commit b4398e8698580316e525906ca66e964050fadf94 Author: CentOS Sources Date: Tue May 17 04:54:42 2022 -0400 import fapolicyd-1.1-103.el9_0 diff --git a/.fapolicyd.metadata b/.fapolicyd.metadata new file mode 100644 index 0000000..6c6ff97 --- /dev/null +++ b/.fapolicyd.metadata @@ -0,0 +1,3 @@ +1fa6cf3f0a15bbef745438c1ba7b685ebf7e75f1 SOURCES/fapolicyd-1.1.tar.gz +bdbe20a4db2cd58073abf17a537e3a6766cdea21 SOURCES/fapolicyd-selinux-0.4.tar.gz +fbafa356359ace80787ce6634d84425b40d90907 SOURCES/uthash-2.3.0.tar.gz diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..f9a4168 --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +SOURCES/fapolicyd-1.1.tar.gz +SOURCES/fapolicyd-selinux-0.4.tar.gz +SOURCES/uthash-2.3.0.tar.gz diff --git a/SOURCES/fagenrules-group.patch b/SOURCES/fagenrules-group.patch new file mode 100644 index 0000000..744bb64 --- /dev/null +++ b/SOURCES/fagenrules-group.patch @@ -0,0 +1,13 @@ +diff -up ./init/fagenrules.fix ./init/fagenrules +--- ./init/fagenrules.fix 2022-04-01 16:12:50.512164904 +0200 ++++ ./init/fagenrules 2022-04-01 16:21:07.924712100 +0200 +@@ -117,7 +117,8 @@ fi + + # We copy the file so that it gets the right selinux label + cp ${TmpRules} ${DestinationFile} +-chmod 0640 ${DestinationFile} ++chmod 0644 ${DestinationFile} ++chgrp fapolicyd ${DestinationFile} + + # Restore context on MLS system. + # /tmp is SystemLow & fapolicyd.rules is SystemHigh diff --git a/SOURCES/fapolicyd-1.1.1-ld_so.patch b/SOURCES/fapolicyd-1.1.1-ld_so.patch new file mode 100644 index 0000000..a79cca7 --- /dev/null +++ b/SOURCES/fapolicyd-1.1.1-ld_so.patch @@ -0,0 +1,27 @@ +diff -urp fapolicyd-1.1.1.orig/fapolicyd.spec fapolicyd-1.1.1/fapolicyd.spec +--- fapolicyd-1.1.1.orig/fapolicyd.spec 2022-01-28 15:17:55.000000000 -0500 ++++ fapolicyd-1.1.1/fapolicyd.spec 2022-01-28 15:19:31.594155397 -0500 +@@ -30,7 +30,7 @@ makes use of the kernel's fanotify inter + # generate rules for python + sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules + sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules +-sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" rules.d/*.rules ++sed -i "s/%ld_so_path%/`readelf -e /usr/bin/bash | grep Requesting | sed 's/.$//' | rev | cut -d" " -f1 | rev | sed 's/\//\\\\\//g'`/g" rules.d/*.rules + + %build + %configure \ +diff -urp fapolicyd-1.1.1.orig/m4/dyn_linker.m4 fapolicyd-1.1.1/m4/dyn_linker.m4 +--- fapolicyd-1.1.1.orig/m4/dyn_linker.m4 2022-01-28 15:17:55.000000000 -0500 ++++ fapolicyd-1.1.1/m4/dyn_linker.m4 2022-01-28 15:20:02.048609672 -0500 +@@ -1,6 +1,10 @@ + AC_DEFUN([LD_SO_PATH], + [ +- xpath=`realpath /usr/lib64/ld-2.*.so` ++ xpath1=`readelf -e /usr/bin/bash | grep Requesting | sed 's/.$//' | rev | cut -d" " -f1 | rev` ++ xpath=`realpath $xpath1` ++ if test ! -f "$xpath" ; then ++ AC_MSG_ERROR([Cant find the dynamic linker]) ++ fi + echo "dynamic linker is.....$xpath" + AC_DEFINE_UNQUOTED(SYSTEM_LD_SO, ["$xpath"], [dynamic linker]) + ]) diff --git a/SOURCES/fapolicyd-reorder-rules.patch b/SOURCES/fapolicyd-reorder-rules.patch new file mode 100644 index 0000000..7c44d85 --- /dev/null +++ b/SOURCES/fapolicyd-reorder-rules.patch @@ -0,0 +1,109 @@ +From 609ffa1d2ed490c7d5c77d2dd2dfdc50f415b935 Mon Sep 17 00:00:00 2001 +From: Radovan Sroka +Date: Thu, 24 Mar 2022 09:59:05 +0100 +Subject: [PATCH] Reorder loop holes with patterns in rules.d + +- this keeps backwards compatibility with older wersions of rules +- the ld_so