.fapolicyd.metadata

@@ -0,0 +1,3 @@
+f4fc52c6ec16cec13405d66752c0b222fff893e7 SOURCES/fapolicyd-1.3.2.tar.gz
+e61573db3de4d229377eebff8252765058ad4ab9 SOURCES/fapolicyd-selinux-0.6.tar.gz
+fbafa356359ace80787ce6634d84425b40d90907 SOURCES/uthash-2.3.0.tar.gz

.gitignore

@@ -1,2 +1,3 @@
 SOURCES/fapolicyd-1.3.2.tar.gz
 SOURCES/fapolicyd-selinux-0.6.tar.gz
+SOURCES/uthash-2.3.0.tar.gz

SOURCES/fapolicyd-dnf-plugin.patch

@@ -1,34 +0,0 @@
-diff -up ./dnf/fapolicyd-dnf-plugin.py.fix ./dnf/fapolicyd-dnf-plugin.py
---- ./dnf/fapolicyd-dnf-plugin.py.fix	2023-06-20 13:21:21.098192421 +0200
-+++ ./dnf/fapolicyd-dnf-plugin.py	2023-06-20 13:21:46.287412300 +0200
-@@ -8,29 +8,10 @@ import sys
- class Fapolicyd(dnf.Plugin):
- 
-     name = "fapolicyd"
--    pipe = "/run/fapolicyd/fapolicyd.fifo"
-     file = None
- 
-     def __init__(self, base, cli):
-         pass
- 
-     def transaction(self):
--
--        if not os.path.exists(self.pipe):
--            sys.stderr.write("Pipe does not exist (" + self.pipe + ")\n")
--            sys.stderr.write("Perhaps fapolicy-plugin does not have enough permissions\n")
--            sys.stderr.write("or fapolicyd is not running...\n")
--            return
--
--        if not stat.S_ISFIFO(os.stat(self.pipe).st_mode):
--            sys.stderr.write(self.pipe + ": is not a pipe!\n")
--            return
--
--        try:
--            self.file = open(self.pipe, "w")
--        except PermissionError:
--            sys.stderr.write("fapolicy-plugin does not have write permission: " + self.pipe + "\n")
--            return
--
--        self.file.write("1\n")
--        self.file.close()
-+        pass

SOURCES/fapolicyd-librpm-workaround.patch

@@ -1,93 +0,0 @@
-diff -up ./src/daemon/fapolicyd.c.librpm-workaround ./src/daemon/fapolicyd.c
---- ./src/daemon/fapolicyd.c.librpm-workaround	2023-07-10 11:19:19.507044648 +0200
-+++ ./src/daemon/fapolicyd.c	2023-07-10 11:19:19.509044621 +0200
-@@ -572,7 +572,7 @@ int main(int argc, const char *argv[])
- 		capng_clear(CAPNG_SELECT_BOTH);
- 		capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
- 			CAP_DAC_OVERRIDE, CAP_SYS_ADMIN, CAP_SYS_PTRACE,
--			CAP_SYS_NICE, CAP_SYS_RESOURCE, CAP_AUDIT_WRITE, -1);
-+			CAP_SYS_NICE, CAP_SYS_RESOURCE, CAP_AUDIT_WRITE, CAP_CHOWN, -1);
- 		if (capng_change_id(config.uid, config.gid,
- 							CAPNG_DROP_SUPP_GRP)) {
- 			msg(LOG_ERR, "Cannot change to uid %d", config.uid);
-diff -up ./src/library/rpm-backend.c.librpm-workaround ./src/library/rpm-backend.c
---- ./src/library/rpm-backend.c.librpm-workaround	2023-06-15 16:45:14.000000000 +0200
-+++ ./src/library/rpm-backend.c	2023-07-10 11:22:07.066794595 +0200
-@@ -32,7 +32,12 @@
- #include <rpm/rpmdb.h>
- #include <rpm/rpmpgp.h>
- #include <fnmatch.h>
-+#include <glob.h>
-+#include <pwd.h>
-+#include <grp.h>
-+#include <fcntl.h>
- 
-+#include <unistd.h>
- #include <uthash.h>
- 
- #include "message.h"
-@@ -59,6 +64,50 @@ backend rpm_backend =
- static rpmts ts = NULL;
- static rpmdbMatchIterator mi = NULL;
- 
-+static void fix_files(void)
-+{
-+	glob_t glob_result;
-+	const char *pattern = "/var/lib/rpm/__*";
-+
-+	struct passwd * usr = getpwnam("fapolicyd");
-+	if (usr == NULL) {
-+		return;
-+	}
-+
-+	struct group * grp = getgrnam("fapolicyd");
-+	if (grp == NULL) {
-+		return;
-+	}
-+
-+	int return_value = glob(pattern, 0, NULL, &glob_result);
-+	if (return_value != 0) {
-+		return;
-+	}
-+
-+	for (int i = 0; i < glob_result.gl_pathc; ++i) {
-+
-+		int fd = open(glob_result.gl_pathv[i], O_NOFOLLOW);
-+
-+		if (fd == -1)
-+			continue;
-+
-+		struct stat file_stat;
-+		if (fstat(fd, &file_stat) != 0) {
-+			continue;
-+		}
-+
-+		if (file_stat.st_uid == usr->pw_uid &&
-+			file_stat.st_gid == grp->gr_gid) {
-+
-+			fchown(fd, 0, 0);
-+		}
-+
-+		close(fd);
-+	}
-+
-+	globfree(&glob_result);
-+}
-+
- static int init_rpm(void)
- {
- 	return rpmReadConfigFiles ((const char *)NULL, (const char *)NULL);
-@@ -201,8 +250,13 @@ static int rpm_load_list(const conf_t *c
- 		return rc;
- 	}
- 
-+	int fixed = 0;
- 	// Loop across the rpm database
- 	while (get_next_package_rpm()) {
-+		if (!fixed) {
-+			fixed = 1;
-+			fix_files();
-+		}
- 		// Loop across the packages
- 		while (get_next_file_rpm()) {
- 			// We do not want directories or symlinks in the

