rpms
/
fapolicyd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import fapolicyd-1.1-100.el9

This commit is contained in:
CentOS Sources 2022-04-05 05:55:36 -04:00 committed by Stepan Oksanichenko
parent 697cfc6c82
commit cc551ae802
8 changed files with 58 additions and 592 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.fapolicyd.metadata
View File

@ -1,3 +1,3 @@
d0dd45121bf4a9ffa9f4d3e5c5bcdf89f5efa87a SOURCES/fapolicyd-1.0.4.tar.gz
1fa6cf3f0a15bbef745438c1ba7b685ebf7e75f1 SOURCES/fapolicyd-1.1.tar.gz
bdbe20a4db2cd58073abf17a537e3a6766cdea21 SOURCES/fapolicyd-selinux-0.4.tar.gz
fbafa356359ace80787ce6634d84425b40d90907 SOURCES/uthash-2.3.0.tar.gz

2
.gitignore vendored
View File

@ -1,3 +1,3 @@
SOURCES/fapolicyd-1.0.4.tar.gz
SOURCES/fapolicyd-1.1.tar.gz
SOURCES/fapolicyd-selinux-0.4.tar.gz
SOURCES/uthash-2.3.0.tar.gz

11
SOURCES/fapolicyd-detect-sharedlib.patch
View File

@ -1,11 +0,0 @@
diff --color -ru a/src/library/file.c b/src/library/file.c
--- a/src/library/file.c 2021-11-12 20:21:54.000000000 +0100
+++ b/src/library/file.c 2021-12-15 12:40:05.088564218 +0100
@@ -295,6 +295,7 @@
if (!strncmp(p, "64", 2))
p += 2;
if (!strncmp(p, "/libc-2", 7) ||
+ !strncmp(p, "/libc.so", 8) ||
!strncmp(p, "/libpthread-2", 13))
ptr = "application/x-sharedlib";
}