pattern was applied to root +- it caused problems with running ldd as root(previously unrestricted) + +Signed-off-by: Radovan Sroka +--- + fapolicyd.spec | 6 +++--- + rules.d/{30-dracut.rules => 20-dracut.rules} | 0 + rules.d/{30-updaters.rules => 21-updaters.rules} | 0 + rules.d/{20-patterns.rules => 30-patterns.rules} | 0 + rules.d/Makefile.am | 4 ++-- + rules.d/README-rules | 16 ++++++++-------- + 6 files changed, 13 insertions(+), 13 deletions(-) + rename rules.d/{30-dracut.rules => 20-dracut.rules} (100%) + rename rules.d/{30-updaters.rules => 21-updaters.rules} (100%) + rename rules.d/{20-patterns.rules => 30-patterns.rules} (100%) + +diff --git a/fapolicyd.spec b/fapolicyd.spec +index c2aae21..261b780 100644 +--- a/fapolicyd.spec ++++ b/fapolicyd.spec +@@ -66,9 +66,9 @@ if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then + if [ "$files" -eq 0 ] ; then + ## Install the known libs policy + cp %{_datadir}/%{name}/sample-rules/10-languages.rules %{_sysconfdir}/%{name}/rules.d/ +-cp %{_datadir}/%{name}/sample-rules/20-patterns.rules %{_sysconfdir}/%{name}/rules.d/ +-cp %{_datadir}/%{name}/sample-rules/30-dracut.rules %{_sysconfdir}/%{name}/rules.d/ +-cp %{_datadir}/%{name}/sample-rules/30-updaters.rules %{_sysconfdir}/%{name}/rules.d/ ++cp %{_datadir}/%{name}/sample-rules/20-dracut.rules %{_sysconfdir}/%{name}/rules.d/ ++cp %{_datadir}/%{name}/sample-rules/21-updaters.rules %{_sysconfdir}/%{name}/rules.d/ ++cp %{_datadir}/%{name}/sample-rules/30-patterns.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/40-bad-elf.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/41-shared-obj.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/42-trusted-elf.rules %{_sysconfdir}/%{name}/rules.d/ +diff --git a/rules.d/30-dracut.rules b/rules.d/20-dracut.rules +similarity index 100% +rename from rules.d/30-dracut.rules +rename to rules.d/20-dracut.rules +diff --git a/rules.d/30-updaters.rules b/rules.d/21-updaters.rules +similarity index 100% +rename from rules.d/30-updaters.rules +rename to rules.d/21-updaters.rules +diff --git a/rules.d/20-patterns.rules b/rules.d/30-patterns.rules +similarity index 100% +rename from rules.d/20-patterns.rules +rename to rules.d/30-patterns.rules +diff --git a/rules.d/Makefile.am b/rules.d/Makefile.am +index 76b5377..9bb61a7 100644 +--- a/rules.d/Makefile.am ++++ b/rules.d/Makefile.am +@@ -23,8 +23,8 @@ + + CONFIG_CLEAN_FILES = *.rej *.orig + +-EXTRA_DIST = README-rules 10-languages.rules 20-patterns.rules \ +- 30-dracut.rules 30-updaters.rules \ ++EXTRA_DIST = README-rules 10-languages.rules 20-dracut.rules \ ++ 21-updaters.rules 30-patterns.rules \ + 40-bad-elf.rules 41-shared-obj.rules 42-trusted-elf.rules \ + 43-known-elf.rules \ + 70-trusted-lang.rules 71-known-python.rules 72-shell.rules \ +diff --git a/rules.d/README-rules b/rules.d/README-rules +index c03c02b..30fcd01 100644 +--- a/rules.d/README-rules ++++ b/rules.d/README-rules +@@ -5,8 +5,8 @@ sort order. To make things easier to use, the files in this directory are + organized into groups with the following meanings: + + 10 - macros +-20 - patterns +-30 - loop holes ++20 - loop holes ++30 - patterns + 40 - ELF rules + 50 - user/group access rules + 60 - application access rules +@@ -25,9 +25,9 @@ You can reconstruct the old policy files by including the following: + fapolicyd.rules.known-libs + -------------------------- + 10-languages.rules +-20-patterns.rules +-30-dracut.rules +-30-updaters.rules ++20-dracut.rules ++21-updaters.rules ++30-patterns.rules + 40-bad-elf.rules + 41-shared-obj.rules + 42-trusted-elf.rules +@@ -39,9 +39,9 @@ fapolicyd.rules.known-libs + fapolicyd.rules.restrictive + --------------------------- + 10-languages.rules +-20-patterns.rules +-30-dracut.rules +-30-updaters.rules ++20-dracut.rules ++21-updaters.rules ++30-patterns.rules + 40-bad-elf.rules + 41-shared-obj.rules + 43-known-elf.rules +-- +2.35.1 diff --git a/SOURCES/fapolicyd-selinux.patch b/SOURCES/fapolicyd-selinux.patch new file mode 100644 index 0000000..58b3146 --- /dev/null +++ b/SOURCES/fapolicyd-selinux.patch @@ -0,0 +1,170 @@ +diff --color -ru a/fapolicyd-selinux-0.4/fapolicyd.if b/fapolicyd-selinux-0.4/fapolicyd.if +--- a/fapolicyd-selinux-0.4/fapolicyd.if 2021-03-23 10:21:31.000000000 +0100 ++++ b/fapolicyd-selinux-0.4/fapolicyd.if 2021-12-14 13:35:17.842430123 +0100 +@@ -2,6 +2,122 @@ + + ######################################## + ## ++## Watch_mount directories in /boot. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++ ++ifndef(`files_watch_mount_boot_dirs',` ++ interface(`files_watch_mount_boot_dirs',` ++ gen_require(` ++ type boot_t; ++ ') ++ ++ allow $1 boot_t:dir watch_mount_dir_perms; ++ ') ++') ++ ++ ++######################################## ++## ++## Watch_mount home directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++ ++ifndef(`files_watch_mount_home',` ++ interface(`files_watch_mount_home',` ++ gen_require(` ++ type home_root_t; ++ ') ++ ++ allow $1 home_root_t:dir watch_mount_dir_perms; ++ ') ++') ++ ++ ++######################################## ++## ++## Watch_with_perm home directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++ ++ifndef(`files_watch_with_perm_home',` ++interface(`files_watch_with_perm_home',` ++ gen_require(` ++ type home_root_t; ++ ') ++ ++ allow $1 home_root_t:dir watch_with_perm_dir_perms; ++') ++') ++ ++ ++######################################## ++## ++## Watch_mount dirs on a DOS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++ ++ifndef(`fs_watch_mount_dos_dirs',` ++interface(`fs_watch_mount_dos_dirs',` ++ gen_require(` ++ type dosfs_t; ++ ') ++ ++ watch_mount_dirs_pattern($1, dosfs_t, dosfs_t) ++') ++') ++ ++ ++ ++######################################## ++## ++## Watch_with_perm dirs on a DOS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++ ++ifndef(`fs_watch_with_perm_dos_dirs',` ++interface(`fs_watch_with_perm_dos_dirs',` ++ gen_require(` ++ type dosfs_t; ++ ') ++ ++ watch_with_perm_dirs_pattern($1, dosfs_t, dosfs_t) ++') ++') ++ ++ ++################################################################################################### ++ ++ ++ ++ ++######################################## ++## + ## Execute fapolicyd_exec_t in the fapolicyd domain. + ## + ## +diff --color -ru a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te +--- a/fapolicyd-selinux-0.4/fapolicyd.te 2021-03-23 10:21:31.000000000 +0100 ++++ b/fapolicyd-selinux-0.4/fapolicyd.te 2021-12-14 13:35:17.842430123 +0100 +@@ -1,5 +1,6 @@ + policy_module(fapolicyd, 1.0.0) + ++ + ######################################## + # + # Declarations +@@ -36,6 +37,12 @@ + allow fapolicyd_t self:unix_stream_socket create_stream_socket_perms; + allow fapolicyd_t self:unix_dgram_socket create_socket_perms; + ++gen_require(` ++ attribute file_type; ++') ++allow fapolicyd_t file_type:dir { watch_mount watch_with_perm }; ++allow