rpms/fapolicyd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

base: rpms:c8
Branches Tags
rpms:c8
rpms:c9-beta
rpms:c10s
rpms:c9s
rpms:c9
rpms:c8-beta
rpms:c8s
rpms:imports/c9-beta/fapolicyd-1.4.3-3.el9
rpms:imports/c10s/fapolicyd-1.4.3-3.el10
rpms:imports/c10s/fapolicyd-1.4.3-2.el10
rpms:imports/c10s/fapolicyd-1.4.3-1.el10
rpms:imports/c10s/fapolicyd-1.4.2-1.el10
rpms:imports/c10s/fapolicyd-1.4.1-2.el10
rpms:imports/c9/fapolicyd-1.3.3-106.el9_6.1
rpms:imports/c10s/fapolicyd-1.4.1-1.el10
rpms:imports/c10s/fapolicyd-1.3.7-1.el10
rpms:imports/c9-beta/fapolicyd-1.3.3-106.el9
rpms:imports/c10s/fapolicyd-1.3.3-107.el10
rpms:imports/c10s/fapolicyd-1.3.3-106.el10
rpms:imports/c10s/fapolicyd-1.3.3-105.el10
rpms:imports/c10s/fapolicyd-1.3.3-103.el10
rpms:imports/c10s/fapolicyd-1.3.3-102.el10
rpms:imports/c9-beta/fapolicyd-1.3.3-100.el9
rpms:imports/c10s/fapolicyd-1.3.3-101.el10
rpms:imports/c8/fapolicyd-1.3.2-1.el8
rpms:imports/c9/fapolicyd-1.3.2-100.el9
rpms:imports/c8-beta/fapolicyd-1.3.2-1.el8
rpms:imports/c9-beta/fapolicyd-1.3.2-100.el9
rpms:imports/c8/fapolicyd-1.1.3-12.el8
rpms:imports/c9/fapolicyd-1.1.3-104.el9
rpms:imports/c9-beta/fapolicyd-1.1.3-104.el9
rpms:imports/c8-beta/fapolicyd-1.1.3-12.el8
rpms:imports/c8s/fapolicyd-1.1.3-12.el8
rpms:imports/c9/fapolicyd-1.1.3-102.el9_1.7
rpms:imports/c8s/fapolicyd-1.1.3-10.el8
rpms:imports/c8/fapolicyd-1.1.3-8.el8_7.1
rpms:imports/c9/fapolicyd-1.1.3-102.el9
rpms:imports/c8s/fapolicyd-1.1.3-8.el8_7.1
rpms:imports/c8/fapolicyd-1.1.3-8.el8
rpms:imports/c9-beta/fapolicyd-1.1.3-102.el9
rpms:imports/c8-beta/fapolicyd-1.1.3-8.el8
rpms:imports/c8s/fapolicyd-1.1.3-8.el8
rpms:imports/c9/fapolicyd-1.1-103.el9_0.1
rpms:imports/c8/fapolicyd-1.1-6.el8_6.1
rpms:imports/c8s/fapolicyd-1.1.3-6.el8
rpms:imports/c8s/fapolicyd-1.1-6.el8_6.1
rpms:imports/c9/fapolicyd-1.1-103.el9_0
rpms:imports/c8/fapolicyd-1.1-6.el8
rpms:imports/c8s/fapolicyd-1.1-6.el8
rpms:imports/c9-beta/fapolicyd-1.1-100.el9
rpms:imports/c8s/fapolicyd-1.1-4.el8
rpms:imports/c8-beta/fapolicyd-1.1-1.el8
rpms:imports/c8s/fapolicyd-1.1-1.el8
rpms:imports/c9-beta/fapolicyd-1.0.4-101.el9
rpms:imports/c8s/fapolicyd-1.0.4-2.el8
rpms:imports/c9-beta/fapolicyd-1.0.3-4.el9
rpms:imports/c8-beta/fapolicyd-1.0.2-6.el8
rpms:imports/c8-beta/fapolicyd-1.0.2-3.el8
rpms:imports/c8-beta/fapolicyd-1.0-3.el8
rpms:imports/c8-beta/fapolicyd-0.9.1-2.el8
rpms:imports/c8-beta/fapolicyd-0.8.9-1.el8
rpms:imports/c8s/fapolicyd-1.0.2-6.el8
rpms:imports/c8s/fapolicyd-1.0.2-5.el8
rpms:imports/c8s/fapolicyd-1.0.2-4.el8
rpms:imports/c8s/fapolicyd-1.0.2-3.el8
rpms:imports/c8s/fapolicyd-1.0-3.el8_3.4
rpms:imports/c8/fapolicyd-1.0.2-6.el8
rpms:imports/c8/fapolicyd-1.0-3.el8_3.4
rpms:imports/c8/fapolicyd-1.0-3.el8_3.3
rpms:imports/c8/fapolicyd-1.0-3.el8_3.2
rpms:imports/c8/fapolicyd-1.0-3.el8
..
compare: rpms:c9-beta
Branches Tags
rpms:c9-beta
rpms:c10s
rpms:c9s
rpms:c9
rpms:c8
rpms:c8-beta
rpms:c8s
rpms:imports/c9-beta/fapolicyd-1.4.3-3.el9
rpms:imports/c10s/fapolicyd-1.4.3-3.el10
rpms:imports/c10s/fapolicyd-1.4.3-2.el10
rpms:imports/c10s/fapolicyd-1.4.3-1.el10
rpms:imports/c10s/fapolicyd-1.4.2-1.el10
rpms:imports/c10s/fapolicyd-1.4.1-2.el10
rpms:imports/c9/fapolicyd-1.3.3-106.el9_6.1
rpms:imports/c10s/fapolicyd-1.4.1-1.el10
rpms:imports/c10s/fapolicyd-1.3.7-1.el10
rpms:imports/c9-beta/fapolicyd-1.3.3-106.el9
rpms:imports/c10s/fapolicyd-1.3.3-107.el10
rpms:imports/c10s/fapolicyd-1.3.3-106.el10
rpms:imports/c10s/fapolicyd-1.3.3-105.el10
rpms:imports/c10s/fapolicyd-1.3.3-103.el10
rpms:imports/c10s/fapolicyd-1.3.3-102.el10
rpms:imports/c9-beta/fapolicyd-1.3.3-100.el9
rpms:imports/c10s/fapolicyd-1.3.3-101.el10
rpms:imports/c8/fapolicyd-1.3.2-1.el8
rpms:imports/c9/fapolicyd-1.3.2-100.el9
rpms:imports/c8-beta/fapolicyd-1.3.2-1.el8
rpms:imports/c9-beta/fapolicyd-1.3.2-100.el9
rpms:imports/c8/fapolicyd-1.1.3-12.el8
rpms:imports/c9/fapolicyd-1.1.3-104.el9
rpms:imports/c9-beta/fapolicyd-1.1.3-104.el9
rpms:imports/c8-beta/fapolicyd-1.1.3-12.el8
rpms:imports/c8s/fapolicyd-1.1.3-12.el8
rpms:imports/c9/fapolicyd-1.1.3-102.el9_1.7
rpms:imports/c8s/fapolicyd-1.1.3-10.el8
rpms:imports/c8/fapolicyd-1.1.3-8.el8_7.1
rpms:imports/c9/fapolicyd-1.1.3-102.el9
rpms:imports/c8s/fapolicyd-1.1.3-8.el8_7.1
rpms:imports/c8/fapolicyd-1.1.3-8.el8
rpms:imports/c9-beta/fapolicyd-1.1.3-102.el9
rpms:imports/c8-beta/fapolicyd-1.1.3-8.el8
rpms:imports/c8s/fapolicyd-1.1.3-8.el8
rpms:imports/c9/fapolicyd-1.1-103.el9_0.1
rpms:imports/c8/fapolicyd-1.1-6.el8_6.1
rpms:imports/c8s/fapolicyd-1.1.3-6.el8
rpms:imports/c8s/fapolicyd-1.1-6.el8_6.1
rpms:imports/c9/fapolicyd-1.1-103.el9_0
rpms:imports/c8/fapolicyd-1.1-6.el8
rpms:imports/c8s/fapolicyd-1.1-6.el8
rpms:imports/c9-beta/fapolicyd-1.1-100.el9
rpms:imports/c8s/fapolicyd-1.1-4.el8
rpms:imports/c8-beta/fapolicyd-1.1-1.el8
rpms:imports/c8s/fapolicyd-1.1-1.el8
rpms:imports/c9-beta/fapolicyd-1.0.4-101.el9
rpms:imports/c8s/fapolicyd-1.0.4-2.el8
rpms:imports/c9-beta/fapolicyd-1.0.3-4.el9
rpms:imports/c8-beta/fapolicyd-1.0.2-6.el8
rpms:imports/c8-beta/fapolicyd-1.0.2-3.el8
rpms:imports/c8-beta/fapolicyd-1.0-3.el8
rpms:imports/c8-beta/fapolicyd-0.9.1-2.el8
rpms:imports/c8-beta/fapolicyd-0.8.9-1.el8
rpms:imports/c8s/fapolicyd-1.0.2-6.el8
rpms:imports/c8s/fapolicyd-1.0.2-5.el8
rpms:imports/c8s/fapolicyd-1.0.2-4.el8
rpms:imports/c8s/fapolicyd-1.0.2-3.el8
rpms:imports/c8s/fapolicyd-1.0-3.el8_3.4
rpms:imports/c8/fapolicyd-1.0.2-6.el8
rpms:imports/c8/fapolicyd-1.0-3.el8_3.4
rpms:imports/c8/fapolicyd-1.0-3.el8_3.3
rpms:imports/c8/fapolicyd-1.0-3.el8_3.2
rpms:imports/c8/fapolicyd-1.0-3.el8

No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

19 changed files with 1081 additions and 414 deletions
Show Stats Expand all files Collapse all files

3
.fapolicyd.metadata Normal file
View File

@ -0,0 +1,3 @@
1a4a68f063262ca09c23d5bb617c8e036460c907 SOURCES/fapolicyd-1.4.3.tar.gz
7738046b00e2fde870ee483ff8ccb8235ecfcee1 SOURCES/fapolicyd-selinux-1.1.tar.gz
fbafa356359ace80787ce6634d84425b40d90907 SOURCES/uthash-2.3.0.tar.gz

5
.gitignore vendored
View File

@ -1,2 +1,3 @@
SOURCES/fapolicyd-1.3.2.tar.gz
SOURCES/fapolicyd-selinux-0.6.tar.gz
SOURCES/fapolicyd-1.4.3.tar.gz
SOURCES/fapolicyd-selinux-1.1.tar.gz
SOURCES/uthash-2.3.0.tar.gz

61
SOURCES/0002-If-less-than-16-chars-were-read-allow-shebang-test-c.patch Normal file
View File

@ -0,0 +1,61 @@
From a2ea4efcae9ff6c7af47058d8b61aa88f269cf66 Mon Sep 17 00:00:00 2001
From: Steve Grubb <ausearch.1@gmail.com>
Date: Mon, 19 Jan 2026 16:27:54 -0500
Subject: [PATCH] If less than 16 chars were read, allow shebang test (corner
case)
Content-type: text/plain
---
src/library/file.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/src/library/file.c b/src/library/file.c
index 30571890071b..6491733c0042 100644
--- a/src/library/file.c
+++ b/src/library/file.c
@@ -1253,12 +1253,9 @@ int get_ima_hash(int fd, file_hash_alg_t *alg, char *sha)
static unsigned char e_ident[EI_NIDENT];
-static int read_preliminary_header(int fd)
+static inline ssize_t read_preliminary_header(int fd)
{
- ssize_t rc = safe_read(fd, (char *)e_ident, EI_NIDENT);
- if (rc == EI_NIDENT)
- return 0;
- return 1;
+ return safe_read(fd, (char *)e_ident, EI_NIDENT);
}
@@ -1356,8 +1353,10 @@ static int looks_like_text_script(int fd)
uint32_t gather_elf(int fd, off_t size)
{
uint32_t info = 0;
+ ssize_t rc;
- if (read_preliminary_header(fd))
+ rc = read_preliminary_header(fd);
+ if (rc < 2)
goto rewind_out;
/* Detect scripts via shebang before ELF check */
@@ -1366,6 +1365,10 @@ uint32_t gather_elf(int fd, off_t size)
goto rewind_out;
}
+ /* Make sure we have the full preliminary header */
+ if (rc < EI_NIDENT)
+ goto rewind_out;
+
/* Check ELF magic */
if (strncmp((char *)e_ident, ELFMAG, 4)) {
// Not ELF - see if it might be text script
@@ -1688,4 +1691,3 @@ rewind_out:
rewind_fd(fd);
return info;
}
-
--
2.52.0

