.fapolicyd.metadata

@@ -0,0 +1,3 @@
+0c3e18b68cc92611ed45fe884229351eaebdf170 SOURCES/fapolicyd-1.3.3.tar.gz
+ec91994fc4257a8d1a76e1c98eeccaf97ef4178f SOURCES/fapolicyd-selinux-0.7.tar.gz
+fbafa356359ace80787ce6634d84425b40d90907 SOURCES/uthash-2.3.0.tar.gz

.gitignore

@@ -1,2 +1,3 @@
-SOURCES/fapolicyd-1.3.2.tar.gz
-SOURCES/fapolicyd-selinux-0.6.tar.gz
+SOURCES/fapolicyd-1.3.3.tar.gz
+SOURCES/fapolicyd-selinux-0.7.tar.gz
+SOURCES/uthash-2.3.0.tar.gz

SOURCES/Add-var-lib-fapolicyd-to-tmpfiles.patch

@@ -0,0 +1,28 @@
+From de7b5e953e56ecad497878d1113abd8c10d8a453 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <lautrbach@redhat.com>
+Date: Fri, 15 Aug 2025 12:38:04 +0200
+Subject: [PATCH] Add /var/lib/fapolicyd to tmpfiles
+Content-type: text/plain
+
+On image based system, /var/lib/fapolicyd is not created during rpm
+installation but needs to be created during boot using tmpfiles.d
+
+Fixes:
+    fapolicyd[1463]: Failed writing db version No such file or directory
+
+Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
+---
+ init/fapolicyd-tmpfiles.conf | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/init/fapolicyd-tmpfiles.conf b/init/fapolicyd-tmpfiles.conf
+index 24459d340d3c..84fbaa1cf6ed 100644
+--- a/init/fapolicyd-tmpfiles.conf
++++ b/init/fapolicyd-tmpfiles.conf
+@@ -1,1 +1,3 @@
+ d /run/fapolicyd 0770 root fapolicyd -
++d /var/lib/fapolicyd 770 root fapolicyd -
++Z /etc/fapolicyd - root fapolicyd -
+-- 
+2.50.1
+

SOURCES/fapolicyd-data-format.patch

@@ -0,0 +1,27 @@
+From 6ce38340bd0ed3863259224de613ef6a29ca9297 Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Sun, 20 Jul 2025 20:56:34 +0200
+Subject: [PATCH] ddasd
+
+Signed-off-by: Radovan Sroka <rsroka@redhat.com>
+---
+ src/library/fapolicyd-backend.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/library/fapolicyd-backend.h b/src/library/fapolicyd-backend.h
+index 2844780..26f0a54 100644
+--- a/src/library/fapolicyd-backend.h
++++ b/src/library/fapolicyd-backend.h
+@@ -32,7 +32,8 @@
+ typedef enum { SRC_UNKNOWN, SRC_RPM, SRC_FILE_DB, SRC_DEB } trust_src_t;
+ 
+ // source, size, sha
+-#define DATA_FORMAT "%u %lu %64s"
++// do not pad the hash value so SHA1 and SHA256 digests parse correctly
++#define DATA_FORMAT "%u %lu %s"
+ 
+ typedef struct _backend
+ {
+-- 
+2.50.1
+

SOURCES/fapolicyd-dnf-plugin.patch

@@ -1,34 +0,0 @@
-diff -up ./dnf/fapolicyd-dnf-plugin.py.fix ./dnf/fapolicyd-dnf-plugin.py
---- ./dnf/fapolicyd-dnf-plugin.py.fix	2023-06-20 13:21:21.098192421 +0200
-+++ ./dnf/fapolicyd-dnf-plugin.py	2023-06-20 13:21:46.287412300 +0200
-@@ -8,29 +8,10 @@ import sys
- class Fapolicyd(dnf.Plugin):
- 
-     name = "fapolicyd"
--    pipe = "/run/fapolicyd/fapolicyd.fifo"
-     file = None
- 
-     def __init__(self, base, cli):
-         pass
- 
-     def transaction(self):
--
--        if not os.path.exists(self.pipe):
--            sys.stderr.write("Pipe does not exist (" + self.pipe + ")\n")
--            sys.stderr.write("Perhaps fapolicy-plugin does not have enough permissions\n")
--            sys.stderr.write("or fapolicyd is not running...\n")
--            return
--
--        if not stat.S_ISFIFO(os.stat(self.pipe).st_mode):
--            sys.stderr.write(self.pipe + ": is not a pipe!\n")
--            return
--
--        try:
--            self.file = open(self.pipe, "w")
--        except PermissionError:
--            sys.stderr.write("fapolicy-plugin does not have write permission: " + self.pipe + "\n")
--            return
--
--        self.file.write("1\n")
--        self.file.close()
-+        pass

SOURCES/fapolicyd-infinite-loop.patch

@@ -0,0 +1,67 @@
+From baf402ccaf16bc993ce34d4e4ed08aa283cd2c94 Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Fri, 18 Jul 2025 10:55:12 +0200
+Subject: [PATCH] Fix an infinite loop
+
+- either malloc fail or corruped data from lmdb can cause
+"fapolicyd -D" to hang in infinite loop
+
+Signed-off-by: Radovan Sroka <rsroka@redhat.com>
+---
+ src/cli/fapolicyd-cli.c | 30 ++++++++++++++++--------------
+ 1 file changed, 16 insertions(+), 14 deletions(-)
+
+diff --git a/src/cli/fapolicyd-cli.c b/src/cli/fapolicyd-cli.c
+index 0c72733c..7eddf4e2 100644
+--- a/src/cli/fapolicyd-cli.c
++++ b/src/cli/fapolicyd-cli.c
+@@ -185,33 +185,35 @@ static int do_dump_db(void)
+ 		goto txn_abort;
+ 	}
+ 	do {
+-		char *path, *data, sha[65];
++		char *path = NULL, *data = NULL, sha[65];
+ 		unsigned int tsource;
+ 		off_t size;
+ 		const char *source;
+ 
+-		path = malloc(key.mv_size+1);
++		path = malloc(key.mv_size + 1);
+ 		if (!path)
+-			continue;
++			goto next_record;
++
+ 		memcpy(path, key.mv_data, key.mv_size);
+ 		path[key.mv_size] = 0;
+-		data = malloc(val.mv_size+1);
+-		if (!data) {
+-			free(path);
+-			continue;
+-		}
++		data = malloc(val.mv_size + 1);
++
++		if (!data)
++			goto next_record;
++
+ 		memcpy(data, val.mv_data, val.mv_size);
+ 		data[val.mv_size] = 0;
+-		if (sscanf(data, DATA_FORMAT, &tsource, &size, sha) != 3) {
+-			free(data);
+-			free(path);
+-			continue;
+-		}
++
++		if (sscanf(data, DATA_FORMAT, &tsource, &size, sha) != 3)
++			goto next_record;
++
+ 		source = lookup_tsource(tsource);
+ 		printf("%s %s %lu %s\n", source, path, size, sha);
++
++next_record:
+ 		free(data);
+ 		free(path);
+-		// Try to get the duplicate. If doesn't exist, get the next one
++		// Try to get the duplicate. If it doesn't exist, get the next one
+ 		rc = mdb_cursor_get(cursor, &key, &val, MDB_NEXT_DUP);
+ 		if (rc == MDB_NOTFOUND)
+ 			rc = mdb_cursor_get(cursor, &key, &val, MDB_NEXT_NODUP);