fapolicyd_t file_type:file { watch_mount watch_with_perm }; ++ + manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t) + logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file) + +@@ -63,14 +70,20 @@ + + files_mmap_usr_files(fapolicyd_t) + files_read_all_files(fapolicyd_t) ++files_watch_mount_boot_dirs(fapolicyd_t) ++files_watch_with_perm_boot_dirs(fapolicyd_t) + files_watch_mount_generic_tmp_dirs(fapolicyd_t) + files_watch_with_perm_generic_tmp_dirs(fapolicyd_t) ++files_watch_mount_home(fapolicyd_t) ++files_watch_with_perm_home(fapolicyd_t) + files_watch_mount_root_dirs(fapolicyd_t) + files_watch_with_perm_root_dirs(fapolicyd_t) + + fs_getattr_xattr_fs(fapolicyd_t) + fs_watch_mount_tmpfs_dirs(fapolicyd_t) + fs_watch_with_perm_tmpfs_dirs(fapolicyd_t) ++fs_watch_mount_dos_dirs(fapolicyd_t) ++fs_watch_with_perm_dos_dirs(fapolicyd_t) + + logging_send_syslog_msg(fapolicyd_t) + dbus_system_bus_client(fapolicyd_t) diff --git a/SOURCES/fapolicyd-uthash-bundle.patch b/SOURCES/fapolicyd-uthash-bundle.patch new file mode 100644 index 0000000..0131884 --- /dev/null +++ b/SOURCES/fapolicyd-uthash-bundle.patch @@ -0,0 +1,39 @@ +diff --color -ru a/configure.ac b/configure.ac +--- a/configure.ac 2021-11-12 20:21:54.000000000 +0100 ++++ b/configure.ac 2021-12-14 13:47:11.890649552 +0100 +@@ -67,10 +67,6 @@ + ["Couldn't find sys/fanotify.h...your kernel might not be new enough"] )]) + AC_CHECK_FUNCS(fexecve, [], []) + +-AC_CHECK_HEADER(uthash.h, , [AC_MSG_ERROR( +-["Couldn't find uthash.h...uthash-devel is missing"] )]) +- +- + echo . + echo Checking for required libraries + AC_CHECK_LIB(udev, udev_device_get_devnode, , [AC_MSG_ERROR([libudev not found])], -ludev) +diff --color -ru a/src/library/rpm-backend.c b/src/library/rpm-backend.c +--- a/src/library/rpm-backend.c 2021-11-12 20:21:54.000000000 +0100 ++++ b/src/library/rpm-backend.c 2021-12-14 13:47:26.833926203 +0100 +@@ -32,7 +32,7 @@ + #include + #include + +-#include ++#include "uthash.h" + + #include "message.h" + #include "gcc-attributes.h" +diff --color -ru a/src/Makefile.am b/src/Makefile.am +--- a/src/Makefile.am 2021-11-12 20:21:54.000000000 +0100 ++++ b/src/Makefile.am 2021-12-14 13:48:03.218599808 +0100 +@@ -5,6 +5,9 @@ + -I${top_srcdir} \ + -I${top_srcdir}/src/library + ++AM_CPPFLAGS += \ ++ -I${top_srcdir}/uthash-2.3.0/include ++ + sbin_PROGRAMS = fapolicyd fapolicyd-cli + lib_LTLIBRARIES= libfapolicyd.la + diff --git a/SPECS/fapolicyd.spec b/SPECS/fapolicyd.spec new file mode 100644 index 0000000..aeb1cba --- /dev/null +++ b/SPECS/fapolicyd.spec @@ -0,0 +1,452 @@ +%global selinuxtype targeted +%global moduletype contrib +%define semodule_version 0.4 + +Summary: Application Whitelisting Daemon +Name: fapolicyd +Version: 1.1 +Release: 103%{?dist} +License: GPLv3+ +URL: http://people.redhat.com/sgrubb/fapolicyd +Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz +Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz +# we bundle uthash for rhel9 +Source2: https://github.com/troydhanson/uthash/archive/refs/tags/v2.3.0.tar.gz#/uthash-2.3.0.tar.gz +BuildRequires: gcc +BuildRequires: kernel-headers +BuildRequires: autoconf automake make gcc libtool +BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel file +BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel +BuildRequires: python3-devel + +%if 0%{?rhel} == 0 +BuildRequires: uthash-devel +%endif + +Requires: %{name}-plugin +Recommends: %{name}-selinux +Requires(pre): shadow-utils +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units + +Patch1: fapolicyd-uthash-bundle.patch +Patch2: fapolicyd-selinux.patch +Patch3: fapolicyd-reorder-rules.patch +Patch4: fagenrules-group.patch +# 2069120 - CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path [rhel-8.6.0] +Patch5: fapolicyd-1.1.1-ld_so.patch + +%description +Fapolicyd (File Access Policy Daemon) implements application whitelisting +to decide file access rights. Applications that are known via a reputation +source are allowed access while unknown applications are not. The daemon +makes use of the kernel's fanotify interface to determine file access rights. + +%package selinux +Summary: Fapolicyd selinux +Group: Applications/System +Requires: %{name} = %{version}-%{release} +BuildRequires: selinux-policy +BuildRequires: selinux-policy-devel +BuildArch: noarch +%{?selinux_requires} + +%description selinux +The %{name}-selinux package contains selinux policy for the %{name} daemon. + +%package dnf-plugin +Summary: Fapolicyd dnf plugin +Group: Applications/System +Requires: %{name} = %{version}-%{release} +BuildArch: noarch +Provides: %{name}-plugin + +%description dnf-plugin +The %{name}-dnf-plugin notifies %{name} daemon about dnf update. +The dnf plugin will be replaced with rpm plugin later. +Don't use dnf and rpm plugin together. + + +%prep + +%setup -q + +# selinux +%setup -q -D -T -a 1 + +%if 0%{?rhel} != 0 +# uthash +%setup -q -D -T -a 2 +%patch1 -p1 -b .uthash +%endif + +%patch2 -p1 -b .selinux +%patch3 -p1 -b .reorder +%patch4 -p1 -b .group +%patch5 -p1 -b .ld_so + +# generate rules for python +sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules +sed -i "s|%python3_path%|`readlink -f %{__python3}`|g" rules.d/*.rules + +interpret=`readelf -e /usr/bin/bash \ + | grep Requesting \ + | sed 's/.$//' \ + | rev | cut -d" " -f1 \ + | rev` + +sed -i "s|%ld_so_path%|`realpath $interpret`|g" rules.d/*.rules + +%build +./autogen.sh +%configure \ + --with-audit \ + --with-rpm \ + --disable-shared + +make CFLAGS="%{optflags}" %{?_smp_mflags} + +# selinux +pushd %{name}-selinux-%{semodule_version} +make +popd + +%check +make check + +# selinux +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%install +%make_install +mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/ +install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/ +install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf +mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name} +mkdir -p %{buildroot}/run/%{name} +mkdir -p %{buildroot}%{_sysconfdir}/%{name}/trust.d +mkdir -p %{buildroot}%{_sysconfdir}/%{name}/rules.d +# get list of file names between known-libs and restrictive from sample-rules/README-rules +cat %{buildroot}/%{_datadir}/%{name}/sample-rules/README-rules \ + | grep -A 100 'known-libs' \ + | grep -B 100 'restrictive' \ + | grep '^[0-9]' > %{buildroot}/%{_datadir}/%{name}/default-ruleset.known-libs +chmod 644 %{buildroot}/%{_datadir}/%{name}/default-ruleset.known-libs + +# selinux +install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} +install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} +install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype} +install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if + +#cleanup +find %{buildroot} \( -name '*.la' -o -name '*.a' \) -delete + +%define manage_default_rules default_changed=0 \ + # check