The implicit declarations fix broken the ELN build due to overlapping
patches. Applying the RHEL patches last, and adjusting them as needed
for Fedora changes, is the simplest way to make both builds successful.

- introduced uthash dependency
- SELinux prevents the fapolicyd process from writing to /run/dbus/system_bus_socket
Resolves: rhbz#1874491
- SELinux prevents the fapolicyd process from writing to /var/lib/rpm directory
Resolves: rhbz#1876538
- backported a few small cosmetic patches from upstream master
- rebase selinux tarball to v0.3
- file context pattern for /run/fapolicyd.pid is missing
Resolves: rhbz#1834674
Signed-off-by: Radovan Sroka <rsroka@redhat.com>

- release now has 3 integrity modes: file size, IMA, and sha256 based
- it can now send event information to syslog
- the syslog event information is tailorable to how you'd like to see it
- there is now the ability to create sets of words that can be matched
against in the rules engine
- there are now 2 policies shipped: known-libs and restrictive
- fapolicyd-cli can now dump the trust db for inspection
- the integrity system needs sha256 hashes; it will print a warning for files
in rpms that do not have them
- polished the pattern detection engine
- rpm backend now drops most of the files in /usr/share/ to dramatically reduce
memory consumption and improve startup speed
- the commandline utility can now delete the lmdb trust database and manage
the file trust source
- dramatically improved startup time
- fapolicyd-cli has picked up --list and --ftype commands to help debug/write policy
- file type identification has been improved
- trust database statistics have been added to the reports
- allows watched mount points to be specified by file system types
- ELF file detection was improved
- the rules have been rewritten to express the policy based on subject/object
trust for better performance and reliability
- exceptions for dracut and ansible were added to the rules to avoid problems
under normal system use
- adds an admin defined trust database (fapolicyd.trust)
- setting boost, queue, user, and group on the daemon
command line is deprecated

Improved subject cache management, performance improvements, drop need for
fapolicyd.mounts file (daemon detects filesystems to monitor), stop collecting
documentation in the trust database, and handle long paths.

This release features:
- systemd usage updates
- file permission adjustments based on selinux policy review
- unterminated reads of auid & sessionid values were fixed
- ld_preload pattern is deprecated for now