SOURCES/fapolicyd-leaks.patch

@@ -1,78 +0,0 @@
-From 248219377a034d7da9238e7424c97558395700e3 Mon Sep 17 00:00:00 2001
-From: Radovan Sroka <rsroka@redhat.com>
-Date: Tue, 18 Jul 2023 17:05:11 +0200
-Subject: [PATCH] Fix multiple leaks
-
-Signed-off-by: Radovan Sroka <rsroka@redhat.com>
----
- src/library/filter.c |  3 +++
- src/library/policy.c | 13 +++++++++++--
- src/library/rules.c  |  3 ---
- 3 files changed, 14 insertions(+), 5 deletions(-)
-
-diff --git a/src/library/filter.c b/src/library/filter.c
-index d5d8cca..eb378ca 100644
---- a/src/library/filter.c
-+++ b/src/library/filter.c
-@@ -472,9 +472,12 @@ int filter_load_file(void)
- 			msg(LOG_ERR, "filter_load_file: paring error line: %ld, \"%s\"", line_number, line);
- 			filter_destroy_obj(filter);
- 			free(line);
-+			line = NULL;
- 			goto bad;
- 		}
-+	}
- 
-+	if (line) {
- 		free(line);
- 		line = NULL;
- 	}
-diff --git a/src/library/policy.c b/src/library/policy.c
-index 7fe1210..31ff6e2 100644
---- a/src/library/policy.c
-+++ b/src/library/policy.c
-@@ -23,6 +23,7 @@
-  *   Radovan Sroka <rsroka@redhat.com>
-  */
- 
-+#include "attr-sets.h"
- #include "config.h"
- #include <stdbool.h>
- #include <stdio.h>
-@@ -273,12 +274,20 @@ int load_rules(const conf_t *_config)
- 		return 1;
- 
- 	FILE * f = open_file();
--	if (f == NULL)
-+	if (f == NULL) {
-+		destroy_attr_sets();
- 		return 1;
-+	}
- 
- 	int res = _load_rules(_config, f);
- 	fclose(f);
--	return res;
-+
-+	if (res) {
-+		destroy_attr_sets();
-+		return 1;
-+	}
-+
-+	return 0;
- }
- 
- void destroy_rules(void)
-diff --git a/src/library/rules.c b/src/library/rules.c
-index 5ffa40e..4a8b098 100644
---- a/src/library/rules.c
-+++ b/src/library/rules.c
-@@ -65,9 +65,6 @@ int rules_create(llist *l)
- 	l->cur = NULL;
- 	l->cnt = 0;
- 
--	if (init_attr_sets())
--		return 1;
--
- 	return  0;
- }
- 

SOURCES/fapolicyd-librpm-workaround.patch

@@ -1,93 +0,0 @@
-diff -up ./src/daemon/fapolicyd.c.librpm-workaround ./src/daemon/fapolicyd.c
---- ./src/daemon/fapolicyd.c.librpm-workaround	2023-07-10 11:19:19.507044648 +0200
-+++ ./src/daemon/fapolicyd.c	2023-07-10 11:19:19.509044621 +0200
-@@ -572,7 +572,7 @@ int main(int argc, const char *argv[])
- 		capng_clear(CAPNG_SELECT_BOTH);
- 		capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
- 			CAP_DAC_OVERRIDE, CAP_SYS_ADMIN, CAP_SYS_PTRACE,
--			CAP_SYS_NICE, CAP_SYS_RESOURCE, CAP_AUDIT_WRITE, -1);
-+			CAP_SYS_NICE, CAP_SYS_RESOURCE, CAP_AUDIT_WRITE, CAP_CHOWN, -1);
- 		if (capng_change_id(config.uid, config.gid,
- 							CAPNG_DROP_SUPP_GRP)) {
- 			msg(LOG_ERR, "Cannot change to uid %d", config.uid);
-diff -up ./src/library/rpm-backend.c.librpm-workaround ./src/library/rpm-backend.c
---- ./src/library/rpm-backend.c.librpm-workaround	2023-06-15 16:45:14.000000000 +0200
-+++ ./src/library/rpm-backend.c	2023-07-10 11:22:07.066794595 +0200
-@@ -32,7 +32,12 @@
- #include <rpm/rpmdb.h>
- #include <rpm/rpmpgp.h>
- #include <fnmatch.h>
-+#include <glob.h>
-+#include <pwd.h>
-+#include <grp.h>
-+#include <fcntl.h>
- 
-+#include <unistd.h>
- #include <uthash.h>
- 
- #include "message.h"
-@@ -59,6 +64,50 @@ backend rpm_backend =
- static rpmts ts = NULL;
- static rpmdbMatchIterator mi = NULL;
- 
-+static void fix_files(void)
-+{
-+	glob_t glob_result;
-+	const char *pattern = "/var/lib/rpm/__*";
-+
-+	struct passwd * usr = getpwnam("fapolicyd");
-+	if (usr == NULL) {
-+		return;
-+	}
-+
-+	struct group * grp = getgrnam("fapolicyd");
-+	if (grp == NULL) {
-+		return;
-+	}
-+
-+	int return_value = glob(pattern, 0, NULL, &glob_result);
-+	if (return_value != 0) {
-+		return;
-+	}
-+
-+	for (int i = 0; i < glob_result.gl_pathc; ++i) {
-+
-+		int fd = open(glob_result.gl_pathv[i], O_NOFOLLOW);
-+
-+		if (fd == -1)
-+			continue;
-+
-+		struct stat file_stat;
-+		if (fstat(fd, &file_stat) != 0) {
-+			continue;
-+		}
-+
-+		if (file_stat.st_uid == usr->pw_uid &&
-+			file_stat.st_gid == grp->gr_gid) {
-+
-+			fchown(fd, 0, 0);
-+		}
-+
-+		close(fd);
-+	}
-+
-+	globfree(&glob_result);
-+}
-+
- static int init_rpm(void)
- {
- 	return rpmReadConfigFiles ((const char *)NULL, (const char *)NULL);
-@@ -201,8 +250,13 @@ static int rpm_load_list(const conf_t *c
- 		return rc;
- 	}
- 
-+	int fixed = 0;
- 	// Loop across the rpm database
- 	while (get_next_package_rpm()) {
-+		if (!fixed) {
-+			fixed = 1;
-+			fix_files();
-+		}
- 		// Loop across the packages
- 		while (get_next_file_rpm()) {
- 			// We do not want directories or symlinks in the

SOURCES/fapolicyd-normal-pattern.patch

@@ -0,0 +1,27 @@
+From 0b42573e129c8c095536e15b326fe76b87da2601 Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Fri, 28 Feb 2025 18:02:16 +0100
+Subject: [PATCH] Fix normal pattern handling
+
+Signed-off-by: Radovan Sroka <rsroka@redhat.com>
+---
+ src/library/rules.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/library/rules.c b/src/library/rules.c
+index 849a6c39..7f8fc7f5 100644
+--- a/src/library/rules.c
++++ b/src/library/rules.c
+@@ -406,9 +406,10 @@ static int assign_subject(lnode *n, int type, const char *ptr2, int lineno)
+ 			goto free_and_error;
+ 		}
+ 
+-		if (strcmp(tmp,
+-			PATTERN_LD_SO_STR) == 0) {
++		if (strcmp(tmp,	PATTERN_LD_SO_STR) == 0) {
+ 			n->s[i].val = PATTERN_LD_SO_VAL;
++		} else if (strcmp(tmp, PATTERN_NORMAL_STR) == 0) {
++			n->s[i].val = PATTERN_NORMAL_VAL;
+ 		} else if (strcmp(tmp, PATTERN_STATIC_STR) == 0) {
+ 			n->s[i].val = PATTERN_STATIC_VAL;
+ 		} else if (strcmp(tmp, PATTERN_LD_PRELOAD_STR) == 0) {