SOURCES/fapolicyd-uthash-bundle.patch

@@ -0,0 +1,39 @@
+diff -up ./configure.ac.uthash ./configure.ac
+--- ./configure.ac.uthash	2023-06-15 16:45:13.000000000 +0200
++++ ./configure.ac	2023-06-16 14:32:53.112363230 +0200
+@@ -96,10 +96,6 @@ AC_CHECK_HEADER(sys/fanotify.h, , [AC_MS
+ ["Couldn't find sys/fanotify.h...your kernel might not be new enough"] )])
+ AC_CHECK_FUNCS(fexecve, [], [])
+ 
+-AC_CHECK_HEADER(uthash.h, , [AC_MSG_ERROR(
+-["Couldn't find uthash.h...uthash-devel is missing"] )])
+-
+-
+ echo .
+ echo Checking for required libraries
+ AC_CHECK_LIB(udev, udev_device_get_devnode, , [AC_MSG_ERROR([libudev not found])], -ludev)
+diff -up ./src/library/rpm-backend.c.uthash ./src/library/rpm-backend.c
+--- ./src/library/rpm-backend.c.uthash	2023-06-16 14:32:53.112363230 +0200
++++ ./src/library/rpm-backend.c	2023-06-16 14:35:20.467338604 +0200
+@@ -33,7 +33,7 @@
+ #include <rpm/rpmpgp.h>
+ #include <fnmatch.h>
+ 
+-#include <uthash.h>
++#include "uthash.h"
+ 
+ #include "message.h"
+ #include "gcc-attributes.h"
+diff -up ./src/Makefile.am.uthash ./src/Makefile.am
+--- ./src/Makefile.am.uthash	2023-06-15 16:45:13.000000000 +0200
++++ ./src/Makefile.am	2023-06-16 14:32:53.112363230 +0200
+@@ -5,6 +5,9 @@ AM_CPPFLAGS = \
+ 	-I${top_srcdir} \
+ 	-I${top_srcdir}/src/library
+ 
++AM_CPPFLAGS += \
++	-I${top_srcdir}/uthash-2.3.0/include
++
+ sbin_PROGRAMS = fapolicyd fapolicyd-cli
+ lib_LTLIBRARIES= libfapolicyd.la
+ 