39
SOURCES/0003-Fix-binary-path-of-rpm-loader.patch Normal file
View File

@ -0,0 +1,39 @@
From ee5ab7e537a922855e5e5f5905071adb1fc2eb25 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
Date: Wed, 3 Dec 2025 16:36:54 +0100
Subject: [PATCH] Fix binary path of rpm-loader
Content-type: text/plain
---
src/Makefile.am | 1 +
src/library/rpm-backend.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/Makefile.am b/src/Makefile.am
index cab58ee130bd..8a356805b5ab 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -84,6 +84,7 @@ bin_PROGRAMS = fapolicyd-rpm-loader
fapolicyd_rpm_loader_SOURCES = \
handler/fapolicyd-rpm-loader.c
+fapolicyd_CFLAGS += -DBINARYDIR='"$(bindir)"'
fapolicyd_rpm_loader_CFLAGS = $(fapolicyd_CFLAGS)
fapolicyd_rpm_loader_LDFLAGS = $(fapolicyd_LDFLAGS)
fapolicyd_rpm_loader_LDADD = libfapolicyd.la
diff --git a/src/library/rpm-backend.c b/src/library/rpm-backend.c
index fab8e5345d40..5b24c9589040 100644
--- a/src/library/rpm-backend.c
+++ b/src/library/rpm-backend.c
@@ -238,7 +238,7 @@ static int rpm_load_list(const conf_t *conf)
char *custom_env[] = { "FAPO_SOCK_FD=3", NULL };
pid_t pid = -1;
- int status = posix_spawn(&pid, "/usr/bin/fapolicyd-rpm-loader",
+ int status = posix_spawn(&pid, BINARYDIR "/fapolicyd-rpm-loader",
&actions, NULL, argv, custom_env);
close(sv[1]); // Parent doesn't write
--
2.52.0

48
SOURCES/0004-Map-file-with-MAP_SHARED-instead-of-MAP_PRIVATE.patch Normal file
View File

@ -0,0 +1,48 @@
From d6956ef82051a9c805b02431e6c0083754549edd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
Date: Wed, 21 Jan 2026 11:30:58 +0100
Subject: [PATCH] Map file with MAP_SHARED instead of MAP_PRIVATE
Content-type: text/plain
When setting up a user probe using ebpf or systemtap on a file,
fapolicyd computes a different checksum, causing (usually) denial to
occur.
eBPF is used by Microsoft's MDATP, in particular for monitoring
/usr/lib64/libpam.so.0 function calls. Through setting a user probe,
mdatp and fapolicyd cannot be used concurrently.
The reason for computing a different checksum is using mmap(MAP_PRIVATE)
which makes the hooks set by ebpf and/or systemtap be visible:
~~~
1140 char *get_hash_from_fd2(int fd, size_t size, file_hash_alg_t alg)
1141 {
:
1165 mapped = mmap(0, size, PROT_READ, MAP_PRIVATE|MAP_POPULATE, fd, 0);
1166 if (mapped != MAP_FAILED) {
:
~~~
A solution consists in using MAP_SHARED instead of MAP_PRIVATE.
Fixes RHEL-142628.
---
src/library/file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/library/file.c b/src/library/file.c
index 6491733c0042..802a89cc028a 100644
--- a/src/library/file.c
+++ b/src/library/file.c
@@ -1162,7 +1162,7 @@ char *get_hash_from_fd2(int fd, size_t size, file_hash_alg_t alg)
if (digest_length == 0)
return NULL;
- mapped = mmap(0, size, PROT_READ, MAP_PRIVATE|MAP_POPULATE, fd, 0);
+ mapped = mmap(0, size, PROT_READ, MAP_SHARED|MAP_POPULATE, fd, 0);
if (mapped != MAP_FAILED) {
unsigned char hptr[SHA512_DIGEST_LENGTH];
int computed = 0;
--
2.52.0

72
SOURCES/0005-Fix-segfault-when-interrupting-fapolicyd-startup.patch Normal file
View File

@ -0,0 +1,72 @@
From 67620805316e85b4edf6133a106181a4b4c8afac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
Date: Thu, 22 Jan 2026 10:55:45 +0100
Subject: [PATCH] Fix segfault when interrupting fapolicyd startup
Content-type: text/plain
In non-daemon mode, hitting Ctrl-C while fapolicyd initializes leads to
getting 2 segfaults:
- first one in term_handler() because 'q' is not initialized yet
- then one in coredump_handler() because 'm' is not initialized yet
Reproducer:
~~~
# fapolicyd --debug
[...]
01/22/26 10:48:37 [ INFO ]: Loading rpmdb backend
^CSegmentation fault (core dumped)
~~~
GDB shows:
~~~
(gdb) bt
#0 mlist_first (m=m@entry=0x0) at daemon/mounts.c:86 <<<<< SECOND SEGFAULT
#1 0x00005627e02de9ec in unmark_fanotify (m=0x0) at daemon/notify.c:258
#2 0x00005627e02dda13 in coredump_handler (sig=11) at daemon/fapolicyd.c:336
#3 coredump_handler (sig=11) at daemon/fapolicyd.c:333
#4 <signal handler called>
#5 __new_sem_post (sem=0x20) at sem_post.c:36 <<<<< FIRST SEGFAULT
#6 <signal handler called>
#7 __recvmsg_syscall (flags=0, msg=0x7ffe93e00350, fd=6) at ../sysdeps/unix/sysv/linux/recvmsg.c:27
#8 __libc_recvmsg (fd=6, msg=msg@entry=0x7ffe93e00350, flags=flags@entry=0)
at ../sysdeps/unix/sysv/linux/recvmsg.c:41
#9 0x00005627e02eef82 in rpm_load_list (conf=<optimized out>) at library/rpm-backend.c:260
#10 0x00005627e02ecc02 in backend_load (conf=conf@entry=0x5627e02fa0e0 <config>) at library/backend-manager.c:152
#11 0x00005627e02e21c0 in init_database (config=config@entry=0x5627e02fa0e0 <config>) at library/database.c:1440
#12 0x00005627e02db599 in main (argc=<optimized out>, argv=<optimized out>) at daemon/fapolicyd.c:1053
~~~
---
src/daemon/notify.c | 3 +++
src/library/queue.c | 3 ++-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/daemon/notify.c b/src/daemon/notify.c
index 8e1e778cb8c8..db6fb72e01ac 100644
--- a/src/daemon/notify.c
+++ b/src/daemon/notify.c
@@ -255,6 +255,9 @@ void fanotify_update(mlist *m)
void unmark_fanotify(mlist *m)
{
+ if (m == NULL)
+ return;
+
const char *path = mlist_first(m);
// Stop the flow of events
diff --git a/src/library/queue.c b/src/library/queue.c
index c82026439923..6236d0096c80 100644
--- a/src/library/queue.c
+++ b/src/library/queue.c
@@ -236,6 +236,7 @@ int q_timed_dequeue(struct queue *q, struct fanotify_event_metadata *data,
void q_shutdown(struct queue *q)
{
+ if (q == NULL)
+ return;
sem_post(&q->sem);
}
-
--
2.52.0

30
SOURCES/0006-Potential-memory-leak-on-early-return-in-file_append.patch Normal file
View File

@ -0,0 +1,30 @@
From 49d824ef1fdeca5ea5bb28ea6e68a24d21a96756 Mon Sep 17 00:00:00 2001
From: Steve Grubb <ausearch.1@gmail.com>
Date: Wed, 28 Jan 2026 21:29:17 -0500
Subject: [PATCH] Potential memory leak on early-return in file_append
Content-type: text/plain
If add_list_load_path(path) returns failure after adding items to add_list, the function returns without calling list_empty, which can leak any accumulated entries. Call list_empty before returning an error.
---
src/cli/file-cli.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/cli/file-cli.c b/src/cli/file-cli.c
index 7e02e939fdb0..b07d42ee070c 100644
--- a/src/cli/file-cli.c
+++ b/src/cli/file-cli.c
@@ -130,8 +130,10 @@ int file_append(const char *path, const char *fname, bool use_filter)
list_init(&add_list);
rc = add_list_load_path(path);
- if (rc)
+ if (rc) {
+ list_empty(&add_list); // could be partially populated by nftw
return rc;
+ }
if (use_filter && filter_prune_list(&add_list, NULL)) {
list_empty(&add_list);
--
2.53.0

26
SOURCES/0007-whitespace-fix.patch Normal file
View File

@ -0,0 +1,26 @@
From b91b460b943185a1585cbbfe331eac38527b64cb Mon Sep 17 00:00:00 2001
From: Steve Grubb <ausearch.1@gmail.com>
Date: Wed, 28 Jan 2026 22:07:10 -0500
Subject: [PATCH] whitespace fix
Content-type: text/plain
---
src/library/rpm-backend.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/library/rpm-backend.c b/src/library/rpm-backend.c
index 5b24c9589040..c4a90cd1c9f1 100644
--- a/src/library/rpm-backend.c
+++ b/src/library/rpm-backend.c
@@ -443,7 +443,7 @@ out:
// cleaning up
struct _hash_record *item, *tmp;
HASH_ITER( hh, hashtable, item, tmp) {
- HASH_DEL( hashtable, item );
+ HASH_DEL( hashtable, item );
free((void*)item->key);
free((void*)item);
}
--
2.53.0

42
SOURCES/0008-Fix-32-bit-ELF-dynamic-section-parsing.patch Normal file
View File

@ -0,0 +1,42 @@
From f87d54e6eede34a6ef4b77df56ec1df9e313822d Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Fri, 6 Feb 2026 14:31:52 +0100
Subject: [PATCH] Fix 32-bit ELF dynamic section parsing
Content-type: text/plain
Use Elf32_Dyn instead of Elf64_Dyn when parsing PT_DYNAMIC segments in
32-bit ELF files. The incorrect type could cause a segfault on special
32 bit libraries.
Fixes: https://issues.redhat.com/browse/RHEL-1357
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
src/library/file.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/library/file.c b/src/library/file.c
index 802a89cc028a..2dffaaceea1e 100644
--- a/src/library/file.c
+++ b/src/library/file.c
@@ -1485,7 +1485,7 @@ uint32_t gather_elf(int fd, off_t size)
if (ph_tbl[i].p_filesz > size)
goto err_out32;
- Elf64_Dyn *dyn_tbl = malloc(ph_tbl[i].p_filesz);
+ Elf32_Dyn *dyn_tbl = malloc(ph_tbl[i].p_filesz);
if((unsigned int)lseek(fd, ph_tbl[i].p_offset,
SEEK_SET) !=
@@ -1494,7 +1494,7 @@ uint32_t gather_elf(int fd, off_t size)
goto err_out32;
}
- num = ph_tbl[i].p_filesz / sizeof(Elf64_Dyn);
+ num = ph_tbl[i].p_filesz / sizeof(Elf32_Dyn);
if (num > 1000) {
free(dyn_tbl);
goto err_out32;
--
2.53.0