190
SOURCES/fapolicyd-do-manage-files.patch
View File

@ -1,190 +0,0 @@
From 95ec2f9577abe98a73d8dcb9112043aa743fa7ad Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Fri, 19 Nov 2021 18:15:33 +0100
Subject: [PATCH] cli do_manage_file function refactoring and fix
---
src/cli/fapolicyd-cli.c | 159 ++++++++++++++++++++++------------------
1 file changed, 89 insertions(+), 70 deletions(-)
diff --git a/src/cli/fapolicyd-cli.c b/src/cli/fapolicyd-cli.c
index ee5d5bd..30b92be 100644
--- a/src/cli/fapolicyd-cli.c
+++ b/src/cli/fapolicyd-cli.c
@@ -207,87 +207,106 @@ static int do_dump_db(void)
return rc;
}
-
-/*
- * This function always requires at least one option, the command. We can
- * guarantee that argv[2] is the command because getopt_long would have
- * printed an error otherwise. argv[3] would be an optional parameter based
- * on which command is being run. If argv[4] == "--trust-file" then argv[5]
- * specifies a trust file to operate on.
- *
- * The function returns 0 on success and 1 on failure
- */
-static int do_manage_files(int argc, char * const argv[])
+static int do_file_add(int argc, char * const argv[])
{
- int rc = 0;
+ char full_path[PATH_MAX] = { 0 };
- if (argc > 0) {
- if ( (strcmp("add", argv[0]) != 0)
- && (strcmp("delete", argv[0]) != 0)
- && (strcmp("update", argv[0]) != 0) ) {
- fprintf(stderr, "%s is not valid option, choose from add|delete|update\n", argv[0]);
- goto args_err;
- }
+ if (argc == 1) {
+ if (!realpath(argv[0], full_path))
+ return 3;
+ return file_append(full_path, NULL);
}
+ if (argc == 3) {
+ if (!realpath(argv[0], full_path))
+ return 3;
+ if (strcmp("--trust-file", argv[1]))
+ return 2;
+ return file_append(full_path, argv[2]);
+ }
+ return 2;
+}
- if (argc < 2)
- goto args_err;
-
- char full_path[PATH_MAX] = {0};
+static int do_file_delete(int argc, char * const argv[])
+{
+ char full_path[PATH_MAX] = { 0 };
- if (realpath(argv[1], full_path) == NULL) {
- fprintf(stderr, "Cannot get realpath from: %s\n", argv[1]);
- perror("realpath");
- goto args_err;
+ if (argc == 1) {
+ if (!realpath(argv[0], full_path))
+ return 3;
+ return file_delete(full_path, NULL);
}
+ if (argc == 3) {
+ if (!realpath(argv[0], full_path))
+ return 3;
+ if (strcmp("--trust-file", argv[1]))
+ return 2;
+ return file_delete(full_path, argv[2]);
+ }
+ return 2;
+}
- if (strcmp("add", argv[0]) == 0) {
- switch (argc) {
- case 2:
- rc = file_append(full_path, NULL);
- break;
- case 4:
- if (strcmp("--trust-file", argv[2]))
- goto args_err;
- rc = file_append(full_path, argv[3]);
- break;
- default:
- goto args_err;
- }
- } else if (strcmp("delete", argv[0]) == 0) {
- switch (argc) {
- case 2:
- rc = file_delete(full_path, NULL);
- break;
- case 4:
- if (strcmp("--trust-file", argv[2]))
- goto args_err;
- rc = file_delete(full_path, argv[3]);
- break;
- default:
- goto args_err;
- }
- } else if (strcmp("update", argv[0]) == 0) {
- switch (argc) {
- case 2:
- rc = file_update(full_path, NULL);
- break;
- case 4:
- if (strcmp("--trust-file", argv[2]))
- goto args_err;
- rc = file_update(full_path, argv[3]);
- break;
- default:
- goto args_err;
- }
+static int do_file_update(int argc, char * const argv[])
+{
+ char full_path[PATH_MAX] = { 0 };
+
+ if (argc == 0)
+ return file_update("/", NULL);
+ if (argc == 1) {
+ if (!realpath(argv[0], full_path))
+ return 3;
+ return file_update(full_path, NULL);
+ }
+ if (argc == 2) {
+ if (strcmp("--trust-file", argv[0]))
+ return 2;
+ return file_update("/", argv[1]);
+ }
+ if (argc == 3) {
+ if (!realpath(argv[0], full_path))
+ return 3;
+ if (strcmp("--trust-file", argv[1]))
+ return 2;
+ return file_update(full_path, argv[2]);
}
+ return 2;
+}
- return rc ? 1 : 0;
+static int do_manage_files(int argc, char * const argv[])
+{
+ int rc = 0;
-args_err:
- fprintf(stderr, "Wrong number of arguments\n\n");
- fprintf(stderr, "%s", usage);
+ if (argc < 1 || argc > 4) {
+ fprintf(stderr, "Wrong number of arguments\n");
+ fprintf(stderr, "\n%s", usage);
+ return 1;
+ }
+
+ if (!strcmp("add", argv[0]))
+ rc = do_file_add(argc - 1, argv + 1);
+ else if (!strcmp("delete", argv[0]))
+ rc = do_file_delete(argc - 1, argv + 1);
+ else if (!strcmp("update", argv[0]))
+ rc = do_file_update(argc - 1, argv + 1);
+ else {
+ fprintf(stderr, "%s is not a valid option, choose one of add|delete|update\n", argv[0]);
+ fprintf(stderr, "\n%s", usage);
+ return 1;
+ }
+ switch (rc) {
+ case 0: // no error
+ return 0;
+ case 2: // args error
+ fprintf(stderr, "Wrong number of arguments\n");
+ fprintf(stderr, "\n%s", usage);
+ break;
+ case 3: // realpath error
+ fprintf(stderr, "Can't obtain realpath from: %s\n", argv[1]);
+ fprintf(stderr, "\n%s", usage);
+ break;
+ default: // file function errors
+ break;
+ }
return 1;
}