SPECS/fapolicyd.spec

@@ -5,35 +5,35 @@
 Summary: Application Whitelisting Daemon
 Name: fapolicyd
 Version: 1.3.2
-Release: 1%{?dist}
+Release: 100%{?dist}
 License: GPLv3+
 URL: http://people.redhat.com/sgrubb/fapolicyd
 Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
 Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz
+# we bundle uthash for rhel9
+Source2: https://github.com/troydhanson/uthash/archive/refs/tags/v2.3.0.tar.gz#/uthash-2.3.0.tar.gz
 BuildRequires: gcc
 BuildRequires: kernel-headers
 BuildRequires: autoconf automake make gcc libtool
 BuildRequires: systemd-devel openssl-devel rpm-devel file-devel file
 BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
 BuildRequires: python3-devel
-BuildRequires: python2-devel
+
+%if 0%{?rhel} == 0
 BuildRequires: uthash-devel
-Requires: rpm-plugin-fapolicyd >= 4.14.3-12
+%endif
+
+Requires: %{name}-plugin
 Recommends: %{name}-selinux
 Requires(pre): shadow-utils
 Requires(post): systemd-units
 Requires(preun): systemd-units
 Requires(postun): systemd-units
 
-# we are making the dnf-plugin completelly dummy because of
-# https://bugzilla.redhat.com/show_bug.cgi?id=1929163
-# we require the rpm-plugin from now on and the dnf-plugin still needs to be part of
-# the fapolicyd package because it provides safe upgrade path
-Patch1: fapolicyd-dnf-plugin.patch
+Patch1: fapolicyd-uthash-bundle.patch
 Patch2: selinux.patch
-Patch3: fapolicyd-selinux-links.patch
-Patch4: fapolicyd-leaks.patch
-Patch5: fapolicyd-librpm-workaround.patch
+Patch3: fapolicyd-leaks.patch
+Patch4: fapolicyd-selinux-links.patch
 
 %description
 Fapolicyd (File Access Policy Daemon) implements application whitelisting
@@ -60,11 +60,15 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.
 # selinux
 %setup -q -D -T -a 1
 
-%patch -P 1 -p1 -b .dnf-plugin
+%if 0%{?rhel} != 0
+# uthash
+%setup -q -D -T -a 2
+%patch -P 1 -p1 -b .uthash
+%endif
+
 %patch -P 2 -p1 -b .selinux
-%patch -P 3 -p1 -b .selinux-links
-%patch -P 4 -p1 -b .leaks
-%patch -P 5 -p1 -b .librpm-workaround
+%patch -P 3 -p1 -b .leaks
+%patch -P 4 -p1 -b .links
 
 # generate rules for python
 sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules
@@ -86,7 +90,7 @@ cp INSTALL INSTALL.tmp
     --with-rpm \
     --disable-shared
 
-%make_build
+make CFLAGS="%{optflags}" %{?_smp_mflags}
 
 # selinux
 pushd %{name}-selinux-%{semodule_version}
@@ -96,14 +100,12 @@ popd
 %check
 make check
 
-# Selinux
+# selinux
 %pre selinux
 %selinux_relabel_pre -s %{selinuxtype}
 
 %install
 %make_install
-mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/
-install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/
 install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf
 mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}
 mkdir -p %{buildroot}/run/%{name}
@@ -216,10 +218,10 @@ fi
 %attr(644,root,root) %{_sysconfdir}/bash_completion.d/*
 %ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/rules.d/*
 %ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
-%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}-filter.conf
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
+%ghost %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules
 %attr(644,root,root) %{_unitdir}/%{name}.service
 %attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
 %attr(755,root,root) %{_sbindir}/%{name}
@@ -233,10 +235,8 @@ fi
 %ghost %attr(660,root,%{name}) /run/%{name}/%{name}.fifo
 %ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/data.mdb
 %ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/lock.mdb
-%{python3_sitelib}/dnf-plugins/%{name}-dnf-plugin.py
-%{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc
 
-# selinux
+
 %files selinux
 %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
 %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
@@ -255,172 +255,208 @@ fi
 %selinux_relabel_post -s %{selinuxtype}
 