SOURCES/fapolicyd-nss-lookup.patch

@@ -0,0 +1,26 @@
+diff --git a/init/fapolicyd.service b/init/fapolicyd.service
+index 7eb2841a..a1b7da90 100644
+--- a/init/fapolicyd.service
++++ b/init/fapolicyd.service
+@@ -1,6 +1,12 @@
++# You should manage this file with systemctl edit utility and not manually
++
+ [Unit]
+ Description=File Access Policy Daemon
+ DefaultDependencies=no
++# If rules need user/group lookup, create a drop-in to delay the startup after NSS lookup is available:
++#   # mkdir -p /etc/systemd/system/fapolicyd.service.d
++#   # echo -e "[Unit]\nAfter=nss-user-lookup.target local-fs.target systemd-tmpfiles-setup.service" > /etc/systemd/system/fapolicyd.service.d/nss-lookup.conf
++#   # systemctl daemon-reload
+ After=local-fs.target systemd-tmpfiles-setup.service
+ Documentation=man:fapolicyd(8)
+ 
+@@ -12,8 +18,6 @@ PIDFile=/run/fapolicyd.pid
+ ExecStartPre=/usr/sbin/fagenrules
+ ExecStart=/usr/sbin/fapolicyd
+ Restart=on-abnormal
+-# Uncomment the following line if rules need user/group name lookup
+-#After=nss-user-lookup.target
+ 
+ [Install]
+ WantedBy=multi-user.target

SOURCES/fapolicyd-rpm-loader.patch

@@ -0,0 +1,309 @@
+diff -up ./fapolicyd.spec.rpm-loader ./fapolicyd.spec
+--- ./fapolicyd.spec.rpm-loader	2024-04-29 17:59:11.000000000 +0200
++++ ./fapolicyd.spec	2025-05-18 20:11:39.722717947 +0200
+@@ -268,6 +268,7 @@ fi
+ %attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
+ %attr(755,root,root) %{_sbindir}/%{name}
+ %attr(755,root,root) %{_sbindir}/%{name}-cli
++%attr(755,root,root) %{_sbindir}/%{name}-rpm-loader
+ %attr(755,root,root) %{_sbindir}/fagenrules
+ %attr(644,root,root) %{_mandir}/man8/*
+ %attr(644,root,root) %{_mandir}/man5/*
+diff -up ./src/daemon/fapolicyd.c.rpm-loader ./src/daemon/fapolicyd.c
+--- ./src/daemon/fapolicyd.c.rpm-loader	2025-05-18 20:11:39.721683468 +0200
++++ ./src/daemon/fapolicyd.c	2025-05-18 20:11:39.722858226 +0200
+@@ -105,17 +105,19 @@ static void install_syscall_filter(void)
+ 	ctx = seccomp_init(SCMP_ACT_ALLOW);
+ 	if (ctx == NULL)
+ 		goto err_out;
+-
++#ifndef USE_RPM
+ 	rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EACCES),
+ 				SCMP_SYS(execve), 0);
+ 	if (rc < 0)
+ 		goto err_out;
+-#ifdef HAVE_FEXECVE
+-# ifdef __NR_fexecve
++
++# ifdef HAVE_FEXECVE
++#  ifdef __NR_fexecve
+ 	rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EACCES),
+ 				SCMP_SYS(fexecve), 0);
+ 	if (rc < 0)
+ 		goto err_out;
++#  endif
+ # endif
+ #endif
+ 	rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EIO),
+diff -up ./src/handler/fapolicyd-rpm-loader.c.rpm-loader ./src/handler/fapolicyd-rpm-loader.c
+--- ./src/handler/fapolicyd-rpm-loader.c.rpm-loader	2025-05-18 20:11:39.722986504 +0200
++++ ./src/handler/fapolicyd-rpm-loader.c	2025-05-18 20:13:48.417481732 +0200
+@@ -0,0 +1,85 @@
++/*
++ * fapolicy-rpm-loader.c - loader tool for fapolicyd
++ * Copyright (c) 2025-2025 Red Hat Inc.
++ * All Rights Reserved.
++ *
++ * This software may be freely redistributed and/or modified under the
++ * terms of the GNU General Public License as published by the Free
++ * Software Foundation; either version 2, or (at your option) any
++ * later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program; see the file COPYING. If not, write to the
++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
++ * Boston, MA 02110-1335, USA.
++ *
++ * Authors:
++ *   Radovan Sroka <rsroka@redhat.com>
++ */
++
++#include "config.h"
++#include <stdio.h>
++#include <string.h>
++#include <sys/syslog.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <fcntl.h>
++#include <unistd.h>
++#include <errno.h>
++#include <ctype.h>
++#include <magic.h>
++#include <stdlib.h>
++#include <getopt.h>
++#include <stdatomic.h>
++#include <lmdb.h>
++#include <limits.h>
++#include <signal.h>
++
++#include "backend-manager.h"
++#include "daemon-config.h"
++#include "message.h"
++#include "llist.h"
++#include "fd-fgets.h"
++#include "paths.h"
++
++volatile atomic_bool stop = 0;  // Library needs this
++unsigned int debug_mode = 0;			// Library needs this
++unsigned int permissive = 0;			// Library needs this
++
++
++int do_rpm_init_backend(void);
++int do_rpm_load_list(conf_t * conf);
++int do_rpm_destroy_backend(void);
++
++extern backend rpm_backend;
++
++int main(int argc, char * const argv[])
++{
++
++	set_message_mode(MSG_STDERR, DBG_YES);
++
++	conf_t config;
++
++	load_daemon_config(&config);
++
++	do_rpm_init_backend();
++	do_rpm_load_list(&config);
++
++	msg(LOG_INFO, "Loaded files %ld", rpm_backend.list.count);
++
++	list_item_t *item = list_get_first(&rpm_backend.list);
++	for (; item != NULL; item = item->next) {
++		printf("%s %s\n", (const char*)item->index, (const char*)item->data);
++	}
++
++	do_rpm_destroy_backend();
++
++	free_daemon_config(&config);
++	return 0;
++}
++
+diff -up ./src/library/rpm-backend.c.rpm-loader ./src/library/rpm-backend.c
+--- ./src/library/rpm-backend.c.rpm-loader	2025-05-18 20:11:39.718862697 +0200
++++ ./src/library/rpm-backend.c	2025-05-18 20:11:39.723077584 +0200
+@@ -23,8 +23,11 @@
+  */
+ 
+ #include "config.h"
++#include <ctype.h>
+ #include <stddef.h>
+ #include <sys/types.h>
++#include <sys/wait.h>
++#include <spawn.h>
+ #include <rpm/rpmlib.h>
+ #include <rpm/rpmts.h>
+ #include <rpm/rpmmacro.h>
+@@ -37,11 +40,16 @@
+ 
+ #include "message.h"
+ #include "gcc-attributes.h"
++#include "fd-fgets.h"
+ #include "fapolicyd-backend.h"
+ #include "llist.h"
+ 
+ #include "filter.h"
+ 
++int do_rpm_init_backend(void);
++int do_rpm_load_list(const conf_t *);
++int do_rpm_destroy_backend(void);
++
+ static int rpm_init_backend(void);
+ static int rpm_load_list(const conf_t *);
+ static int rpm_destroy_backend(void);
+@@ -183,9 +191,104 @@ struct _hash_record {
+ 	UT_hash_handle hh;
+ };
+ 
+-extern unsigned int debug_mode;
++#define BUFFER_SIZE 4096
++#define MAX_DELIMS 3
+ static int rpm_load_list(const conf_t *conf)
+ {
++	int pipefd[2];
++	if (pipe(pipefd) == -1) {
++		perror("pipe failed");
++		return 1;
++    }
++	// we well read stdout later
++	// there will be data from rpmdb
++	posix_spawn_file_actions_t actions;
++	posix_spawn_file_actions_init(&actions);
++	posix_spawn_file_actions_addclose(&actions, pipefd[0]);
++	posix_spawn_file_actions_adddup2(&actions, pipefd[1], STDOUT_FILENO);
++	posix_spawn_file_actions_addclose(&actions, pipefd[1]);
++
++	char *argv[] = { NULL };
++	char *custom_env[] = { NULL };
++
++	pid_t pid = -1;
++	// int status = posix_spawn(&pid, "/home/rsroka/Work/fapolicyd-upstream-fork2/src/fapolicyd-rpm-loader", &actions, NULL, argv, custom_env);
++	int status = posix_spawn(&pid, "/usr/sbin/fapolicyd-rpm-loader", &actions, NULL, argv, custom_env);
++
++
++	close(pipefd[1]);  // Parent doesn't write
++
++	if (status == 0) {
++		msg(LOG_DEBUG, "fapolicyd-rpm-loader spawned with pid: %d", pid);
++
++		char buff[BUFFER_SIZE];
++		fd_fgets_context_t * fd_fgets_context = fd_fgets_init();
++		do {
++			fd_fgets_rewind(fd_fgets_context);
++			int res = fd_fgets(fd_fgets_context, buff, sizeof(buff), pipefd[0]);
++			if (res == -1)
++				break;
++			else if (res > 0) {
++				char* end  = strchr(buff, '\n');
++
++				if (end == NULL) {
++					msg(LOG_ERR, "Too long line?");
++					continue;
++				}
++
++				int size = end - buff;
++				*end = '\0';
++
++				// it's better to parse it from the end because there can be space in file name
++				int delims = 0;
++				char * delim = NULL;
++				for (int i = size-1 ; i >= 0 ; i--) {
++					if (isspace(buff[i])) {
++						delim = &buff[i];
++						delims++;
++					}
++
++					if (delims >= MAX_DELIMS) {
++						buff[i] = '\0';
++						break;
++					}
++				}
++
++				char * index = strdup(buff);
++				char * data = strdup(delim + 1);
++				if (!index || !data) {
++					free(index);
++					free(data);
++					continue;
++				}
++
++				list_append(&rpm_backend.list, index, data);
++			}
++		} while(!fd_fgets_eof(fd_fgets_context));
++
++		fd_fgets_destroy(fd_fgets_context);
++
++		close(pipefd[0]);
++		waitpid(pid, NULL, 0);
++		
++	} else {
++		msg(LOG_ERR, "posix_spawn failed: %s\n", strerror(status));
++	}
++
++	posix_spawn_file_actions_destroy(&actions);
++
++	if (rpm_backend.list.count == 0) {
++		msg(LOG_DEBUG, "Recieved 0 files from rpmdb loader");
++		return 1;
++	}
++
++	return 0;
++}
++
++// this function is used in fapolicyd-rpm-loader
++extern unsigned int debug_mode;
++int do_rpm_load_list(const conf_t *conf)
++{
+ 	int rc;
+ 	unsigned int msg_count = 0;
+ 
+@@ -298,6 +401,14 @@ static int rpm_load_list(const conf_t *c
+ 
+ static int rpm_init_backend(void)
+ {
++	list_init(&rpm_backend.list);
++
++	return 0;
++}
++
++// this function is used in fapolicyd-rpm-loader
++int do_rpm_init_backend(void)
++{
+ 	if (filter_init())
+ 		return 1;
+ 
+@@ -318,3 +429,10 @@ static int rpm_destroy_backend(void)
+ 	list_empty(&rpm_backend.list);
+ 	return 0;
+ }
++
++// this function is used in fapolicyd-rpm-loader
++int do_rpm_destroy_backend(void)
++{
++	list_empty(&rpm_backend.list);
++	return 0;
++}
+diff -up ./src/Makefile.am.rpm-loader ./src/Makefile.am
+--- ./src/Makefile.am.rpm-loader	2025-05-18 20:11:39.718965116 +0200
++++ ./src/Makefile.am	2025-05-18 20:11:39.723185202 +0200
+@@ -75,6 +75,15 @@ libfapolicyd_la_SOURCES += \
+ 	library/filter.c \
+ 	library/filter.h
+ 
++sbin_PROGRAMS += fapolicyd-rpm-loader
++
++fapolicyd_rpm_loader_SOURCES = \
++	handler/fapolicyd-rpm-loader.c
++
++fapolicyd_rpm_loader_CFLAGS = $(fapolicyd_CFLAGS)
++fapolicyd_rpm_loader_LDFLAGS = $(fapolicyd_LDFLAGS)
++
++fapolicyd_rpm_loader_LDADD = libfapolicyd.la
+ endif
+ 
+ if WITH_DEB

