rpms/fapolicyd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import fapolicyd-1.1-103.el9_0

Browse Source
This commit is contained in:
CentOS Sources 2022-05-17 04:54:42 -04:00 committed by Stepan Oksanichenko
commit b4398e8698
8 changed files with 816 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.fapolicyd.metadata Normal file
View File

@ -0,0 +1,3 @@
1fa6cf3f0a15bbef745438c1ba7b685ebf7e75f1 SOURCES/fapolicyd-1.1.tar.gz
bdbe20a4db2cd58073abf17a537e3a6766cdea21 SOURCES/fapolicyd-selinux-0.4.tar.gz
fbafa356359ace80787ce6634d84425b40d90907 SOURCES/uthash-2.3.0.tar.gz

3
.gitignore vendored Normal file
View File

@ -0,0 +1,3 @@
SOURCES/fapolicyd-1.1.tar.gz
SOURCES/fapolicyd-selinux-0.4.tar.gz
SOURCES/uthash-2.3.0.tar.gz

13
SOURCES/fagenrules-group.patch Normal file
View File

@ -0,0 +1,13 @@
diff -up ./init/fagenrules.fix ./init/fagenrules
--- ./init/fagenrules.fix 2022-04-01 16:12:50.512164904 +0200
+++ ./init/fagenrules 2022-04-01 16:21:07.924712100 +0200
@@ -117,7 +117,8 @@ fi
# We copy the file so that it gets the right selinux label
cp ${TmpRules} ${DestinationFile}
-chmod 0640 ${DestinationFile}
+chmod 0644 ${DestinationFile}
+chgrp fapolicyd ${DestinationFile}
# Restore context on MLS system.
# /tmp is SystemLow & fapolicyd.rules is SystemHigh

27
SOURCES/fapolicyd-1.1.1-ld_so.patch Normal file
View File

@ -0,0 +1,27 @@
diff -urp fapolicyd-1.1.1.orig/fapolicyd.spec fapolicyd-1.1.1/fapolicyd.spec
--- fapolicyd-1.1.1.orig/fapolicyd.spec 2022-01-28 15:17:55.000000000 -0500
+++ fapolicyd-1.1.1/fapolicyd.spec 2022-01-28 15:19:31.594155397 -0500
@@ -30,7 +30,7 @@ makes use of the kernel's fanotify inter
# generate rules for python
sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
-sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
+sed -i "s/%ld_so_path%/`readelf -e /usr/bin/bash | grep Requesting | sed 's/.$//' | rev | cut -d" " -f1 | rev | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
%build
%configure \
diff -urp fapolicyd-1.1.1.orig/m4/dyn_linker.m4 fapolicyd-1.1.1/m4/dyn_linker.m4
--- fapolicyd-1.1.1.orig/m4/dyn_linker.m4 2022-01-28 15:17:55.000000000 -0500
+++ fapolicyd-1.1.1/m4/dyn_linker.m4 2022-01-28 15:20:02.048609672 -0500
@@ -1,6 +1,10 @@
AC_DEFUN([LD_SO_PATH],
[
- xpath=`realpath /usr/lib64/ld-2.*.so`
+ xpath1=`readelf -e /usr/bin/bash | grep Requesting | sed 's/.$//' | rev | cut -d" " -f1 | rev`
+ xpath=`realpath $xpath1`
+ if test ! -f "$xpath" ; then
+ AC_MSG_ERROR([Cant find the dynamic linker])
+ fi
echo "dynamic linker is.....$xpath"
AC_DEFINE_UNQUOTED(SYSTEM_LD_SO, ["$xpath"], [dynamic linker])
])