 %changelog
-* Wed Jul 19 2023 Radovan Sroka <rsroka@redhat.com> - 1.3.2-1
-RHEL 8.9.0 ERRATUM
+* Wed Jul 19 2023 Radovan Sroka <rsroka@redhat.com> - 1.3.2-100
+RHEL 9.3.0 ERRATUM
 - Rebase fapolicyd to the latest stable version
-Resolves: RHEL-519
-- RFE: send rule number to fanotify so it gets audited
-Resolves: RHEL-628
-- Default q_size doesn't match manpage's one
-Resolves: RHEL-629
+Resolves: RHEL-430
 - fapolicyd can leak FDs and never answer request, causing target process to hang forever
-Resolves: RHEL-632
+Resolves: RHEL-621
+- RFE: send rule number to fanotify so it gets audited
+Resolves: RHEL-624
 - fapolicyd needs to make sure the FD limit is never reached
-Resolves: RHEL-631
+Resolves: RHEL-623
 - fapolicyd still allows execution of a program after "untrusting" it
-Resolves: RHEL-630
+Resolves: RHEL-622
+- Default q_size doesn't match manpage's one
+Resolves: RHEL-627
+- fapolicyd-cli --update then mount/umount twice causes fapolicyd daemon to block (state 'D')
+Resolves: RHEL-817
 - Fix broken backwards compatibility backend numbers
-Resolves: RHEL-731
-- fapolicyd can create RPM DB files /var/lib/rpm/__db.xxx with bad ownership causing AVCs to occur
-Resolves: RHEL-829
+Resolves: RHEL-730
 - SELinux prevents the fapolicyd from reading symlink (cert_t)
-Resolves: RHEL-820
+Resolves: RHEL-816
 
-* Mon Jan 30 2023 Radovan Sroka <rsroka@redhat.com> - 1.1.3-12
-RHEL 8.8.0 ERRATUM
+* Mon Jan 30 2023 Radovan Sroka <rsroka@redhat.com> - 1.1.3-104
+RHEL 9.2.0 ERRATUM
 - statically linked app can execute untrusted app
-Resolves: rhbz#2088349
+Resolves: rhbz#2097077
+- fapolicyd ineffective with systemd DynamicUser=yes
+Resolves: rhbz#2136802
 - Starting manually fapolicyd while the service is already running breaks the system
-Resolves: rhbz#2103352
+Resolves: rhbz#2160517
 - Cannot execute /usr/libexec/grepconf.sh when falcon-sensor is enabled
-Resolves: rhbz#2087040
+Resolves: rhbz#2160518
 - fapolicyd: Introduce filtering of rpmdb
-Resolves: rhbz#2165645
+Resolves: RHEL-192
 
-* Fri Aug 05 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.3-8
-RHEL 8.7.0 ERRATUM
+* Fri Aug 05 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.3-102
+RHEL 9.1.0 ERRATUM
 - rebase fapolicyd to the latest stable vesion
-Resolves: rhbz#2100087
-- fapolicyd does not correctly handle SIGHUP
-Resolves: rhbz#2070639
-- fapolicyd often breaks package updates
-Resolves: rhbz#2111243
-- drop libgcrypt in favour of openssl
-Resolves: rhbz#2111935
-- fapolicyd.rules doesn't advertise that using a username/groupname instead of uid/gid also works
-Resolves: rhbz#2103914
+Resolves: rhbz#2100041
 - fapolicyd gets way too easily killed by OOM killer
-Resolves: rhbz#2100089
-- compiled.rules file ownership and mode
-Resolves: rhbz#2066653
-- Faulty handling of static applications
-Resolves: rhbz#2084497
+Resolves: rhbz#2097385
+- fapolicyd does not correctly handle SIGHUP
+Resolves: rhbz#2070655
 - Introduce ppid rule attribute
-Resolves: rhbz#2102563
-- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path [rhel-8.7.0]
-Resolves: rhbz#2069121
-- Fapolicyd denies access to /usr/lib64/ld-2.28.so [rhel-8.7.0]
-Resolves: rhbz#2068105
+Resolves: rhbz#2102558
+- fapolicyd often breaks package updates
+Resolves: rhbz#2111244
+- drop libgcrypt in favour of openssl
+Resolves: rhbz#2111938
+- Remove dnf plugin
+Resolves: rhbz#2113959
+- fapolicyd.rules doesn't advertise that using a username/groupname instead of uid/gid also works
+Resolves: rhbz#2115849
 