SOURCES/fapolicyd-rpm-v.patch

@@ -0,0 +1,34 @@
+From 686096c400587d5f28e041c4ebb58e07e4d7b3fc Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Wed, 20 Nov 2024 14:30:14 +0100
+Subject: [PATCH] Fix creation of RUN_DIR because it breaks rpm verify
+
+Signed-off-by: Radovan Sroka <rsroka@redhat.com>
+---
+ src/library/database.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/src/library/database.c b/src/library/database.c
+index 44dd0b2b..d89b16c1 100644
+--- a/src/library/database.c
++++ b/src/library/database.c
+@@ -122,6 +122,19 @@ int preconstruct_fifo(const conf_t *config)
+ 		    strerror_r(errno, err_buff, BUFFER_SIZE));
+ 		return 1;
+ 	} else {
++
++		if ((chmod(RUN_DIR, 0770))) {
++			msg(LOG_ERR, "Failed to fix mode of dir %s (%s)",
++			    RUN_DIR, strerror_r(errno, err_buff, BUFFER_SIZE));
++			return 1;
++		}
++
++		if ((chown(RUN_DIR, 0, config->gid))) {
++			msg(LOG_ERR, "Failed to fix ownership of dir %s (%s)",
++			    RUN_DIR, strerror_r(errno, err_buff, BUFFER_SIZE));
++			return 1;
++		}
++
+ 		/* Make sure that there is no such file/fifo */
+ 		unlink_fifo();
+ 	}

SOURCES/fapolicyd-selinux-links.patch

@@ -1,23 +0,0 @@
-From 05780f9accae504440ffed0548bd3e4144cfb70e Mon Sep 17 00:00:00 2001
-From: Radovan Sroka <rsroka@redhat.com>
-Date: Wed, 19 Jul 2023 16:00:13 +0200
-Subject: [PATCH] Allow links
-
-Signed-off-by: Radovan Sroka <rsroka@redhat.com>
----
- fapolicyd.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/fapolicyd-selinux-0.6/fapolicyd.te b/fapolicyd-selinux-0.6/fapolicyd.te
-index daf31bd..5d6f9aa 100644
---- a/fapolicyd-selinux-0.6/fapolicyd.te
-+++ b/fapolicyd-selinux-0.6/fapolicyd.te
-@@ -53,6 +53,8 @@ ifdef(`fs_watch_all_fs',`
-     files_watch_sb_all_mountpoints(fapolicyd_t)
- ')
- 
-+allow fapolicyd_t file_type : lnk_file { getattr read };
-+
- manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t)
- logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)
- 