16
SOURCES/fapolicyd-documentation.patch
View File

@ -1,16 +0,0 @@
diff --color -ru a/doc/fapolicyd.trust.5 b/doc/fapolicyd.trust.5
--- a/doc/fapolicyd.trust.5 2021-11-12 20:21:54.000000000 +0100
+++ b/doc/fapolicyd.trust.5 2021-12-07 13:28:18.358213561 +0100
@@ -7,6 +7,12 @@
contains list of trusted files/binaries for the application whitelisting daemon. You may add comments to the file by starting the line with a '#' character.
Each line has to contain three columns and space is a valid separator. The first column contains full path to the file, the second is size of the file in bytes
and the third is valid sha256 hash.
+.sp
+The directory \fI/etc/fapolicyd/trust\&.d\fR can be used to store multiple trust files\&.
+This way a privileged user can split the trust database into multiple files and manage them separately through \fBfapolicyd\-cli\fR\&.
+Functionally, the fapolicy daemon will behave the same way as if the whole trust database has been defined inside \fBfapolicyd\&.trust\fR file\&.
+Syntax and semantics of trust files inside \fBtrust\&.d\fR directory are the same as for \fBfapolicyd\&.trust\fR file (described above)\&.
+Trust files can either be created manually inside \fBtrust\&.d\fR directory or via \fBfapolicyd\-cli\fR\& (the latter option is recommended).
.SH EXAMPLE
.PP

