import OL fapolicyd-1.3.3-106.0.1.el9_6.1

.fapolicyd.metadata

@@ -1,3 +1,3 @@
-f4fc52c6ec16cec13405d66752c0b222fff893e7 SOURCES/fapolicyd-1.3.2.tar.gz
-e61573db3de4d229377eebff8252765058ad4ab9 SOURCES/fapolicyd-selinux-0.6.tar.gz
+0c3e18b68cc92611ed45fe884229351eaebdf170 SOURCES/fapolicyd-1.3.3.tar.gz
+ec91994fc4257a8d1a76e1c98eeccaf97ef4178f SOURCES/fapolicyd-selinux-0.7.tar.gz
 fbafa356359ace80787ce6634d84425b40d90907 SOURCES/uthash-2.3.0.tar.gz

.gitignore

@@ -1,3 +1,3 @@
-SOURCES/fapolicyd-1.3.2.tar.gz
-SOURCES/fapolicyd-selinux-0.6.tar.gz
+SOURCES/fapolicyd-1.3.3.tar.gz
+SOURCES/fapolicyd-selinux-0.7.tar.gz
 SOURCES/uthash-2.3.0.tar.gz

SOURCES/Add-var-lib-fapolicyd-to-tmpfiles.patch

@@ -0,0 +1,28 @@
+From de7b5e953e56ecad497878d1113abd8c10d8a453 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <lautrbach@redhat.com>
+Date: Fri, 15 Aug 2025 12:38:04 +0200
+Subject: [PATCH] Add /var/lib/fapolicyd to tmpfiles
+Content-type: text/plain
+
+On image based system, /var/lib/fapolicyd is not created during rpm
+installation but needs to be created during boot using tmpfiles.d
+
+Fixes:
+    fapolicyd[1463]: Failed writing db version No such file or directory
+
+Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
+---
+ init/fapolicyd-tmpfiles.conf | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/init/fapolicyd-tmpfiles.conf b/init/fapolicyd-tmpfiles.conf
+index 24459d340d3c..84fbaa1cf6ed 100644
+--- a/init/fapolicyd-tmpfiles.conf
++++ b/init/fapolicyd-tmpfiles.conf
+@@ -1,1 +1,3 @@
+ d /run/fapolicyd 0770 root fapolicyd -
++d /var/lib/fapolicyd 770 root fapolicyd -
++Z /etc/fapolicyd - root fapolicyd -
+-- 
+2.50.1
+

SOURCES/fapolicyd-1.0.increase.db.max.size.patch

@@ -0,0 +1,14 @@
+Signed-off-by: Darren Archibald <darren.archibald@oracle.com>
+----
+diff -Nur fapolicyd-1.1.3.orig/init/fapolicyd.conf fapolicyd-1.1.3/init/fapolicyd.conf
+--- fapolicyd-1.1.3.orig/init/fapolicyd.conf	2022-06-21 07:55:47.000000000 -0700
++++ fapolicyd-1.1.3/init/fapolicyd.conf	2022-10-03 06:23:23.992682955 -0700
+@@ -10,7 +10,7 @@
+ gid = fapolicyd
+ do_stat_report = 1
+ detailed_report = 1
+-db_max_size = 50
++db_max_size = 100
+ subj_cache_size = 1549
+ obj_cache_size = 8191
+ watch_fs = ext2,ext3,ext4,tmpfs,xfs,vfat,iso9660,btrfs

SOURCES/fapolicyd-data-format.patch

@@ -0,0 +1,27 @@
+From 6ce38340bd0ed3863259224de613ef6a29ca9297 Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Sun, 20 Jul 2025 20:56:34 +0200
+Subject: [PATCH] ddasd
+
+Signed-off-by: Radovan Sroka <rsroka@redhat.com>
+---
+ src/library/fapolicyd-backend.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/library/fapolicyd-backend.h b/src/library/fapolicyd-backend.h
+index 2844780..26f0a54 100644
+--- a/src/library/fapolicyd-backend.h
++++ b/src/library/fapolicyd-backend.h
+@@ -32,7 +32,8 @@
+ typedef enum { SRC_UNKNOWN, SRC_RPM, SRC_FILE_DB, SRC_DEB } trust_src_t;
+ 
+ // source, size, sha
+-#define DATA_FORMAT "%u %lu %64s"
++// do not pad the hash value so SHA1 and SHA256 digests parse correctly
++#define DATA_FORMAT "%u %lu %s"
+ 
+ typedef struct _backend
+ {
+-- 
+2.50.1
+

