diff --git a/.gitignore b/.gitignore index 18b62ae..e5e639e 100644 --- a/.gitignore +++ b/.gitignore @@ -18,3 +18,4 @@ /uthash-2.3.0.tar.gz /fapolicyd-1.0.3.tar.gz /fapolicyd-1.0.4.tar.gz +/fapolicyd-1.1.tar.gz diff --git a/fapolicyd.spec b/fapolicyd.spec index ea8ba85..3df77d0 100644 --- a/fapolicyd.spec +++ b/fapolicyd.spec @@ -4,8 +4,8 @@ Summary: Application Whitelisting Daemon Name: fapolicyd -Version: 1.0.4 -Release: 3%{?dist} +Version: 1.1 +Release: 1%{?dist} License: GPLv3+ URL: http://people.redhat.com/sgrubb/fapolicyd Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz @@ -82,9 +82,9 @@ Don't use dnf and rpm plugin together. %patch2 -p1 -b .watch-perm %patch3 -p1 -b .home -sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.* -sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.* -sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.* +sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules +sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules +sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-linux-*.so.*' | sed 's/\//\\\\\//g'`/g" rules.d/*.rules %build ./autogen.sh @@ -93,7 +93,7 @@ sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\// --with-rpm \ --disable-shared -make CFLAGS="%{optflags}" %{?_smp_mflags} +%make_build # selinux pushd %{name}-selinux-%{semodule_version} @@ -108,14 +108,15 @@ make check %selinux_relabel_pre -s %{selinuxtype} %install -make DESTDIR="%{buildroot}" INSTALL='install -p' install +%make_install mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/ install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/ install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf -install -p -m 644 init/%{name}.rules.known-libs %{buildroot}/%{_sysconfdir}/%{name}/%{name}.rules mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name} mkdir -p %{buildroot}/run/%{name} mkdir -p %{buildroot}%{_sysconfdir}/%{name}/trust.d +mkdir -p %{buildroot}%{_sysconfdir}/%{name}/rules.d + # selinux install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} @@ -124,34 +125,37 @@ install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype} install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if #cleanup -find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';' +find %{buildroot} \( -name '*.la' -o -name '*.a' \) -delete %pre getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name} -%pretrans -p -if posix.access("/run/fapolicyd.pid", "f") then - os.execute([[ - c=/etc/fapolicyd/fapolicyd.rules - rule="allow perm=any uid=0 : all" - - if test -e $c; then - if systemctl is-active fapolicyd &> /dev/null; then - tmp=`mktemp` - cat $c > $tmp - echo "$rule" > $c - cat $tmp >> $c - systemctl restart fapolicyd || true - sleep 10 - cat $tmp > $c - rm -f $tmp - fi - fi - ]]) -end - - %post +# if no pre-existing rule file +if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then + files=`ls %{_sysconfdir}/%{name}/rules.d/ 2>/dev/null | wc -w` + # Only if no pre-existing component rules + if [ "$files" -eq 0 ] ; then + ## Install the known libs policy + cp %{_datadir}/%{name}/sample-rules/10-languages.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/20-patterns.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/30-dracut.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/30-updaters.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/40-bad-elf.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/41-shared-obj.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/42-trusted-elf.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/70-trusted-lang.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/72-shell.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/90-deny-execute.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/95-allow-open.rules %{_sysconfdir}/%{name}/rules.d/ + chgrp %{name} %{_sysconfdir}/%{name}/rules.d/* + if [ -x /usr/sbin/restorecon ] ; then + # restore correct label + /usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/* + fi + fagenrules --load + fi +fi %systemd_post %{name}.service %preun @@ -165,26 +169,31 @@ end %{!?_licensedir:%global license %%doc} %license COPYING %attr(755,root,%{name}) %dir %{_datadir}/%{name} -%attr(644,root,%{name}) %{_datadir}/%{name}/%{name}.rules.* +%attr(755,root,%{name}) %dir %{_datadir}/%{name}/sample-rules +%attr(644,root,%{name}) %{_datadir}/%{name}/sample-rules/* +%attr(644,root,%{name}) %{_datadir}/%{name}/fapolicyd-magic.mgc %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name} %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/trust.d +%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/rules.d +%ghost %{_sysconfdir}/%{name}/rules.d/* %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust -%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules +%ghost %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules %attr(644,root,root) %{_unitdir}/%{name}.service %attr(644,root,root) %{_tmpfilesdir}/%{name}.conf %attr(755,root,root) %{_sbindir}/%{name} %attr(755,root,root) %{_sbindir}/%{name}-cli +%attr(755,root,root) %{_sbindir}/fagenrules %attr(644,root,root) %{_mandir}/man8/* %attr(644,root,root) %{_mandir}/man5/* %attr(644,root,root) %{_mandir}/man1/* %attr(644,root,root) %{_datadir}/%{name}/* -%ghost %{_localstatedir}/log/%{name}-access.log +%ghost %attr(440,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/log/%{name}-access.log %attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name} %attr(770,root,%{name}) %dir /run/%{name} -%ghost /run/%{name}/%{name}.fifo -%ghost %{_localstatedir}/lib/%{name}/data.mdb -%ghost %{_localstatedir}/lib/%{name}/lock.mdb +%ghost %attr(660,root,%{name}) /run/%{name}/%{name}.fifo +%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/data.mdb +%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/lock.mdb %files selinux %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 @@ -209,6 +218,10 @@ fi %changelog +* Sun Jan 23 2022 Radovan Sroka - 1.1-1 +- rebase to v1.1 +- added rules.d folder + * Thu Jan 20 2022 Fedora Release Engineering - 1.0.4-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild diff --git a/sources b/sources index 4850341..e7d25f3 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (fapolicyd-1.0.4.tar.gz) = 08a8625b1ad9a383359435605595b17a537c7ca889ad0b8d6acdf5d27e98dc38f557187a54e5320d9eeb624999f19526cc29c2e43449033f4f086e0bef142d7b +SHA512 (fapolicyd-1.1.tar.gz) = d8478a5e55f8ab3b40ab881795d391d6edd8c4149e743f3685afedf561f853f46f80e49f7b0f05e20c86d71442e286c7db9b289049b5314047d14d8d1b9f3b4e SHA512 (fapolicyd-selinux-0.4.tar.gz) = afc74b9c55c71bec2039d112e8e16abc510b58bf794bd665f3128a63daa45572a6f18d1c4de1f63e45a01f8696aacfbf54ed2a07485d581f25446b7fe92307a2 SHA512 (uthash-2.3.0.tar.gz) = 3b01f1074790fb242900411cb16eb82c1a9afcf58e3196a0f4611d9d7ef94690ad38c0a500e7783d3efa20328aa8d6ab14f246be63b3b3d385502ba2b6b2a294