438
SOURCES/bachradsusi.gpg Normal file
View File

@ -0,0 +1,438 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBE97JQcBEAC/aeBxbuToAJokMiVxtMVFoUMgCbcVQDB21YhMq4i5a/HDzFno
qVPhQjGViGTKXQYR7SnT8CCfC3ggG7hqU0oaWKN3D003V6e/ivTJwMKrQRFqf5/A
vN7ELulXFxEt/ZjYmvTukpW5Li2AU7JBD0aO243Ld9jYdZOZn2zdfA8IpnE9Bmm3
K/LO1Xb2F9ujF9faI5/IlJvdUFk3uiCKTSvM8kGwOmAwBI921Z5x/CYvy5kKEazU
lUxMqECl+Tu2YS6NDhWYNkifAIZ7lsUvGjW3/wfh7AvmAQyt/CxOXu9LL2nGzFhw
CIS4jVIxy5bDswNfHcaMX7B5WEyqTPtjzPAEMiLL4yHJZrHDPd26QHSaqtilVA4K
AeTYbME8iZIdacquFEq02PO9qAM21O48OknCTSolF7z6nBkk6l26W3EL+Gz5I2Et
3S9pab3FMjiiKVavM6UA5D0DQkNxxDn9blDXZyhX4HFrk+NnoETcGYFymPbbijgi
kFC4339/Z1aK31aJLkxiana5mqLthD4jCeg3B8Cp5IurqPr8QEh3FH8ZZhtdx2fX
TXHTmGQF/lXG4tg1eH5cb6wWGU93wD+5mf6czJlUZTY+kdevKtZCQnA0/2ENCOFW
Jdm/oMTUw6ozPd474ctzWKeO78e8yMvZst/Zp3Gq6SD9kcoPgiuMQ+BOkwARAQAB
tCRQZXRyIExhdXRyYmFjaCA8cGxhdXRyYmFAcmVkaGF0LmNvbT6JAjgEEwECACIF
Ak97JQcCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEGOorUuYLENzy1MP
/2c4fH8eXWbqoot/vLE+hJ14k0leYOQhVSo4lNlxRlbKNd5MQSX/QjkQgJNECbB3
LM0KxE/zwVOZ+umvmxLxNskOxjubE6NzoF7Sm9ydoqjwzenIpR9BVtg71mfjBOoL
PNrst7tHRE5btSnnnOS9ddt/y9JOIvQpkjtBTI2TfVcp2b4Domg7i4qU/hJ7hu45
5oAi6rPPkr0pcGiDKTqi46l7+9orsj9Mxs1XTmrTMMB/eV6PCU7Fo4WJNXS8SXd3
sEVxXvpyYjUTTnDuewjT1q8NL7anrsckS16WYSVGKzRhqtP1Vudt1F/D5cWKVqQp
vQl/XW/uQS2IsgEWsbRmIAEZIUOy4TnuF494C/A+1BbJBdUr4Nl9zPH2bjrJeqYk
TsvGQr1icgO4pUg5oC456htkqCxCuPRqqrGDAZBx54TldgPwvCo31+aPQJlOlWvI
uWD/depp0De3oTK9FDnHh3swE0vyn4Ht96+vM+KNnDYgJ1FEaw1efYePFACobvEB
o2ZpLbnDyqAT4MzfHpHSbwzUOk52ZOnkl/KrUIOxhXtf4dxRS6J70Rzb+HWS3rY/
LgaMO5Q0BJfbvknguKmE8dO8jx0pTlVER9ujqp+bVPXmFMha1j8vyGhJ3eLJZaRL
k3jgfRjiUUb4lNp+hXpvBwIYeFWl5kFVKg2aPywgnnFWiEYEExECAAYFAlBq4WgA
CgkQ4J/vJdlkhKxmjQCfevlawFaGTx58nDFN+4j/2U6uaGcAn2g1sZcTUrEEYHdL
byAyw1GNLksOiF4EEBEIAAYFAk99mCMACgkQ/2iSBAM3HxDivAD+Lu8U54iGgL5+
h9KpeV+ZlHgIpj4cD+BVL85L6AQ3GP0A/1TwZ1tS6Ag3ut2G6AL2wewR3v9Mgu68
E0M5esz5of4oiQEcBBMBAgAGBQJPh9ZuAAoJEBliWhMliBCHMSUH/30V/E930OTT
oWeq+QKkTJuMF0lrA5NaAy+xWtrynMKoiAuM0KFNGPfrPehkoxR4D+MKXH+xh0j2
bHl6fXOHJCKZLhCtsC/o8j7kkjIJjixBlwYMul21rxecke7Zt4XpxHARJx4208Lk
ztpzOd7ZnDP6KYav3itpxK8Eyj4g8N2omoTQ2Dcd+sCa0jgRkyskpPxdt0fK0D04
XW7b1LZkxwzwrAGSpjAZVzpKBXANcSmUQDAaIhGvYSKoiwVe2eaE5lUmvAaJQaTr
Ud/LCIwFofTLSaBRX8fEOe+UwvW36VtynPyETyROeTMp//Cm5e2CQVPoDv79soyi
E/oUW9DFDhCJARwEEwECAAYFAk+Oe6EACgkQlGXZM5TcxIlIRwf/VjfbN3eVf648
vXvDctsXfucl37i6Yue2COJiGYuZOrN7wYxVvH2to8P3V53YV9OqDpJl2NXUro1V
iUjFHuIKp23VbtyBAYsrLeTMmHLjnXlaUPSr6JUDHUQhCF34BTk17e9y7tXlEshF
YVyPlGum7JhyarHB2rRdjQk8kyTqmQ4yHjw/nP/HlvVxdgb+mTmudTPVBafOT1R9
MJ/SN2x4bclT4cQ0hjNEy/TsFzVduQj8yNOMFG9r6p1Vb+u1wn3BTANIh55R9aDh
3JFFIV/jBTkxukxR5iyGQiR53nl0e0qnQFxpfhFGclh0RktjrHZ3DBAzcuYXp540
Vu9aq9QuPIkCHAQQAQIABgUCT4bdRgAKCRDCPZG7HYJE34FtEACfqPwWSItk1lNX
E0HOM1YuHXFfMGURF1AotskJatwtjGy9oDUQkjfsPROnWjgH9s0xD2UmlTrjJfWi
BdH0kTLiExVUOmvnM9VFMRhYxQZMwiHecm4FZ5IWUz4e05oGCkHFbMswXEoEG+qq
btOfLNpX67yy/JM6We+8PiXV/c2vaErpH5S8YChb5wD9lEWNM2aPBOUmbzONM1/f
EFd8AF6fUVYN7htuyG1n5zTv+oowmO2c0terJRGmMgVuLugIEnKKhaQ+H1K6bdZJ
7mX4xxx5izEyYeYhi9DhBHSwCLhWR+Yilqkc5U0nrF+3Z+Cb9THHppi071OIQ7pX
rGsQSpDzGRXCw0nKEBm0Li13re8cOoHMlPD0RHWZEIRZGSYX1YKBtVuv4kpSq8GN
85lZSDKGRNtbJBS7Qj4vyOlOrBO1eyyd4lepQCe2Ri3gU97rek52tOM+fAIibz7V
b4a0qbbphrz6PVMbDGiBxM92+YpdDyZGyL7wJ4g6DhRRcEUQahlZ1n7y+YQ60ETs
zt7+kD08Zi2BoJpiMHsFfoas2pot7VePFxGutwvq0p+OHSVlwkLgOaORPHumLA8u
J3BGlJTHsErUB2EEgdc/Tv1vsZzEI3Zi+hqw1gcbke21Ii8aDfshbeKW9hYJAhnW
m8VdF3n80UX5Eg56iybrLCjEyiAEYYkCHAQQAQIABgUCT7yYRAAKCRBOBfZjp6Qb
nnyTD/4gVbq8H5ka7fVdSAnX65/kFn5xkqGzbpCkjcqe/5uI2CvdYtjeQ4K6sm7I
5RLoyu/EE/JPbCRHiucsEak42WAZSRte/Wn2yTQpIb0mQ0wXJvuM+Hx7DSx2R12P
9rIZ4mGo/rEtdG7Y9Vog9M/XGx7w5IqSw2DF2yiYQJXsOzHjphfYB8JfoqjW/73k
n4E2IRJtCuWhfiJZJ+GEGceSBIredH3o01ThtbAeh/gzPRF3FU1361zyA1sXtmGe
qwnhNL1spHRlpub3cvAXQ8RSYrNdiFZB5zohNt+iL+qzVWaUJo+vYZal1Co5/roI
HN5nJef8kp1ngaYKvf1hIVvsdQsilVQIXKFWMd47aU6W8gPr1W2+U4yw+q+OXari
eo7gpH7/OvMSe/3wOhGVD8KJrMwAVnr3M4wo2CM6zlwxPGdltQI+IxDD8NTGTmNT
rRARYRQaFQyqd1SrVt4sSkeoegrpOG4oWXya/v4SeXHD4vt8vvvX3A4szB73a355
IfbyRXDER3EfFfW5c+BnR3bxhfATTE6T0AKz1Gq30Xm2ycTGYCAZ2yBKewaegTpx
3O/E6APTXUnVWTIPQay8T4iVUiLFs7W1UFMY/RvmIvKKFIQWcm5O0L+27PJK+YSx
Uoo1Ivt1pclTuetbRbN8VnR3K9Pp5uZ4KLz6ZkffmJg2sOSu74kCHAQSAQgABgUC
WWMlagAKCRAyfirUINN1OOtFD/4jW0ZMGigpruCnvY0nr47rA12X6dJ6+KIBE+XB
QxuaQRjM5u44geksDwrqZ0nXrNvsa4SVwAhKVOrgMJVdzvUa1m2yeNCFHOTjln6Q
GjZ5f3a6aj6n/X5tlPptdklUr9ucEwXVd5fFMpWAiwaqZt38I2u0Pi+/qHDt0kLy
RSukmRPzRuS/kO1ugGO4aoO+sanVDl2Pq6LIwubL1Unk2HUerg8VCAyQrxYtZtHc
coyhmBTlAb+EmZnUVbQZ3Uy3eA89OuNTBhJWCk8vqROFm257MiH6gvG/V8CTrJfz
lpE+s9E6kxXhXpQWZUwtwWObq7vrJVkJhRwBsO9N2erxe+biBauFErYQPw3bg6xL
1BJLxDWnKUlMWs5o+h7lyjp+1B/gbnnlrUIlpW8IKVZRHwRUPGRN07SbbEO1lDk5
uJDMk+r2KrOUNVYCEp794P014xodkLvB8X7ml6tcABE4V9d4uVDX3SsktOLMvtWg
nL6xWMoBYiVOXi3Rsm8vESBOb8JFQL/ItciUyAioM4Zjq5eqotVq90HMBO9kqcjC
YsYEs6RACRmyE+TNmzGoucIPTwPEi5Ib4gj+LG6iPOBprk5DSjD7F0/wnQPoq8PY
HIufb4+PgOXKf/ROQXDRLeD6eZBtPcDUJOgW19m7QcXZ8fvo6B91COe9jTF/H/i3
A7NjR4kCHAQTAQgABgUCUQZ8hwAKCRDZsFd72T6Y/MoUD/9xxmXbPL2Zto6qECXs
Q1GFuydiYlURxDsVUiuc1tSgEoDb8XcXl37l/IKX1QmcpvHMPzeT0g8sNwIXSnL6
BNCnFcfrd0tEz8uBPxVnzMiGwaHP1kB6Vs6sNV31+CJcTz8BHHbOdXZnhHqXSb02
SonqAYeWVSlE08Ejvq0HIWRn6NIGdGqv6icBExryJjS3ZChRFpvgAJwsVO5f6BKH
oZnEn79uQR4XPHwuxRbm4hf6iYEbOhE7Hod6kTzS9vYIhyuTFTz5Kz/YxlMoZX/j
TIYsX0nZ3r+Tshur8iUXJhKvvXVlGyrGO2HXfEuIpJqEx4/qM9jUNP0EE7aPzZ6f
BP7Xq49Dx9lnZuSQ1jeXxEEpO+AND2xmnjCHr3EfgYZrrhCSxMQhvJh7wypkzu30
D41BHPOPSotmM7WLceHWmYui0Wuq9X2hom5jq11XwACEtmNiP/odXjF0ovfK0d8l
j/kivgrXAZdN/ONJapVSLkRMS71S6eln+urR9HfswEfM7IPt0cRwN1oNIhXmK14+
XBWvvwvalfuxG2UfxD8K0JXMwARlpGlV8lXpuzDV8EcrvLipKpqiQWaJer64kaQb
8qHEtT6+JNoGkymohrfeVagxKmPzDWR4v1a9lgZwY1FTRHNVPM0P8LWlN9q0CrYc
poBwkhTMV1YJ1OBSrkM9IM2vsokCMwQTAQgAHRYhBGMZHOlBgwmGicq4237xN+yT
Ww6vBQJjLRkzAAoJEH7xN+yTWw6vZSYP/36Bt4QhRtIh6HPWbHraFSl4omnuISu6
lTHsqhik81nbIUiLZ5e/KN6ONSgD2jfMVQOLiPTQFOoxVZvOjaHmHvMuF7BCbr90
Afh1qXW9txuPbVkhtC6hqIMn87b8UHEnt1l5MiafQnPHhoociqaqwfls/iu0nJGu
Jf5eVMXpdeWRk+ckGkqP+tXp/0G933jibSdYqwG1Tsw9D98xnGV3a/+zIqRtJflp
HPEjHPT6rVKAZxk7gkYSSsv6ONBwZHqwe9W1I+U4t6OPkGo5kNbMPBORB6/7B2Qo
LHx3+KYZs1j6glI+F/8IX2+JSFs07saMnsDhE7w5FzmwWV2JcUt42RSf8DVub438
jgA/Ht5yPROEJ87de78aD/t/gPq/Gm3bnUz1BW0jxBidjqg1qPOMYjC7n4dH8X0N
cRfX6tWOdSXmDBbPg/vQi6CEIhsGVisKlnrgYi1wDZExU6UVMnBNvllUu9PXye+7
51cIbrb+fwAWiwmu+AsL0qsjxZYo+9ozOLh9wLUhxOY5MZM82alN/mlUGzEiXN3R
i7D3rDrNFHdI4LGGLbO2hjPYrG4hdNHS+6WbU6qYcpBEhrqBtnUjoVqIKP2boBLR
ara7hHqVO120s8kgGtf/AoYpggD0H4qqUy4EFNjVdcL5T08w6ldQIYo7CEa1iHFt
ML4bsPcJh8lciQIzBBIBCAAdFiEEcQCq365ubpQNLgrWVeRaWujKfIoFAmMsvIwA
CgkQVeRaWujKfIqNXA//fjCpyIPPd6RnJhagWH8XCp5NB4cCT+LqAIR5yZfz1QE8
Qbzpoobz9ysgXZ5XjLp/lbVffGyg986j0wUtSW1+g3kJcYXBUKjSWoBwwmZgyZky
95U+uklY8CdPjSeuzr2I5X/LogHNH1378d9aEmQXBfX1uW5g4Aqgnl0OOgkCVzgs
FFOO2o1j6svrrDVG52/mwXhNRm0yYK/hFB8T3PO2IvMQGDGJLHl6N5Kl7P2jtkyF
Isi4AEzJeop/2GJYXQ+VkUTSNRKQj8oOS5qe9/0RkF9uqeamoc81n2But8MZN2fv
R7ug2EuG2LHp9/pwu5ekohXmY8EtMbVbU7TYKgduK0FMBaK36jXN4Bapakfxr1z5
pwdDjN4QiqUefBQlG1CJ6fGrqbdAupzRRDqN974rs5HafnbxioYRYjoo4H0zC8XN
UwgmA2wrwIIY/cyNCSnUuT8yVAnroPiFgmMoL8RM7C5pHQYh0u3fXPfvNBswjXmR
pJ6mhTqG6SS4qIaPhqoZqA1iyA6+Ua3YLBDT5wqvuqNMnfLtLUvMuridmlj97cRc
srQIr022NdpafDQVAiVhZO0CRyFd/++XT35iiDoiv20+LewC0VVza466AE1fkAme
rKlurlET8U/+U0JB6IP77ErjMgCzotV8e1DJkp/M37nMeNzazAb//ovsdkNM6P6J
AjMEEwEIAB0WIQRFaBEoRJtl+IDGF5c6hKlGtLpirgUCYy3RvAAKCRA6hKlGtLpi
rvhHD/99Lvgf+CjbhwC87CoKX84MyAyBlYACCSuySQBnEsVigz8sCVyTYDx52h1h
/SEj7XfTylAfIl1CjUedH4w3hk+7IN4scmhf5eeEMvQd8q+Q/hWQcXIUpwgKOcVD
NbUgYcbakJAPtilK1CeQvDdBD+aYoMsJTsII/f7FJzwjPM1XGf5EoODUC8BtQf/W
KAVoESwwAUwN6Y5XeYSwMqu1s7IHs3yNYLV8C6A7EQPVaVVlORqI+33rKyqAhK5X
ErNvAREQPYJMfRnQlIW7alSORwdG0JBgVLgV+jvoFo4a1AQImHDDtKxs2X5BCVG1
I687uYDBy5Assl/VxRMIUpx5+zWvXyDZX/6nlL7AMokTlyosgP4iiifBS+5KMhan
phMgnDXYIJE10V46Bdw2tjd7wMKey6BcKgfbZSvU5z+SuVnQXCyl3/blRML54I5o
EomXPg6lgVxSb6BBnaJXzx4JKgLer5uom1OGsLgPMqEHRoO3bucr2xFdtq1Zegw4
9S3qDhQ3bn8pg9JlYwmAAhBd3Xy5cPv01mV6ompOQ38SlMCJzcAGASdMw5scaxUl
7MloV2Nl32HIzPjK47bF7aVOFX7Tz+rEFLmJCchqmUSdxi42rJyHKVRqiAlNfZ9S
9FeaEfU+vBxOHsLNqVO7ErvrTafT5fjphZqvUTqZGCUiJUjPnYkCMwQTAQgAHRYh
BOJeJUyO5NMDVUv1r+xwGh2klMXrBQJjL1NOAAoJEOxwGh2klMXrYaIP/ifHM9eU
UT6JD0m6Oa3P3T161NhOvNqr71LDSztClsWo3XX0+ZK3wpjoC6vKqgx0Cc8OL1S2
GqwCaxb5JqWpsoqR3NW6bTqTTUGREj/e0JHDeBzv57OEUTe4ea7qzqjhCX6iyzHa
qDP9fiAogMQ7uT2oCghDV5yo4JUrG5brw8GkMLEvRSs2BEv7xFAySRaGwNj+oziZ
VzL7sBzp1bCr5cwNZVYxoo3VAv6FUcExp1TydxzPVB8/VvxOa4zrht+hFTn6mjUi
NHBc7DYECgh4jlDR6TnAdvpg0FsujTXiN6A0obOUl9jGz2uFmdY+2ojlVtzqKXoP
+PDz8o2zMrRoQYkni9VyIc536E4OFIhfO6CrThMjJjPNn22Tq+fzRYkWTrlJom9b
nOldQ1BdUXQt2QNigdzqjhZTIgF5OEOTERh80dvwIbZ+7vN00BOsuncR5GUBQerU
F6+SksVRAaOg2lyoDdxUQ+Z28RU8R/n7VjMV8ctFkQvHHLBqKkpET8LRh0C/jSNh
gB8zLPc3Oa4wTf2xZWO58S18esbYMr74vRYrsACbmwxH5Tz+L6Br70Fmcz608+IQ
ESKW3657gemZgFud3AGokzKG5AuWykSinydiZbK8MRGLsdfPUojaVIgXFqnWKtkH
At9gkD8YbqGYzuVwBnljBNRdTUMk0ClgV6pjuQINBFom2R0BEAC9k1Ky6AIe9sPP
xrgsrXRe0dyYcoHufzeU3jFssl3+S4cRuvYCzdZfRfdjfHa4n+CxTaOd7xkefwJg
GpaR9KJbu8dqHm61GIiS5ZbMCRU8FAW6ohVeDqEwFrPAzZjtO41OTpeXCrPu5H5A
Tg/kDnabzlD2H8JWAqr0DYRRhFtJUihXUey9zK03wSjUi5E1+YHUC/fOpbS+msNN
945CeQNBN4Ljap9Q183Fkh0Wm4Q8C0OS1WN8a0XtqSALRCGAZ+EV6UrmQVP9PCC4
/J0hoKQPv2bfpBAsrUGAO3Fnsw7804i2TY7O3JA8gGDYX6fwOVJMUXdD7FX7LM2P
pESqAdPrjqmPqHT8cPfq27GYgqHv3N4hP9Rjt9wxmHYFbJT0YCHw2ZMiAO/VcvvN
miGr590ZFiQEb1MJN1r+h5UDE1CtF6nTieirSXi9oMilHlo2NY5nAItv/T9PKk4X
+kaH3UoicMxrkT34tACGwxi4VIRYWL+ZquxE+bwXqAvbGJ0p3XbyREURCaO96J/2
w951EvZErpFRQu4zzClmoMiNbwkQ8QdesSaqjMirlHyFI8T9BZrXbPazdVNUwfyR
LFil1q/kgXjXeJDoje73UiyGhqhlVOlEbunGzCwEBzrtQdPTDeFQr476/4pe0v4u
gdNYkL/gY8Izodn47d1XH68AuRSrzwARAQABiQI2BBgBCgAgFiEE6FPBhIsBhc9C