109
SOURCES/fapolicyd-reorder-rules.patch Normal file
View File

@ -0,0 +1,109 @@
From 609ffa1d2ed490c7d5c77d2dd2dfdc50f415b935 Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Thu, 24 Mar 2022 09:59:05 +0100
Subject: [PATCH] Reorder loop holes with patterns in rules.d
- this keeps backwards compatibility with older wersions of rules
- the ld_so pattern was applied to root
- it caused problems with running ldd as root(previously unrestricted)
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
fapolicyd.spec | 6 +++---
rules.d/{30-dracut.rules => 20-dracut.rules} | 0
rules.d/{30-updaters.rules => 21-updaters.rules} | 0
rules.d/{20-patterns.rules => 30-patterns.rules} | 0
rules.d/Makefile.am | 4 ++--
rules.d/README-rules | 16 ++++++++--------
6 files changed, 13 insertions(+), 13 deletions(-)
rename rules.d/{30-dracut.rules => 20-dracut.rules} (100%)
rename rules.d/{30-updaters.rules => 21-updaters.rules} (100%)
rename rules.d/{20-patterns.rules => 30-patterns.rules} (100%)
diff --git a/fapolicyd.spec b/fapolicyd.spec
index c2aae21..261b780 100644
--- a/fapolicyd.spec
+++ b/fapolicyd.spec
@@ -66,9 +66,9 @@ if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
if [ "$files" -eq 0 ] ; then
## Install the known libs policy
cp %{_datadir}/%{name}/sample-rules/10-languages.rules %{_sysconfdir}/%{name}/rules.d/
-cp %{_datadir}/%{name}/sample-rules/20-patterns.rules %{_sysconfdir}/%{name}/rules.d/
-cp %{_datadir}/%{name}/sample-rules/30-dracut.rules %{_sysconfdir}/%{name}/rules.d/
-cp %{_datadir}/%{name}/sample-rules/30-updaters.rules %{_sysconfdir}/%{name}/rules.d/
+cp %{_datadir}/%{name}/sample-rules/20-dracut.rules %{_sysconfdir}/%{name}/rules.d/
+cp %{_datadir}/%{name}/sample-rules/21-updaters.rules %{_sysconfdir}/%{name}/rules.d/
+cp %{_datadir}/%{name}/sample-rules/30-patterns.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/40-bad-elf.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/41-shared-obj.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/42-trusted-elf.rules %{_sysconfdir}/%{name}/rules.d/
diff --git a/rules.d/30-dracut.rules b/rules.d/20-dracut.rules
similarity index 100%
rename from rules.d/30-dracut.rules
rename to rules.d/20-dracut.rules
diff --git a/rules.d/30-updaters.rules b/rules.d/21-updaters.rules
similarity index 100%
rename from rules.d/30-updaters.rules
rename to rules.d/21-updaters.rules
diff --git a/rules.d/20-patterns.rules b/rules.d/30-patterns.rules
similarity index 100%
rename from rules.d/20-patterns.rules
rename to rules.d/30-patterns.rules
diff --git a/rules.d/Makefile.am b/rules.d/Makefile.am
index 76b5377..9bb61a7 100644
--- a/rules.d/Makefile.am
+++ b/rules.d/Makefile.am
@@ -23,8 +23,8 @@
CONFIG_CLEAN_FILES = *.rej *.orig
-EXTRA_DIST = README-rules 10-languages.rules 20-patterns.rules \
- 30-dracut.rules 30-updaters.rules \
+EXTRA_DIST = README-rules 10-languages.rules 20-dracut.rules \
+ 21-updaters.rules 30-patterns.rules \
40-bad-elf.rules 41-shared-obj.rules 42-trusted-elf.rules \
43-known-elf.rules \
70-trusted-lang.rules 71-known-python.rules 72-shell.rules \
diff --git a/rules.d/README-rules b/rules.d/README-rules
index c03c02b..30fcd01 100644
--- a/rules.d/README-rules
+++ b/rules.d/README-rules
@@ -5,8 +5,8 @@ sort order. To make things easier to use, the files in this directory are
organized into groups with the following meanings:
10 - macros
-20 - patterns
-30 - loop holes
+20 - loop holes
+30 - patterns
40 - ELF rules
50 - user/group access rules
60 - application access rules
@@ -25,9 +25,9 @@ You can reconstruct the old policy files by including the following:
fapolicyd.rules.known-libs
--------------------------
10-languages.rules
-20-patterns.rules
-30-dracut.rules
-30-updaters.rules
+20-dracut.rules
+21-updaters.rules
+30-patterns.rules
40-bad-elf.rules
41-shared-obj.rules
42-trusted-elf.rules
@@ -39,9 +39,9 @@ fapolicyd.rules.known-libs
fapolicyd.rules.restrictive
---------------------------
10-languages.rules
-20-patterns.rules
-30-dracut.rules
-30-updaters.rules
+20-dracut.rules
+21-updaters.rules
+30-patterns.rules
40-bad-elf.rules
41-shared-obj.rules
43-known-elf.rules
--
2.35.1