SOURCES/fapolicyd-infinite-loop.patch

@@ -0,0 +1,67 @@
+From baf402ccaf16bc993ce34d4e4ed08aa283cd2c94 Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Fri, 18 Jul 2025 10:55:12 +0200
+Subject: [PATCH] Fix an infinite loop
+
+- either malloc fail or corruped data from lmdb can cause
+"fapolicyd -D" to hang in infinite loop
+
+Signed-off-by: Radovan Sroka <rsroka@redhat.com>
+---
+ src/cli/fapolicyd-cli.c | 30 ++++++++++++++++--------------
+ 1 file changed, 16 insertions(+), 14 deletions(-)
+
+diff --git a/src/cli/fapolicyd-cli.c b/src/cli/fapolicyd-cli.c
+index 0c72733c..7eddf4e2 100644
+--- a/src/cli/fapolicyd-cli.c
++++ b/src/cli/fapolicyd-cli.c
+@@ -185,33 +185,35 @@ static int do_dump_db(void)
+ 		goto txn_abort;
+ 	}
+ 	do {
+-		char *path, *data, sha[65];
++		char *path = NULL, *data = NULL, sha[65];
+ 		unsigned int tsource;
+ 		off_t size;
+ 		const char *source;
+ 
+-		path = malloc(key.mv_size+1);
++		path = malloc(key.mv_size + 1);
+ 		if (!path)
+-			continue;
++			goto next_record;
++
+ 		memcpy(path, key.mv_data, key.mv_size);
+ 		path[key.mv_size] = 0;
+-		data = malloc(val.mv_size+1);
+-		if (!data) {
+-			free(path);
+-			continue;
+-		}
++		data = malloc(val.mv_size + 1);
++
++		if (!data)
++			goto next_record;
++
+ 		memcpy(data, val.mv_data, val.mv_size);
+ 		data[val.mv_size] = 0;
+-		if (sscanf(data, DATA_FORMAT, &tsource, &size, sha) != 3) {
+-			free(data);
+-			free(path);
+-			continue;
+-		}
++
++		if (sscanf(data, DATA_FORMAT, &tsource, &size, sha) != 3)
++			goto next_record;
++
+ 		source = lookup_tsource(tsource);
+ 		printf("%s %s %lu %s\n", source, path, size, sha);
++
++next_record:
+ 		free(data);
+ 		free(path);
+-		// Try to get the duplicate. If doesn't exist, get the next one
++		// Try to get the duplicate. If it doesn't exist, get the next one
+ 		rc = mdb_cursor_get(cursor, &key, &val, MDB_NEXT_DUP);
+ 		if (rc == MDB_NOTFOUND)
+ 			rc = mdb_cursor_get(cursor, &key, &val, MDB_NEXT_NODUP);

SOURCES/fapolicyd-leaks.patch

@@ -1,78 +0,0 @@
-From 248219377a034d7da9238e7424c97558395700e3 Mon Sep 17 00:00:00 2001
-From: Radovan Sroka <rsroka@redhat.com>
-Date: Tue, 18 Jul 2023 17:05:11 +0200
-Subject: [PATCH] Fix multiple leaks
-
-Signed-off-by: Radovan Sroka <rsroka@redhat.com>
----
- src/library/filter.c |  3 +++
- src/library/policy.c | 13 +++++++++++--
- src/library/rules.c  |  3 ---
- 3 files changed, 14 insertions(+), 5 deletions(-)
-
-diff --git a/src/library/filter.c b/src/library/filter.c
-index d5d8cca..eb378ca 100644
---- a/src/library/filter.c
-+++ b/src/library/filter.c
-@@ -472,9 +472,12 @@ int filter_load_file(void)
- 			msg(LOG_ERR, "filter_load_file: paring error line: %ld, \"%s\"", line_number, line);
- 			filter_destroy_obj(filter);
- 			free(line);
-+			line = NULL;
- 			goto bad;
- 		}
-+	}
- 
-+	if (line) {
- 		free(line);
- 		line = NULL;
- 	}
-diff --git a/src/library/policy.c b/src/library/policy.c
-index 7fe1210..31ff6e2 100644
---- a/src/library/policy.c
-+++ b/src/library/policy.c
-@@ -23,6 +23,7 @@
-  *   Radovan Sroka <rsroka@redhat.com>
-  */
- 
-+#include "attr-sets.h"
- #include "config.h"
- #include <stdbool.h>
- #include <stdio.h>
-@@ -273,12 +274,20 @@ int load_rules(const conf_t *_config)
- 		return 1;
- 
- 	FILE * f = open_file();
--	if (f == NULL)
-+	if (f == NULL) {
-+		destroy_attr_sets();
- 		return 1;
-+	}
- 
- 	int res = _load_rules(_config, f);
- 	fclose(f);
--	return res;
-+
-+	if (res) {
-+		destroy_attr_sets();
-+		return 1;
-+	}
-+
-+	return 0;
- }
- 
- void destroy_rules(void)
-diff --git a/src/library/rules.c b/src/library/rules.c
-index 5ffa40e..4a8b098 100644
---- a/src/library/rules.c
-+++ b/src/library/rules.c
-@@ -65,9 +65,6 @@ int rules_create(llist *l)
- 	l->cur = NULL;
- 	l->cnt = 0;
- 
--	if (init_attr_sets())
--		return 1;
--
- 	return  0;
- }
- 

SOURCES/fapolicyd-normal-pattern.patch

@@ -0,0 +1,27 @@
+From 0b42573e129c8c095536e15b326fe76b87da2601 Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Fri, 28 Feb 2025 18:02:16 +0100
+Subject: [PATCH] Fix normal pattern handling
+
+Signed-off-by: Radovan Sroka <rsroka@redhat.com>
+---
+ src/library/rules.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/library/rules.c b/src/library/rules.c
+index 849a6c39..7f8fc7f5 100644
+--- a/src/library/rules.c
++++ b/src/library/rules.c
+@@ -406,9 +406,10 @@ static int assign_subject(lnode *n, int type, const char *ptr2, int lineno)
+ 			goto free_and_error;
+ 		}
+ 
+-		if (strcmp(tmp,
+-			PATTERN_LD_SO_STR) == 0) {
++		if (strcmp(tmp,	PATTERN_LD_SO_STR) == 0) {
+ 			n->s[i].val = PATTERN_LD_SO_VAL;
++		} else if (strcmp(tmp, PATTERN_NORMAL_STR) == 0) {
++			n->s[i].val = PATTERN_NORMAL_VAL;
+ 		} else if (strcmp(tmp, PATTERN_STATIC_STR) == 0) {
+ 			n->s[i].val = PATTERN_STATIC_VAL;
+ 		} else if (strcmp(tmp, PATTERN_LD_PRELOAD_STR) == 0) {