hk3zY6itS5gsQ3MFAlom2R0CGyAACgkQY6itS5gsQ3PQSA/8CZGTxQDbD2oLkGb6
tyECIs5A1RsfwJ9aj0R/HuEO39ki8yM88fwi8F5AfzNcmYwp0rxyYDDYM0itObSv
A9WBB8YFZ2PKT1YHrwTzWbne+spmQYDRdFt+0Kx0JLvgv7SYvQ1jNdCazixH1SAM
9O+Tn5oFybVHjRavWsQYHp1CvXY5kOHOEDHhz37pGwFvyVyFdSYS5PWT0+0XU/g6
Uq2HeFCurhUGuDXJ6WA6Ipvmu0vbi8GpyeiWCRoG76sqbBfQ7dd0oDMUHitewWGq
LP1Kioke9hu5p9CbkjYwGZjJWZEV6WHxOmICfFcBRPeIJyO8Kfa/vVBfQZj9fhqs
3sHSfAGIdKIB3tX0qKhMRdu/QoM14YQ1yK80JTUUOcrKLDt6QJinF1UQ/OcYQqGB
CXaRk1OKGFuuij16QudnX56+aYbNPltf7cLs1O7aodQcRxmMSgxSE/2ckthPYBsX
PWuDMYZCb3e6JMWsdnCI7iPpoPFAJmId7SWJebXZxntoX6YwZ7Tx58/QMLEqxMfE
ExQTAFg8/owvxCG12KaharLr4GpLx0aU39QEJenG1LqGLwiQh9Vxsejw+MkebZJE
6zhs7XBpenrd5c9OFOtb/Goxwal/6UXz7a62jZ7wDNpJw9xOfC3/eX/56+6dLVef
RFj/LOIu9reM4boTiY2dmGj1QC25Ag0EWibSSgEQAMhQB2Q329FSozPk7V6dYBO+
jDBMr1jHWvNMCR/2DkwXfDAKK3haSWSqr51/wua9skFRezQvc9PhgvOIJi1jsxRf
xNoM82a2OpYJdj16FG5RVQ/ApojiywNvp1YPJbmq4DfXSuUA6q+OephsFLrx2cPY
nyDQaI6mrqTBecET4cdQTZK0nKKUPj3U2bI96zTBIYK8Kr7GMKXm8R1eV8bktwHT
HyDjI7hN5EjZViYqZYDQ3jt2vC1Aj6XpFw5K7Sv6f0l91zyjfcu6Llsfo8xtRhAl
lub8EBuO6ljJ5uWqDgjqTOkDXcIAUkhUCg8ztweR15zgJQQ/On0XDcHLtyi7zuQd
xNaKYKkD3oROTqce+YbNN3qnP4bV0qa0JLlTOrE/0/zmif7Q1zYOidcmMgGeF6Gp
pGQkkxY4gSKet8kD8h4AZXGlpFu4e9sue1ENDRmgWaqSzIWudMRZ3z0/s9EGNNiW
60nwJ1NBoySeQEmnwMzAHXneRM9pRGQ1S3/CKttq/0eWEH3Y/Td9xi4DNvTXcvgJ
uUUwoclWP2PCPg3zE+EQ1q/Kt2oYrT8NcemM9EO8btNzJ/Y1wSDLFAFNikHwYjTM
86jWoeGhSM3fD9HJjfqoB41gDKvNIVlhQavhe6df4+AoCo/mGosLYAPFaHHdkmqn
eT0Y0BnTRIS9yLcO8CBVABEBAAGJBGwEGAEIACAWIQToU8GEiwGFz0KGTfNjqK1L
mCxDcwUCWibSSgIbAgJACRBjqK1LmCxDc8F0IAQZAQgAHRYhBNalthyaVTQWgpLb
Z74iCR4+9iJ1BQJaJtJKAAoJEL4iCR4+9iJ1D2AP/1VMC8KOmzPYyiFY+1xHu2rv
siB0f80GH1jXwDSM/IKvsH1axCD0hMV5sSi52epCov37czSlR3MpQjo0xK32wJB9
26AgbzJYZO48qulDUXUhPWJ9bxiyIcxI/3KEspY1RMoWv8AfYA/qSma1cSdT4IMo
SGJzPh3RyrUpeFP5QT02oGa5TuSQPiJwy/b9u+RVOi1SSqzHMJdKzZehGays65Pd
jC8Xtf4ipdYRBr6mIyUISOB+FBkY2MttFzNDUBdDrOepyjStQLZ1vUXnYKIiSRHX
o3XTW/W8fh72o26zeDbQcALywQMZqnwtrZluzKHZxF07whKmXvw9pUHXX6hbJDvm
GVMxnB/F6grPNi/V+Bv75sKOdImgnJBUp1Jz7288SPbNQwrqFKV2ZD3f0PFmolFj
Cz/Oc+UUk+swfnsT3pV6LClTThsOH8WlKJYxZLneX75HuVx4CmT+qv6GlFQuixjc
H0LtsbbSjAx7J2LRNVtfI+2DfMcIi8KJxe69MAKGqqxDyDPSWeFrs0MHmyD6/6m+
GTovgUT5jOZbR6GVKelW054bmby0zQevWnRieANVeFoFsnwclJnqKIRzQiGod1p1
b8HhSCw4nOeOQSifaOf3zcnFhYyByDMOtl3/AqGoLp/61u3Bk9h+BP4VPR3RUWzc
ggjmxJM0MrLzjaSXSedjzuQQAIq9g35FGpnaB8d/EjufED1TVSOkvNK/qJ+dD4Xz
f5RvnbprofMnzfEyy8jJ1Vqc3QZQU3IDQt/Un2ZywX0OboKGAIn/gyfwdkpnxJ0j
JoxRBuMplNpfNBw+oe0nFuozO9idFozKM+SWoE051/jvGHp1FqEPLnAAGeSbWB0L
RlAsnMjc5u6+SKHeFGRKYg7U0sO7ZKbVIT4ZmRnsQLDakHwbAgfcIakh9Whj0Ou5
r78Cs+DcM3XAdtZ04d81jV5TsveR8/Cn473c6dvPIfnA2P4uClTCaCDv+jXG2f9a
FIuJhYCO+TdYs7qjAsXWngJUebRFiHbfSuYDw92/eqLdKD1Hoff4MnW5YOtDpp6E
sdCDuINeRtUtnidw2vIPezX+xdmycXIq9Fb+GvKrIDsKu0VO8HObVviLa/RE11ds
EHYlrarj4mqzS2MhvmU79Bazg9rDDB4WVs502n3uJaf6Sod/+ke1c3ff7AUPox2n
pjH/bVmkZJsOq5EqcvlH3m2FZUHSFWS/yTR1rPuJoHBMHVc4OPlTuSqT3qmKL2vb
vD1l3D4zHZs1paRLddYXiaex4qPU/0YpP61XU070MmFGYE8Z43TbMPHu/6LYBpw9
p5Vj3VZwn2edNl4LGx+05hIABzM23I7JoQ44uPoTbohmYXF/DUGJ6h2LYdp81AVC
lSFWuQINBE97JQcBEACpbBqvDl8J65jEhPjOWczcDVB+WfG7GBHB7T6RxSNFIahy
mDqzx73zZD6n4NnZogPDPopYdRJ56u5AfF0bDZlgebl8+VEgPHGoay74Gf6k0B+c
pEkp5PaWQHHEqXINotVg29hTsf1u0sb+yjgcc+9WHw3MtpChsgk8Rc5N8Xvr1FJc
L+xynSvUCcLIwfgvLHYPPBYGIRpvz4ek/zgHvaGftDfnyMwrMbgi8kadrSb7PQgc
eWeTL7CQN1B88TPJFqKt/QxMdXaPy+Cr3P4XVy5V3/QEVFUizrtCCqJgxHMAeCP5
QxwYEWmA2zxUzGA/t/QUDFbccKt2BdpdKBFtHLliE+yn9FHw98JayjhAJxxeCkrp
MED9N2aGHI1q44sbmeLKQ8EuIbCamfq7fqLXgkEy8jgivv2J9YfXejjjEobGLkss
Jlxaq9JeQgFEVl6f0jJ0PgkYPd11RxTcVLy4RB417cxc9LHcoKdAtcgBTcZXPPYO
L+eM9S7rTvFTna9IdF4bbnJFNjHDMhb/9XomxxBsekpTUXEm2DGoTpO2W/jwWcZY
LVrdhikkkF8b88EdWk94fUTcFA90I+Ch0YbS8XGM/WIklrMGa0JpA4OQW5oMhKDn
gqAcV7gxRYt6ylBPVh94/AIMz++wmfqBxETFP8HMgTVEApLBLjwru9B/4lRStwAR
AQABiQIfBBgBAgAJBQJPeyUHAhsMAAoJEGOorUuYLENzegsQAL6NuhGuzQf2GELc
O5J8/BW2yF9sxHWDLrw0Pntq8D35kgGfZLB52tN3DI4NwL0vE931bXC7ovi4kHPS
sazv+WPUckYfJ7qskWVD1yDtHsADduwudJpAflfZ4VIvMJqJ7FUw5Fy9ennw/Idp
H7LC+ubn6XT6Kh9oKvVmp+BQEOsdisjVw848Thik+gS08WvAjK9m+g7++FFwKy08
5iXuuqZpvi94eU1QPvzxzzRZz6M4gQaz+pCq/5yf6I+Hu8G+5nq2foFN+G7FRkx7
KJmJ3SAEsG3M23V9MKWON49ZbhTe5xW+1at/TKKoNGzNIYs07jApR2/E4J57yMWj
zsAqg77hTDRiV0jhHl0DJw3RHFi3z+SrK+6ie6mrq8WEPj62q9qdM8dFs+y5X3UT
x0nxly7GjOxxhi+Nt83PAG2wVFpqmhVLuyPnruvxzyrVFc8Dvx46DiKCzt4PPK/Y
+jnVIQ7Jr2Jm2ZCpzZZT5QNJuDp46mKHlNBkvSy3q3+pM6cM8vKSuCFd9+dw3dX/
GptLebMrPOvLVDl4Bm9hSmG7rLpJy8U8Ns8pYSS1zaxHM8KqMaPuS/Zlx1SRIj/E
afefnHd5fIlmsH9C2O5fb18SFjmD14FCLcVTG7bwh3ZfbGo9sOJSShPxppPW2OoT
jwfANmj1cSg/VFr1d4HAEc83jFgumQINBGNZjyYBEACk7biPgvCVldNWq1CwVoJa
/Fvc4T49tqxcc/sY4uVlGo6oSi4fQcXE9XKPPBuRLmvpmMWvODQLzPxJMWUfJq6L
yYFmX2U9VRTcyITdmJs8itkEaDwq8BtXkeQfUDAVSFy6V6/uvVmNWD7pGXqJE1Gx
uV44Ihlh6v2YyqSzDG/rZur771hke8VZmlKMVMs1RSeOBA3nUmvZQ58+uqkhJNYq
OeQhxGIxDOHo7QhzTG+SlX+uQq6mzACKygVJJl33toaUwVAX5R02a0u67A5wC0wh
AoLSHInc3P7ayivWV/iESAz+gMIkuvJWns/Ak14J7MTGgjD6rle7PNMsPDCCwQSc
qA8F0x4OChCixbZGZn6Mr0u8+01VCEe2IjJwVUfFI/G4n1FZ1RAdqjkHfZJeD20L
GHSbjJLcnqLLFx3LDpI5dAxo5K2kFvz0VowrB58aHoofW8/g8yZygGQ4Zpw4JnpU
maPnMTiD5yvnFzEihM5L9DuaWqSK3sb9qzoaXABYRYI7OmX4B5nmMzFteHHq0tMt
aKWf0HkAsCP0BLJcS9Oc1/0I0+gC4oKLRD8a4+kaEpNr6BXvWnj7Y1h0Zr/CZS6+
gi34CxWMl2Q34OSqtS37mzzBu+UZxffPR0aV2RXcEpc0c5HW550Thq1NF9EmFOoy
eG4J2ox9JRANZXLh/i7mNwARAQABtCVQZXRyIExhdXRyYmFjaCA8bGF1dHJiYWNo
QHJlZGhhdC5jb20+iQJXBBMBCABBFiEEuGgoR3ZN9g31LZksvDkF8jUXnPEFAmNZ
jyYCGwMFCQPCZwAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQvDkF8jUX
nPGeAA//ScQ3kJMqI6FRULXo0aF7CpafPXVWdvj+mfQMlZzuGwXXTmM42T0DXnXR
BSjstWkmOXP/UqkN7bNeXH/S3D3GCJ2l0qx8Qp6fP0FloJIbemyxNtzl7yvAE7kW
vuBuLvUdm23cntv49gAzj+ElDqCxtT6A6qaqM6r7DLUvw+G+r6gkeu1hNQbtRpEK
9Dt8tHriQyI410qFRMbi3QxU+iTJ79HXwrXiYpX7V7T+ugiU9lgIiC/hWJCo6SY4
knt9E6zhegUWN6zErl2HY8FBM2P9eHOTqToEOAhKeM1fXZvxe3m49fGq/spmRM1R
UUl1V9WFEaMiLg/Z2rmbD8LX9YtfYlQCbEwyX2nkIP1QIcr/DEfcmCA2MXCQCgsq
I/2XS3BTLPyjuqAYnXxrk+T/Cydcg4W3ZBYI/wT56GH02TQzB/wJsn0cW6EMG46V
SDY/mZ2/gwi54G/Pqb2R3ZC9I7wQ6/FFxuu8myI/QVmEiTlvTxBoyOdNlliBQxCk
Dczs1rxd/o8Wfjo1vwRHW84jZrCP3xr7xPJWuzsrmPU8kFHTgepGoY+4b/h3jGwl
V103RpRUK4JidwHsmYDVk6pgeUH69hf0iVcbFfKiViFTR+DwjbAOxTdsFgsYYn+7
hBj2l+pV/uzeA0akL2dkgfJc9pAf6ItRUnGC+RlntZ0Pf2NbwIS5Ag0EY1mPJgEQ
AMRQDbNHBQ376nDF8miBZOAV1txpmbHc5D/X63PNapP0P1/I7SfcJU9D3wX8c4vm
xkjEYtH23s4lmT1VLsU7PisS3MacRemm9pL2bD53hs9XQEuU9OtJsZn1ZJ+Ynh6i
5sfW1bG3OiV/TWgYXW66GwE1hn9PuP8arodUmhEft+64G2u8Xtxr5yqlQJEUThV6
280OJrxVbduaMi5C6UNeeGE5wuhfrQ0TNYZiwQ4KYbU3QhlWhHVjJlJ5hCLiktwF
DyR24P+wlTIziWA407mo2enQT+mz3bO7Paf4mBionGsJMoADqBThf4B69BxjJ7Yg
7oQVIZ7560YIRRmNo4tk5Mhep11OtQgZjZJR6MhWDaUO17w1qScrOPRj6G1IXP1R
5NarydJpLyAVb/5WFZ5jxUGMGtq3mYn4nKbbHUg2WzvCJvPctDE6EV2vaiRy5N1f
QjsHgSa29F2feh14p4ngFCmHjpdbcdjfv6rWL8tgkSpQlDdeHRRd1q03TKAg/byP
auAHKzvV+iWlmw1f6KBWjeTn0fofmk9eeQ+P1j0a3/XTxMOjB34SzqPRWzmLPLF6
YmujBK2gymM+JLirJFFzao1i4lgmxqkDhQoNYHXmVYEd7w+/qUYbfKwO9eJOWzuU
WajxvJ1Vgv6z4CPy9if0gwfhrx0OOcIpBE/xZU+SwQQpABEBAAGJAjwEGAEIACYW
IQS4aChHdk32DfUtmSy8OQXyNRec8QUCY1mPJgIbDAUJA8JnAAAKCRC8OQXyNRec
8a+qD/4whGQ9J+td1iLFMpNRAqvuGtTnM6shZJNnC5CB56Cu7ElIpr74sk0R98Ia
1pJlBcLALbYSrqwluZaLiRVDPdub6tGSRVssqQdZcKThz33waTru9IfLhCrRSNd0
ZMHJaOG1ErU0noWw2d4ifVJK+vvuvMeEyNm4H5pZOYzYeikqVUYzS143cSzMEwtv
PSdP5JkTQi4WNF09khH1D+QpJoXEgVEQla7Sr955Zdt3q5OlpYxxw+X62vslZ2OM
iKZ14kWVSRbVQ+WdnjtRYS4vivB6ko9QL770jZ131hKhC/BcWpEYSjfPpVua2oKb
ccKHXheIFEJ06kGkMeeoQPxmzPRBYIw/E+d5sZp7YXDyBGOAxBeiOaOnZ8vLBzy7
2HFng3oB3hkVGTTHq+PsHdSSaRME3QrNpDsaGeSjw62FG3I4zK985GtrXAHEzN/F
fd17srl4mcRQ+8QM/a+XbF/8ugjE/RHhhFf8sWVAPutYzVE8lF+uqcduPuq/rTcU
BuzSVjnSRfXWqCokjh+ypUpHNUO8fZDzkTLuE5rwMG1xpPueDBTzvoGDQRqc2eoX
pJnDBmdlz83zHsoR2gIHcdqyc/hCV+fTvR8E0v9ZG3Jr6RFgWdD008PsGxUevIDg
MAYFwasZSTofEnzg49/WeIFU1rGB5HZVlmOJKZnKRuBiTakEP7kCDQRjWY9xARAA
rEkjlUH4hoSQAkVJCWWk+nF+daAP5IszrGEQH7TyOVwXbRZndSPFSUqKU2kEgHbM
m+wFYoZe95h9tjDh2sLCs338pVu5Chhz3dNseTF7/rbckw2rCU+JbalEiwck7tKL
qobvbh77jnrbQnkrZNc+nMeHHLrYyc5gHW6cSn4UlU42MKmTlSeOG4Ly9wXhgaKC
heIXNX3U/D682Tffl7Gopcm7pPZF92dwY4nIpCxU2ATimkSyulbhzk2CjZ1JYUJ1
LHctMHm9F0LEGtc1GxDShzVZP8dOWpDs9BBwZDLXxCzC4rvZ+z5BJCDFbuNTKZQ5
JEoW2sM8yP1LLZGXz44hsab1aPrvB3vcdS5ETP6bqT5267ZiotdhUifU/pTV5ze4
7wNuaZenQtGd9olyh2dAqOk2DQrcBQFA0gRp55b4U62hLTYXxT+7jEbSVAxeXDPR
qPvqh/4kVn86llYjV6dAoASN1wWz423QH3u4ZK+S6g8HZ0HrY2+NBYgqthb6H/X6
FiF5VcHWstkk967g4Xt0PgN/rlCtpXh4WK9sScX/CFdOURsHlb78ZN2LexaYaVBq
QuqvfHaAPJaIElXqMheZ8aYrO6Df4yzJ+6eTs3s4PqM6EMir5waFonx5Gh50X4xL
9p7IVqgNPhQsU8Z5U5hGYbmUH766GtENv4CI1upFA1cAEQEAAYkCPAQYAQgAJhYh
BLhoKEd2TfYN9S2ZLLw5BfI1F5zxBQJjWY9xAhsgBQkDwmcAAAoJELw5BfI1F5zx
4cMP+wbjKu2xCr63oyn+lo7NqMDLBYl4zHunYTZhG/egDakVWp5Ikj5/k3i+hVSY
fUyUhqQ/b/H096ropB7GA6EzS44GS+hLMdQOJOmEbjvAP/9dJDX2FQnYZzaA2f/e
Ikgaw283oOLnmYz0x7YAW/oxlnPn+7Sg7DGGqqn3nKofDUUrowfX0tQGwkGmJJqQ
gOH/ZfU4t51UCKzF6hWRbberBI8ezp24vYngA2kGef1fCUC+EIFhoYcdHHCtC1Ti
KmOUaeB9ZMiVXkP60fmCLKObwcKTyYpAFPqM05xgsMPFaXN+fQ7YVAGpCdthk53N
5Go+QqehwLoJk77CHZxIWJIf43p3UiuH1FsuXF7OdExzIhUSiUum6MoCI8BpVwn9
uSKfXKLOdGDR6IJI8jqdC9LYoXqxZtDhpcqD70hFWJwJzZg+U2SvxZyhOqwtKXtD
TDtee3yGzPacSAJD7mFURc/DRi62UBMiFcqO1YW/5LgC4yjtzo7MTQPkaGbQLduH
IlCKa8pHWPqaLFdMawwqNrTNHWXCD4XxijJYwdAue3NUG/utekNm82mqnbbWw/AX
URIzefQsbyqiNYMztudJ9hAS8yCdkfb9SKVIvWYPQ77tHltOZF7K/NzOGeJaJr8l
vqZCfXpWmOduTpWaD2kIvU2Kx7gB4jXdMa2ai9N+/Hdr3lLouQINBGNZj8YBEADg
Y6HOawiThxQVI+0uvAAU9yisew1SSVO6mAsQtZM7s7BpLA3RGPj3UGojZIeejA+k
fq7A+PVLBhz/kSBTtw9/s3o4rlqNzz7SLaix6XKWCpHOBs84n3/LF6u9KMMVk9vT
sjKz8iDF9mBR2bmCfLvEk0HDiMyApv5SbOsZMB8k5PWyK8HYPyMI5umEaOsaC3tA
eihO3nzAxEf3oZl53J1pIw+ecdrQLbWbH0aqKngfCddD8Q0oMr/Iwly3W49+5eqJ
oelR9/dut/dg0a3Nn1wIGYRzC62CCsF5IZwKdyPh7nilEUFpA5Vlz+HfIFch2LfR
F3Q/GZD8fKzKxhjDIdgyaWSTsMbityKxX2G/pcjshyMsZT7I3Hx7SwQfFro58s2D
FsFLEZgBhJv+nW/HckeedaveXmXdHKjtsa8+rvGADti4wohOl+N5tbpYW3/zR3AY