-* Wed Feb 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-1
-RHEL 8.6.0 ERRATUM
+* Thu Jun 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-104
+RHEL 9.1.0 ERRATUM
+- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path
+Resolves: rhbz#2069123
+- Faulty handling of static applications
+Resolves: rhbz#2096457
+
+* Sun Apr 3 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-101
+RHEL 9.1.0 ERRATUM
+- fapolicyd denies access to /usr/lib64/ld-2.28.so
+Resolves: rhbz#2067493
+
+* Wed Feb 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-100
+RHEL 9.0.0 ERRATUM
 - rebase to 1.1
-Resolves: rhbz#1939379
-- introduce rules.d feature
-Resolves: rhbz#2054741
+Resolves: rhbz#2032408
+- introduce rules.d
+Resolves: rhbz#2054740
 - remove pretrans scriptlet
-Resolves: rhbz#2051485
+Resolve: rhbz#2051481
 
-* Mon Dec 13 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.4-2
-RHEL 8.6.0 ERRATUM
+* Tue Dec 14 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.4-101
+RHEL 9.0.0 ERRATUM
 - rebase to 1.0.4
 - added rpm_sha256_only option
 - added trust.d directory
-- allow file names with whitespace in trust files
+- allow file names with whitespaces in trust files
 - use full paths in trust files
-Resolves: rhbz#1939379
+Resolves: rhbz#2032408
 - fix libc.so getting identified as application/x-executable
-Resolves: rhbz#1989272
-- fix fapolicyd-dnf-plugin reporting as '<invalid>'
-Resolves: rhbz#1997414
+Resolves: rhbz#2015307
 - fix selinux DSP module definition in spec file
-Resolves: rhbz#2014445
+Resolves: rhbz#2014449
 
-* Thu Aug 19 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.2-7
-- fapolicyd abnormally exits by executing sosreport
-- fixed multiple problems with unlink()
-- fapolicyd breaks system upgrade, leaving system in dead state - complete fix
-Resolves: rhbz#1943251
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.3-4
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Tue Feb 16 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.2-3
-RHEL 8.4.0 ERRATUM
+* Tue Jul 20 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.3-3
+RHEL 9 BETA
+- SELinux prevents fapolicyd from watch_mount/watch_with_perm on /dev/shm
+Resolves: rhbz#1932225
+Resolves: rhbz#1977731
+
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.3-2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Thu Apr 01 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.3-1
+- rebase to 1.0.3
+- sync fedora with rhel
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jan 06 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.2-1
 - rebase to 1.0.2
-- strong dependency on rpm/rpm-plugin-fapolicyd
-- installed dnf-plugin is dummy and we are not using it anymore
-- enabled integrity setting
-Resolves: rhbz#1887451
-- added make check
-- Adding DISA STIG during OS installation causes 'ipa-server-install' to fail
-- fixed java detection
-Resolves: rhbz#1895435
-- dnf update fails when fapolicyd is enabled
-Resolves: rhbz#1876975
-- fapolicyd breaks system upgrade, leaving system in dead state - complete fix
-Resolves: rhbz#1896875
+- enabled make check
+- dnf-plugin is now required subpackage
 
-* Tue Jun 30 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3
-RHEL 8.3 ERRATUM
-- fixed manpage fapolicyd-conf
-Resolves: rhbz#1817413
+* Mon Nov 16 2020 Radovan Sroka <rsroka@redhat.com> - 1.0.1-1
+- rebase to 1.0.1
+- introduced uthash dependency
+- SELinux prevents the fapolicyd process from writing to /run/dbus/system_bus_socket
+Resolves: rhbz#1874491
+- SELinux prevents the fapolicyd process from writing to /var/lib/rpm directory
+Resolves: rhbz#1876538
 
-* Mon May 25 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-2
-RHEL 8.3 ERRATUM
-- rebase to v1.0
-- installed multiple policies to /usr/share/fapolicyd
-  - known-libs (default)
-  - restrictive
-- installed fapolicyd.trust file
-- enhanced fapolicyd-cli
-Resolves: rhbz#1817413
-- introduced fapolicyd-selinux that provides SELinux policy module
-Resolves: rhbz#1714529
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 
-* Tue Mar 03 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.1-4
-RHEL 8.2 ERRATUM
-- fixed possible heap buffer overflow in elf parser
-Resolves: rhbz#1807912
+* Wed Jun 24 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3
+- backported few cosmetic small patches from upstream master
+- rebase selinux tarbal to v0.3
+- file context pattern for /run/fapolicyd.pid is missing
+Resolves: rhbz#1834674
 