SOURCES/fapolicyd-skip-nonregular.patch

@@ -0,0 +1,39 @@
+From 508805c9f47ca22695fd7a265668f99e9258ea27 Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Thu, 24 Jul 2025 15:30:06 +0200
+Subject: [PATCH] Skip to add non regular files to trustdb
+
+- it does not make any sense to have them in the trustdb
+- the patch should be fix potential error when reading nonregular files
+
+Signed-off-by: Radovan Sroka <rsroka@redhat.com>
+---
+ src/cli/file-cli.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/cli/file-cli.c b/src/cli/file-cli.c
+index 7deec39c..ae326c14 100644
+--- a/src/cli/file-cli.c
++++ b/src/cli/file-cli.c
+@@ -67,7 +67,7 @@ static int ftw_add_list_append(const char *fpath,
+  */
+ static int add_list_load_path(const char *path)
+ {
+-	int fd = open(path, O_RDONLY);
++	int fd = open(path, O_RDONLY|O_NONBLOCK);
+ 	if (fd < 0) {
+ 		msg(LOG_ERR, "Cannot open %s", path);
+ 		return 1;
+@@ -83,8 +83,11 @@ static int add_list_load_path(const char *path)
+ 
+ 	if (S_ISDIR(sb.st_mode))
+ 		nftw(path, &ftw_add_list_append, FTW_NOPENFD, FTW_FLAGS);
+-	else
++	else if (S_ISREG(sb.st_mode)) {
+ 		list_append(&add_list, strdup(path), NULL);
++	} else {
++		msg(LOG_INFO, "Skipping non regular file: %s", path);
++	}
+ 
+ 	return 0;
+ }

SOURCES/fapolicyd-socket-segfault.patch

@@ -0,0 +1,48 @@
+From 73770c9111800cb5a1e62203e460ae9149307d49 Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Mon, 28 Jul 2025 18:44:08 +0200
+Subject: [PATCH] Fix segfault when socket is inside of the directory
+
+$ socat UNIX-LISTEN:"/home/rsroka/dir/socket" /dev/null &
+
+[ ERROR ]: Cannot open /home/rsroka/dir/socket
+Program received signal SIGSEGV, Segmentation fault.
+
+Signed-off-by: Radovan Sroka <rsroka@redhat.com>
+---
+ src/cli/file-cli.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/src/cli/file-cli.c b/src/cli/file-cli.c
+index ae326c14..655e8f15 100644
+--- a/src/cli/file-cli.c
++++ b/src/cli/file-cli.c
+@@ -53,8 +53,13 @@ static int ftw_add_list_append(const char *fpath,
+ 		int typeflag,
+ 		struct FTW *ftwbuf __attribute__ ((unused)))
+ {
+-	if (typeflag == FTW_F)
+-		list_append(&add_list, strdup(fpath), NULL);
++	if (typeflag == FTW_F) {
++		if (S_ISREG(sb->st_mode)) {
++			list_append(&add_list, strdup(fpath), NULL);
++		} else {
++			msg(LOG_INFO, "Skipping non regular file: %s", fpath);
++		}
++	}
+ 	return FTW_CONTINUE;
+ }
+ 
+@@ -83,11 +88,8 @@ static int add_list_load_path(const char *path)
+ 
+ 	if (S_ISDIR(sb.st_mode))
+ 		nftw(path, &ftw_add_list_append, FTW_NOPENFD, FTW_FLAGS);
+-	else if (S_ISREG(sb.st_mode)) {
++	else
+ 		list_append(&add_list, strdup(path), NULL);
+-	} else {
+-		msg(LOG_INFO, "Skipping non regular file: %s", path);
+-	}
+ 
+ 	return 0;
+ }

SOURCES/fapolicyd-uthash-bundle.patch

@@ -0,0 +1,39 @@
+diff -up ./configure.ac.uthash ./configure.ac
+--- ./configure.ac.uthash	2022-09-27 16:34:59.000000000 +0200
++++ ./configure.ac	2022-09-29 11:57:26.297879027 +0200
+@@ -162,10 +162,6 @@ AC_CHECK_HEADER(sys/fanotify.h, , [AC_MS
+ ["Couldn't find sys/fanotify.h...your kernel might not be new enough"] )])
+ AC_CHECK_FUNCS(fexecve, [], [])
+ AC_CHECK_FUNCS([gettid])
+-AC_CHECK_HEADER(uthash.h, , [AC_MSG_ERROR(
+-["Couldn't find uthash.h...uthash-devel is missing"] )])
+-
+-
+ echo .
+ echo Checking for required libraries
+ AC_CHECK_LIB(udev, udev_device_get_devnode, , [AC_MSG_ERROR([libudev not found])], -ludev)
+diff -up ./src/library/rpm-backend.c.uthash ./src/library/rpm-backend.c
+--- ./src/library/rpm-backend.c.uthash	2022-09-29 11:57:26.297879027 +0200
++++ ./src/library/rpm-backend.c	2022-09-29 11:58:45.470119807 +0200
+@@ -33,7 +33,7 @@
+ #include <rpm/rpmpgp.h>
+ #include <fnmatch.h>
+ 
+-#include <uthash.h>
++#include "uthash.h"
+ 
+ #include "message.h"
+ #include "gcc-attributes.h"
+diff -up ./src/Makefile.am.uthash ./src/Makefile.am
+--- ./src/Makefile.am.uthash	2022-09-27 16:34:59.000000000 +0200
++++ ./src/Makefile.am	2022-09-29 11:57:26.297879027 +0200
+@@ -5,6 +5,9 @@ AM_CPPFLAGS = \
+ 	-I${top_srcdir} \
+ 	-I${top_srcdir}/src/library
+ 
++AM_CPPFLAGS += \
++	-I${top_srcdir}/uthash-2.3.0/include
++
+ sbin_PROGRAMS = fapolicyd fapolicyd-cli
+ lib_LTLIBRARIES= libfapolicyd.la
+ 

SOURCES/fapolicyd.sysusers

@@ -0,0 +1 @@
+u fapolicyd - "Application Whitelisting Daemon" /var/lib/fapolicyd

SOURCES/selinux.patch

@@ -1,6 +1,6 @@
-diff -up ./fapolicyd-selinux-0.6/fapolicyd.te.fix ./fapolicyd-selinux-0.6/fapolicyd.te
---- ./fapolicyd-selinux-0.6/fapolicyd.te.fix	2023-06-15 17:11:47.964646794 +0200
-+++ ./fapolicyd-selinux-0.6/fapolicyd.te	2023-06-15 17:13:10.426477653 +0200
+diff -up ./fapolicyd-selinux-0.7/fapolicyd.te.fix ./fapolicyd-selinux-0.7/fapolicyd.te
+--- ./fapolicyd-selinux-0.7/fapolicyd.te.fix	2023-06-15 17:11:47.964646794 +0200
++++ ./fapolicyd-selinux-0.7/fapolicyd.te	2023-06-15 17:13:10.426477653 +0200
 @@ -50,6 +50,9 @@ ifdef(`watch_mount_dirs_pattern',`
  
  ifdef(`fs_watch_all_fs',`

SOURCES/var-run-selinux.patch

@@ -0,0 +1,26 @@
+From 750c5e288f8253c71a9722da960addb078aee93c Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 6 Feb 2024 21:17:27 +0100
+Subject: [PATCH] Rename all /var/run file context entries to /run
+
+With the 1f76e522a ("Rename all /var/run file context entries to /run")
+selinux-policy commit, all /var/run file context entries moved to /run
+and the equivalency was inverted. Subsequently, changes in fapolicyd.fc
+need to be done, too, in a similar manner.
+---
+ fapolicyd.fc | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fapolicyd-selinux-0.7/fapolicyd.fc b/fapolicyd-selinux-0.7/fapolicyd.fc
+index 2bdc7aa..d081dc8 100644
+--- a/fapolicyd-selinux-0.7/fapolicyd.fc
++++ b/fapolicyd-selinux-0.7/fapolicyd.fc
+@@ -8,6 +8,6 @@
+ 
+ /var/log/fapolicyd-access.log    --      gen_context(system_u:object_r:fapolicyd_log_t,s0)
+ 
+-/var/run/fapolicyd(/.*)?		 gen_context(system_u:object_r:fapolicyd_var_run_t,s0)
++/run/fapolicyd(/.*)?		 gen_context(system_u:object_r:fapolicyd_var_run_t,s0)
+ 
+-/var/run/fapolicyd\.pid	--	 gen_context(system_u:object_r:fapolicyd_var_run_t,s0)
++/run/fapolicyd\.pid	--	 gen_context(system_u:object_r:fapolicyd_var_run_t,s0)