170
SOURCES/fapolicyd-selinux.patch Normal file
View File

@ -0,0 +1,170 @@
diff --color -ru a/fapolicyd-selinux-0.4/fapolicyd.if b/fapolicyd-selinux-0.4/fapolicyd.if
--- a/fapolicyd-selinux-0.4/fapolicyd.if 2021-03-23 10:21:31.000000000 +0100
+++ b/fapolicyd-selinux-0.4/fapolicyd.if 2021-12-14 13:35:17.842430123 +0100
@@ -2,6 +2,122 @@
########################################
## <summary>
+## Watch_mount directories in /boot.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+
+ifndef(`files_watch_mount_boot_dirs',`
+ interface(`files_watch_mount_boot_dirs',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ allow $1 boot_t:dir watch_mount_dir_perms;
+ ')
+')
+
+
+########################################
+## <summary>
+## Watch_mount home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+
+ifndef(`files_watch_mount_home',`
+ interface(`files_watch_mount_home',`
+ gen_require(`
+ type home_root_t;
+ ')
+
+ allow $1 home_root_t:dir watch_mount_dir_perms;
+ ')
+')
+
+
+########################################
+## <summary>
+## Watch_with_perm home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+
+ifndef(`files_watch_with_perm_home',`
+interface(`files_watch_with_perm_home',`
+ gen_require(`
+ type home_root_t;
+ ')
+
+ allow $1 home_root_t:dir watch_with_perm_dir_perms;
+')
+')
+
+
+########################################
+## <summary>
+## Watch_mount dirs on a DOS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+
+ifndef(`fs_watch_mount_dos_dirs',`
+interface(`fs_watch_mount_dos_dirs',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+ watch_mount_dirs_pattern($1, dosfs_t, dosfs_t)
+')
+')
+
+
+
+########################################
+## <summary>
+## Watch_with_perm dirs on a DOS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+
+ifndef(`fs_watch_with_perm_dos_dirs',`
+interface(`fs_watch_with_perm_dos_dirs',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+ watch_with_perm_dirs_pattern($1, dosfs_t, dosfs_t)
+')
+')
+
+
+###################################################################################################
+
+
+
+
+########################################
+## <summary>
## Execute fapolicyd_exec_t in the fapolicyd domain.
## </summary>
## <param name="domain">
diff --color -ru a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te
--- a/fapolicyd-selinux-0.4/fapolicyd.te 2021-03-23 10:21:31.000000000 +0100
+++ b/fapolicyd-selinux-0.4/fapolicyd.te 2021-12-14 13:35:17.842430123 +0100
@@ -1,5 +1,6 @@
policy_module(fapolicyd, 1.0.0)
+
########################################
#
# Declarations
@@ -36,6 +37,12 @@
allow fapolicyd_t self:unix_stream_socket create_stream_socket_perms;
allow fapolicyd_t self:unix_dgram_socket create_socket_perms;
+gen_require(`
+ attribute file_type;
+')
+allow fapolicyd_t file_type:dir { watch_mount watch_with_perm };
+allow fapolicyd_t file_type:file { watch_mount watch_with_perm };
+
manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t)
logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)
@@ -63,14 +70,20 @@
files_mmap_usr_files(fapolicyd_t)
files_read_all_files(fapolicyd_t)
+files_watch_mount_boot_dirs(fapolicyd_t)
+files_watch_with_perm_boot_dirs(fapolicyd_t)
files_watch_mount_generic_tmp_dirs(fapolicyd_t)
files_watch_with_perm_generic_tmp_dirs(fapolicyd_t)
+files_watch_mount_home(fapolicyd_t)
+files_watch_with_perm_home(fapolicyd_t)
files_watch_mount_root_dirs(fapolicyd_t)
files_watch_with_perm_root_dirs(fapolicyd_t)
fs_getattr_xattr_fs(fapolicyd_t)
fs_watch_mount_tmpfs_dirs(fapolicyd_t)
fs_watch_with_perm_tmpfs_dirs(fapolicyd_t)
+fs_watch_mount_dos_dirs(fapolicyd_t)
+fs_watch_with_perm_dos_dirs(fapolicyd_t)
logging_send_syslog_msg(fapolicyd_t)
dbus_system_bus_client(fapolicyd_t)