qlh47hG0ikUJ8Tusnu865j3Z5mE+KqS68ypRVBMRrdJl2lGPDCnXGhl2720VPNMC
/jB2Mgm/L1mvQM1jPfdC3KgokDAH5NMzKvav6A71aLSUJli3UdkGHkX5d5urs3k3
WmCt7XeTb30MBvNzBcSYTbw2UGIRE8G0CFc3wtiWWiQKPeFXYhn0+COCoW/EXpIC
VaAuMPMgcsldM13bKGyGo3NngsNEdopNFfr0KKW5XwARAQABiQRyBBgBCAAmFiEE
uGgoR3ZN9g31LZksvDkF8jUXnPEFAmNZj8YCGwIFCQPCZwACQAkQvDkF8jUXnPHB
dCAEGQEIAB0WIQQb4sD/CJSWIxAv0lZGlYgcJUUI0QUCY1mPxgAKCRBGlYgcJUUI
0ZkHD/9TlRvAaZETf+pv4/IceeL3KHwj5lrC/gojXxN0AjhAXljLSRCu0EyICxZy
3158h4k0vwjdv8699yHEN97PdF84m81mqxOz+juKBRHFK/EwAAgOdSlzGnUYgNkm
mCROFWtjeneNWaFdEnq9MItx1OascPeyxnWMjq7LLYMSESP4tgUV5KdlaVAXR6q/
833u27/NodkDcNH2UK+IyT+Kt/uCOoIIL4ttxo/PvZTphzV8n6s0sJJE3/BrRxgv
CTkVU6zosyJsyau8/vayQYGPuBuEQVs4Tr+vZ42izbkHgElcZv9oYjJsxaqZqqMz
fWPte7m6Pl/pvtmlhPmpZ+ej7y8SRysBV+3aHNXaE1J3sIOmYxighlgZapSjHl/A
9N/KXdoLAjIZtBAOQ2ZFyRz/c2+VUqJgwiwdxoaFaYn2eUM+HSTbZfdGXBS/yyZL
YsM+L4M2aizQvDIRXzy8vG0vpHQEvPlXL0Gg0gyk0fox0OsAP5CfXmHC/AvYOHM8
y81X2QqDf33Au1RIgog4cLqq2wpXEARWbAj0BAMIeJoCDCu9Mz2juK1ui2wr8AZ0
42PCUgZK6CdUI18AsvApUhPsNunF7ZOc5mFMuaEGjjWJvrTG3qyrCY73ySBiGXWo
92ZB7FXu2MzgujPBEigByqeF6IV2x0EBHw/VrcxXq6Slgmik6G0SD/48l5mGCxM0
Wr91raB9zQlwDbtD3PCbjA6DtkMrRyAq+81g75N6uiztGPCVw9n1HoGOSjN1hAhe
SgQQlcXbDLpzfdPFowDEHclFFfUODCIOuF+FgmxlAz5Exr9JkJdozBFqRZ4iF/tf
E5sHB0rzeUcY3J6VjTsjULjE4GSg5trsOc8GHUnFn9wwwkf9nR/Mr1RYcX0GkTcy
iUskw+AoRz6svOfAWIDJY450wgD0MHZK08IfUUsYTGecoXcvWf/hITtv/Af5MpQA
wuGEDltVDeu9EAu65SZlMkkMuQD1h3KOQjUJ6nY4a4M2CQ51ggs/c+vsemxsuYlG
vSuhrfXt6HGD3dhsOEeyEvIcjjpP1Ku5mqrPhqXFli1swfohhYGGVO+fM7G3l7wF
kAIi0B1szn0K13qRqBIwjnWL+orP1KLzvczCH6yD0FZY90CDdMtM0VB6AqT4BFh6
5+ygjA4YiA7fFYBm8510ybUcNfzU3gUIJ5pF8MdGizO54tCPSK6U+iVRY4qfCFdu
IiOZ7FUUn78VIxQUMYMrozy7kn/0PQZa7KKRbXJ8sg0sgrQapwpgUjdMwuYZPGGv
1Jw5/+WUGWMbGxmlpHcEOmsPZpITH557M/kHyk9Ud0iKwciBI2mGLxiafCuLrUY4
TknzOqbZgjdllcUG4cDBEQuBO/GSj1LUfpkCDQRnKRF7ARAAo5H9/6cStbyjWFeb
G6qDn6pT+4v1rlbRZo0rYwWkDmEAjOZMRC9SJipTCdQeNFlv6HEiiCvl3bmZIqrZ
+zvLI6U1+2dH7k06xNqIFLTV0zbr+tUkOwspg5nr59KsuNP01WBS0ELzunO/zHj+
BOEdPg1KvB0IQFtqAwaAfuny67YvTr9O7Yz07ZCfTxPtHf6FJ80FPeRa0LoZYnW4
UmSGtm1f59VD9+qe4yhRtNanamXUKjf8BTw0rQwjoJhVT5Mg0Z6hW6fhFrD57Lgd
8fBi5ZHHUlR4z1+nqGCUoHlHjc0JVyK8j8fofKafow/79ITaOqBzv+P3psY9ecBg
7wGaOHrqzRzRxAfKYRO2IaFHRGnsEE8FnwSEL00uPVxpiiTavrLJFEjku9GmP3OY
3rbwIPXbw1m9mZG1yAVbSEEf58WSWeoBp0O6qrwAdIbdgUX4BkQ8bX5MtUjXp5tm
0StmjQiZ7O91cg0VuWtrfj/I4E3xtloNzhtG2QLI4s7iAL1orhClxEuZRO9alUCS
cnRvhmw2Dh6sB6i56evcZdUFwxMXOByxfWr0fxX4QlR8jYqMPj7UMNj2PccTBOQX
umIW2cdGEeni9vrE9cLfZRSNCwPWAXWtr1zQW54Jx5DjCGHobQk53Z7kE+MZVAje
gOaT0u50cljBNfJootuln4+gbGMAEQEAAbQlUGV0ciBMYXV0cmJhY2ggPGxhdXRy
YmFjaEByZWRoYXQuY29tPokCVwQTAQgAQRYhBGjSGCM0KhNoOus+TvtMaFtdwcE+
BQJnKRF7AhsDBQkDwmcABQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEPtM
aFtdwcE+doMQAI5mnNA8aH0dfeOZnz/NrMwY6H7jK/+lYatCx05e1TfK+zz9feRK
sxgP3Pjj0p9igo3jIdPcN5/YnlmVEeplDmSiKOOdendviy+sA8sukMo07Q+m1pYW
NzFtyiZd+c44mp9I1l7h6rktIY9XDedrlAkNog1VlUet9eNpmgXt2OmJNDmYftWc
KIpyw/ZLaubjRcAmxwsn7I6dWnT66Ffg9H8trcRlWipVWP8imO0EIpwC8RbhuNgk
xjt/cVf3CEpzokF4n0k3nqYmt90NNtGc0kG5QAlTvlUuHpNWzuzvdAPtMy3KEaXI
fu3IEZeIKCxSgWXTm7zRKUn0F6jKAsLXhK/WOA1Aa7NdAUwMxrEndfNoqBrusaLD
lpzWU7USv2YT+Pf3aQ7u1szg2J8V5eqRP+E8wwe54RNCgQrcDgUq5abyncsvull3
GqJvzvZC7/Q3Th/g5Wc+dRaGBz0O9FBuRPQwjrnB932xW1fDf17cScpVKAvV/jwn
tpWXf7nSv2M0o9fihnTBl4d2c2EBKtTdp5W0IpeRl5uLad3AYoouP6RoZ+/Id/Zg
NeaQKH/ZlCxk5S9GLzYhm665ysOYRkh7NfoThRtvAqAeDcTKWGDG1nQok2KKOSyq
S81PT2AlMz7A26R0vsH/9lQ1uZFIhIGbxZXlGERZwXd1s+lgfWTbB5K+iQIzBBAB
CAAdFiEEuGgoR3ZN9g31LZksvDkF8jUXnPEFAmcpGAUACgkQvDkF8jUXnPFdGQ/+
L7uA7EMB+Yh0urhZuOltZSNtge6b+UbLZTd8DRsf044e+Z0NJWdQ2saLBptGhIcn
as4Qd0gS+QkWB7lMrJ31uux15ZBjFsGtyqK+VoH8JIPvV8Mr5XojqA+UYUpXP6ns
ILrdkUvNzpeA51IxYuVMWcut8SUVYzjD11YG1P8LFzydsImaYe7se+RE85F3/2Po
kZNe0d0Gh36uyfJSND80XrrxLpROgabQgHNG0drL/DHjdoa3F0V5EUoG7NBwUrmB
RlWKYCLUFfW+8mQn6RVK8JIV9WaHrzi/KAZLonZb5dCjO0e+Ol16pyUofLA8SN7B
aqjens8ho297GtE3darkXmj5p3p4YPur/D+oZCNIH+BYMsht46VtE3v6V10P8KA2
6MgNo5qME1Q0kC1DUYi68cPeDgrQBMWa+nF+m9i2aGeAyi3qDhZu03JLhOYAhv45
OVRawm9vFqyKiBRANVogTRr+ch4zywaapwfVLQ+xiwVLqlT5n/iIzWCQ0hA15eKZ
gJV0kTXL4OWKBeJqSNnnLVm4AhZ2OpKHMsjE7BEopvCe9JZWFIrjtQ9TrriByOx0
3anWkmm7b4lZ1HKDOI/Cxyz8BZvYizo7hSOdGjLrFBTD/Wk0swvpzB4NKh5I6N7k
gppXMTaWp36+KmQx66JzaZjepGl1VMNFdgiP6Sw6pO+5Ag0EZykRewEQAK4EY+06
GeuX4wLlUqAMWCnbFELuhBZGWFLEIvP6WJS1WOvee45RVcpVfYMp3AqymiNRahAl
RMtSQ9YtXSdlBPkhtNcoV/hqjcNywMdbsy+Rs27pRk/DJVC0yVL4ABrSSlwhfNa4
6X4ZvPr8GGDvjAUhK6NXQ7WrZJxYR9/U0nqRGtGuPBLhFey1H60n5axP8+2f9pFC
NbDJ13HbrhVju+RUeE8Gq5WJI5dea5SfYnXFERsT/zO+pw7ZaaSDmWKR1a88P6Bk
DD7e63ZIaAa849M/Dz+OgzNEgbyRjvgbO0OEIrS2x61lGoW7F9prEgzj97NIiBu6
qpNCYJefkpfPENrk+wmOUthJfh6E7uphlliQams6dqXAc3Z+xBN9jFf74RpzVmIP
K/MFNr0EcUMFgURpBtaTrk4dGMh++v5i4qKxxwJHf4RsGCDsgH9ZZDemKz5q8uFN
TI1kbTnsKNt+d7L45U+3/mRm4l22g8eu+AvD6R4GfKjsyzEFCyGK7TmVYj0Y+EGR
9+YbRQ1GahXqtrR/aLC09LSyxQTqYfKU8KusnoceEbBOigEZUNPybpzibwHl1VEV
9crR5eT8MPHgs8xdpjQ7gRuPi12fvc83unpUsNIHSCxZqXoilGsz2+zpX2si3PxB
tK/tTo6ZFRLijhHs250Y1agp4MyXYq91A2VTABEBAAGJAjwEGAEIACYWIQRo0hgj
NCoTaDrrPk77TGhbXcHBPgUCZykRewIbDAUJA8JnAAAKCRD7TGhbXcHBPozGD/0Y
fkktGwGq2vPZUI/Fscv+VnEqVt94dBnS0/6GyYvhI7Tf81v+72URlQeX8TUQox9B
8d3Aru5b2+iSkPcvH70PbY8jt/yTwHtSlFzf6+YPIl+oyTz7DoiILSjrO51ntl8g
KmIb8Q9W74xV6VFIJ4m8rH04MKFpIlzUDq660JYQIGtOUFugSfg7aLVU/0j4WKKE
KfAfg93wYTKKd+JgRFy4FZPriem7HvlUSi2VKffdrrUF/PX35X74iKdPQoEADZi8
KkMZULDtyQ6ZOu2hiDpArjo5hDadKM314Z65VnM11hjiEhmTF3IyGBllb0qBIk0L
nBVHuMYmiqBNJEbaqHLqIju8/RvFlYV+AMISeA7B68knbJcao13ogtDpuJ4hpgCj
j2B1n0NWMcju0gteu1sfsIaQbWHevH2vgl5LJDCNtUJN/NoWB2Uov27wEvsongwY
3du40TnM+5ejwf4r8D3wX+JpVCAhfr3Oc0knw14nRqFPAe1E7DNURJ8xfEV9iPRA
swo6qoh7IIxNETUG1rywRExNt6tHsojx0Wb0I0IB7CnWRK9F6oNRp0S4kVgp+Jeh
a9NGXFK2hn8qBD/rpUPsj/OdkiBN+C7Ai07rCNez+IKdnUfXkOJqLCOyeUwC9WPl
uFPB9RnnghYM4xhMWf8XvSLOOk/vgPxiqR5ANLObsbkCDQRnKRLhARAAuh+b2Oxj
9q+RRZ+pkDVf/M6P01yDmDhwtYHzi/LW8PFHC6iQlzMReyv1R5n3uCEpAZ++mdUe
Cgo2TmFnYdpmxEgdaMIW98uqe4fuHhoXU2Mh4eiN7jyJvXQCsijCDYzifoj03HY7
nTVjw4+BSSu9kA3/vEqU9A5YjG01MmVSMaIaTrqZqsnypK6r2exJa7YVRYwRqpLY
C5ksikDVK9ftdfhjnsnYGS4pYyfMNSHY1KBMpHjT7wEkM+KZ2WRpjTZZ7nP9u4Lf
fJMKgcclRgf+13CeSaJfVIhjJlxGVLkloE8XJbOeh2vkK257e9BenEFgQnyLCpGJ
8YNsnsJVhxU1aA62dT7jmnOVMBhnGoNhMyzzfvUw0REz2VbpZBkiwZRfZ9MWUBsy
bneH8NwzZMQQLCc/yo/jnPrmDS+tgl4CXGzBtpxPUZSMuY4tHZZ2vBb0zcfhY7P1
CrHuylXLFzkOO/XRP3w1F8I1UqJCjdTKjdjCDF/VWtedHee1iEsSHxPGH8fHp4Qp
rBDDwZ4NnfilYNHMDWm6U1bzhX2ynqcGArQSd1Ny/oL7JzE1qoH/nNrwVvOSSNWF
UTXFXeLy+SOXJdFJpGP+/wV+gYfyczoUP6vmCdK1Hs15WQvKzyP/nmLS5uLilfxV
KrxZDI6SNrS4f/XkHcGnYByFKUhq5gVN0ZcAEQEAAYkEcgQYAQgAJhYhBGjSGCM0
KhNoOus+TvtMaFtdwcE+BQJnKRLhAhsCBQkDwmcAAkAJEPtMaFtdwcE+wXQgBBkB
CAAdFiEEcgDrLD9eSIRjwM6ezcroySfGvjEFAmcpEuEACgkQzcroySfGvjExiQ//
TKQ2Ci+sqNSVIcwg/k0Go1i4cA7lhKNdYRBCaIThB9jMqNg2zgPzgELBcaVJL8xw
0E2x2ZvBejM4X+eTrmkdufcxHR8B/zBF8oPlD2pgs/zZmZEO1gq4Cdab7yIoVNNr
foCZShxOCPR2wIixcYZtt5f7Z3zSXqkjIec6sTOedT75ZXrpQbvINeUkvOJfMCOi
ailauvDfv8k5iJUVbP+Dx1vOc88bvewVJcbLID4HIRr/PS+k1D10zGbnF71TnxGZ
r7anMZCSFCHJ5WV+BSwHHKtxRy+bJ1x9ML45Jcr1anTXeaHIeSKNzFBigJQSgHv0
euegkD3Rmw+IcxNb4l536selaNR0UAwx1DC1qpjBtnE9/pXdTEsZQxq9kMrj0d+f
VKFjOKADVIpkx7o0dZ1jmbUmdjQVyGDgHE+Emgdd726/2ftWriW2uPeUC6YZiqbt
vBnCnwF+aV6P1nrE0BWJchLyBjDCe5Y2oXBAYF6xwpDPfMPr4oscqzPV4TWVULBi
brtRWgSxmvinIGFx9T9wQCVfX254dqBaAEhRMImoT/YP+6evRZKqQODRhI44OG7u
V71IVAJ8BHEBN8hxvQM3WPs1fhwMBFCyGfr/x/U4/c78R9JhxkU9VwmMbLGQP7VP
1QgfiHqZpHMk8ZUmQn6KLeurzWcnwPFkwgFPZED8OQOMXxAAio3DhWr5KDd3mICH
ALNY0A2ipb/JH6LSHxu0S3MLa/bF6PbqRY1+fKMT/cFVxln99rNUrX+hDRbc7qbh
KkxvGmcnXnkcTHah9bfUghEanlKkBr1g1ik3zgEnpO/x3+X39Ov+ge92MDawV0nq
k9R/9tS+ZD/ph72Q9kx3ZfVNSL0eWxjuwBzFW0Zwh5TAX4raSmyQCmAXi05O3YmN
iq4arSUg5oAOMRZ+d96DsrAS4Sdtlx6/CuKTBzEaGPQLQ9wJNB0Vmd/eQWTP99KY
cAdIwj5BJ5P0Z7+xhsVjQOntn4otnP6vN6RuDtYrS6M7TCN/ZeKCvN/G0nRac4D+
IJX3CYYtYXgaoDuoetUWtc7O5PzHRETaBt/46ob2lzf6cT5QyVujTfz+i0rGEc63
pvXK8mV+K7BFY/DHpdEhl1pDw2YYLbBmUthQWdsL6/TVvpMe/wZadvJ/by3AeRzQ
eusUucuSo9UNN7Yj8u3dRhxNgsSiU96A/SFlAoB5s3Onh5K4WEVCBu/INjdi+r2B
LJePSnA3I7VkRE9Haf1D28jtBzm3Xbft2rs3lO18FcCqw6kd7Ih3e0tZ8uUG9UDv
qTDHTUHLAWvwrq38gKKAu2RMaU06A5kR87RcQiizxOwBIwiHuUWMU4/Hyx6fXsOD
hEs0O6AFDarNDZGee2amKTAyZpG5Ag0EZykTxQEQAOwGV1boBD3vDLsoAT62nGxb
SqXiBsObxnpWbNifOzM9BUGPOIpHsSH32PZGG/+LNjNdECfyyP1RysH5OT7j92Q8
vgRQoG3X985gbOjYyZc0xvAkTSvWxOiy5CuF3X8sJ3NSerQDXwjP9qVqLVj/3FB8
nka1HFS7KzC3Zo/kzCoxeZ3/hV3PTWIjcoJvtBSCKPZyOJxnRqWfi5BNJo3S2SR1
mxV967zawXiZ8MeeBl6rLhOfCBtz9g+bqrXZYoenuMn5Js2mcH0haYeMSV3UWIC4
kinzr1EJxs+L1/hVCVBNiiDc6DXcFXoz9ZVc9kjpZTOMoZVDkRkyOeen+5Sya9wK
4teLmDLME4+pgeHCS/Wa4KrYyEWe7NpG1VTkSJnRS+fyYGTWtwEiuwT6J9U0t1d5
hbxhM7YAhlnOEnNVmqa3Bq3yqJs9G/7gicZ7CIJ9JBHKTJzOnKfpGhxBSOgOoCOa
WW6uVCzDqfrYPmCUIKQmanB441xJFGuHVPMLBjVjswoMKGkK3gM6KMRCDYQ53u6s
FK+Jcl8HobBSezVIUKpKVX3IW9d506cE0FhSW/NvWJv0FIMVloyC2BpOjSWVgEwX
tk/m3SKPsgCAcCqzi7xlloR8+E9C2xci9cdGG5faghgSjaP6j0qDww/slRPQJc5A
DIeukkOYTCiSiDwQtblJABEBAAGJAjMEGAEIACcWIQRo0hgjNCoTaDrrPk77TGhb
XcHBPgUCZykTxQMbIAQFCQPCZwAAADcWD/4qJRLn7TcMtRMF43Yn+dX+O13YrxBC
T4n1QVmiPsGrUca4Vg1J+trV6IMsGrhktpiaV0qeL/km0h02m4gEDZKDyWWXdeWh
EXFaTVy9yCpSXUWJl5gSXTSwxrqBWyWLlLLk4UT9l9sk5mMdy0JA8unobV4M/eXQ
ggR11DL3ji7aO0hsqxyxXkJcawWjVGW5KL1EaoDKIJ/CwxOI5ipFueMIRQjQvw9A
o/w2fq11qVXY9zknk6pFkp/RDHLes+wVHDtebZfJ9xV7Mb1mf/k03dT56GaA/U3E
XvJ2FdgWR+zf+YMEa9MPDHYo2UNEvk9mOk247M8s+OeexdlkPgyKW5A8mtYuY/dR
j8W6C4pLcMWa+d/vIUpm5Guw0F5q0AWk9/FbBe9HLztEevvRnuHXmfTZeto/nCAi
Yg4pCj6p3JoN5CLebR8YtWm9AJBbX1kgVvqSU2VgwYIFsxBEz8Wu2h7z/eSCSeIg
ARFbTlJ6cBrRkXCVyhbv0LPWWUfAUqiEtdGxrA4Xx/jKrI02JjRdW/bZkXjSka8K
+cDlpcr9ixBWW5LkWsOdiL8jExfTGw25FA7Wd1HiHnBv36Mu/zb+0/I63d+fLq93
e3lmmVx9qQF8p5Okf4ojY9YoIHVkLS7t9AgFjm/ucmpEGbXxyPk2Cr3l+b5R41x3
dBW9kxiuWpZN3Q==
=iuRK
-----END PGP PUBLIC KEY BLOCK-----