SOURCES/fapolicyd-nss-lookup.patch

@@ -0,0 +1,26 @@
+diff --git a/init/fapolicyd.service b/init/fapolicyd.service
+index 7eb2841a..a1b7da90 100644
+--- a/init/fapolicyd.service
++++ b/init/fapolicyd.service
+@@ -1,6 +1,12 @@
++# You should manage this file with systemctl edit utility and not manually
++
+ [Unit]
+ Description=File Access Policy Daemon
+ DefaultDependencies=no
++# If rules need user/group lookup, create a drop-in to delay the startup after NSS lookup is available:
++#   # mkdir -p /etc/systemd/system/fapolicyd.service.d
++#   # echo -e "[Unit]\nAfter=nss-user-lookup.target local-fs.target systemd-tmpfiles-setup.service" > /etc/systemd/system/fapolicyd.service.d/nss-lookup.conf
++#   # systemctl daemon-reload
+ After=local-fs.target systemd-tmpfiles-setup.service
+ Documentation=man:fapolicyd(8)
+ 
+@@ -12,8 +18,6 @@ PIDFile=/run/fapolicyd.pid
+ ExecStartPre=/usr/sbin/fagenrules
+ ExecStart=/usr/sbin/fapolicyd
+ Restart=on-abnormal
+-# Uncomment the following line if rules need user/group name lookup
+-#After=nss-user-lookup.target
+ 
+ [Install]
+ WantedBy=multi-user.target