39
SOURCES/fapolicyd-uthash-bundle.patch Normal file
View File

@ -0,0 +1,39 @@
diff --color -ru a/configure.ac b/configure.ac
--- a/configure.ac 2021-11-12 20:21:54.000000000 +0100
+++ b/configure.ac 2021-12-14 13:47:11.890649552 +0100
@@ -67,10 +67,6 @@
["Couldn't find sys/fanotify.h...your kernel might not be new enough"] )])
AC_CHECK_FUNCS(fexecve, [], [])
-AC_CHECK_HEADER(uthash.h, , [AC_MSG_ERROR(
-["Couldn't find uthash.h...uthash-devel is missing"] )])
-
-
echo .
echo Checking for required libraries
AC_CHECK_LIB(udev, udev_device_get_devnode, , [AC_MSG_ERROR([libudev not found])], -ludev)
diff --color -ru a/src/library/rpm-backend.c b/src/library/rpm-backend.c
--- a/src/library/rpm-backend.c 2021-11-12 20:21:54.000000000 +0100
+++ b/src/library/rpm-backend.c 2021-12-14 13:47:26.833926203 +0100
@@ -32,7 +32,7 @@
#include <rpm/rpmdb.h>
#include <fnmatch.h>
-#include <uthash.h>
+#include "uthash.h"
#include "message.h"
#include "gcc-attributes.h"
diff --color -ru a/src/Makefile.am b/src/Makefile.am
--- a/src/Makefile.am 2021-11-12 20:21:54.000000000 +0100
+++ b/src/Makefile.am 2021-12-14 13:48:03.218599808 +0100
@@ -5,6 +5,9 @@
-I${top_srcdir} \
-I${top_srcdir}/src/library
+AM_CPPFLAGS += \
+ -I${top_srcdir}/uthash-2.3.0/include
+
sbin_PROGRAMS = fapolicyd fapolicyd-cli
lib_LTLIBRARIES= libfapolicyd.la