SOURCES/var-run-t-dir-selinux.patch

@@ -0,0 +1,11 @@
+diff -up ./fapolicyd-selinux-0.7/fapolicyd.te.var_run_dir ./fapolicyd-selinux-0.7/fapolicyd.te
+--- ./fapolicyd-selinux-0.7/fapolicyd.te.var_run_dir	2025-07-20 21:08:05.054395347 +0200
++++ ./fapolicyd-selinux-0.7/fapolicyd.te	2025-07-20 21:08:28.240293532 +0200
+@@ -57,6 +57,7 @@ ifdef(`files_watch_sb_all_mountpoints',`
+ ')
+ 
+ allow fapolicyd_t file_type : lnk_file { getattr read };
++allow fapolicyd_t var_run_t:dir setattr;
+ 
+ manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t)
+ logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)

SPECS/fapolicyd.spec

@@ -1,39 +1,49 @@
 %global selinuxtype targeted
 %global moduletype contrib
-%define semodule_version 0.6
+%define semodule_version 0.7
 
 Summary: Application Whitelisting Daemon
 Name: fapolicyd
-Version: 1.3.2
-Release: 1%{?dist}
+Version: 1.3.3
+Release: 106%{?dist}
 License: GPLv3+
 URL: http://people.redhat.com/sgrubb/fapolicyd
 Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
 Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz
+# we bundle uthash for rhel9
+Source2: https://github.com/troydhanson/uthash/archive/refs/tags/v2.3.0.tar.gz#/uthash-2.3.0.tar.gz
+Source3: fapolicyd.sysusers
 BuildRequires: gcc
 BuildRequires: kernel-headers
 BuildRequires: autoconf automake make gcc libtool
 BuildRequires: systemd-devel openssl-devel rpm-devel file-devel file
 BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
 BuildRequires: python3-devel
-BuildRequires: python2-devel
+
+%if 0%{?rhel} == 0
 BuildRequires: uthash-devel
-Requires: rpm-plugin-fapolicyd >= 4.14.3-12
+%endif
+
+Requires: %{name}-plugin
 Recommends: %{name}-selinux
 Requires(pre): shadow-utils
 Requires(post): systemd-units
 Requires(preun): systemd-units
 Requires(postun): systemd-units
 
-# we are making the dnf-plugin completelly dummy because of
-# https://bugzilla.redhat.com/show_bug.cgi?id=1929163
-# we require the rpm-plugin from now on and the dnf-plugin still needs to be part of
-# the fapolicyd package because it provides safe upgrade path
-Patch1: fapolicyd-dnf-plugin.patch
+Patch1: fapolicyd-uthash-bundle.patch
 Patch2: selinux.patch
-Patch3: fapolicyd-selinux-links.patch
-Patch4: fapolicyd-leaks.patch
-Patch5: fapolicyd-librpm-workaround.patch
+Patch3: var-run-selinux.patch
+Patch4: fapolicyd-rpm-v.patch
+Patch5: fapolicyd-nss-lookup.patch
+Patch6: fapolicyd-normal-pattern.patch
+Patch7: fapolicyd-rpm-loader.patch
+Patch8: fapolicyd-infinite-loop.patch
+Patch9: fapolicyd-data-format.patch
+Patch10: var-run-t-dir-selinux.patch
+Patch11: fapolicyd-skip-nonregular.patch
+Patch12: fapolicyd-socket-segfault.patch
+Patch13: Add-var-lib-fapolicyd-to-tmpfiles.patch
 
 %description
 Fapolicyd (File Access Policy Daemon) implements application whitelisting
@@ -60,11 +70,24 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.
 # selinux
 %setup -q -D -T -a 1
 
-%patch -P 1 -p1 -b .dnf-plugin
+%if 0%{?rhel} != 0
+# uthash
+%setup -q -D -T -a 2
+%patch -P 1 -p1 -b .uthash
+%endif
+
 %patch -P 2 -p1 -b .selinux
-%patch -P 3 -p1 -b .selinux-links
-%patch -P 4 -p1 -b .leaks
-%patch -P 5 -p1 -b .librpm-workaround
+%patch -P 3 -p1 -R -b .var-run-selinux
+%patch -P 4 -p1 -b .rpm-v
+%patch -P 5 -p1 -b .nss-lookup
+%patch -P 6 -p1 -b .normal-pattern
+%patch -P 7 -p1 -b .rpm-loader
+%patch -P 8 -p1 -b .infinite-loop
+%patch -P 9 -p1 -b .data-format
+%patch -P 10 -p1 -b .var-run-dir
+%patch -P 11 -p1 -b .skip-nonregular
+%patch -P 12 -p1 -b .socket-segfault
+%patch -P 13 -p1 -b .var-lib-dir
 
 # generate rules for python
 sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules
@@ -86,7 +109,7 @@ cp INSTALL INSTALL.tmp
     --with-rpm \
     --disable-shared
 
-%make_build
+make CFLAGS="%{optflags}" %{?_smp_mflags}
 
 # selinux
 pushd %{name}-selinux-%{semodule_version}
@@ -96,15 +119,14 @@ popd
 %check
 make check
 
-# Selinux
+# selinux
 %pre selinux
 %selinux_relabel_pre -s %{selinuxtype}
 
 %install
 %make_install
-mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/
-install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/
 install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf
+install -p -D -m 0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/%{name}.conf
 mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}
 mkdir -p %{buildroot}/run/%{name}
 mkdir -p %{buildroot}%{_sysconfdir}/%{name}/trust.d
@@ -164,6 +186,7 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -delete
 
 %pre
 getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
+
 if [ $1 -eq 2 ]; then
 # detect changed default rules in case of upgrade
 %manage_default_rules
@@ -205,23 +228,25 @@ fi
 %doc README.md
 %{!?_licensedir:%global license %%doc}
 %license COPYING
-%attr(755,root,%{name}) %dir %{_datadir}/%{name}
-%attr(755,root,%{name}) %dir %{_datadir}/%{name}/sample-rules
-%attr(644,root,%{name}) %{_datadir}/%{name}/default-ruleset.known-libs
-%attr(644,root,%{name}) %{_datadir}/%{name}/sample-rules/*
-%attr(644,root,%{name}) %{_datadir}/%{name}/fapolicyd-magic.mgc
+%attr(755,root,root) %dir %{_datadir}/%{name}
+%attr(755,root,root) %dir %{_datadir}/%{name}/sample-rules
+%attr(644,root,root) %{_datadir}/%{name}/default-ruleset.known-libs
+%attr(644,root,root) %{_datadir}/%{name}/sample-rules/*
+%attr(644,root,root) %{_datadir}/%{name}/fapolicyd-magic.mgc
 %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
 %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/trust.d
 %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/rules.d
 %attr(644,root,root) %{_sysconfdir}/bash_completion.d/*
 %ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/rules.d/*
 %ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
-%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}-filter.conf
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
+%ghost %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules
 %attr(644,root,root) %{_unitdir}/%{name}.service
 %attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
+%attr(755,root,root) %{_sbindir}/%{name}-rpm-loader
+%attr(644,root,root) %{_sysusersdir}/%{name}.conf
 %attr(755,root,root) %{_sbindir}/%{name}
 %attr(755,root,root) %{_sbindir}/%{name}-cli
 %attr(755,root,root) %{_sbindir}/fagenrules
@@ -233,10 +258,8 @@ fi
 %ghost %attr(660,root,%{name}) /run/%{name}/%{name}.fifo
 %ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/data.mdb
 %ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/lock.mdb
-%{python3_sitelib}/dnf-plugins/%{name}-dnf-plugin.py
-%{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc
 