-* Tue Feb 11 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.1-3
-RHEL 8.2 ERRATUM
-- fixed build time python interpreter detection (spec)
-- added python2-devel as a BuildRequires (spec)
-- allow running bash scripts in home directories
-Resolves: rhbz#1801872
+* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 1.0-2
+- Rebuilt for Python 3.9
 
-* Wed Nov 20 2019 Radovan Sroka <rsroka@redhat.com> - 0.9.1-2
-RHEL 8.2 ERRATUM
-- rebase to v0.9.1
-- updated default configuration with new syntax
-- removed daemon mounts configuration
-Resolves: rhbz#1759895
-- default fapolicyd policy prevents Ansible from running
-- added ansible rule to default ruleset
-Resolves: rhbz#1746464
-- suspicious logs on service start
-Resolves: rhbz#1747494
-- fapolicyd blocks dracut from generating initramfs
-- added dracut rule to default configuration
-Resolves: rhbz#1757736
-- fapolicyd fails to identify perl interpreter
-Resolves: rhbz#1765039
+* Mon May 25 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-1
+- rebase fapolicyd to 1.0
+- allowed sys_ptrace for user namespace
 
-* Wed Jul 24 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-3
-- added missing manpage for fapolicyd-cli
-Resolves: rhbz#1708015
+* Mon Mar 23 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.4-1
+- rebase fapolicyd to 0.9.4
+- polished the pattern detection engine
+- rpm backend now drops most of the files in /usr/share/ to dramatically reduce
+  memory consumption and improve startup speed
+- the commandline utility can now delete the lmdb trust database and manage
+  the file trust source
 
-* Mon Jul 22 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-2
-- Convert hashes to lowercase like sha256sum outputs
-- Stop littering STDOUT output for dnf plugin in fapolicyd
-Resolves: rhbz#1721496
+* Mon Feb 24 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.3-1
+- rebase fapolicyd to 0.9.3
+- dramatically improved startup time
+- fapolicyd-cli has picked up --list and --ftype commands to help debug/write policy
+- file type identification has been improved
+- trust database statistics have been added to the reports
 
-* Tue Jun 18 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-1
-- new upstream release
-Resolves: rhbz#1673323
+* Tue Feb 04 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.2-2
+- Label all fifo_file as fapolicyd_var_run_t in /var/run.
+- Allow fapolicyd_t domain to create fifo files labeled as
+  fapolicyd_var_run_t
+
+* Fri Jan 31 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.2-1
+- rebase fapolicyd to 0.9.2
+- allows watched mount points to be specified by file system types
+- ELF file detection was improved
+- the rules have been rewritten to express the policy based on subject
+  object trust for better performance and reliability
+- exceptions for dracut and ansible were added to the rules to avoid problems
+  under normal system use
+- adds an admin defined trust database (fapolicyd.trust)
+- setting boost, queue, user, and group on the daemon
+  command line are deprecated
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Tue Nov 05 2019 Marek Tamaskovic <mtamasko@redhat.com> - 0.9-3
+- Updated fapolicyd-selinux subpackage to v0.2
+  Selinux subpackage is recommended for fapolicyd.
+
+* Mon Oct 07 2019 Radovan Sroka <rsroka@redhat.com> - 0.9-2
+- Added fapolicyd-selinux subpackage
+
+* Mon Oct 07 2019 Radovan Sroka <rsroka@redhat.com> - 0.9-1
+- rebase to v0.9
+
+* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 0.8.10-2
+- Rebuilt for Python 3.8.0rc1 (#1748018)
+
+* Wed Aug 28 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-1
+- rebase to 0.8.10
+- generate python paths dynamically
+
+* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 0.8.9-5
+- Rebuilt for Python 3.8
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.9-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Mon Jun 10 22:13:18 CET 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.8.9-3
+- Rebuild for RPM 4.15
+
+* Mon Jun 10 15:42:01 CET 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.8.9-2
+- Rebuild for RPM 4.15
 
 * Mon May 06 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.9-1
 - New upstream release
-- imported from fedora30
-  resolves: rhbz#1673323
 
 * Wed Mar 13 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.8-2
 - backport some patches to resolve dac_override for fapolicyd