RHEL 9.1.0 ERRATUM
- fapolicyd denies access to /usr/lib64/ld-2.28.so Resolves: rhbz#2067493 Signed-off-by: Radovan Sroka <rsroka@redhat.com>
This commit is contained in:
parent
04a7a9e4fd
commit
c17d1d3f6b
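--- /dev/null
+++ b/fagenrules-group.patch
@@ -0,0 +1,13 @@
+diff -up ./init/fagenrules.fix ./init/fagenrules
+--- ./init/fagenrules.fix 2022-04-01 16:12:50.512164904 +0200
++++ ./init/fagenrules 2022-04-01 16:21:07.924712100 +0200
+@@ -117,7 +117,8 @@ fi
+ 
+ # We copy the file so that it gets the right selinux label
+ cp ${TmpRules} ${DestinationFile}
+-chmod 0640 ${DestinationFile}
++chmod 0644 ${DestinationFile}
++chgrp fapolicyd ${DestinationFile}
+ 
+ # Restore context on MLS system.
+ # /tmp is SystemLow & fapolicyd.rules is SystemHigh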
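Review bot: The `chmod 0644` that replaces `chmod 0640` widens the generated rules file to world-readable, while the `chgrp fapolicyd` added on the next line already gives the daemon's group read access under 0640, so the mode change is not required for the daemon to read the file; if 0644 is deliberate (the spec in this commit packages `compiled.rules` as `%attr(644,root,%{name})` under a `%attr(750,root,%{name})` directory, which presumably is what `${DestinationFile}` points at) the hunk should say so with a comment such as `# 0644 matches the packaged %attr; the 0750 parent directory still limits who can reach the file`, otherwise keep 0640 and rely on the chgrp. Neither `chmod` nor `chgrp` is checked, so on a host where the `fapolicyd` group does not exist the file silently stays root-owned and the daemon is denied again exactly as in the bug being fixed; `chgrp fapolicyd ${DestinationFile} || echo "fagenrules: cannot chgrp ${DestinationFile} to fapolicyd" >&2` would at least surface that. The enclosing script starts and ends outside the hunk, and `${DestinationFile}` stays unquoted on all three lines as in the surrounding code.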
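--- /dev/null
+++ b/fapolicyd-reorder-rules.patch
@@ -0,0 +1,109 @@
+From 609ffa1d2ed490c7d5c77d2dd2dfdc50f415b935 Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Thu, 24 Mar 2022 09:59:05 +0100
+Subject: [PATCH] Reorder loop holes with patterns in rules.d
+
+- this keeps backwards compatibility with older wersions of rules
+- the ld_so pattern was applied to root
+- it caused problems with running ldd as root(previously unrestricted)
+
+Signed-off-by: Radovan Sroka <rsroka@redhat.com>
+---
+fapolicyd.spec | 6 +++---
+rules.d/{30-dracut.rules => 20-dracut.rules} | 0
+rules.d/{30-updaters.rules => 21-updaters.rules} | 0
+rules.d/{20-patterns.rules => 30-patterns.rules} | 0
+rules.d/Makefile.am | 4 ++--
+rules.d/README-rules | 16 ++++++++--------
+6 files changed, 13 insertions(+), 13 deletions(-)
+rename rules.d/{30-dracut.rules => 20-dracut.rules} (100%)
+rename rules.d/{30-updaters.rules => 21-updaters.rules} (100%)
+rename rules.d/{20-patterns.rules => 30-patterns.rules} (100%)
+
+diff --git a/fapolicyd.spec b/fapolicyd.spec
+index c2aae21..261b780 100644
+--- a/fapolicyd.spec
++++ b/fapolicyd.spec
+@@ -66,9 +66,9 @@ if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
+ if [ "$files" -eq 0 ] ; then
+ ## Install the known libs policy
+ cp %{_datadir}/%{name}/sample-rules/10-languages.rules %{_sysconfdir}/%{name}/rules.d/
+-cp %{_datadir}/%{name}/sample-rules/20-patterns.rules %{_sysconfdir}/%{name}/rules.d/
+-cp %{_datadir}/%{name}/sample-rules/30-dracut.rules %{_sysconfdir}/%{name}/rules.d/
+-cp %{_datadir}/%{name}/sample-rules/30-updaters.rules %{_sysconfdir}/%{name}/rules.d/
++cp %{_datadir}/%{name}/sample-rules/20-dracut.rules %{_sysconfdir}/%{name}/rules.d/
++cp %{_datadir}/%{name}/sample-rules/21-updaters.rules %{_sysconfdir}/%{name}/rules.d/
++cp %{_datadir}/%{name}/sample-rules/30-patterns.rules %{_sysconfdir}/%{name}/rules.d/
+ cp %{_datadir}/%{name}/sample-rules/40-bad-elf.rules %{_sysconfdir}/%{name}/rules.d/
+ cp %{_datadir}/%{name}/sample-rules/41-shared-obj.rules %{_sysconfdir}/%{name}/rules.d/
+ cp %{_datadir}/%{name}/sample-rules/42-trusted-elf.rules %{_sysconfdir}/%{name}/rules.d/
+diff --git a/rules.d/30-dracut.rules b/rules.d/20-dracut.rules
+similarity index 100%
+rename from rules.d/30-dracut.rules
+rename to rules.d/20-dracut.rules
+diff --git a/rules.d/30-updaters.rules b/rules.d/21-updaters.rules
+similarity index 100%
+rename from rules.d/30-updaters.rules
+rename to rules.d/21-updaters.rules
+diff --git a/rules.d/20-patterns.rules b/rules.d/30-patterns.rules
+similarity index 100%
+rename from rules.d/20-patterns.rules
+rename to rules.d/30-patterns.rules
+diff --git a/rules.d/Makefile.am b/rules.d/Makefile.am
+index 76b5377..9bb61a7 100644
+--- a/rules.d/Makefile.am
++++ b/rules.d/Makefile.am
+@@ -23,8 +23,8 @@
+ 
+ CONFIG_CLEAN_FILES = *.rej *.orig
+ 
+-EXTRA_DIST = README-rules 10-languages.rules 20-patterns.rules \
+- 30-dracut.rules 30-updaters.rules \
++EXTRA_DIST = README-rules 10-languages.rules 20-dracut.rules \
++ 21-updaters.rules 30-patterns.rules \
+ 40-bad-elf.rules 41-shared-obj.rules 42-trusted-elf.rules \
+ 43-known-elf.rules \
+ 70-trusted-lang.rules 71-known-python.rules 72-shell.rules \
+diff --git a/rules.d/README-rules b/rules.d/README-rules
+index c03c02b..30fcd01 100644
+--- a/rules.d/README-rules
++++ b/rules.d/README-rules
+@@ -5,8 +5,8 @@ sort order. To make things easier to use, the files in this directory are
+ organized into groups with the following meanings:
+ 
+ 10 - macros
+-20 - patterns
+-30 - loop holes
++20 - loop holes
++30 - patterns
+ 40 - ELF rules
+ 50 - user/group access rules
+ 60 - application access rules
+@@ -25,9 +25,9 @@ You can reconstruct the old policy files by including the following:
+ fapolicyd.rules.known-libs
+ --------------------------
+ 10-languages.rules
+-20-patterns.rules
+-30-dracut.rules
+-30-updaters.rules
++20-dracut.rules
++21-updaters.rules
++30-patterns.rules
+ 40-bad-elf.rules
+ 41-shared-obj.rules
+ 42-trusted-elf.rules
+@@ -39,9 +39,9 @@ fapolicyd.rules.known-libs
+ fapolicyd.rules.restrictive
+ ---------------------------
+ 10-languages.rules
+-20-patterns.rules
+-30-dracut.rules
+-30-updaters.rules
++20-dracut.rules
++21-updaters.rules
++30-patterns.rules
+ 40-bad-elf.rules
+ 41-shared-obj.rules
+ 43-known-elf.rules
+--
+2.35.1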
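Review bot: The README-rules hunk swaps the groups to `20 - loop holes` / `30 - patterns` but records nothing about why the order matters, and the patch description (which will not be installed with the rules) is the only place that explains it; since the README itself says the files are applied in sort order, and the description implies the earlier-sorted ld_so pattern was catching root's `ldd` before the dracut/updaters exceptions could, the list deserves a line such as `# loop holes sort before patterns on purpose: the dracut/updaters exceptions must be seen before the ld_so pattern rule` so the next person does not "tidy" the numbering back. The rename only touches the sample-rules copies; any `20-patterns.rules`, `30-dracut.rules` or `30-updaters.rules` already installed under `/etc/fapolicyd/rules.d` keep their old names and therefore their old precedence, so an upgraded host still evaluates patterns first unless the spec's upgrade handling (outside this file) replaces them. "wersions" in the patch description is a typo for "versions".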
@ -5,7 +5,7 @@
|
||||
Summary: Application Whitelisting Daemon
|
||||
Name: fapolicyd
|
||||
Version: 1.1
|
||||
Release: 100%{?dist}
|
||||
Release: 101%{?dist}
|
||||
License: GPLv3+
|
||||
URL: http://people.redhat.com/sgrubb/fapolicyd
|
||||
Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
|
||||
@ -32,6 +32,8 @@ Requires(postun): systemd-units
|
||||
|
||||
Patch1: fapolicyd-uthash-bundle.patch
|
||||
Patch2: fapolicyd-selinux.patch
|
||||
Patch3: fapolicyd-reorder-rules.patch
|
||||
Patch4: fagenrules-group.patch
|
||||
|
||||
%description
|
||||
Fapolicyd (File Access Policy Daemon) implements application whitelisting
|
||||
@ -78,6 +80,8 @@ Don't use dnf and rpm plugin together.
|
||||
%endif
|
||||
|
||||
%patch2 -p1 -b .selinux
|
||||
%patch3 -p1 -b .reorder
|
||||
%patch4 -p1 -b .group
|
||||
|
||||
sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
|
||||
sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
|
||||
@ -113,7 +117,12 @@ mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}
|
||||
mkdir -p %{buildroot}/run/%{name}
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/%{name}/trust.d
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/%{name}/rules.d
|
||||
|
||||
# get list of file names between known-libs and restrictive from sample-rules/README-rules
|
||||
cat %{buildroot}/%{_datadir}/%{name}/sample-rules/README-rules \
|
||||
| grep -A 100 'known-libs' \
|
||||
| grep -B 100 'restrictive' \
|
||||
| grep '^[0-9]' > %{buildroot}/%{_datadir}/%{name}/default-ruleset.known-libs
|
||||
chmod 644 %{buildroot}/%{_datadir}/%{name}/default-ruleset.known-libs
|
||||
|
||||
# selinux
|
||||
install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
|
||||
@ -124,8 +133,49 @@ install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_
|
||||
#cleanup
|
||||
find %{buildroot} \( -name '*.la' -o -name '*.a' \) -delete
|
||||
|
||||
%define manage_default_rules default_changed=0 \
|
||||
# check changed fapolicyd.rules \
|
||||
if [ -e %{_sysconfdir}/%{name}/%{name}.rules ]; then \
|
||||
diff %{_sysconfdir}/%{name}/%{name}.rules %{_datadir}/%{name}/%{name}.rules.known-libs >/dev/null 2>&1 || { \
|
||||
default_changed=1; \
|
||||
#echo "change detected in fapolicyd.rules"; \
|
||||
} \
|
||||
fi \
|
||||
if [ -e %{_sysconfdir}/%{name}/rules.d ]; then \
|
||||
default_ruleset='' \
|
||||
# get listing of default rule files in known-libs \
|
||||
[ -e %{_datadir}/%{name}/default-ruleset.known-libs ] && default_ruleset=`cat %{_datadir}/%{name}/default-ruleset.known-libs` \
|
||||
# check for removed or added files \
|
||||
default_count=`echo "$default_ruleset" | wc -l` \
|
||||
current_count=`ls -1 %{_sysconfdir}/%{name}/rules.d/*.rules | wc -l` \
|
||||
[ $default_count -eq $current_count ] || { \
|
||||
default_changed=1; \
|
||||
#echo "change detected in number of rule files d:$default_count vs c:$current_count"; \
|
||||
} \
|
||||
for file in %{_sysconfdir}/%{name}/rules.d/*.rules; do \
|
||||
if echo "$default_ruleset" | grep -q "`basename $file`"; then \
|
||||
# compare content of the rule files \
|
||||
diff $file %{_datadir}/%{name}/sample-rules/`basename $file` >/dev/null 2>&1 || { \
|
||||
default_changed=1; \
|
||||
#echo "change detected in `basename $file`"; \
|
||||
} \
|
||||
else \
|
||||
# added file detected \
|
||||
default_changed=1 \
|
||||
#echo "change detected in added rules file `basename $file`"; \
|
||||
fi \
|
||||
done \
|
||||
fi \
|
||||
# remove files if no change against default rules detected \
|
||||
[ $default_changed -eq 0 ] && rm -rf %{_sysconfdir}/%{name}/%{name}.rules %{_sysconfdir}/%{name}/rules.d/* || : \
|
||||
|
||||
|
||||
%pre
|
||||
getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
|
||||
if [ $1 -eq 2 ]; then
|
||||
# detect changed default rules in case of upgrade
|
||||
%manage_default_rules
|
||||
fi
|
||||
|
||||
%post
|
||||
# if no pre-existing rule file
|
||||
@ -134,29 +184,27 @@ if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
|
||||
# Only if no pre-existing component rules
|
||||
if [ "$files" -eq 0 ] ; then
|
||||
## Install the known libs policy
|
||||
cp %{_datadir}/%{name}/sample-rules/10-languages.rules %{_sysconfdir}/%{name}/rules.d/
|
||||
cp %{_datadir}/%{name}/sample-rules/20-patterns.rules %{_sysconfdir}/%{name}/rules.d/
|
||||
cp %{_datadir}/%{name}/sample-rules/30-dracut.rules %{_sysconfdir}/%{name}/rules.d/
|
||||
cp %{_datadir}/%{name}/sample-rules/30-updaters.rules %{_sysconfdir}/%{name}/rules.d/
|
||||
cp %{_datadir}/%{name}/sample-rules/40-bad-elf.rules %{_sysconfdir}/%{name}/rules.d/
|
||||
cp %{_datadir}/%{name}/sample-rules/41-shared-obj.rules %{_sysconfdir}/%{name}/rules.d/
|
||||
cp %{_datadir}/%{name}/sample-rules/42-trusted-elf.rules %{_sysconfdir}/%{name}/rules.d/
|
||||
cp %{_datadir}/%{name}/sample-rules/70-trusted-lang.rules %{_sysconfdir}/%{name}/rules.d/
|
||||
cp %{_datadir}/%{name}/sample-rules/72-shell.rules %{_sysconfdir}/%{name}/rules.d/
|
||||
cp %{_datadir}/%{name}/sample-rules/90-deny-execute.rules %{_sysconfdir}/%{name}/rules.d/
|
||||
cp %{_datadir}/%{name}/sample-rules/95-allow-open.rules %{_sysconfdir}/%{name}/rules.d/
|
||||
for rulesfile in `cat %{_datadir}/%{name}/default-ruleset.known-libs`; do
|
||||
cp %{_datadir}/%{name}/sample-rules/$rulesfile %{_sysconfdir}/%{name}/rules.d/
|
||||
done
|
||||
chgrp %{name} %{_sysconfdir}/%{name}/rules.d/*
|
||||
if [ -x /usr/sbin/restorecon ] ; then
|
||||
# restore correct label
|
||||
/usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/*
|
||||
fi
|
||||
fagenrules --load
|
||||
fagenrules > /dev/null 2>&1
|
||||
fi
|
||||
fi
|
||||
%systemd_post %{name}.service
|
||||
|
||||
%preun
|
||||
%systemd_preun %{name}.service
|
||||
if [ $1 -eq 0 ]; then
|
||||
# detect changed default rules in case of uninstall
|
||||
%manage_default_rules
|
||||
else
|
||||
[ -e %{_sysconfdir}/%{name}/%{name}.rules ] && rm -rf %{_sysconfdir}/%{name}/rules.d/* || :
|
||||
fi
|
||||
|
||||
%postun
|
||||
%systemd_postun_with_restart %{name}.service
|
||||
@ -167,13 +215,14 @@ fi
|
||||
%license COPYING
|
||||
%attr(755,root,%{name}) %dir %{_datadir}/%{name}
|
||||
%attr(755,root,%{name}) %dir %{_datadir}/%{name}/sample-rules
|
||||
%attr(644,root,%{name}) %{_datadir}/%{name}/default-ruleset.known-libs
|
||||
%attr(644,root,%{name}) %{_datadir}/%{name}/sample-rules/*
|
||||
%attr(644,root,%{name}) %{_datadir}/%{name}/fapolicyd-magic.mgc
|
||||
%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
|
||||
%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/trust.d
|
||||
%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/rules.d
|
||||
%ghost %{_sysconfdir}/%{name}/rules.d/*
|
||||
%ghost %{_sysconfdir}/%{name}/%{name}.rules
|
||||
%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/rules.d/*
|
||||
%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
|
||||
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
|
||||
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
|
||||
%ghost %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules
|
||||
@ -216,6 +265,11 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Sun Apr 3 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-101
|
||||
RHEL 9.1.0 ERRATUM
|
||||
- fapolicyd denies access to /usr/lib64/ld-2.28.so
|
||||
Resolves: rhbz#2067493
|
||||
|
||||
* Wed Feb 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-100
|
||||
RHEL 9.0.0 ERRATUM
|
||||
- rebase to 1.1
|
||||
|
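Review bot: In the new `%define manage_default_rules` hunk the change detection only considers `rules.d/*.rules` (the `ls -1 ... *.rules | wc -l` count and the `for file in ... *.rules` loop), but the cleanup at the end runs `rm -rf %{_sysconfdir}/%{name}/rules.d/*`, so an administrator's non-`.rules` file in that directory (a disabled `.rules.off` or a backup copy) never counts as a change yet is deleted on upgrade or removal; narrowing the action to the same set, `[ $default_changed -eq 0 ] && rm -f %{_sysconfdir}/%{name}/%{name}.rules %{_sysconfdir}/%{name}/rules.d/*.rules || : \`, keeps the decision and the deletion consistent. The membership test `echo "$default_ruleset" | grep -q "`basename $file`"` uses the file name as an unanchored regex, so a local `0-dracut.rules` is matched by the `20-dracut.rules` entry and then diffed against a sample file that does not exist (harmless only because a failed `diff` also sets `default_changed=1`); `grep -qxF -- "$(basename "$file")"` makes it an exact fixed-string match. The `%post` hunk now does `chgrp %{name} %{_sysconfdir}/%{name}/rules.d/*` before `restorecon`, which pairs with the fagenrules change in this commit, but it is unchecked and a missing group would leave root-only rule files with no message; `|| echo "warning: chgrp %{name} failed" >&2` is cheap there.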