-# selinux
+
 %files selinux
 %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
 %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
@@ -255,172 +278,230 @@ fi
 %selinux_relabel_post -s %{selinuxtype}
 
 %changelog
-* Wed Jul 19 2023 Radovan Sroka <rsroka@redhat.com> - 1.3.2-1
-RHEL 8.9.0 ERRATUM
+* Mon Aug 18 2025 Petr Lautrbach <lautrbach@redhat.com> - 1.3.3-106
+- Add /var/lib/fapolicyd to tmpfiles
+Resolves: RHEL-104873
+
+* Wed May 28 2025 Radovan Sroka <rsroka@redhat.com> - 1.3.3-105
+RHEL 9.7.0 ERRATUM
+- RPMDB crashes with SIGBUS when updating the RPMDB repeatedly
+Resolves: RHEL-63090
+- File /run/fapolicyd differs from RPM expectations
+Resolves: RHEL-59626
+- fapolicyd.service badly instructs how to start after nss-user-lookup.target
+Resolves: RHEL-21871
+- fapolicy rule containing 'pattern=normal' produces error
+Resolves: RHEL-30020
+- "fapolicyd-cli --file add" crashes when processing sockets
+Resolves: RHEL-69136
+
+* Wed Jul 19 2023 Radovan Sroka <rsroka@redhat.com> - 1.3.3-100
+RHEL 9.5.0 ERRATUM
+- rebase to fapolicyd-1.3.3 and fapolicyd-selinux-0.7
+Resolves: RHEL-36285
+
+* Wed Jul 19 2023 Radovan Sroka <rsroka@redhat.com> - 1.3.2-100
+RHEL 9.3.0 ERRATUM
 - Rebase fapolicyd to the latest stable version
-Resolves: RHEL-519
-- RFE: send rule number to fanotify so it gets audited
-Resolves: RHEL-628
-- Default q_size doesn't match manpage's one
-Resolves: RHEL-629
+Resolves: RHEL-430
 - fapolicyd can leak FDs and never answer request, causing target process to hang forever
-Resolves: RHEL-632
+Resolves: RHEL-621
+- RFE: send rule number to fanotify so it gets audited
+Resolves: RHEL-624
 - fapolicyd needs to make sure the FD limit is never reached
-Resolves: RHEL-631
+Resolves: RHEL-623
 - fapolicyd still allows execution of a program after "untrusting" it
-Resolves: RHEL-630
+Resolves: RHEL-622
+- Default q_size doesn't match manpage's one
+Resolves: RHEL-627
+- fapolicyd-cli --update then mount/umount twice causes fapolicyd daemon to block (state 'D')
+Resolves: RHEL-817
 - Fix broken backwards compatibility backend numbers
-Resolves: RHEL-731
-- fapolicyd can create RPM DB files /var/lib/rpm/__db.xxx with bad ownership causing AVCs to occur
-Resolves: RHEL-829
+Resolves: RHEL-730
 - SELinux prevents the fapolicyd from reading symlink (cert_t)
-Resolves: RHEL-820
+Resolves: RHEL-816
 
-* Mon Jan 30 2023 Radovan Sroka <rsroka@redhat.com> - 1.1.3-12
-RHEL 8.8.0 ERRATUM
+* Mon Jan 30 2023 Radovan Sroka <rsroka@redhat.com> - 1.1.3-104
+RHEL 9.2.0 ERRATUM
 - statically linked app can execute untrusted app
-Resolves: rhbz#2088349
+Resolves: rhbz#2097077
+- fapolicyd ineffective with systemd DynamicUser=yes
+Resolves: rhbz#2136802
 - Starting manually fapolicyd while the service is already running breaks the system
-Resolves: rhbz#2103352
+Resolves: rhbz#2160517
 - Cannot execute /usr/libexec/grepconf.sh when falcon-sensor is enabled
-Resolves: rhbz#2087040
+Resolves: rhbz#2160518
 - fapolicyd: Introduce filtering of rpmdb
-Resolves: rhbz#2165645
+Resolves: RHEL-192
 
-* Fri Aug 05 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.3-8
-RHEL 8.7.0 ERRATUM
+* Fri Aug 05 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.3-102
+RHEL 9.1.0 ERRATUM
 - rebase fapolicyd to the latest stable vesion
-Resolves: rhbz#2100087
-- fapolicyd does not correctly handle SIGHUP
-Resolves: rhbz#2070639
-- fapolicyd often breaks package updates
-Resolves: rhbz#2111243
-- drop libgcrypt in favour of openssl
-Resolves: rhbz#2111935
-- fapolicyd.rules doesn't advertise that using a username/groupname instead of uid/gid also works
-Resolves: rhbz#2103914
+Resolves: rhbz#2100041
 - fapolicyd gets way too easily killed by OOM killer
-Resolves: rhbz#2100089
-- compiled.rules file ownership and mode
-Resolves: rhbz#2066653
-- Faulty handling of static applications
-Resolves: rhbz#2084497
+Resolves: rhbz#2097385
+- fapolicyd does not correctly handle SIGHUP
+Resolves: rhbz#2070655
 - Introduce ppid rule attribute
-Resolves: rhbz#2102563
-- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path [rhel-8.7.0]
-Resolves: rhbz#2069121
-- Fapolicyd denies access to /usr/lib64/ld-2.28.so [rhel-8.7.0]
-Resolves: rhbz#2068105
+Resolves: rhbz#2102558
+- fapolicyd often breaks package updates
+Resolves: rhbz#2111244
+- drop libgcrypt in favour of openssl
+Resolves: rhbz#2111938
+- Remove dnf plugin
+Resolves: rhbz#2113959
+- fapolicyd.rules doesn't advertise that using a username/groupname instead of uid/gid also works
+Resolves: rhbz#2115849
 
-* Wed Feb 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-1
-RHEL 8.6.0 ERRATUM
+* Thu Jun 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-104
+RHEL 9.1.0 ERRATUM
+- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path
+Resolves: rhbz#2069123
+- Faulty handling of static applications
+Resolves: rhbz#2096457
+
+* Sun Apr 3 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-101
+RHEL 9.1.0 ERRATUM
+- fapolicyd denies access to /usr/lib64/ld-2.28.so
+Resolves: rhbz#2067493
+
+* Wed Feb 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-100
+RHEL 9.0.0 ERRATUM
 - rebase to 1.1
-Resolves: rhbz#1939379
-- introduce rules.d feature
-Resolves: rhbz#2054741
+Resolves: rhbz#2032408
+- introduce rules.d
+Resolves: rhbz#2054740
 - remove pretrans scriptlet
-Resolves: rhbz#2051485
+Resolve: rhbz#2051481
 