16
SOURCES/fapolicyd-1.4.3.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcgDrLD9eSIRjwM6ezcroySfGvjEFAmlkvqUACgkQzcroySfG
vjFJRg//STH9OAKct2RoxkIhLFyiF3ua0mgCLb+xYxsPY+/ix0xhenPD1eVsi3x1
wt+bsustW/gpRKYg+bgKxx4TEatwBTd6S5lJB9m56KnlPks8v/yljPFqWK7Nbnvc
ZSatcXbF0XOe+3mlyHf2IW6wXiKfPYCmbFQbADpNR6oYKM/p6Sn6ph3bP6yCKq3J
IwdabBF+iKsh1a/kOlBbpY49JmXsb+02nWFPnDMlO3k9SEVPpNGGQWnJv98KMHN/
Pf61sVw413jE22T+smy1NdxauMwr2AZ9lK1512HNC++rQ7RO3ChchF8lH0aewNcB
8R5ve1ojJQPEeaePrfrIDoyJbEfjoQPcsFGRQjrNeAj1Qq3mAkk+q2VUz+qWNRjQ
XXp0ut3P5RVgVJN2ysqKlpNG9LfkpZ7JgAK5eDkFVYGlZERVj8zu7yxi0zk9M0FY
arXHHxqCCnvUS4Ysj1IUFSoPZGeHO5AqDYpv4cGNEk1MAZlDJeimvreRVGFIZ4lL
GO1zbXvXP9zFgJJH4puZzq0JmfiH19vnhjXVbjzkQnDQ5boFp2XxQKHS4ljEQAkD
AUGibmycRpnpJm8jBgRjq/icJwghbyqcvxQYCsBSRNoDywgvW7xCdrGJr0hfJW6i
535CMh7NnEY5H/27jl24aPgRV5VM3UUp533urRIk/Y85PzprWnY=
=Cf+E
-----END PGP SIGNATURE-----