SOURCES/fapolicyd-rpm-loader.patch

@@ -0,0 +1,309 @@
+diff -up ./fapolicyd.spec.rpm-loader ./fapolicyd.spec
+--- ./fapolicyd.spec.rpm-loader	2024-04-29 17:59:11.000000000 +0200
++++ ./fapolicyd.spec	2025-05-18 20:11:39.722717947 +0200
+@@ -268,6 +268,7 @@ fi
+ %attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
+ %attr(755,root,root) %{_sbindir}/%{name}
+ %attr(755,root,root) %{_sbindir}/%{name}-cli
++%attr(755,root,root) %{_sbindir}/%{name}-rpm-loader
+ %attr(755,root,root) %{_sbindir}/fagenrules
+ %attr(644,root,root) %{_mandir}/man8/*
+ %attr(644,root,root) %{_mandir}/man5/*
+diff -up ./src/daemon/fapolicyd.c.rpm-loader ./src/daemon/fapolicyd.c
+--- ./src/daemon/fapolicyd.c.rpm-loader	2025-05-18 20:11:39.721683468 +0200
++++ ./src/daemon/fapolicyd.c	2025-05-18 20:11:39.722858226 +0200
+@@ -105,17 +105,19 @@ static void install_syscall_filter(void)
+ 	ctx = seccomp_init(SCMP_ACT_ALLOW);
+ 	if (ctx == NULL)
+ 		goto err_out;
+-
++#ifndef USE_RPM
+ 	rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EACCES),
+ 				SCMP_SYS(execve), 0);
+ 	if (rc < 0)
+ 		goto err_out;
+-#ifdef HAVE_FEXECVE
+-# ifdef __NR_fexecve
++
++# ifdef HAVE_FEXECVE
++#  ifdef __NR_fexecve
+ 	rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EACCES),
+ 				SCMP_SYS(fexecve), 0);
+ 	if (rc < 0)
+ 		goto err_out;
++#  endif
+ # endif
+ #endif
+ 	rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EIO),
+diff -up ./src/handler/fapolicyd-rpm-loader.c.rpm-loader ./src/handler/fapolicyd-rpm-loader.c
+--- ./src/handler/fapolicyd-rpm-loader.c.rpm-loader	2025-05-18 20:11:39.722986504 +0200
++++ ./src/handler/fapolicyd-rpm-loader.c	2025-05-18 20:13:48.417481732 +0200
+@@ -0,0 +1,85 @@
++/*
++ * fapolicy-rpm-loader.c - loader tool for fapolicyd
++ * Copyright (c) 2025-2025 Red Hat Inc.
++ * All Rights Reserved.
++ *
++ * This software may be freely redistributed and/or modified under the
++ * terms of the GNU General Public License as published by the Free
++ * Software Foundation; either version 2, or (at your option) any
++ * later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program; see the file COPYING. If not, write to the
++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
++ * Boston, MA 02110-1335, USA.
++ *
++ * Authors:
++ *   Radovan Sroka <rsroka@redhat.com>
++ */
++
++#include "config.h"
++#include <stdio.h>
++#include <string.h>
++#include <sys/syslog.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <fcntl.h>
++#include <unistd.h>
++#include <errno.h>
++#include <ctype.h>
++#include <magic.h>
++#include <stdlib.h>
++#include <getopt.h>
++#include <stdatomic.h>
++#include <lmdb.h>
++#include <limits.h>
++#include <signal.h>
++
++#include "backend-manager.h"
++#include "daemon-config.h"
++#include "message.h"
++#include "llist.h"
++#include "fd-fgets.h"
++#include "paths.h"
++
++volatile atomic_bool stop = 0;  // Library needs this
++unsigned int debug_mode = 0;			// Library needs this
++unsigned int permissive = 0;			// Library needs this
++
++
++int do_rpm_init_backend(void);
++int do_rpm_load_list(conf_t * conf);
++int do_rpm_destroy_backend(void);
++
++extern backend rpm_backend;
++
++int main(int argc, char * const argv[])
++{
++
++	set_message_mode(MSG_STDERR, DBG_YES);
++
++	conf_t config;
++
++	load_daemon_config(&config);
++
++	do_rpm_init_backend();
++	do_rpm_load_list(&config);
++
++	msg(LOG_INFO, "Loaded files %ld", rpm_backend.list.count);
++
++	list_item_t *item = list_get_first(&rpm_backend.list);
++	for (; item != NULL; item = item->next) {
++		printf("%s %s\n", (const char*)item->index, (const char*)item->data);
++	}
++
++	do_rpm_destroy_backend();
++
++	free_daemon_config(&config);
++	return 0;
++}
++
+diff -up ./src/library/rpm-backend.c.rpm-loader ./src/library/rpm-backend.c
+--- ./src/library/rpm-backend.c.rpm-loader	2025-05-18 20:11:39.718862697 +0200
++++ ./src/library/rpm-backend.c	2025-05-18 20:11:39.723077584 +0200
+@@ -23,8 +23,11 @@
+  */
+ 
+ #include "config.h"
++#include <ctype.h>
+ #include <stddef.h>
+ #include <sys/types.h>
++#include <sys/wait.h>
++#include <spawn.h>
+ #include <rpm/rpmlib.h>
+ #include <rpm/rpmts.h>
+ #include <rpm/rpmmacro.h>
+@@ -37,11 +40,16 @@
+ 
+ #include "message.h"
+ #include "gcc-attributes.h"
++#include "fd-fgets.h"
+ #include "fapolicyd-backend.h"
+ #include "llist.h"
+ 
+ #include "filter.h"
+ 
++int do_rpm_init_backend(void);
++int do_rpm_load_list(const conf_t *);
++int do_rpm_destroy_backend(void);
++
+ static int rpm_init_backend(void);
+ static int rpm_load_list(const conf_t *);
+ static int rpm_destroy_backend(void);
+@@ -183,9 +191,104 @@ struct _hash_record {
+ 	UT_hash_handle hh;
+ };
+ 
+-extern unsigned int debug_mode;
++#define BUFFER_SIZE 4096
++#define MAX_DELIMS 3
+ static int rpm_load_list(const conf_t *conf)
+ {
++	int pipefd[2];
++	if (pipe(pipefd) == -1) {
++		perror("pipe failed");
++		return 1;
++    }
++	// we well read stdout later
++	// there will be data from rpmdb
++	posix_spawn_file_actions_t actions;
++	posix_spawn_file_actions_init(&actions);
++	posix_spawn_file_actions_addclose(&actions, pipefd[0]);
++	posix_spawn_file_actions_adddup2(&actions, pipefd[1], STDOUT_FILENO);
++	posix_spawn_file_actions_addclose(&actions, pipefd[1]);
++
++	char *argv[] = { NULL };
++	char *custom_env[] = { NULL };
++
++	pid_t pid = -1;
++	// int status = posix_spawn(&pid, "/home/rsroka/Work/fapolicyd-upstream-fork2/src/fapolicyd-rpm-loader", &actions, NULL, argv, custom_env);
++	int status = posix_spawn(&pid, "/usr/sbin/fapolicyd-rpm-loader", &actions, NULL, argv, custom_env);
++
++
++	close(pipefd[1]);  // Parent doesn't write
++
++	if (status == 0) {
++		msg(LOG_DEBUG, "fapolicyd-rpm-loader spawned with pid: %d", pid);
++
++		char buff[BUFFER_SIZE];
++		fd_fgets_context_t * fd_fgets_context = fd_fgets_init();
++		do {
++			fd_fgets_rewind(fd_fgets_context);
++			int res = fd_fgets(fd_fgets_context, buff, sizeof(buff), pipefd[0]);
++			if (res == -1)
++				break;
++			else if (res > 0) {
++				char* end  = strchr(buff, '\n');
++
++				if (end == NULL) {
++					msg(LOG_ERR, "Too long line?");
++					continue;
++				}
++
++				int size = end - buff;
++				*end = '\0';
++
++				// it's better to parse it from the end because there can be space in file name
++				int delims = 0;
++				char * delim = NULL;
++				for (int i = size-1 ; i >= 0 ; i--) {
++					if (isspace(buff[i])) {
++						delim = &buff[i];
++						delims++;
++					}
++
++					if (delims >= MAX_DELIMS) {
++						buff[i] = '\0';
++						break;
++					}
++				}
++
++				char * index = strdup(buff);
++				char * data = strdup(delim + 1);
++				if (!index || !data) {
++					free(index);
++					free(data);
++					continue;
++				}
++
++				list_append(&rpm_backend.list, index, data);
++			}
++		} while(!fd_fgets_eof(fd_fgets_context));
++
++		fd_fgets_destroy(fd_fgets_context);
++
++		close(pipefd[0]);
++		waitpid(pid, NULL, 0);
++		
++	} else {
++		msg(LOG_ERR, "posix_spawn failed: %s\n", strerror(status));
++	}
++
++	posix_spawn_file_actions_destroy(&actions);
++
++	if (rpm_backend.list.count == 0) {
++		msg(LOG_DEBUG, "Recieved 0 files from rpmdb loader");
++		return 1;
++	}
++
++	return 0;
++}
++
++// this function is used in fapolicyd-rpm-loader
++extern unsigned int debug_mode;
++int do_rpm_load_list(const conf_t *conf)
++{
+ 	int rc;
+ 	unsigned int msg_count = 0;
+ 
+@@ -298,6 +401,14 @@ static int rpm_load_list(const conf_t *c
+ 
+ static int rpm_init_backend(void)
+ {
++	list_init(&rpm_backend.list);
++
++	return 0;
++}
++
++// this function is used in fapolicyd-rpm-loader
++int do_rpm_init_backend(void)
++{
+ 	if (filter_init())
+ 		return 1;
+ 
+@@ -318,3 +429,10 @@ static int rpm_destroy_backend(void)
+ 	list_empty(&rpm_backend.list);
+ 	return 0;
+ }
++
++// this function is used in fapolicyd-rpm-loader
++int do_rpm_destroy_backend(void)
++{
++	list_empty(&rpm_backend.list);
++	return 0;
++}
+diff -up ./src/Makefile.am.rpm-loader ./src/Makefile.am
+--- ./src/Makefile.am.rpm-loader	2025-05-18 20:11:39.718965116 +0200
++++ ./src/Makefile.am	2025-05-18 20:11:39.723185202 +0200
+@@ -75,6 +75,15 @@ libfapolicyd_la_SOURCES += \
+ 	library/filter.c \
+ 	library/filter.h
+ 
++sbin_PROGRAMS += fapolicyd-rpm-loader
++
++fapolicyd_rpm_loader_SOURCES = \
++	handler/fapolicyd-rpm-loader.c
++
++fapolicyd_rpm_loader_CFLAGS = $(fapolicyd_CFLAGS)
++fapolicyd_rpm_loader_LDFLAGS = $(fapolicyd_LDFLAGS)
++
++fapolicyd_rpm_loader_LDADD = libfapolicyd.la
+ endif
+ 
+ if WITH_DEB

