import fapolicyd-1.0.3-4.el9
d4a6343324
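--- a/.fapolicyd.metadata
+++ b/.fapolicyd.metadata
@@ -0,0 +1,3 @@
+ff34a919c42f1256d0f6507cce70773d9e663447 SOURCES/fapolicyd-1.0.3.tar.gz
+bdbe20a4db2cd58073abf17a537e3a6766cdea21 SOURCES/fapolicyd-selinux-0.4.tar.gz
+fbafa356359ace80787ce6634d84425b40d90907 SOURCES/uthash-2.3.0.tar.gz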
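--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,3 @@
+SOURCES/fapolicyd-1.0.3.tar.gz
+SOURCES/fapolicyd-selinux-0.4.tar.gz
+SOURCES/uthash-2.3.0.tar.gz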
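--- a/SOURCES/fapolicyd-selinux-allow-boot-home.patch
+++ b/SOURCES/fapolicyd-selinux-allow-boot-home.patch
@@ -0,0 +1,40 @@
+From a1a9a59f93ebfe6d0c9d725ed0712210994e6d64 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 6 Apr 2021 16:06:48 +0200
+Subject: [PATCH] Allow fapolicyd watch boot and home directories
+
+The fapolicyd service needs watch_mount and watch_with_perm permissions
+for fanotify/inotify/dnotify calls on the following directories:
+- /boot and /boot/efi directories
+- /home directories
+
+Note the /boot/efi directory has the dosfs_t label.
+---
+fapolicyd.te | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te
+index f5d0052..c12f385 100644
+--- a/fapolicyd-selinux-0.4/fapolicyd.te
++++ b/fapolicyd-selinux-0.4/fapolicyd.te
+@@ -63,14 +63,20 @@ domain_read_all_domains_state(fapolicyd_t)
+
+files_mmap_usr_files(fapolicyd_t)
+files_read_all_files(fapolicyd_t)
++files_watch_mount_boot_dirs(fapolicyd_t)
++files_watch_with_perm_boot_dirs(fapolicyd_t)
+files_watch_mount_generic_tmp_dirs(fapolicyd_t)
+files_watch_with_perm_generic_tmp_dirs(fapolicyd_t)
++files_watch_mount_home(fapolicyd_t)
++files_watch_with_perm_home(fapolicyd_t)
+files_watch_mount_root_dirs(fapolicyd_t)
+files_watch_with_perm_root_dirs(fapolicyd_t)
+
+fs_getattr_xattr_fs(fapolicyd_t)
+fs_watch_mount_tmpfs_dirs(fapolicyd_t)
+fs_watch_with_perm_tmpfs_dirs(fapolicyd_t)
++fs_watch_mount_dos_dirs(fapolicyd_t)
++fs_watch_with_perm_dos_dirs(fapolicyd_t)
+
+logging_send_syslog_msg(fapolicyd_t)
+dbus_system_bus_client(fapolicyd_t)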
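Review bot: `fs_watch_mount_dos_dirs` and `fs_watch_with_perm_dos_dirs` apply to the `dosfs_t` type as a whole, whereas the patch description motivates them only with /boot/efi; presumably every vfat mount carries that label, so the grant is broader than the stated need and the .te should say so, e.g. `# /boot/efi is dosfs_t; this also covers any other vfat mount`. The `files_watch_mount_home`/`files_watch_with_perm_home` pair likewise targets `home_root_t` rather than a path, which is fine for mount-level marking but worth a one-line comment for the same reason. No code change is needed; the rules match what the description says fapolicyd requires.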
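--- a/SOURCES/fapolicyd-selinux-watch-perm.patch
+++ b/SOURCES/fapolicyd-selinux-watch-perm.patch
@@ -0,0 +1,31 @@
+From 6a966a3ee89233a0a055712f39ca564ba91183bf Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 15 Apr 2021 16:56:08 +0200
+Subject: [PATCH] Allow fapolicyd watch_mount/watch_with_perm all files and
+directories
+
+For the fanotify_mark() syscall, fapolicyd uses the FAN_MARK_MOUNT flag
+to mark the file's mount point to monitor. As this can be any file or
+directory on the filesystem, the SELinux watch_mount and watch_with_perm
+permissions are allowed for the file_type attribute.
+---
+fapolicyd.te | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te
+index c12f385..582e03f 100644
+--- a/fapolicyd-selinux-0.4/fapolicyd.te
++++ b/fapolicyd-selinux-0.4/fapolicyd.te
+@@ -36,6 +36,12 @@ allow fapolicyd_t self:process { setcap setsched };
+allow fapolicyd_t self:unix_stream_socket create_stream_socket_perms;
+allow fapolicyd_t self:unix_dgram_socket create_socket_perms;
+
++gen_require(`
++ attribute file_type;
++')
++allow fapolicyd_t file_type:dir { watch_mount watch_with_perm };
++allow fapolicyd_t file_type:file { watch_mount watch_with_perm };
++
+manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t)
+logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)
+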
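Review bot: The attribute-wide `allow fapolicyd_t file_type:dir { watch_mount watch_with_perm };` and its `:file` twin subsume the boot/home/dos interface calls that fapolicyd-selinux-allow-boot-home.patch adds further down the same .te, so after both patches the policy states its scope twice in two different ways. Either drop the narrower calls or put the rationale from this commit message next to the rule, e.g. `# FAN_MARK_MOUNT can target any mount, so watch perms are needed on all file_type objects`, so a later reader does not trim the broad rule back to the named directories. With watch_with_perm the daemon can presumably hold every open on those mounts until it answers, which is exactly why the breadth deserves to be documented in the policy itself rather than only in the commit message.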
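--- a/SOURCES/fapolicyd-uthash-bundle.patch
+++ b/SOURCES/fapolicyd-uthash-bundle.patch
@@ -0,0 +1,39 @@
+diff -up ./configure.ac.uthash ./configure.ac
+--- ./configure.ac.uthash 2021-03-25 22:12:48.164450403 +0100
++++ ./configure.ac 2021-03-25 22:13:01.067282788 +0100
+@@ -67,10 +67,6 @@ AC_CHECK_HEADER(sys/fanotify.h, , [AC_MS
+["Couldn't find sys/fanotify.h...your kernel might not be new enough"] )])
+AC_CHECK_FUNCS(fexecve, [], [])
+
+-AC_CHECK_HEADER(uthash.h, , [AC_MSG_ERROR(
+-["Couldn't find uthash.h...uthash-devel is missing"] )])
+-
+-
+echo .
+echo Checking for required libraries
+AC_CHECK_LIB(udev, udev_device_get_devnode, , [AC_MSG_ERROR([libudev not found])], -ludev)
+diff -up ./src/library/rpm-backend.c.uthash ./src/library/rpm-backend.c
+--- ./src/library/rpm-backend.c.uthash 2021-01-05 16:27:53.000000000 +0100
++++ ./src/library/rpm-backend.c 2021-03-25 22:12:33.212644641 +0100
+@@ -32,7 +32,7 @@
+#include <rpm/rpmdb.h>
+#include <fnmatch.h>
+
+-#include <uthash.h>
++#include "uthash.h"
+
+#include "message.h"
+
+diff -up ./src/Makefile.am.uthash ./src/Makefile.am
+--- ./src/Makefile.am.uthash 2021-01-05 16:27:53.000000000 +0100
++++ ./src/Makefile.am 2021-03-25 22:12:33.212644641 +0100
+@@ -5,6 +5,9 @@ AM_CPPFLAGS = \
+-I${top_srcdir} \
+-I${top_srcdir}/src/library
+
++AM_CPPFLAGS += \
++ -I${top_srcdir}/uthash-2.3.0/include
++
+sbin_PROGRAMS = fapolicyd fapolicyd-cli
+lib_LTLIBRARIES= libfapolicyd.la
+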
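Review bot: The Makefile.am hunk hardcodes the bundled version in `-I${top_srcdir}/uthash-2.3.0/include`, so every uthash bump has to be made in lockstep here, in the spec's Source2 and in the directory name that `%setup -a 2` unpacks; deriving the directory once in configure.ac (an AC_SUBST'd variable used from this line) would leave a single place to update. The configure.ac hunk removes the `AC_CHECK_HEADER(uthash.h, ...)` probe outright rather than skipping it when the bundled copy is present, which is only safe because the spec applies this patch solely under `%if 0%{?rhel} != 0`; a line in the patch header recording that assumption would help whoever next reconciles the Fedora and RHEL builds. The rpm-backend.c change to `#include "uthash.h"` is consistent with the added include path.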
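--- a/SOURCES/selinux-backport.patch
+++ b/SOURCES/selinux-backport.patch
@@ -0,0 +1,136 @@
+diff -up ./fapolicyd-selinux-0.4/fapolicyd.if.backport ./fapolicyd-selinux-0.4/fapolicyd.if
+--- ./fapolicyd-selinux-0.4/fapolicyd.if.backport 2021-03-23 10:21:31.000000000 +0100
++++ ./fapolicyd-selinux-0.4/fapolicyd.if 2021-07-20 17:38:51.266053356 +0200
+@@ -2,6 +2,122 @@
+
+########################################
+## <summary>
++## Watch_mount directories in /boot.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++
++ifndef(`files_watch_mount_boot_dirs',`
++ interface(`files_watch_mount_boot_dirs',`
++ gen_require(`
++ type boot_t;
++ ')
++
++ allow $1 boot_t:dir watch_mount_dir_perms;
++ ')
++')
++
++
++########################################
++## <summary>
++## Watch_mount home directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++
++ifndef(`files_watch_mount_home',`
++ interface(`files_watch_mount_home',`
++ gen_require(`
++ type home_root_t;
++ ')
++
++ allow $1 home_root_t:dir watch_mount_dir_perms;
++ ')
++')
++
++
++########################################
++## <summary>
++## Watch_with_perm home directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++
++ifndef(`files_watch_with_perm_home',`
++interface(`files_watch_with_perm_home',`
++ gen_require(`
++ type home_root_t;
++ ')
++
++ allow $1 home_root_t:dir watch_with_perm_dir_perms;
++')
++')
++
++
++########################################
++## <summary>
++## Watch_mount dirs on a DOS filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++
++ifndef(`fs_watch_mount_dos_dirs',`
++interface(`fs_watch_mount_dos_dirs',`
++ gen_require(`
++ type dosfs_t;
++ ')
++
++ watch_mount_dirs_pattern($1, dosfs_t, dosfs_t)
++')
++')
++
++
++
++########################################
++## <summary>
++## Watch_with_perm dirs on a DOS filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++
++ifndef(`fs_watch_with_perm_dos_dirs',`
++interface(`fs_watch_with_perm_dos_dirs',`
++ gen_require(`
++ type dosfs_t;
++ ')
++
++ watch_with_perm_dirs_pattern($1, dosfs_t, dosfs_t)
++')
++')
++
++
++###################################################################################################
++
++
++
++
++########################################
++## <summary>
+## Execute fapolicyd_exec_t in the fapolicyd domain.
+## </summary>
+## <param name="domain">
+diff -up ./fapolicyd-selinux-0.4/fapolicyd.te.backport ./fapolicyd-selinux-0.4/fapolicyd.te
+--- ./fapolicyd-selinux-0.4/fapolicyd.te.backport 2021-07-20 17:31:12.161166538 +0200
++++ ./fapolicyd-selinux-0.4/fapolicyd.te 2021-07-20 17:31:12.162166524 +0200
+@@ -1,5 +1,6 @@
+policy_module(fapolicyd, 1.0.0)
+
++
+########################################
+#
+# Declarations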
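Review bot: `files_watch_with_perm_boot_dirs`, which fapolicyd-selinux-allow-boot-home.patch calls right after `files_watch_mount_boot_dirs(fapolicyd_t)`, has no `ifndef` fallback here, while the other five interfaces that patch uses do; the module build therefore still depends on selinux-policy-devel in the buildroot defining that one interface, and the "hardcode missing selinux definitions" intent stated for Patch4 in the spec is incomplete. A matching guarded block using `watch_with_perm_dir_perms` on `boot_t`, mirroring the mount one, would close the gap; if the omission is deliberate because the buildroot policy is known to provide it, say so in the patch header. Separately, the `interface(` lines of the last three blocks are not indented inside their `ifndef` while the first two are; the rendering may have dropped whitespace, but as shown the five blocks are formatted inconsistently.
```m4
# … unchanged: files_watch_mount_boot_dirs block …

########################################
## <summary>
##	Watch_with_perm directories in /boot.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
ifndef(`files_watch_with_perm_boot_dirs',`
	interface(`files_watch_with_perm_boot_dirs',`
		gen_require(`
			type boot_t;
		')

		allow $1 boot_t:dir watch_with_perm_dir_perms;
	')
')
```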
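--- a/SPECS/fapolicyd.spec
+++ b/SPECS/fapolicyd.spec
@@ -0,0 +1,355 @@
+%global selinuxtype targeted
+%global moduletype contrib
+%define semodule_version 0.4
+
+Summary: Application Whitelisting Daemon
+Name: fapolicyd
+Version: 1.0.3
+Release: 4%{?dist}
+License: GPLv3+
+URL: http://people.redhat.com/sgrubb/fapolicyd
+Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
+Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz
+# we bundle uthash for rhel9
+Source2: https://github.com/troydhanson/uthash/archive/refs/tags/v2.3.0.tar.gz#/uthash-2.3.0.tar.gz
+BuildRequires: gcc
+BuildRequires: kernel-headers
+BuildRequires: autoconf automake make gcc libtool
+BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel file
+BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
+BuildRequires: python3-devel
+
+%if 0%{?rhel} == 0
+BuildRequires: uthash-devel
+%endif
+
+Requires: %{name}-plugin
+Recommends: %{name}-selinux
+Requires(pre): shadow-utils
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+
+Patch1: fapolicyd-uthash-bundle.patch
+Patch2: fapolicyd-selinux-allow-boot-home.patch
+Patch3: fapolicyd-selinux-watch-perm.patch
+
+# hardcode missing selinux definitions from selinux-policy
+Patch4: selinux-backport.patch
+
+%description
+Fapolicyd (File Access Policy Daemon) implements application whitelisting
+to decide file access rights. Applications that are known via a reputation
+source are allowed access while unknown applications are not. The daemon
+makes use of the kernel's fanotify interface to determine file access rights.
+
+%package selinux
+Summary: Fapolicyd selinux
+Group: Applications/System
+Requires: %{name} = %{version}-%{release}
+BuildRequires: selinux-policy
+BuildRequires: selinux-policy-devel
+BuildArch: noarch
+%{?selinux_requires}
+
+%description selinux
+The %{name}-selinux package contains selinux policy for the %{name} daemon.
+
+%package dnf-plugin
+Summary: Fapolicyd dnf plugin
+Group: Applications/System
+Requires: %{name} = %{version}-%{release}
+BuildArch: noarch
+Provides: %{name}-plugin
+
+%description dnf-plugin
+The %{name}-dnf-plugin notifies %{name} daemon about dnf update.
+The dnf plugin will be replaced with rpm plugin later.
+Don't use dnf and rpm plugin together.
+
+
+%prep
+
+%setup -q
+
+# selinux
+%setup -q -D -T -a 1
+
+%if 0%{?rhel} != 0
+# uthash
+%setup -q -D -T -a 2
+%patch1 -p1 -b .uthash
+%endif
+
+%patch2 -p1 -b .home-boot
+%patch3 -p1 -b .watch-perm
+
+%patch4 -p1 -b .backport
+
+sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
+sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
+sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
+
+%build
+./autogen.sh
+%configure \
+--with-audit \
+--with-rpm \
+--disable-shared
+
+make CFLAGS="%{optflags}" %{?_smp_mflags}
+
+# selinux
+pushd %{name}-selinux-%{semodule_version}
+make
+popd
+
+%check
+make check
+
+# selinux
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%install
+make DESTDIR="%{buildroot}" INSTALL='install -p' install
+mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/
+install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/
+install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf
+install -p -m 644 init/%{name}.rules.known-libs %{buildroot}/%{_sysconfdir}/%{name}/%{name}.rules
+mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}
+mkdir -p %{buildroot}/run/%{name}
+
+# selinux
+install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
+install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
+
+#cleanup
+find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
+
+%pre
+getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
+
+%pretrans -p <lua>
+if posix.access("/run/fapolicyd.pid", "f") then
+os.execute([[
+c=/etc/fapolicyd/fapolicyd.rules
+rule="allow perm=any uid=0 : all"
+
+if test -e $c; then
+if systemctl is-active fapolicyd &> /dev/null; then
+tmp=`mktemp`
+cat $c > $tmp
+echo "$rule" > $c
+cat $tmp >> $c
+systemctl restart fapolicyd || true
+sleep 10
+cat $tmp > $c
+rm -f $tmp
+fi
+fi
+]])
+end
+
+
+%post
+%systemd_post %{name}.service
+
+%preun
+%systemd_preun %{name}.service
+
+%postun
+%systemd_postun_with_restart %{name}.service
+
+%files
+%doc README.md
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%attr(755,root,%{name}) %dir %{_datadir}/%{name}
+%attr(644,root,%{name}) %{_datadir}/%{name}/%{name}.rules.*
+%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
+%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
+%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
+%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
+%attr(644,root,root) %{_unitdir}/%{name}.service
+%attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
+%attr(755,root,root) %{_sbindir}/%{name}
+%attr(755,root,root) %{_sbindir}/%{name}-cli
+%attr(644,root,root) %{_mandir}/man8/*
+%attr(644,root,root) %{_mandir}/man5/*
+%attr(644,root,root) %{_mandir}/man1/*
+%attr(644,root,root) %{_datadir}/%{name}/*
+%ghost %{_localstatedir}/log/%{name}-access.log
+%attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name}
+%attr(770,root,%{name}) %dir /run/%{name}
+%ghost /run/%{name}/%{name}.fifo
+%ghost %{_localstatedir}/lib/%{name}/data.mdb
+%ghost %{_localstatedir}/lib/%{name}/lock.mdb
+
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
+%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+%selinux_relabel_post -s %{selinuxtype}
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+%selinux_modules_uninstall -s %{selinuxtype} %{name}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+
+%files dnf-plugin
+%{python3_sitelib}/dnf-plugins/%{name}-dnf-plugin.py
+%{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc
+
+
+%changelog
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.3-4
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+Related: rhbz#1991688
+
+* Tue Jul 20 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.3-3
+RHEL 9 BETA
+- SELinux prevents fapolicyd from watch_mount/watch_with_perm on /dev/shm
+Resolves: rhbz#1932225
+Resolves: rhbz#1977731
+
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.3-2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Thu Apr 01 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.3-1
+- rebase to 1.0.3
+- sync fedora with rhel
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jan 06 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.2-1
+- rebase to 1.0.2
+- enabled make check
+- dnf-plugin is now required subpackage
+
+* Mon Nov 16 2020 Radovan Sroka <rsroka@redhat.com> - 1.0.1-1
+- rebase to 1.0.1
+- introduced uthash dependency
+- SELinux prevents the fapolicyd process from writing to /run/dbus/system_bus_socket
+Resolves: rhbz#1874491
+- SELinux prevents the fapolicyd process from writing to /var/lib/rpm directory
+Resolves: rhbz#1876538
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jun 24 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3
+- backported few cosmetic small patches from upstream master
+- rebase selinux tarbal to v0.3
+- file context pattern for /run/fapolicyd.pid is missing
+Resolves: rhbz#1834674
+
+* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 1.0-2
+- Rebuilt for Python 3.9
+
+* Mon May 25 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-1
+- rebase fapolicyd to 1.0
+- allowed sys_ptrace for user namespace
+
+* Mon Mar 23 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.4-1
+- rebase fapolicyd to 0.9.4
+- polished the pattern detection engine
+- rpm backend now drops most of the files in /usr/share/ to dramatically reduce
+memory consumption and improve startup speed
+- the commandline utility can now delete the lmdb trust database and manage
+the file trust source
+
+* Mon Feb 24 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.3-1
+- rebase fapolicyd to 0.9.3
+- dramatically improved startup time
+- fapolicyd-cli has picked up --list and --ftype commands to help debug/write policy
+- file type identification has been improved
+- trust database statistics have been added to the reports
+
+* Tue Feb 04 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.2-2
+- Label all fifo_file as fapolicyd_var_run_t in /var/run.
+- Allow fapolicyd_t domain to create fifo files labeled as
+fapolicyd_var_run_t
+
+* Fri Jan 31 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.2-1
+- rebase fapolicyd to 0.9.2
+- allows watched mount points to be specified by file system types
+- ELF file detection was improved
+- the rules have been rewritten to express the policy based on subject
+object trust for better performance and reliability
+- exceptions for dracut and ansible were added to the rules to avoid problems
+under normal system use
+- adds an admin defined trust database (fapolicyd.trust)
+- setting boost, queue, user, and group on the daemon
+command line are deprecated
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Tue Nov 05 2019 Marek Tamaskovic <mtamasko@redhat.com> - 0.9-3
+- Updated fapolicyd-selinux subpackage to v0.2
+Selinux subpackage is recommended for fapolicyd.
+
+* Mon Oct 07 2019 Radovan Sroka <rsroka@redhat.com> - 0.9-2
+- Added fapolicyd-selinux subpackage
+
+* Mon Oct 07 2019 Radovan Sroka <rsroka@redhat.com> - 0.9-1
+- rebase to v0.9
+
+* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 0.8.10-2
+- Rebuilt for Python 3.8.0rc1 (#1748018)
+
+* Wed Aug 28 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-1
+- rebase to 0.8.10
+- generate python paths dynamically
+
+* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 0.8.9-5
+- Rebuilt for Python 3.8
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.9-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Mon Jun 10 22:13:18 CET 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.8.9-3
+- Rebuild for RPM 4.15
+
+* Mon Jun 10 15:42:01 CET 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.8.9-2
+- Rebuild for RPM 4.15
+
+* Mon May 06 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.9-1
+- New upstream release
+
+* Wed Mar 13 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.8-2
+- backport some patches to resolve dac_override for fapolicyd
+
+* Mon Mar 11 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.8-1
+- New upstream release
+- Added new DNF plugin that can update the trust database when rpms are installed
+- Added support for FAN_OPEN_EXEC_PERM
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+
+* Wed Oct 03 2018 Steve Grubb <sgrubb@redhat.com> 0.8.7-1
+- New upstream bugfix release
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Jun 07 2018 Steve Grubb <sgrubb@redhat.com> 0.8.6-1
+- New upstream feature release
+
+* Fri May 18 2018 Steve Grubb <sgrubb@redhat.com> 0.8.5-2
+- Add dist tag (#1579362)
+
+* Fri Feb 16 2018 Steve Grubb <sgrubb@redhat.com> 0.8.5-1
+- New release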
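Review bot: The `%pretrans` Lua block temporarily prepends `rule="allow perm=any uid=0 : all"` to /etc/fapolicyd/fapolicyd.rules, restarts the daemon, sleeps 10 s and only then restores the saved copy, so an interruption between `echo "$rule" > $c` and `cat $tmp > $c` (or a failed `cat $tmp >> $c`) leaves the root-allow-everything rule in the live rules file until someone notices. Setting `trap 'cat $tmp > $c; rm -f $tmp' EXIT` immediately after `cat $c > $tmp` makes the restore unconditional, and the fixed `sleep 10` deserves a comment saying it is a guess at the restart time rather than a synchronisation point. Separately, the `%if 0%{?rhel} != 0` bundling of uthash is not declared with `Provides: bundled(uthash) = 2.3.0`, which the Fedora/RHEL bundling guidelines ask for so the embedded copy is tracked for security updates.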