-* Mon Dec 13 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.4-2
-RHEL 8.6.0 ERRATUM
+* Tue Dec 14 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.4-101
+RHEL 9.0.0 ERRATUM
 - rebase to 1.0.4
 - added rpm_sha256_only option
 - added trust.d directory
-- allow file names with whitespace in trust files
+- allow file names with whitespaces in trust files
 - use full paths in trust files
-Resolves: rhbz#1939379
+Resolves: rhbz#2032408
 - fix libc.so getting identified as application/x-executable
-Resolves: rhbz#1989272
-- fix fapolicyd-dnf-plugin reporting as '<invalid>'
-Resolves: rhbz#1997414
+Resolves: rhbz#2015307
 - fix selinux DSP module definition in spec file
-Resolves: rhbz#2014445
+Resolves: rhbz#2014449
 
-* Thu Aug 19 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.2-7
-- fapolicyd abnormally exits by executing sosreport
-- fixed multiple problems with unlink()
-- fapolicyd breaks system upgrade, leaving system in dead state - complete fix
-Resolves: rhbz#1943251
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.3-4
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Tue Feb 16 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.2-3
-RHEL 8.4.0 ERRATUM
+* Tue Jul 20 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.3-3
+RHEL 9 BETA
+- SELinux prevents fapolicyd from watch_mount/watch_with_perm on /dev/shm
+Resolves: rhbz#1932225
+Resolves: rhbz#1977731
+
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.3-2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Thu Apr 01 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.3-1
+- rebase to 1.0.3
+- sync fedora with rhel
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jan 06 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.2-1
 - rebase to 1.0.2
-- strong dependency on rpm/rpm-plugin-fapolicyd
-- installed dnf-plugin is dummy and we are not using it anymore
-- enabled integrity setting
-Resolves: rhbz#1887451
-- added make check
-- Adding DISA STIG during OS installation causes 'ipa-server-install' to fail
-- fixed java detection
-Resolves: rhbz#1895435
-- dnf update fails when fapolicyd is enabled
-Resolves: rhbz#1876975
-- fapolicyd breaks system upgrade, leaving system in dead state - complete fix
-Resolves: rhbz#1896875
+- enabled make check
+- dnf-plugin is now required subpackage
 
-* Tue Jun 30 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3
-RHEL 8.3 ERRATUM
-- fixed manpage fapolicyd-conf
-Resolves: rhbz#1817413
+* Mon Nov 16 2020 Radovan Sroka <rsroka@redhat.com> - 1.0.1-1
+- rebase to 1.0.1
+- introduced uthash dependency
+- SELinux prevents the fapolicyd process from writing to /run/dbus/system_bus_socket
+Resolves: rhbz#1874491
+- SELinux prevents the fapolicyd process from writing to /var/lib/rpm directory
+Resolves: rhbz#1876538
 
-* Mon May 25 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-2
-RHEL 8.3 ERRATUM
-- rebase to v1.0
-- installed multiple policies to /usr/share/fapolicyd
-  - known-libs (default)
-  - restrictive
-- installed fapolicyd.trust file
-- enhanced fapolicyd-cli
-Resolves: rhbz#1817413
-- introduced fapolicyd-selinux that provides SELinux policy module
-Resolves: rhbz#1714529
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 
-* Tue Mar 03 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.1-4
-RHEL 8.2 ERRATUM
-- fixed possible heap buffer overflow in elf parser
-Resolves: rhbz#1807912
+* Wed Jun 24 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3
+- backported few cosmetic small patches from upstream master
+- rebase selinux tarbal to v0.3
+- file context pattern for /run/fapolicyd.pid is missing
+Resolves: rhbz#1834674
 
-* Tue Feb 11 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.1-3
-RHEL 8.2 ERRATUM
-- fixed build time python interpreter detection (spec)
-- added python2-devel as a BuildRequires (spec)
-- allow running bash scripts in home directories
-Resolves: rhbz#1801872
+* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 1.0-2
+- Rebuilt for Python 3.9
 
-* Wed Nov 20 2019 Radovan Sroka <rsroka@redhat.com> - 0.9.1-2
-RHEL 8.2 ERRATUM
-- rebase to v0.9.1
-- updated default configuration with new syntax
-- removed daemon mounts configuration
-Resolves: rhbz#1759895
-- default fapolicyd policy prevents Ansible from running
-- added ansible rule to default ruleset
-Resolves: rhbz#1746464
-- suspicious logs on service start
-Resolves: rhbz#1747494
-- fapolicyd blocks dracut from generating initramfs
-- added dracut rule to default configuration
-Resolves: rhbz#1757736
-- fapolicyd fails to identify perl interpreter
-Resolves: rhbz#1765039
+* Mon May 25 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-1
+- rebase fapolicyd to 1.0
+- allowed sys_ptrace for user namespace
 
-* Wed Jul 24 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-3
-- added missing manpage for fapolicyd-cli
-Resolves: rhbz#1708015
+* Mon Mar 23 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.4-1
+- rebase fapolicyd to 0.9.4
+- polished the pattern detection engine
+- rpm backend now drops most of the files in /usr/share/ to dramatically reduce
+  memory consumption and improve startup speed
+- the commandline utility can now delete the lmdb trust database and manage
+  the file trust source
 
-* Mon Jul 22 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-2
-- Convert hashes to lowercase like sha256sum outputs
-- Stop littering STDOUT output for dnf plugin in fapolicyd
-Resolves: rhbz#1721496
+* Mon Feb 24 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.3-1
+- rebase fapolicyd to 0.9.3
+- dramatically improved startup time
+- fapolicyd-cli has picked up --list and --ftype commands to help debug/write policy
+- file type identification has been improved
+- trust database statistics have been added to the reports
 
-* Tue Jun 18 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-1
-- new upstream release
-Resolves: rhbz#1673323
+* Tue Feb 04 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.2-2
+- Label all fifo_file as fapolicyd_var_run_t in /var/run.
+- Allow fapolicyd_t domain to create fifo files labeled as
+  fapolicyd_var_run_t
+
+* Fri Jan 31 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.2-1
+- rebase fapolicyd to 0.9.2
+- allows watched mount points to be specified by file system types
+- ELF file detection was improved
+- the rules have been rewritten to express the policy based on subject
+  object trust for better performance and reliability
+- exceptions for dracut and ansible were added to the rules to avoid problems
+  under normal system use
+- adds an admin defined trust database (fapolicyd.trust)
+- setting boost, queue, user, and group on the daemon
+  command line are deprecated
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Tue Nov 05 2019 Marek Tamaskovic <mtamasko@redhat.com> - 0.9-3
+- Updated fapolicyd-selinux subpackage to v0.2
+  Selinux subpackage is recommended for fapolicyd.
+
+* Mon Oct 07 2019 Radovan Sroka <rsroka@redhat.com> - 0.9-2
+- Added fapolicyd-selinux subpackage
+
+* Mon Oct 07 2019 Radovan Sroka <rsroka@redhat.com> - 0.9-1
+- rebase to v0.9
+
+* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 0.8.10-2
+- Rebuilt for Python 3.8.0rc1 (#1748018)
+
+* Wed Aug 28 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-1
+- rebase to 0.8.10
+- generate python paths dynamically
+
+* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 0.8.9-5
+- Rebuilt for Python 3.8
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.9-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Mon Jun 10 22:13:18 CET 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.8.9-3
+- Rebuild for RPM 4.15
+
+* Mon Jun 10 15:42:01 CET 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.8.9-2
+- Rebuild for RPM 4.15
 
 * Mon May 06 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.9-1
 - New upstream release
-- imported from fedora30
-  resolves: rhbz#1673323
 
 * Wed Mar 13 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.8-2
 - backport some patches to resolve dac_override for fapolicyd