SOURCES/fapolicyd-rpm-v.patch

@@ -0,0 +1,34 @@
+From 686096c400587d5f28e041c4ebb58e07e4d7b3fc Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Wed, 20 Nov 2024 14:30:14 +0100
+Subject: [PATCH] Fix creation of RUN_DIR because it breaks rpm verify
+
+Signed-off-by: Radovan Sroka <rsroka@redhat.com>
+---
+ src/library/database.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/src/library/database.c b/src/library/database.c
+index 44dd0b2b..d89b16c1 100644
+--- a/src/library/database.c
++++ b/src/library/database.c
+@@ -122,6 +122,19 @@ int preconstruct_fifo(const conf_t *config)
+ 		    strerror_r(errno, err_buff, BUFFER_SIZE));
+ 		return 1;
+ 	} else {
++
++		if ((chmod(RUN_DIR, 0770))) {
++			msg(LOG_ERR, "Failed to fix mode of dir %s (%s)",
++			    RUN_DIR, strerror_r(errno, err_buff, BUFFER_SIZE));
++			return 1;
++		}
++
++		if ((chown(RUN_DIR, 0, config->gid))) {
++			msg(LOG_ERR, "Failed to fix ownership of dir %s (%s)",
++			    RUN_DIR, strerror_r(errno, err_buff, BUFFER_SIZE));
++			return 1;
++		}
++
+ 		/* Make sure that there is no such file/fifo */
+ 		unlink_fifo();
+ 	}

SOURCES/fapolicyd-selinux-links.patch

@@ -1,23 +0,0 @@
-From 05780f9accae504440ffed0548bd3e4144cfb70e Mon Sep 17 00:00:00 2001
-From: Radovan Sroka <rsroka@redhat.com>
-Date: Wed, 19 Jul 2023 16:00:13 +0200
-Subject: [PATCH] Allow links
-
-Signed-off-by: Radovan Sroka <rsroka@redhat.com>
----
- fapolicyd.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/fapolicyd-selinux-0.6/fapolicyd.te b/fapolicyd-selinux-0.6/fapolicyd.te
-index daf31bd..5d6f9aa 100644
---- a/fapolicyd-selinux-0.6/fapolicyd.te
-+++ b/fapolicyd-selinux-0.6/fapolicyd.te
-@@ -53,6 +53,8 @@ ifdef(`fs_watch_all_fs',`
-     files_watch_sb_all_mountpoints(fapolicyd_t)
- ')
- 
-+allow fapolicyd_t file_type : lnk_file { getattr read };
-+
- manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t)
- logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)
- 