209
SOURCES/fapolicyd-fix-escaping.patch
View File

@ -1,209 +0,0 @@
diff --color -ru a/init/fapolicyd.trust b/init/fapolicyd.trust
--- a/init/fapolicyd.trust 2021-11-12 20:21:54.000000000 +0100
+++ b/init/fapolicyd.trust 2021-12-08 13:25:43.441187113 +0100
@@ -1,3 +1,4 @@
+# AUTOGENERATED FILE VERSION 2
# This file contains a list of trusted files
#
# FULL PATH SIZE SHA256
diff --color -ru a/src/cli/file-cli.c b/src/cli/file-cli.c
--- a/src/cli/file-cli.c 2021-11-12 20:21:54.000000000 +0100
+++ b/src/cli/file-cli.c 2021-12-08 13:25:43.441187113 +0100
@@ -89,9 +89,6 @@
return 0;
}
-
-
-
int file_append(const char *path, const char *fname)
{
set_message_mode(MSG_STDERR, DBG_NO);
@@ -110,11 +107,14 @@
char *dest = fname ? fapolicyd_strcat(TRUST_DIR_PATH, fname) :
TRUST_FILE_PATH;
+
int rc = trust_file_append(dest, &add_list);
+ list_empty(&add_list);
+
if (fname)
free(dest);
- list_empty(&add_list);
+
return rc ? -1 : 0;
}
diff --color -ru a/src/library/trust-file.c b/src/library/trust-file.c
--- a/src/library/trust-file.c 2021-11-12 20:21:54.000000000 +0100
+++ b/src/library/trust-file.c 2021-12-08 15:42:15.787206923 +0100
@@ -51,6 +51,7 @@
#define FTW_NOPENFD 1024
#define FTW_FLAGS (FTW_ACTIONRETVAL | FTW_PHYS)
+#define HEADER0 "# AUTOGENERATED FILE VERSION 2\n"
#define HEADER1 "# This file contains a list of trusted files\n"
#define HEADER2 "#\n"
#define HEADER3 "# FULL PATH SIZE SHA256\n"
@@ -137,12 +138,19 @@
return 1;
}
- size_t hlen = strlen(HEADER1);
+ size_t hlen;
+ hlen = strlen(HEADER0);
+ fwrite(HEADER0, hlen, 1, f);
+
+ hlen = strlen(HEADER1);
fwrite(HEADER1, hlen, 1, f);
+
hlen = strlen(HEADER2);
fwrite(HEADER2, hlen, 1, f);
+
hlen = strlen(HEADER3);
fwrite(HEADER3, hlen, 1, f);
+
hlen = strlen(HEADER4);
fwrite(HEADER4, hlen, 1, f);
@@ -163,50 +171,49 @@
return 0;
}
-
-
-int trust_file_append(const char *fpath, const list_t *list) {
- int fd = open(fpath, O_CREAT | O_WRONLY | O_APPEND, 0600);
- if (fd == -1) {
- msg(LOG_ERR, "Cannot open %s", fpath);
+int trust_file_append(const char *fpath, list_t *list)
+{
+ list_t content;
+ list_init(&content);
+ int rc = trust_file_load(fpath, &content);
+ if (rc)
return 1;
- }
for (list_item_t *lptr = list->first; lptr; lptr = lptr->next) {
- int count = 1;
- char *line = make_path_string(lptr->index, &count);
- if (!line)
- continue;
-
- if (write(fd, line, count) == -1) {
- msg(LOG_ERR, "failed writing to %s\n", fpath);
- free(line);
- close(fd);
- return 2;
- }
- free(line);
+ int i = 0;
+ lptr->data = make_path_string(lptr->index, &i);
}
- close(fd);
- return 0;
+ list_merge(&content, list);
+ write_out_list(&content, fpath);
+ list_empty(&content);
+ return rc ? 1 : 0;
}
int trust_file_load(const char *fpath, list_t *list)
{
+ char buffer[BUFFER_SIZE];
+ int escaped = 0;
+ long line = 0;
+
FILE *file = fopen(fpath, "r");
if (!file) {
msg(LOG_ERR, "Cannot open %s", fpath);
return 1;
}
- char buffer[BUFFER_SIZE];
while (fgets(buffer, BUFFER_SIZE, file)) {
- char name[4097], sha[65], *index, *data;
+ char name[4097], sha[65], *index = NULL, *data = NULL;
unsigned long sz;
unsigned int tsource = SRC_FILE_DB;
- if (iscntrl(buffer[0]) || buffer[0] == '#')
+ line++;
+
+ if (iscntrl(buffer[0]) || buffer[0] == '#') {
+ if (line == 1 && strncmp(buffer, HEADER0, strlen(HEADER0)) == 0)
+ escaped = 1;
continue;
+ }
if (sscanf(buffer, FILE_READ_FORMAT, name, &sz, sha) != 3) {
msg(LOG_WARNING, "Can't parse %s", buffer);
@@ -217,7 +224,7 @@
if (asprintf(&data, DATA_FORMAT, tsource, sz, sha) == -1)
data = NULL;
- index = unescape(name);
+ index = escaped ? unescape(name) : strdup(name);
if (index == NULL) {
msg(LOG_ERR, "Could not unescape %s from %s", name, fpath);
free(data);
@@ -311,33 +318,22 @@
int trust_file_rm_duplicates(const char *fpath, list_t *list)
{
- FILE *file = fopen(fpath, "r");
- if (!file) {
- msg(LOG_ERR, "Cannot open %s", fpath);
- return 1;
- }
-
- char buffer[BUFFER_SIZE];
- while (fgets(buffer, BUFFER_SIZE, file)) {
- char thash[65], tpath[4097];
- long unsigned size;
+ list_t trust_file;
+ list_init(&trust_file);
- if (iscntrl(buffer[0]) || buffer[0] == '#')
- continue;
+ int rc = trust_file_load(fpath, &trust_file);
+ if (rc)
+ goto cleanup;
- if (sscanf(buffer, FILE_READ_FORMAT, tpath, &size, thash) != 3) {
- msg(LOG_WARNING, "Can't parse %s", buffer);
- fclose(file);
- return 2;
- }
-
- list_remove(list, tpath);
+ for (list_item_t *lptr = trust_file.first; lptr; lptr = lptr->next) {
+ list_remove(list, lptr->index);
if (list->count == 0)
break;
}
- fclose(file);
- return 0;
+cleanup:
+ list_empty(&trust_file);
+ return rc;
}
diff --color -ru a/src/library/trust-file.h b/src/library/trust-file.h
--- a/src/library/trust-file.h 2021-11-12 20:21:54.000000000 +0100
+++ b/src/library/trust-file.h 2021-12-08 13:25:43.441187113 +0100
@@ -30,8 +30,7 @@
#define TRUST_FILE_PATH "/etc/fapolicyd/fapolicyd.trust"
#define TRUST_DIR_PATH "/etc/fapolicyd/trust.d/"
-int trust_file_append(const char *fpath, const list_t *list);
-
+int trust_file_append(const char *fpath, list_t *list);
int trust_file_load(const char *fpath, list_t *list);
int trust_file_update_path(const char *fpath, const char *path);
int trust_file_delete_path(const char *fpath, const char *path);