changed fapolicyd.rules \ + if [ -e %{_sysconfdir}/%{name}/%{name}.rules ]; then \ + diff %{_sysconfdir}/%{name}/%{name}.rules %{_datadir}/%{name}/%{name}.rules.known-libs >/dev/null 2>&1 || { \ + default_changed=1; \ + #echo "change detected in fapolicyd.rules"; \ + } \ + fi \ + if [ -e %{_sysconfdir}/%{name}/rules.d ]; then \ + default_ruleset='' \ + # get listing of default rule files in known-libs \ + [ -e %{_datadir}/%{name}/default-ruleset.known-libs ] && default_ruleset=`cat %{_datadir}/%{name}/default-ruleset.known-libs` \ + # check for removed or added files \ + default_count=`echo "$default_ruleset" | wc -l` \ + current_count=`ls -1 %{_sysconfdir}/%{name}/rules.d/*.rules | wc -l` \ + [ $default_count -eq $current_count ] || { \ + default_changed=1; \ + #echo "change detected in number of rule files d:$default_count vs c:$current_count"; \ + } \ + for file in %{_sysconfdir}/%{name}/rules.d/*.rules; do \ + if echo "$default_ruleset" | grep -q "`basename $file`"; then \ + # compare content of the rule files \ + diff $file %{_datadir}/%{name}/sample-rules/`basename $file` >/dev/null 2>&1 || { \ + default_changed=1; \ + #echo "change detected in `basename $file`"; \ + } \ + else \ + # added file detected \ + default_changed=1 \ + #echo "change detected in added rules file `basename $file`"; \ + fi \ + done \ + fi \ + # remove files if no change against default rules detected \ + [ $default_changed -eq 0 ] && rm -rf %{_sysconfdir}/%{name}/%{name}.rules %{_sysconfdir}/%{name}/rules.d/* || : \ + + +%pre +getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name} +if [ $1 -eq 2 ]; then +# detect changed default rules in case of upgrade +%manage_default_rules +fi + +%post +# if no pre-existing rule file +if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then + files=`ls %{_sysconfdir}/%{name}/rules.d/ 2>/dev/null | wc -w` + # Only if no pre-existing component rules + if [ "$files" -eq 0 ] ; then + ## Install the known libs policy + for rulesfile in `cat %{_datadir}/%{name}/default-ruleset.known-libs`; do + cp %{_datadir}/%{name}/sample-rules/$rulesfile %{_sysconfdir}/%{name}/rules.d/ + done + chgrp %{name} %{_sysconfdir}/%{name}/rules.d/* + if [ -x /usr/sbin/restorecon ] ; then + # restore correct label + /usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/* + fi + fagenrules > /dev/null 2>&1 + fi +fi +%systemd_post %{name}.service + +%preun +%systemd_preun %{name}.service +if [ $1 -eq 0 ]; then +# detect changed default rules in case of uninstall +%manage_default_rules +else + [ -e %{_sysconfdir}/%{name}/%{name}.rules ] && rm -rf %{_sysconfdir}/%{name}/rules.d/* || : +fi + +%postun +%systemd_postun_with_restart %{name}.service + +%files +%doc README.md +%{!?_licensedir:%global license %%doc} +%license COPYING +%attr(755,root,%{name}) %dir %{_datadir}/%{name} +%attr(755,root,%{name}) %dir %{_datadir}/%{name}/sample-rules +%attr(644,root,%{name}) %{_datadir}/%{name}/default-ruleset.known-libs +%attr(644,root,%{name}) %{_datadir}/%{name}/sample-rules/* +%attr(644,root,%{name}) %{_datadir}/%{name}/fapolicyd-magic.mgc +%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name} +%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/trust.d +%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/rules.d +%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/rules.d/* +%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules +%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf +%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust +%ghost %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules +%attr(644,root,root) %{_unitdir}/%{name}.service +%attr(644,root,root) %{_tmpfilesdir}/%{name}.conf +%attr(755,root,root) %{_sbindir}/%{name} +%attr(755,root,root) %{_sbindir}/%{name}-cli +%attr(755,root,root) %{_sbindir}/fagenrules +%attr(644,root,root) %{_mandir}/man8/* +%attr(644,root,root) %{_mandir}/man5/* +%attr(644,root,root) %{_mandir}/man1/* +%ghost %attr(440,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/log/%{name}-access.log +%attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name} +%attr(770,root,%{name}) %dir /run/%{name} +%ghost %attr(660,root,%{name}) /run/%{name}/%{name}.fifo +%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/data.mdb +%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/lock.mdb + + +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} +%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 +%selinux_relabel_post -s %{selinuxtype} + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{name} +fi + +%posttrans selinux +%selinux_relabel_post -s %{selinuxtype} + +%files dnf-plugin +%{python3_sitelib}/dnf-plugins/%{name}-dnf-plugin.py +%{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc + + +%changelog +* Wed Apr 06 2022 Radovan Sroka - 1.1-103 +RHEL 9.0.0 ERRATUM +- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path +Resolves: rhbz#2069122 + +* Sun Apr 3 2022 Radovan Sroka - 1.1-101 +RHEL 9.0.0 ERRATUM +- fapolicyd denies access to /usr/lib64/ld-2.28.so +Resolves: rhbz#2066904 + +* Wed Feb 16 2022 Radovan Sroka - 1.1-100 +RHEL 9.0.0 ERRATUM +- rebase to 1.1 +Resolves: rhbz#2032408 +- introduce rules.d +Resolves: rhbz#2054740 +- remove pretrans scriptlet +Resolve: rhbz#2051481 + +* Tue Dec 14 2021 Zoltan Fridrich - 1.0.4-101 +RHEL 9.0.0 ERRATUM +- rebase to 1.0.4 +- added rpm_sha256_only option +- added trust.d directory +- allow file names with whitespaces in trust files +- use full paths in trust files +Resolves: rhbz#2032408 +- fix libc.so getting identified as application/x-executable +Resolves: rhbz#2015307 +- fix selinux DSP module definition in spec file +Resolves: rhbz#2014449 + +* Mon Aug 09 2021 Mohan Boddu - 1.0.3-4 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Tue Jul 20 2021 Radovan Sroka - 1.0.3-3 +RHEL 9 BETA +- SELinux prevents fapolicyd from watch_mount/watch_with_perm on /dev/shm +Resolves: rhbz#1932225 +Resolves: rhbz#1977731 + +* Thu Apr 15 2021 Mohan Boddu - 1.0.3-2 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Thu Apr 01 2021 Radovan Sroka - 1.0.3-1 +- rebase to 1.0.3 +- sync fedora with rhel + +* Tue Jan 26 2021 Fedora Release Engineering - 1.0.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Wed Jan 06 2021 Radovan Sroka - 1.0.2-1 +- rebase to 1.0.2 +- enabled make check +- dnf-plugin is now required subpackage + +* Mon Nov 16 2020 Radovan Sroka - 1.0.1-1 +- rebase to 1.0.1 +- introduced uthash dependency +- SELinux prevents the fapolicyd process from writing to /run/dbus/system_bus_socket +Resolves: rhbz#1874491 +- SELinux prevents the fapolicyd process from writing to /var/lib/rpm directory +Resolves: rhbz#1876538 + +* Mon Jul 27 2020 Fedora Release Engineering - 1.