34
SOURCES/fapolicyd-dnf-plugin.patch
View File

@ -1,34 +0,0 @@
diff -up ./dnf/fapolicyd-dnf-plugin.py.fix ./dnf/fapolicyd-dnf-plugin.py
--- ./dnf/fapolicyd-dnf-plugin.py.fix 2023-06-20 13:21:21.098192421 +0200
+++ ./dnf/fapolicyd-dnf-plugin.py 2023-06-20 13:21:46.287412300 +0200
@@ -8,29 +8,10 @@ import sys
class Fapolicyd(dnf.Plugin):
name = "fapolicyd"
- pipe = "/run/fapolicyd/fapolicyd.fifo"
file = None
def __init__(self, base, cli):
pass
def transaction(self):
-
- if not os.path.exists(self.pipe):
- sys.stderr.write("Pipe does not exist (" + self.pipe + ")\n")
- sys.stderr.write("Perhaps fapolicy-plugin does not have enough permissions\n")
- sys.stderr.write("or fapolicyd is not running...\n")
- return
-
- if not stat.S_ISFIFO(os.stat(self.pipe).st_mode):
- sys.stderr.write(self.pipe + ": is not a pipe!\n")
- return
-
- try:
- self.file = open(self.pipe, "w")
- except PermissionError:
- sys.stderr.write("fapolicy-plugin does not have write permission: " + self.pipe + "\n")
- return
-
- self.file.write("1\n")
- self.file.close()
+ pass