117
SOURCES/fapolicyd-trust-file-append.patch
View File

@ -1,117 +0,0 @@
diff --color -ru a/src/library/trust-file.c b/src/library/trust-file.c
--- a/src/library/trust-file.c 2021-12-13 09:37:56.633741747 +0100
+++ b/src/library/trust-file.c 2021-12-13 13:44:13.689151921 +0100
@@ -176,8 +176,11 @@
list_t content;
list_init(&content);
int rc = trust_file_load(fpath, &content);
- if (rc)
+ // if trust file does not exist, we ignore it as it will be created while writing
+ if (rc == 2) {
+ // exit on parse error, we dont want invalid entries to be removed
return 1;
+ }
for (list_item_t *lptr = list->first; lptr; lptr = lptr->next) {
int i = 0;
@@ -187,9 +190,16 @@
list_merge(&content, list);
write_out_list(&content, fpath);
list_empty(&content);
- return rc ? 1 : 0;
+ return 0;
}
+/**
+ * @brief Load trust file into list
+ *
+ * @param fpath Full path to trust file
+ * @param list Trust file will be loaded into this list
+ * @return 0 on success, 1 if file can't be open, 2 on parsing error
+ */
int trust_file_load(const char *fpath, list_t *list)
{
char buffer[BUFFER_SIZE];
@@ -197,10 +207,8 @@
long line = 0;
FILE *file = fopen(fpath, "r");
- if (!file) {
- msg(LOG_ERR, "Cannot open %s", fpath);
+ if (!file)
return 1;
- }
while (fgets(buffer, BUFFER_SIZE, file)) {
char name[4097], sha[65], *index = NULL, *data = NULL;
@@ -257,7 +265,17 @@
{
list_t list;
list_init(&list);
- trust_file_load(fpath, &list);
+ int rc = trust_file_load(fpath, &list);
+ switch (rc) {
+ case 1:
+ msg(LOG_ERR, "Cannot open %s", fpath);
+ return 0;
+ case 2:
+ list_empty(&list);
+ return -1;
+ default:
+ break;
+ }
int count = 0;
size_t path_len = strlen(path);
@@ -295,7 +313,17 @@
{
list_t list;
list_init(&list);
- trust_file_load(fpath, &list);
+ int rc = trust_file_load(fpath, &list);
+ switch (rc) {
+ case 1:
+ msg(LOG_ERR, "Cannot open %s", fpath);
+ return 0;
+ case 2:
+ list_empty(&list);
+ return -1;
+ default:
+ break;
+ }
int count = 0;
size_t path_len = strlen(path);
@@ -320,20 +348,26 @@
{
list_t trust_file;
list_init(&trust_file);
-
int rc = trust_file_load(fpath, &trust_file);
- if (rc)
- goto cleanup;
-
+ switch (rc) {
+ case 1:
+ msg(LOG_ERR, "Cannot open %s", fpath);
+ return -1;
+ case 2:
+ list_empty(&trust_file);
+ return -1;
+ default:
+ break;
+ }
+
for (list_item_t *lptr = trust_file.first; lptr; lptr = lptr->next) {
list_remove(list, lptr->index);
if (list->count == 0)
break;
}
-cleanup:
list_empty(&trust_file);
- return rc;
+ return 0;
}