452
SPECS/fapolicyd.spec Normal file
View File

@ -0,0 +1,452 @@
%global selinuxtype targeted
%global moduletype contrib
%define semodule_version 0.4
Summary: Application Whitelisting Daemon
Name: fapolicyd
Version: 1.1
Release: 103%{?dist}
License: GPLv3+
URL: http://people.redhat.com/sgrubb/fapolicyd
Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz
# we bundle uthash for rhel9
Source2: https://github.com/troydhanson/uthash/archive/refs/tags/v2.3.0.tar.gz#/uthash-2.3.0.tar.gz
BuildRequires: gcc
BuildRequires: kernel-headers
BuildRequires: autoconf automake make gcc libtool
BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel file
BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
BuildRequires: python3-devel
%if 0%{?rhel} == 0
BuildRequires: uthash-devel
%endif
Requires: %{name}-plugin
Recommends: %{name}-selinux
Requires(pre): shadow-utils
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
Patch1: fapolicyd-uthash-bundle.patch
Patch2: fapolicyd-selinux.patch
Patch3: fapolicyd-reorder-rules.patch
Patch4: fagenrules-group.patch
# 2069120 - CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path [rhel-8.6.0]
Patch5: fapolicyd-1.1.1-ld_so.patch
%description
Fapolicyd (File Access Policy Daemon) implements application whitelisting
to decide file access rights. Applications that are known via a reputation
source are allowed access while unknown applications are not. The daemon
makes use of the kernel's fanotify interface to determine file access rights.
%package selinux
Summary: Fapolicyd selinux
Group: Applications/System
Requires: %{name} = %{version}-%{release}
BuildRequires: selinux-policy
BuildRequires: selinux-policy-devel
BuildArch: noarch
%{?selinux_requires}
%description selinux
The %{name}-selinux package contains selinux policy for the %{name} daemon.
%package dnf-plugin
Summary: Fapolicyd dnf plugin
Group: Applications/System
Requires: %{name} = %{version}-%{release}
BuildArch: noarch
Provides: %{name}-plugin
%description dnf-plugin
The %{name}-dnf-plugin notifies %{name} daemon about dnf update.
The dnf plugin will be replaced with rpm plugin later.
Don't use dnf and rpm plugin together.
%prep
%setup -q
# selinux
%setup -q -D -T -a 1
%if 0%{?rhel} != 0
# uthash
%setup -q -D -T -a 2
%patch1 -p1 -b .uthash
%endif
%patch2 -p1 -b .selinux
%patch3 -p1 -b .reorder
%patch4 -p1 -b .group
%patch5 -p1 -b .ld_so
# generate rules for python
sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules
sed -i "s|%python3_path%|`readlink -f %{__python3}`|g" rules.d/*.rules
interpret=`readelf -e /usr/bin/bash \
| grep Requesting \
| sed 's/.$//' \
| rev | cut -d" " -f1 \
| rev`
sed -i "s|%ld_so_path%|`realpath $interpret`|g" rules.d/*.rules
%build
./autogen.sh
%configure \
--with-audit \
--with-rpm \
--disable-shared
make CFLAGS="%{optflags}" %{?_smp_mflags}
# selinux
pushd %{name}-selinux-%{semodule_version}
make
popd
%check
make check
# selinux
%pre selinux
%selinux_relabel_pre -s %{selinuxtype}
%install
%make_install
mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/
install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/
install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf
mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}
mkdir -p %{buildroot}/run/%{name}
mkdir -p %{buildroot}%{_sysconfdir}/%{name}/trust.d
mkdir -p %{buildroot}%{_sysconfdir}/%{name}/rules.d
# get list of file names between known-libs and restrictive from sample-rules/README-rules
cat %{buildroot}/%{_datadir}/%{name}/sample-rules/README-rules \
| grep -A 100 'known-libs' \
| grep -B 100 'restrictive' \
| grep '^[0-9]' > %{buildroot}/%{_datadir}/%{name}/default-ruleset.known-libs
chmod 644 %{buildroot}/%{_datadir}/%{name}/default-ruleset.known-libs
# selinux
install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
#cleanup
find %{buildroot} \( -name '*.la' -o -name '*.a' \) -delete
%define manage_default_rules default_changed=0 \
# check changed fapolicyd.rules \
if [ -e %{_sysconfdir}/%{name}/%{name}.rules ]; then \
diff %{_sysconfdir}/%{name}/%{name}.rules %{_datadir}/%{name}/%{name}.rules.known-libs >/dev/null 2>&1 || { \
default_changed=1; \
#echo "change detected in fapolicyd.rules"; \
} \
fi \
if [ -e %{_sysconfdir}/%{name}/rules.d ]; then \
default_ruleset='' \
# get listing of default rule files in known-libs \
[ -e %{_datadir}/%{name}/default-ruleset.known-libs ] && default_ruleset=`cat %{_datadir}/%{name}/default-ruleset.known-libs` \
# check for removed or added files \
default_count=`echo "$default_ruleset" | wc -l` \
current_count=`ls -1 %{_sysconfdir}/%{name}/rules.d/*.rules | wc -l` \
[ $default_count -eq $current_count ] || { \
default_changed=1; \
#echo "change detected in number of rule files d:$default_count vs c:$current_count"; \
} \