SOURCES/fapolicyd-skip-nonregular.patch

@@ -0,0 +1,39 @@
+From 508805c9f47ca22695fd7a265668f99e9258ea27 Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Thu, 24 Jul 2025 15:30:06 +0200
+Subject: [PATCH] Skip to add non regular files to trustdb
+
+- it does not make any sense to have them in the trustdb
+- the patch should be fix potential error when reading nonregular files
+
+Signed-off-by: Radovan Sroka <rsroka@redhat.com>
+---
+ src/cli/file-cli.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/cli/file-cli.c b/src/cli/file-cli.c
+index 7deec39c..ae326c14 100644
+--- a/src/cli/file-cli.c
++++ b/src/cli/file-cli.c
+@@ -67,7 +67,7 @@ static int ftw_add_list_append(const char *fpath,
+  */
+ static int add_list_load_path(const char *path)
+ {
+-	int fd = open(path, O_RDONLY);
++	int fd = open(path, O_RDONLY|O_NONBLOCK);
+ 	if (fd < 0) {
+ 		msg(LOG_ERR, "Cannot open %s", path);
+ 		return 1;
+@@ -83,8 +83,11 @@ static int add_list_load_path(const char *path)
+ 
+ 	if (S_ISDIR(sb.st_mode))
+ 		nftw(path, &ftw_add_list_append, FTW_NOPENFD, FTW_FLAGS);
+-	else
++	else if (S_ISREG(sb.st_mode)) {
+ 		list_append(&add_list, strdup(path), NULL);
++	} else {
++		msg(LOG_INFO, "Skipping non regular file: %s", path);
++	}
+ 
+ 	return 0;
+ }

SOURCES/fapolicyd-socket-segfault.patch

@@ -0,0 +1,48 @@
+From 73770c9111800cb5a1e62203e460ae9149307d49 Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Mon, 28 Jul 2025 18:44:08 +0200
+Subject: [PATCH] Fix segfault when socket is inside of the directory
+
+$ socat UNIX-LISTEN:"/home/rsroka/dir/socket" /dev/null &
+
+[ ERROR ]: Cannot open /home/rsroka/dir/socket
+Program received signal SIGSEGV, Segmentation fault.
+
+Signed-off-by: Radovan Sroka <rsroka@redhat.com>
+---
+ src/cli/file-cli.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/src/cli/file-cli.c b/src/cli/file-cli.c
+index ae326c14..655e8f15 100644
+--- a/src/cli/file-cli.c
++++ b/src/cli/file-cli.c
+@@ -53,8 +53,13 @@ static int ftw_add_list_append(const char *fpath,
+ 		int typeflag,
+ 		struct FTW *ftwbuf __attribute__ ((unused)))
+ {
+-	if (typeflag == FTW_F)
+-		list_append(&add_list, strdup(fpath), NULL);
++	if (typeflag == FTW_F) {
++		if (S_ISREG(sb->st_mode)) {
++			list_append(&add_list, strdup(fpath), NULL);
++		} else {
++			msg(LOG_INFO, "Skipping non regular file: %s", fpath);
++		}
++	}
+ 	return FTW_CONTINUE;
+ }
+ 
+@@ -83,11 +88,8 @@ static int add_list_load_path(const char *path)
+ 
+ 	if (S_ISDIR(sb.st_mode))
+ 		nftw(path, &ftw_add_list_append, FTW_NOPENFD, FTW_FLAGS);
+-	else if (S_ISREG(sb.st_mode)) {
++	else
+ 		list_append(&add_list, strdup(path), NULL);
+-	} else {
+-		msg(LOG_INFO, "Skipping non regular file: %s", path);
+-	}
+ 
+ 	return 0;
+ }

SOURCES/fapolicyd-uthash-bundle.patch

@@ -1,10 +1,10 @@
 diff -up ./configure.ac.uthash ./configure.ac
---- ./configure.ac.uthash	2023-06-15 16:45:13.000000000 +0200
-+++ ./configure.ac	2023-06-16 14:32:53.112363230 +0200
-@@ -96,10 +96,6 @@ AC_CHECK_HEADER(sys/fanotify.h, , [AC_MS
+--- ./configure.ac.uthash	2022-09-27 16:34:59.000000000 +0200
++++ ./configure.ac	2022-09-29 11:57:26.297879027 +0200
+@@ -162,10 +162,6 @@ AC_CHECK_HEADER(sys/fanotify.h, , [AC_MS
  ["Couldn't find sys/fanotify.h...your kernel might not be new enough"] )])
  AC_CHECK_FUNCS(fexecve, [], [])
- 
+ AC_CHECK_FUNCS([gettid])
 -AC_CHECK_HEADER(uthash.h, , [AC_MSG_ERROR(
 -["Couldn't find uthash.h...uthash-devel is missing"] )])
 -
@@ -13,8 +13,8 @@ diff -up ./configure.ac.uthash ./configure.ac
  echo Checking for required libraries
  AC_CHECK_LIB(udev, udev_device_get_devnode, , [AC_MSG_ERROR([libudev not found])], -ludev)
 diff -up ./src/library/rpm-backend.c.uthash ./src/library/rpm-backend.c
---- ./src/library/rpm-backend.c.uthash	2023-06-16 14:32:53.112363230 +0200
-+++ ./src/library/rpm-backend.c	2023-06-16 14:35:20.467338604 +0200
+--- ./src/library/rpm-backend.c.uthash	2022-09-29 11:57:26.297879027 +0200
++++ ./src/library/rpm-backend.c	2022-09-29 11:58:45.470119807 +0200
 @@ -33,7 +33,7 @@
  #include <rpm/rpmpgp.h>
  #include <fnmatch.h>
@@ -25,8 +25,8 @@ diff -up ./src/library/rpm-backend.c.uthash ./src/library/rpm-backend.c
  #include "message.h"
  #include "gcc-attributes.h"
 diff -up ./src/Makefile.am.uthash ./src/Makefile.am
---- ./src/Makefile.am.uthash	2023-06-15 16:45:13.000000000 +0200
-+++ ./src/Makefile.am	2023-06-16 14:32:53.112363230 +0200
+--- ./src/Makefile.am.uthash	2022-09-27 16:34:59.000000000 +0200
++++ ./src/Makefile.am	2022-09-29 11:57:26.297879027 +0200
 @@ -5,6 +5,9 @@ AM_CPPFLAGS = \
  	-I${top_srcdir} \
  	-I${top_srcdir}/src/library

