolicyd-selinux-0.3/fapolicyd.te.selinux 2020-06-01 14:41:37.000000000 +0200
|
||||
+++ ./fapolicyd-selinux-0.3/fapolicyd.te 2021-03-19 10:50:13.885358270 +0100
|
||||
@@ -62,9 +62,14 @@ domain_read_all_domains_state(fapolicyd_
|
||||
files_mmap_usr_files(fapolicyd_t)
|
||||
files_read_all_files(fapolicyd_t)
|
||||
fs_getattr_xattr_fs(fapolicyd_t)
|
||||
+kernel_read_all_sysctls(fapolicyd_t)
|
||||
+kernel_read_all_proc(fapolicyd_t)
|
||||
|
||||
kernel_dgram_send(fapolicyd_t)
|
||||
logging_send_syslog_msg(fapolicyd_t)
|
||||
+dbus_system_bus_client(fapolicyd_t)
|
||||
|
||||
optional_policy(`
|
||||
- rpm_read_db(fapolicyd_t)
|
||||
+ rpm_read_db(fapolicyd_t)
|
||||
+ allow fapolicyd_t rpm_var_lib_t:file { create };
|
||||
+ allow fapolicyd_t rpm_var_lib_t:dir { add_name write };
|
||||
')
|
||||
|
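Review bot: The 0.3 hunk adds `allow fapolicyd_t rpm_var_lib_t:file { create };` and `allow fapolicyd_t rpm_var_lib_t:dir { add_name write };`, which lets the enforcement daemon create files inside the rpm database directory, a wider grant than the `rpm_read_db(fapolicyd_t)` it sits next to, and nothing in the hunk records why it is needed (presumably librpm creating its lock file when the rpmdb trust back-end opens the database — confirm). A comment above the two rules naming the triggering operation, e.g. `# librpm creates its lock file under the rpmdb directory when the rpmdb back-end opens the db`, keeps the widening reviewable, and if the rpm module exports an interface that grants exactly this, prefer it over raw allow rules so the permission follows the rpm policy's own type changes. The `kernel_read_all_proc` and `kernel_read_all_sysctls` additions are in keeping with a daemon that inspects every process, but deserve the same one-line justification.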
@ -1,12 +1,12 @@
|
||||
%global selinuxtype targeted
|
||||
%global moduletype contrib
|
||||
%define semodule_version 0.2
|
||||
%define semodule_version 0.3
|
||||
|
||||
|
||||
Summary: Application Whitelisting Daemon
|
||||
Name: fapolicyd
|
||||
Version: 1.0
|
||||
Release: 3%{?dist}.4
|
||||
Version: 1.0.2
|
||||
Release: 6%{?dist}
|
||||
License: GPLv3+
|
||||
URL: http://people.redhat.com/sgrubb/fapolicyd
|
||||
Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
|
||||
@ -14,37 +14,37 @@ Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/relea
|
||||
BuildRequires: gcc
|
||||
BuildRequires: kernel-headers
|
||||
BuildRequires: autoconf automake make gcc libtool
|
||||
BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel
|
||||
BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel file
|
||||
BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
|
||||
BuildRequires: python3-devel
|
||||
BuildRequires: python2-devel
|
||||
BuildRequires: uthash-devel
|
||||
Requires: rpm-plugin-fapolicyd >= 4.14.3-12
|
||||
Recommends: %{name}-selinux
|
||||
|
||||
Requires(pre): shadow-utils
|
||||
Requires(post): systemd-units
|
||||
Requires(preun): systemd-units
|
||||
Requires(postun): systemd-units
|
||||
|
||||
Patch1: selinux.patch
|
||||
Patch2: fapolicyd-0.9.5-integrity.patch
|
||||
Patch3: selinux-pid.patch
|
||||
Patch4: fapolicyd-cli-args.patch
|
||||
Patch5: fapolicyd-magic-override.patch
|
||||
Patch6: fapolicyd-magic-override2.patch
|
||||
Patch7: fapolicyd-man-page.patch
|
||||
|
||||
Patch8: fapolicyd-trust.patch
|
||||
Patch9: fapolicyd-cli-empty-db.patch
|
||||
Patch10: fapolicyd-cli-big-buffer.patch
|
||||
Patch11: fapolicyd-get-line.patch
|
||||
Patch12: fapolicyd-man-page-trust.patch
|
||||
Patch1: fapolicyd-magic-override.patch
|
||||
Patch2: selinux.patch
|
||||
Patch3: fapolicyd-startup-message.patch
|
||||
Patch4: fapolicyd-cli-hang.patch
|
||||
|
||||
Patch13: fapolicyd-deleted-suffix.patch
|
||||
Patch14: fapolicyd-java1.patch
|
||||
Patch15: fapolicyd-java2.patch
|
||||
Patch16: fapolicyd-java3.patch
|
||||
Patch17: fapolicyd-java4.patch
|
||||
Patch18: fapolicyd-java5.patch
|
||||
# we are making the dnf-plugin completelly dummy because of
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1929163
|
||||
# we require the rpm-plugin from now on and the dnf-plugin still needs to be part of
|
||||
# the fapolicyd package because it provides safe upgrade path
|
||||
Patch5: fapolicyd-dnf-plugin.patch
|
||||
|
||||
Patch6: fapolicyd-unlink1.patch
|
||||
Patch7: fapolicyd-unlink2.patch
|
||||
Patch8: fapolicyd-unlink3.patch
|
||||
Patch9: fapolicyd-unlink-fifo1.patch
|
||||
Patch10: fapolicyd-unlink-fifo2.patch
|
||||
|
||||
Patch11: fapolicyd-fanotify-read-error.patch
|
||||
|
||||
%description
|
||||
Fapolicyd (File Access Policy Daemon) implements application whitelisting
|
||||
@ -59,20 +59,7 @@ Requires: %{name} = %{version}-%{release}
|
||||
BuildRequires: selinux-policy
|
||||
BuildRequires: selinux-policy-devel
|
||||
BuildArch: noarch
|
||||
#%%{?selinux_requires}
|
||||
Requires: selinux-policy >= 3.14.3-54.el8
|
||||
BuildRequires: pkgconfig(systemd)
|
||||
BuildRequires: selinux-policy
|
||||
BuildRequires: selinux-policy-devel
|
||||
Requires(post): selinux-policy-base >= 3.14.3-54.el8
|
||||
Requires(post): libselinux-utils
|
||||
Requires(post): policycoreutils
|
||||
%if 032 || 0 > 7
|
||||
Requires(post): policycoreutils-python-utils
|
||||
%else
|
||||
Requires(post): policycoreutils-python
|
||||
%endif
|
||||
|
||||
%{?selinux_requires}
|
||||
|
||||
%description selinux
|
||||
The %{name}-selinux package contains selinux policy for the %{name} daemon.
|
||||
@ -84,33 +71,27 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.
|
||||
# selinux
|
||||
%setup -q -D -T -a 1
|
||||
|
||||
%patch1 -p1 -b .magic
|
||||
%patch2 -p1 -b .selinux
|
||||
%patch3 -p1 -b .startup
|
||||
%patch4 -p1 -b .cli-hang
|
||||
|
||||
%patch5 -p1 -b .plugin
|
||||
|
||||
%patch6 -p1 -b .unlink1
|
||||
%patch7 -p1 -b .unlink2
|
||||
%patch8 -p1 -b .unlink3
|
||||
|
||||
%patch9 -p1 -b .unlink_fifo1
|
||||
%patch10 -p1 -b .unlink_fifo2
|
||||
|
||||
%patch11 -p1 -b .fanotify_read
|
||||
|
||||
# generate rules for python
|
||||
sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
|
||||
sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
|
||||
sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
|
||||
|
||||
%patch1 -p1 -b .selinux
|
||||
%patch2 -p1 -b .integrity
|
||||
%patch3 -p1 -b .pid
|
||||
%patch4 -p1 -b .args
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1 -b .man-page
|
||||
|
||||
%patch8 -p1 -b .trust
|
||||
%patch9 -p1 -b .cli-empty-db
|
||||
%patch10 -p1 -b .cli-big-buffer
|
||||
%patch11 -p1 -b .get-line
|
||||
%patch12 -p1 -b .man-page-trust
|
||||
|
||||
# zstream
|
||||
%patch13 -p1 -b .deleted
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
%patch17 -p1
|
||||
%patch18 -p1
|
||||
|
||||
%build
|
||||
./autogen.sh
|
||||
%configure \
|
||||
@ -129,6 +110,9 @@ popd
|
||||
%pre selinux
|
||||
%selinux_relabel_pre -s %{selinuxtype}
|
||||
|
||||
%check
|
||||
make check
|
||||
|
||||
%install
|
||||
make DESTDIR="%{buildroot}" INSTALL='install -p' install
|
||||
mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/
|
||||
@ -169,6 +153,7 @@ if posix.access("/run/fapolicyd.pid", "f") then
|
||||
echo "$rule" > $c
|
||||
cat $tmp >> $c
|
||||
systemctl restart fapolicyd || true
|
||||
sleep 10
|
||||
cat $tmp > $c
|
||||
rm -f $tmp
|
||||
fi
|
||||
@ -212,6 +197,7 @@ end
|
||||
%{python3_sitelib}/dnf-plugins/%{name}-dnf-plugin.py
|
||||
%{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc
|
||||
|
||||
|
||||
# selinux
|
||||
%files selinux
|
||||
%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
|
||||
@ -220,6 +206,7 @@ end
|
||||
|
||||
%post selinux
|
||||
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
|
||||
%selinux_relabel_post -s %{selinuxtype}
|
||||
|
||||
%postun selinux
|
||||
if [ $1 -eq 0 ]; then
|
||||
@ -230,28 +217,32 @@ fi
|
||||
%selinux_relabel_post -s %{selinuxtype}
|
||||
|
||||
%changelog
|
||||
* Thu Dec 10 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3.4
|
||||
RHEL 8.3.Z ERRATUM
|
||||
- Adding DISA STIG during OS installation causes 'ipa-server-install' to fail [rhel-8.3.0.z]
|
||||
* Tue Mar 23 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.2-6
|
||||
RHEL 8.4.0 ERRATUM
|
||||
- fapolicyd abnormally exits by executing sosreport
|
||||
Resolves: rhbz#1940289
|
||||
|
||||
* Thu Mar 18 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.2-5
|
||||
RHEL 8.4.0 ERRATUM
|
||||
- fixed multiple problems with unlink()
|
||||
- fapolicyd breaks system upgrade, leaving system in dead state - complete fix
|
||||
Resolves: rhbz#1896875
|
||||
|
||||
* Tue Feb 16 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.2-3
|
||||
RHEL 8.4.0 ERRATUM
|
||||
- rebase to 1.0.2
|
||||
- strong dependency on rpm/rpm-plugin-fapolicyd
|
||||
- installed dnf-plugin is dummy and we are not using it anymore
|
||||
- enabled integrity setting
|
||||
Resolves: rhbz#1887451
|
||||
- added make check
|
||||
- Adding DISA STIG during OS installation causes 'ipa-server-install' to fail
|
||||
- fixed java detection
|
||||
Resolves: rhbz#1905895
|
||||
- Erratum RHBA-2020:4969 is of no help when upgrading partially RHEL 8.2 systems [rhel-8.3.0.z]
|
||||
Resolves: rhbz#1906472
|
||||
|
||||
* Fri Nov 13 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3.3
|
||||
RHEL 8.3.Z ERRATUM
|
||||
Resolves: rhbz#1897090
|
||||
|
||||
* Fri Nov 06 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3.2
|
||||
RHEL 8.3.Z ERRATUM
|
||||
- selinux requires inlined
|
||||
Resolves: rhbz#1895513
|
||||
|
||||
* Fri Nov 06 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3.1
|
||||
RHEL 8.3.Z ERRATUM
|
||||
- allow root everything
|
||||
- ensure that root rule is in .rules
|
||||
Resolves: rhbz#1895513
|
||||
Resolves: rhbz#1895435
|
||||
- dnf update fails when fapolicyd is enabled
|
||||
Resolves: rhbz#1876975
|
||||
- fapolicyd breaks system upgrade, leaving system in dead state - complete fix
|
||||
Resolves: rhbz#1896875
|
||||
|
||||
* Tue Jun 30 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3
|
||||
RHEL 8.3 ERRATUM
|
||||
|