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Wed Jun 24 2020 Radovan Sroka - 1.0-3 +- backported few cosmetic small patches from upstream master +- rebase selinux tarbal to v0.3 +- file context pattern for /run/fapolicyd.pid is missing +Resolves: rhbz#1834674 + +* Tue May 26 2020 Miro Hrončok - 1.0-2 +- Rebuilt for Python 3.9 + +* Mon May 25 2020 Radovan Sroka - 1.0-1 +- rebase fapolicyd to 1.0 +- allowed sys_ptrace for user namespace + +* Mon Mar 23 2020 Radovan Sroka - 0.9.4-1 +- rebase fapolicyd to 0.9.4 +- polished the pattern detection engine +- rpm backend now drops most of the files in /usr/share/ to dramatically reduce + memory consumption and improve startup speed +- the commandline utility can now delete the lmdb trust database and manage + the file trust source + +* Mon Feb 24 2020 Radovan Sroka - 0.9.3-1 +- rebase fapolicyd to 0.9.3 +- dramatically improved startup time +- fapolicyd-cli has picked up --list and --ftype commands to help debug/write policy +- file type identification has been improved +- trust database statistics have been added to the reports + +* Tue Feb 04 2020 Radovan Sroka - 0.9.2-2 +- Label all fifo_file as fapolicyd_var_run_t in /var/run. +- Allow fapolicyd_t domain to create fifo files labeled as + fapolicyd_var_run_t + +* Fri Jan 31 2020 Radovan Sroka - 0.9.2-1 +- rebase fapolicyd to 0.9.2 +- allows watched mount points to be specified by file system types +- ELF file detection was improved +- the rules have been rewritten to express the policy based on subject + object trust for better performance and reliability +- exceptions for dracut and ansible were added to the rules to avoid problems + under normal system use +- adds an admin defined trust database (fapolicyd.trust) +- setting boost, queue, user, and group on the daemon + command line are deprecated + +* Tue Jan 28 2020 Fedora Release Engineering - 0.9-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Tue Nov 05 2019 Marek Tamaskovic - 0.9-3 +- Updated fapolicyd-selinux subpackage to v0.2 + Selinux subpackage is recommended for fapolicyd. + +* Mon Oct 07 2019 Radovan Sroka - 0.9-2 +- Added fapolicyd-selinux subpackage + +* Mon Oct 07 2019 Radovan Sroka - 0.9-1 +- rebase to v0.9 + +* Thu Oct 03 2019 Miro Hrončok - 0.8.10-2 +- Rebuilt for Python 3.8.0rc1 (#1748018) + +* Wed Aug 28 2019 Radovan Sroka - 0.8.10-1 +- rebase to 0.8.10 +- generate python paths dynamically + +* Mon Aug 19 2019 Miro Hrončok - 0.8.9-5 +- Rebuilt for Python 3.8 + +* Thu Jul 25 2019 Fedora Release Engineering - 0.8.9-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Mon Jun 10 22:13:18 CET 2019 Igor Gnatenko - 0.8.9-3 +- Rebuild for RPM 4.15 + +* Mon Jun 10 15:42:01 CET 2019 Igor Gnatenko - 0.8.9-2 +- Rebuild for RPM 4.15 + +* Mon May 06 2019 Radovan Sroka - 0.8.9-1 +- New upstream release + +* Wed Mar 13 2019 Radovan Sroka - 0.8.8-2 +- backport some patches to resolve dac_override for fapolicyd + +* Mon Mar 11 2019 Radovan Sroka - 0.8.8-1 +- New upstream release +- Added new DNF plugin that can update the trust database when rpms are installed +- Added support for FAN_OPEN_EXEC_PERM + +* Thu Jan 31 2019 Fedora Release Engineering - 0.8.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + + +* Wed Oct 03 2018 Steve Grubb 0.8.7-1 +- New upstream bugfix release + +* Fri Jul 13 2018 Fedora Release Engineering - 0.8.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Thu Jun 07 2018 Steve Grubb 0.8.6-1 +- New upstream feature release + +* Fri May 18 2018 Steve Grubb 0.8.5-2 +- Add dist tag (#1579362) + +* Fri Feb 16 2018 Steve Grubb 0.8.5-1 +- New release