SOURCES/fapolicyd.sysusers

@@ -0,0 +1 @@
+u fapolicyd - "Application Whitelisting Daemon" /var/lib/fapolicyd

SOURCES/selinux.patch

@@ -1,6 +1,6 @@
-diff -up ./fapolicyd-selinux-0.6/fapolicyd.te.fix ./fapolicyd-selinux-0.6/fapolicyd.te
---- ./fapolicyd-selinux-0.6/fapolicyd.te.fix	2023-06-15 17:11:47.964646794 +0200
-+++ ./fapolicyd-selinux-0.6/fapolicyd.te	2023-06-15 17:13:10.426477653 +0200
+diff -up ./fapolicyd-selinux-0.7/fapolicyd.te.fix ./fapolicyd-selinux-0.7/fapolicyd.te
+--- ./fapolicyd-selinux-0.7/fapolicyd.te.fix	2023-06-15 17:11:47.964646794 +0200
++++ ./fapolicyd-selinux-0.7/fapolicyd.te	2023-06-15 17:13:10.426477653 +0200
 @@ -50,6 +50,9 @@ ifdef(`watch_mount_dirs_pattern',`
  
  ifdef(`fs_watch_all_fs',`

SOURCES/var-run-selinux.patch

@@ -0,0 +1,26 @@
+From 750c5e288f8253c71a9722da960addb078aee93c Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 6 Feb 2024 21:17:27 +0100
+Subject: [PATCH] Rename all /var/run file context entries to /run
+
+With the 1f76e522a ("Rename all /var/run file context entries to /run")
+selinux-policy commit, all /var/run file context entries moved to /run
+and the equivalency was inverted. Subsequently, changes in fapolicyd.fc
+need to be done, too, in a similar manner.
+---
+ fapolicyd.fc | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fapolicyd-selinux-0.7/fapolicyd.fc b/fapolicyd-selinux-0.7/fapolicyd.fc
+index 2bdc7aa..d081dc8 100644
+--- a/fapolicyd-selinux-0.7/fapolicyd.fc
++++ b/fapolicyd-selinux-0.7/fapolicyd.fc
+@@ -8,6 +8,6 @@
+ 
+ /var/log/fapolicyd-access.log    --      gen_context(system_u:object_r:fapolicyd_log_t,s0)
+ 
+-/var/run/fapolicyd(/.*)?		 gen_context(system_u:object_r:fapolicyd_var_run_t,s0)
++/run/fapolicyd(/.*)?		 gen_context(system_u:object_r:fapolicyd_var_run_t,s0)
+ 
+-/var/run/fapolicyd\.pid	--	 gen_context(system_u:object_r:fapolicyd_var_run_t,s0)
++/run/fapolicyd\.pid	--	 gen_context(system_u:object_r:fapolicyd_var_run_t,s0)

SOURCES/var-run-t-dir-selinux.patch

@@ -0,0 +1,11 @@
+diff -up ./fapolicyd-selinux-0.7/fapolicyd.te.var_run_dir ./fapolicyd-selinux-0.7/fapolicyd.te
+--- ./fapolicyd-selinux-0.7/fapolicyd.te.var_run_dir	2025-07-20 21:08:05.054395347 +0200
++++ ./fapolicyd-selinux-0.7/fapolicyd.te	2025-07-20 21:08:28.240293532 +0200
+@@ -57,6 +57,7 @@ ifdef(`files_watch_sb_all_mountpoints',`
+ ')
+ 
+ allow fapolicyd_t file_type : lnk_file { getattr read };
++allow fapolicyd_t var_run_t:dir setattr;
+ 
+ manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t)
+ logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)

SPECS/fapolicyd.spec

@@ -1,17 +1,18 @@
 %global selinuxtype targeted
 %global moduletype contrib
-%define semodule_version 0.6
+%define semodule_version 0.7
 
 Summary: Application Whitelisting Daemon
 Name: fapolicyd
-Version: 1.3.2
-Release: 100%{?dist}
+Version: 1.3.3
+Release: 106.0.1%{?dist}.1
 License: GPLv3+
 URL: http://people.redhat.com/sgrubb/fapolicyd
 Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
 Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz
 # we bundle uthash for rhel9
 Source2: https://github.com/troydhanson/uthash/archive/refs/tags/v2.3.0.tar.gz#/uthash-2.3.0.tar.gz
+Source3: fapolicyd.sysusers
 BuildRequires: gcc
 BuildRequires: kernel-headers
 BuildRequires: autoconf automake make gcc libtool
@@ -32,8 +33,18 @@ Requires(postun): systemd-units
 