for file in %{_sysconfdir}/%{name}/rules.d/*.rules; do \
if echo "$default_ruleset" | grep -q "`basename $file`"; then \
# compare content of the rule files \
diff $file %{_datadir}/%{name}/sample-rules/`basename $file` >/dev/null 2>&1 || { \
default_changed=1; \
#echo "change detected in `basename $file`"; \
} \
else \
# added file detected \
default_changed=1 \
#echo "change detected in added rules file `basename $file`"; \
fi \
done \
fi \
# remove files if no change against default rules detected \
[ $default_changed -eq 0 ] && rm -rf %{_sysconfdir}/%{name}/%{name}.rules %{_sysconfdir}/%{name}/rules.d/* || : \
%pre
getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
if [ $1 -eq 2 ]; then
# detect changed default rules in case of upgrade
%manage_default_rules
fi
%post
# if no pre-existing rule file
if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
files=`ls %{_sysconfdir}/%{name}/rules.d/ 2>/dev/null | wc -w`
# Only if no pre-existing component rules
if [ "$files" -eq 0 ] ; then
## Install the known libs policy
for rulesfile in `cat %{_datadir}/%{name}/default-ruleset.known-libs`; do
cp %{_datadir}/%{name}/sample-rules/$rulesfile %{_sysconfdir}/%{name}/rules.d/
done
chgrp %{name} %{_sysconfdir}/%{name}/rules.d/*
if [ -x /usr/sbin/restorecon ] ; then
# restore correct label
/usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/*
fi
fagenrules > /dev/null 2>&1
fi
fi
%systemd_post %{name}.service
%preun
%systemd_preun %{name}.service
if [ $1 -eq 0 ]; then
# detect changed default rules in case of uninstall
%manage_default_rules
else
[ -e %{_sysconfdir}/%{name}/%{name}.rules ] && rm -rf %{_sysconfdir}/%{name}/rules.d/* || :
fi
%postun
%systemd_postun_with_restart %{name}.service
%files
%doc README.md
%{!?_licensedir:%global license %%doc}
%license COPYING
%attr(755,root,%{name}) %dir %{_datadir}/%{name}
%attr(755,root,%{name}) %dir %{_datadir}/%{name}/sample-rules
%attr(644,root,%{name}) %{_datadir}/%{name}/default-ruleset.known-libs
%attr(644,root,%{name}) %{_datadir}/%{name}/sample-rules/*
%attr(644,root,%{name}) %{_datadir}/%{name}/fapolicyd-magic.mgc
%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/trust.d
%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/rules.d
%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/rules.d/*
%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
%ghost %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules
%attr(644,root,root) %{_unitdir}/%{name}.service
%attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
%attr(755,root,root) %{_sbindir}/%{name}
%attr(755,root,root) %{_sbindir}/%{name}-cli
%attr(755,root,root) %{_sbindir}/fagenrules
%attr(644,root,root) %{_mandir}/man8/*
%attr(644,root,root) %{_mandir}/man5/*
%attr(644,root,root) %{_mandir}/man1/*
%ghost %attr(440,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/log/%{name}-access.log
%attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name}
%attr(770,root,%{name}) %dir /run/%{name}
%ghost %attr(660,root,%{name}) /run/%{name}/%{name}.fifo
%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/data.mdb
%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/lock.mdb
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
%post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
%selinux_relabel_post -s %{selinuxtype}
%postun selinux
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall -s %{selinuxtype} %{name}
fi
%posttrans selinux
%selinux_relabel_post -s %{selinuxtype}
%files dnf-plugin
%{python3_sitelib}/dnf-plugins/%{name}-dnf-plugin.py
%{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc
%changelog
* Wed Apr 06 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-103
RHEL 9.0.0 ERRATUM
- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path
Resolves: rhbz#2069122
* Sun Apr 3 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-101
RHEL 9.0.0 ERRATUM
- fapolicyd denies access to /usr/lib64/ld-2.28.so
Resolves: rhbz#2066904
* Wed Feb 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-100
RHEL 9.0.0 ERRATUM
- rebase to 1.1
Resolves: rhbz#2032408
- introduce rules.d
Resolves: rhbz#2054740
- remove pretrans scriptlet
Resolve: rhbz#2051481
* Tue Dec 14 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.4-101
RHEL 9.0.0 ERRATUM
- rebase to 1.0.4
- added rpm_sha256_only option
- added trust.d directory
- allow file names with whitespaces in trust files
- use full paths in trust files
Resolves: rhbz#2032408
- fix libc.so getting identified as application/x-executable
Resolves: rhbz#2015307
- fix selinux DSP module definition in spec file
Resolves: rhbz#2014449
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.3-4
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Tue Jul 20 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.3-3
RHEL 9 BETA