103
SPECS/fapolicyd.spec
View File

@ -4,8 +4,8 @@
Summary: Application Whitelisting Daemon
Name: fapolicyd
Version: 1.0.4
Release: 101%{?dist}
Version: 1.1
Release: 100%{?dist}
License: GPLv3+
URL: http://people.redhat.com/sgrubb/fapolicyd
Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
@ -32,11 +32,6 @@ Requires(postun): systemd-units
Patch1: fapolicyd-uthash-bundle.patch
Patch2: fapolicyd-selinux.patch
Patch3: fapolicyd-do-manage-files.patch
Patch4: fapolicyd-documentation.patch
Patch5: fapolicyd-fix-escaping.patch
Patch6: fapolicyd-trust-file-append.patch
Patch7: fapolicyd-detect-sharedlib.patch
%description
Fapolicyd (File Access Policy Daemon) implements application whitelisting
@ -83,15 +78,10 @@ Don't use dnf and rpm plugin together.
%endif
%patch2 -p1 -b .selinux
%patch3 -p1 -b .do-manage-files
%patch4 -p1 -b .documentation
%patch5 -p1 -b .fix-escaping
%patch6 -p1 -b .trust-file-append
%patch7 -p1 -b .detect-sharedlib
sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-linux-*.so.*' | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
%build
./autogen.sh
@ -115,14 +105,15 @@ make check
%selinux_relabel_pre -s %{selinuxtype}
%install
make DESTDIR="%{buildroot}" INSTALL='install -p' install
%make_install
mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/
install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/
install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf
install -p -m 644 init/%{name}.rules.known-libs %{buildroot}/%{_sysconfdir}/%{name}/%{name}.rules
mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}
mkdir -p %{buildroot}/run/%{name}
mkdir -p %{buildroot}%{_sysconfdir}/%{name}/trust.d
mkdir -p %{buildroot}%{_sysconfdir}/%{name}/rules.d
# selinux
install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
@ -131,34 +122,37 @@ install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
#cleanup
find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
find %{buildroot} \( -name '*.la' -o -name '*.a' \) -delete
%pre
getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
%pretrans -p <lua>
if posix.access("/run/fapolicyd.pid", "f") then
os.execute([[
c=/etc/fapolicyd/fapolicyd.rules
rule="allow perm=any uid=0 : all"
if test -e $c; then
if systemctl is-active fapolicyd &> /dev/null; then
tmp=`mktemp`
cat $c > $tmp
echo "$rule" > $c
cat $tmp >> $c
systemctl restart fapolicyd || true
sleep 10
cat $tmp > $c
rm -f $tmp
fi
fi
]])
end
%post
# if no pre-existing rule file
if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
files=`ls %{_sysconfdir}/%{name}/rules.d/ 2>/dev/null | wc -w`
# Only if no pre-existing component rules
if [ "$files" -eq 0 ] ; then
## Install the known libs policy
cp %{_datadir}/%{name}/sample-rules/10-languages.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/20-patterns.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/30-dracut.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/30-updaters.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/40-bad-elf.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/41-shared-obj.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/42-trusted-elf.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/70-trusted-lang.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/72-shell.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/90-deny-execute.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/95-allow-open.rules %{_sysconfdir}/%{name}/rules.d/
chgrp %{name} %{_sysconfdir}/%{name}/rules.d/*
if [ -x /usr/sbin/restorecon ] ; then
# restore correct label
/usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/*
fi
fagenrules --load
fi
fi
%systemd_post %{name}.service
%preun
@ -172,26 +166,32 @@ end
%{!?_licensedir:%global license %%doc}
%license COPYING
%attr(755,root,%{name}) %dir %{_datadir}/%{name}
%attr(644,root,%{name}) %{_datadir}/%{name}/%{name}.rules.*
%attr(755,root,%{name}) %dir %{_datadir}/%{name}/sample-rules
%attr(644,root,%{name}) %{_datadir}/%{name}/sample-rules/*
%attr(644,root,%{name}) %{_datadir}/%{name}/fapolicyd-magic.mgc
%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/trust.d
%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/rules.d
%ghost %{_sysconfdir}/%{name}/rules.d/*
%ghost %{_sysconfdir}/%{name}/%{name}.rules
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
%ghost %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules
%attr(644,root,root) %{_unitdir}/%{name}.service
%attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
%attr(755,root,root) %{_sbindir}/%{name}
%attr(755,root,root) %{_sbindir}/%{name}-cli
%attr(755,root,root) %{_sbindir}/fagenrules
%attr(644,root,root) %{_mandir}/man8/*
%attr(644,root,root) %{_mandir}/man5/*
%attr(644,root,root) %{_mandir}/man1/*
%attr(644,root,root) %{_datadir}/%{name}/*
%ghost %{_localstatedir}/log/%{name}-access.log
%ghost %attr(440,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/log/%{name}-access.log
%attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name}
%attr(770,root,%{name}) %dir /run/%{name}
%ghost /run/%{name}/%{name}.fifo
%ghost %{_localstatedir}/lib/%{name}/data.mdb
%ghost %{_localstatedir}/lib/%{name}/lock.mdb
%ghost %attr(660,root,%{name}) /run/%{name}/%{name}.fifo
%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/data.mdb
%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/lock.mdb
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
@ -216,6 +216,15 @@ fi
%changelog
* Wed Feb 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-100
RHEL 9.0.0 ERRATUM
- rebase to 1.1
Resolves: rhbz#2032408
- introduce rules.d
Resolves: rhbz#2054740
- remove pretrans scriptlet
Resolve: rhbz#2051481
* Tue Dec 14 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.4-101
RHEL 9.0.0 ERRATUM
- rebase to 1.0.4