 Patch1: fapolicyd-uthash-bundle.patch
 Patch2: selinux.patch
-Patch3: fapolicyd-leaks.patch
-Patch4: fapolicyd-selinux-links.patch
+Patch3: var-run-selinux.patch
+Patch4: fapolicyd-rpm-v.patch
+Patch5: fapolicyd-nss-lookup.patch
+Patch6: fapolicyd-normal-pattern.patch
+Patch7: fapolicyd-rpm-loader.patch
+Patch8: fapolicyd-infinite-loop.patch
+Patch9: fapolicyd-data-format.patch
+Patch10: var-run-t-dir-selinux.patch
+Patch11: fapolicyd-skip-nonregular.patch
+Patch12: fapolicyd-socket-segfault.patch
+Patch13: Add-var-lib-fapolicyd-to-tmpfiles.patch
+Patch100: fapolicyd-1.0.increase.db.max.size.patch
 
 %description
 Fapolicyd (File Access Policy Daemon) implements application whitelisting
@@ -65,10 +76,20 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.
 %setup -q -D -T -a 2
 %patch -P 1 -p1 -b .uthash
 %endif
+%patch100 -p1
 
 %patch -P 2 -p1 -b .selinux
-%patch -P 3 -p1 -b .leaks
-%patch -P 4 -p1 -b .links
+%patch -P 3 -p1 -R -b .var-run-selinux
+%patch -P 4 -p1 -b .rpm-v
+%patch -P 5 -p1 -b .nss-lookup
+%patch -P 6 -p1 -b .normal-pattern
+%patch -P 7 -p1 -b .rpm-loader
+%patch -P 8 -p1 -b .infinite-loop
+%patch -P 9 -p1 -b .data-format
+%patch -P 10 -p1 -b .var-run-dir
+%patch -P 11 -p1 -b .skip-nonregular
+%patch -P 12 -p1 -b .socket-segfault
+%patch -P 13 -p1 -b .var-lib-dir
 
 # generate rules for python
 sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules
@@ -107,6 +128,7 @@ make check
 %install
 %make_install
 install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf
+install -p -D -m 0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/%{name}.conf
 mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}
 mkdir -p %{buildroot}/run/%{name}
 mkdir -p %{buildroot}%{_sysconfdir}/%{name}/trust.d
@@ -166,6 +188,7 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -delete
 
 %pre
 getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
+
 if [ $1 -eq 2 ]; then
 # detect changed default rules in case of upgrade
 %manage_default_rules
@@ -207,11 +230,11 @@ fi
 %doc README.md
 %{!?_licensedir:%global license %%doc}
 %license COPYING
-%attr(755,root,%{name}) %dir %{_datadir}/%{name}
-%attr(755,root,%{name}) %dir %{_datadir}/%{name}/sample-rules
-%attr(644,root,%{name}) %{_datadir}/%{name}/default-ruleset.known-libs
-%attr(644,root,%{name}) %{_datadir}/%{name}/sample-rules/*
-%attr(644,root,%{name}) %{_datadir}/%{name}/fapolicyd-magic.mgc
+%attr(755,root,root) %dir %{_datadir}/%{name}
+%attr(755,root,root) %dir %{_datadir}/%{name}/sample-rules
+%attr(644,root,root) %{_datadir}/%{name}/default-ruleset.known-libs
+%attr(644,root,root) %{_datadir}/%{name}/sample-rules/*
+%attr(644,root,root) %{_datadir}/%{name}/fapolicyd-magic.mgc
 %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
 %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/trust.d
 %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/rules.d
@@ -224,6 +247,8 @@ fi
 %ghost %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules
 %attr(644,root,root) %{_unitdir}/%{name}.service
 %attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
+%attr(755,root,root) %{_sbindir}/%{name}-rpm-loader
+%attr(644,root,root) %{_sysusersdir}/%{name}.conf
 %attr(755,root,root) %{_sbindir}/%{name}
 %attr(755,root,root) %{_sbindir}/%{name}-cli
 %attr(755,root,root) %{_sbindir}/fagenrules
@@ -255,6 +280,22 @@ fi
 %selinux_relabel_post -s %{selinuxtype}
 
 %changelog
+* Tue Nov 04 2025 Akshata Konala <akshata.konala@oracle.com> - 1.3.3-106.0.1.1
+- Increase db_max_size to 100M
+
+* Mon Aug 18 2025 Petr Lautrbach <lautrbach@redhat.com> - 1.3.3-106.1
+- RPMDB crashes with SIGBUS when updating the RPMDB repeatedly
+- Add /var/lib/fapolicyd to tmpfiles
+- File /run/fapolicyd differs from RPM expectations
+- fapolicyd.service badly instructs how to start after nss-user-lookup.target
+- fapolicy rule containing 'pattern=normal' produces error
+- "fapolicyd-cli --file add" crashes when processing sockets
+
+* Wed Jul 19 2023 Radovan Sroka <rsroka@redhat.com> - 1.3.3-100
+RHEL 9.5.0 ERRATUM
+- rebase to fapolicyd-1.3.3 and fapolicyd-selinux-0.7
+Resolves: RHEL-36285
+
 * Wed Jul 19 2023 Radovan Sroka <rsroka@redhat.com> - 1.3.2-100
 RHEL 9.3.0 ERRATUM
 - Rebase fapolicyd to the latest stable version