- SELinux prevents fapolicyd from watch_mount/watch_with_perm on /dev/shm
Resolves: rhbz#1932225
Resolves: rhbz#1977731
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.3-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Thu Apr 01 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.3-1
- rebase to 1.0.3
- sync fedora with rhel
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Jan 06 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.2-1
- rebase to 1.0.2
- enabled make check
- dnf-plugin is now required subpackage
* Mon Nov 16 2020 Radovan Sroka <rsroka@redhat.com> - 1.0.1-1
- rebase to 1.0.1
- introduced uthash dependency
- SELinux prevents the fapolicyd process from writing to /run/dbus/system_bus_socket
Resolves: rhbz#1874491
- SELinux prevents the fapolicyd process from writing to /var/lib/rpm directory
Resolves: rhbz#1876538
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jun 24 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3
- backported few cosmetic small patches from upstream master
- rebase selinux tarbal to v0.3
- file context pattern for /run/fapolicyd.pid is missing
Resolves: rhbz#1834674
* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 1.0-2
- Rebuilt for Python 3.9
* Mon May 25 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-1
- rebase fapolicyd to 1.0
- allowed sys_ptrace for user namespace
* Mon Mar 23 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.4-1
- rebase fapolicyd to 0.9.4
- polished the pattern detection engine
- rpm backend now drops most of the files in /usr/share/ to dramatically reduce
memory consumption and improve startup speed
- the commandline utility can now delete the lmdb trust database and manage
the file trust source
* Mon Feb 24 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.3-1
- rebase fapolicyd to 0.9.3
- dramatically improved startup time
- fapolicyd-cli has picked up --list and --ftype commands to help debug/write policy
- file type identification has been improved
- trust database statistics have been added to the reports
* Tue Feb 04 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.2-2
- Label all fifo_file as fapolicyd_var_run_t in /var/run.
- Allow fapolicyd_t domain to create fifo files labeled as
fapolicyd_var_run_t
* Fri Jan 31 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.2-1
- rebase fapolicyd to 0.9.2
- allows watched mount points to be specified by file system types
- ELF file detection was improved
- the rules have been rewritten to express the policy based on subject
object trust for better performance and reliability
- exceptions for dracut and ansible were added to the rules to avoid problems
under normal system use
- adds an admin defined trust database (fapolicyd.trust)
- setting boost, queue, user, and group on the daemon
command line are deprecated
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Tue Nov 05 2019 Marek Tamaskovic <mtamasko@redhat.com> - 0.9-3
- Updated fapolicyd-selinux subpackage to v0.2
Selinux subpackage is recommended for fapolicyd.
* Mon Oct 07 2019 Radovan Sroka <rsroka@redhat.com> - 0.9-2
- Added fapolicyd-selinux subpackage
* Mon Oct 07 2019 Radovan Sroka <rsroka@redhat.com> - 0.9-1
- rebase to v0.9
* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 0.8.10-2
- Rebuilt for Python 3.8.0rc1 (#1748018)
* Wed Aug 28 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-1
- rebase to 0.8.10
- generate python paths dynamically
* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 0.8.9-5
- Rebuilt for Python 3.8
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.9-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon Jun 10 22:13:18 CET 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.8.9-3
- Rebuild for RPM 4.15
* Mon Jun 10 15:42:01 CET 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.8.9-2
- Rebuild for RPM 4.15
* Mon May 06 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.9-1
- New upstream release
* Wed Mar 13 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.8-2
- backport some patches to resolve dac_override for fapolicyd
* Mon Mar 11 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.8-1
- New upstream release
- Added new DNF plugin that can update the trust database when rpms are installed
- Added support for FAN_OPEN_EXEC_PERM
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.7-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Oct 03 2018 Steve Grubb <sgrubb@redhat.com> 0.8.7-1
- New upstream bugfix release
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Jun 07 2018 Steve Grubb <sgrubb@redhat.com> 0.8.6-1
- New upstream feature release
* Fri May 18 2018 Steve Grubb <sgrubb@redhat.com> 0.8.5-2
- Add dist tag (#1579362)
* Fri Feb 16 2018 Steve Grubb <sgrubb@redhat.com> 0.8.5-1
- New release