78
SOURCES/fapolicyd-leaks.patch
View File

@ -1,78 +0,0 @@
From 248219377a034d7da9238e7424c97558395700e3 Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Tue, 18 Jul 2023 17:05:11 +0200
Subject: [PATCH] Fix multiple leaks
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
src/library/filter.c | 3 +++
src/library/policy.c | 13 +++++++++++--
src/library/rules.c | 3 ---
3 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/src/library/filter.c b/src/library/filter.c
index d5d8cca..eb378ca 100644
--- a/src/library/filter.c
+++ b/src/library/filter.c
@@ -472,9 +472,12 @@ int filter_load_file(void)
msg(LOG_ERR, "filter_load_file: paring error line: %ld, \"%s\"", line_number, line);
filter_destroy_obj(filter);
free(line);
+ line = NULL;
goto bad;
}
+ }
+ if (line) {
free(line);
line = NULL;
}
diff --git a/src/library/policy.c b/src/library/policy.c
index 7fe1210..31ff6e2 100644
--- a/src/library/policy.c
+++ b/src/library/policy.c
@@ -23,6 +23,7 @@
* Radovan Sroka <rsroka@redhat.com>
*/
+#include "attr-sets.h"
#include "config.h"
#include <stdbool.h>
#include <stdio.h>
@@ -273,12 +274,20 @@ int load_rules(const conf_t *_config)
return 1;
FILE * f = open_file();
- if (f == NULL)
+ if (f == NULL) {
+ destroy_attr_sets();
return 1;
+ }
int res = _load_rules(_config, f);
fclose(f);
- return res;
+
+ if (res) {
+ destroy_attr_sets();
+ return 1;
+ }
+
+ return 0;
}
void destroy_rules(void)
diff --git a/src/library/rules.c b/src/library/rules.c
index 5ffa40e..4a8b098 100644
--- a/src/library/rules.c
+++ b/src/library/rules.c
@@ -65,9 +65,6 @@ int rules_create(llist *l)
l->cur = NULL;
l->cnt = 0;
- if (init_attr_sets())
- return 1;
-
return 0;
}

93
SOURCES/fapolicyd-librpm-workaround.patch
View File

@ -1,93 +0,0 @@
diff -up ./src/daemon/fapolicyd.c.librpm-workaround ./src/daemon/fapolicyd.c
--- ./src/daemon/fapolicyd.c.librpm-workaround 2023-07-10 11:19:19.507044648 +0200
+++ ./src/daemon/fapolicyd.c 2023-07-10 11:19:19.509044621 +0200
@@ -572,7 +572,7 @@ int main(int argc, const char *argv[])
capng_clear(CAPNG_SELECT_BOTH);
capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
CAP_DAC_OVERRIDE, CAP_SYS_ADMIN, CAP_SYS_PTRACE,
- CAP_SYS_NICE, CAP_SYS_RESOURCE, CAP_AUDIT_WRITE, -1);
+ CAP_SYS_NICE, CAP_SYS_RESOURCE, CAP_AUDIT_WRITE, CAP_CHOWN, -1);
if (capng_change_id(config.uid, config.gid,
CAPNG_DROP_SUPP_GRP)) {
msg(LOG_ERR, "Cannot change to uid %d", config.uid);
diff -up ./src/library/rpm-backend.c.librpm-workaround ./src/library/rpm-backend.c
--- ./src/library/rpm-backend.c.librpm-workaround 2023-06-15 16:45:14.000000000 +0200
+++ ./src/library/rpm-backend.c 2023-07-10 11:22:07.066794595 +0200
@@ -32,7 +32,12 @@
#include <rpm/rpmdb.h>
#include <rpm/rpmpgp.h>
#include <fnmatch.h>
+#include <glob.h>
+#include <pwd.h>
+#include <grp.h>
+#include <fcntl.h>
+#include <unistd.h>
#include <uthash.h>
#include "message.h"
@@ -59,6 +64,50 @@ backend rpm_backend =
static rpmts ts = NULL;
static rpmdbMatchIterator mi = NULL;
+static void fix_files(void)
+{
+ glob_t glob_result;
+ const char *pattern = "/var/lib/rpm/__*";
+
+ struct passwd * usr = getpwnam("fapolicyd");
+ if (usr == NULL) {
+ return;
+ }
+
+ struct group * grp = getgrnam("fapolicyd");
+ if (grp == NULL) {
+ return;
+ }
+
+ int return_value = glob(pattern, 0, NULL, &glob_result);
+ if (return_value != 0) {
+ return;
+ }
+
+ for (int i = 0; i < glob_result.gl_pathc; ++i) {
+
+ int fd = open(glob_result.gl_pathv[i], O_NOFOLLOW);
+
+ if (fd == -1)
+ continue;
+
+ struct stat file_stat;
+ if (fstat(fd, &file_stat) != 0) {
+ continue;
+ }
+
+ if (file_stat.st_uid == usr->pw_uid &&
+ file_stat.st_gid == grp->gr_gid) {
+
+ fchown(fd, 0, 0);
+ }
+
+ close(fd);
+ }
+
+ globfree(&glob_result);
+}
+
static int init_rpm(void)
{
return rpmReadConfigFiles ((const char *)NULL, (const char *)NULL);
@@ -201,8 +250,13 @@ static int rpm_load_list(const conf_t *c
return rc;
}
+ int fixed = 0;
// Loop across the rpm database
while (get_next_package_rpm()) {
+ if (!fixed) {
+ fixed = 1;
+ fix_files();
+ }
// Loop across the packages
while (get_next_file_rpm()) {
// We do not want directories or symlinks in the

16
SOURCES/fapolicyd-selinux-1.1.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcgDrLD9eSIRjwM6ezcroySfGvjEFAmlmAo4ACgkQzcroySfG
vjGK4w//eaZET4l52F5pZWq6R59X1pC4/9vqD82hFTwum96fznDjJsqApOUzJcvX
b1u+EkkFkvGsvNZVzCTnaCnJmh2EceerlOy9KwwtLFXCMQWe3ZX4fQLiUt70CGfE
dsbr58+pd5BoaZcXwTuHoh66q2RPqxI7sA9zeVYuAUsqa63mM3YGNfkUp57klT1Z
Mbvw9TIoO/oXuahHtEucWCmQDtNKGz3QBrBOxSeL3eGGduFKDnya4GWh7c/QYpJO
/2Sbzx04JD7jJJ2DuqySy2JV+MNitwjvbjc3ffDBNpvuqqzEjkMRbSSRZyWJcgAa
GWF4zx0DOMltOrWJ05qxcXwqRqoVWNXRe1wH32c7wp/l/zstQ6v1+R2HsNXyLMR9
kbvAPpTXjRtKGmUY9Gq1vibpC943U2PjQlENS/yCJlSK5dKx7KPwmHn5rEwoSsJr
DUzik3+NIraiqF3os4c5D/Fc8Of8/U4X/G3P+sfQma8BAYSu+D09rdEFX+XOea5f
0XKoFF7uDZ6iBmPw7f/JoSDOJk25bDf+QGbQsk/h/ao5AUVy0BXsy6+Uof2+7Qr0
bDY8nE8hmgo5A9ssdnnXTg71i4g1+/berFpGv3soW9FTeBsLmhJeNo+lzSUj9KUE
uKoiDaaZSNMJfvCJpJqjz0hNjIfnbXAnVNs/QgXvBbjnRatKqcI=
=HP8O
-----END PGP SIGNATURE-----

23
SOURCES/fapolicyd-selinux-links.patch
View File

@ -1,23 +0,0 @@
From 05780f9accae504440ffed0548bd3e4144cfb70e Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Wed, 19 Jul 2023 16:00:13 +0200
Subject: [PATCH] Allow links
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
fapolicyd.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fapolicyd-selinux-0.6/fapolicyd.te b/fapolicyd-selinux-0.6/fapolicyd.te
index daf31bd..5d6f9aa 100644
--- a/fapolicyd-selinux-0.6/fapolicyd.te
+++ b/fapolicyd-selinux-0.6/fapolicyd.te
@@ -53,6 +53,8 @@ ifdef(`fs_watch_all_fs',`
files_watch_sb_all_mountpoints(fapolicyd_t)
')
+allow fapolicyd_t file_type : lnk_file { getattr read };
+
manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t)
logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)

1
SOURCES/fapolicyd.sysusers Normal file
View File

@ -0,0 +1 @@
u fapolicyd - "Application Whitelisting Daemon" /var/lib/fapolicyd

13
SOURCES/selinux.patch
View File

@ -1,13 +0,0 @@
diff -up ./fapolicyd-selinux-0.6/fapolicyd.te.fix ./fapolicyd-selinux-0.6/fapolicyd.te
--- ./fapolicyd-selinux-0.6/fapolicyd.te.fix 2023-06-15 17:11:47.964646794 +0200
+++ ./fapolicyd-selinux-0.6/fapolicyd.te 2023-06-15 17:13:10.426477653 +0200
@@ -50,6 +50,9 @@ ifdef(`watch_mount_dirs_pattern',`
ifdef(`fs_watch_all_fs',`
fs_watch_all_fs(fapolicyd_t)
+')
+
+ifdef(`files_watch_sb_all_mountpoints',`
files_watch_sb_all_mountpoints(fapolicyd_t)
')

457
SPECS/fapolicyd.spec
View File

@ -1,40 +1,60 @@
%global selinuxtype targeted
%global moduletype contrib
%define semodule_version 0.6
%global moduletype distributed
%define semodule_version 1.1
Summary: Application Whitelisting Daemon
Name: fapolicyd
Version: 1.3.2
Release: 1%{?dist}
License: GPLv3+
URL: http://people.redhat.com/sgrubb/fapolicyd
Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
Version: 1.4.3
Release: 3%{?dist}
License: GPL-3.0-or-later
URL: https://github.com/linux-application-whitelisting/fapolicyd
Source0: https://github.com/linux-application-whitelisting/fapolicyd/releases/download/v%{version}/fapolicyd-%{version}.tar.gz
Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz
Source2: https://github.com/bachradsusi.gpg
Source3: fapolicyd.sysusers
Source10: https://github.com/linux-application-whitelisting/fapolicyd/releases/download/v%{version}/fapolicyd-%{version}.tar.gz.asc
Source11: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz.asc
# we bundle uthash for eln
Source20: https://github.com/troydhanson/uthash/archive/refs/tags/v2.3.0.tar.gz#/uthash-2.3.0.tar.gz
# https://github.com/linux-application-whitelisting/fapolicyd
# $ git format-patch -N v1.4.3
# https://github.com/linux-application-whitelisting/fapolicyd-selinux
# $ git format-patch -N --start-number 100 --src-prefix=a/fapolicyd-selinux-1.1/ --dst-prefix=b/fapolicyd-selinux-1.1/ v1.1
# $ for j in [0-9]*.patch; do printf "Patch: %s\n" $j; done
# Patch list start
Patch: 0002-If-less-than-16-chars-were-read-allow-shebang-test-c.patch
Patch: 0003-Fix-binary-path-of-rpm-loader.patch
Patch: 0004-Map-file-with-MAP_SHARED-instead-of-MAP_PRIVATE.patch
Patch: 0005-Fix-segfault-when-interrupting-fapolicyd-startup.patch
Patch: 0006-Potential-memory-leak-on-early-return-in-file_append.patch
Patch: 0007-whitespace-fix.patch
Patch: 0008-Fix-32-bit-ELF-dynamic-section-parsing.patch
# Patch list end
BuildRequires: gcc
BuildRequires: kernel-headers
BuildRequires: autoconf automake make gcc libtool
BuildRequires: systemd-devel openssl-devel rpm-devel file-devel file
BuildRequires: systemd systemd-devel openssl-devel rpm-devel file-devel file
BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
BuildRequires: python3-devel
BuildRequires: python2-devel
%if 0%{?fedora} || 0%{?rhel} > 10
BuildRequires: gpgverify
%else
BuildRequires: gnupg
%endif
%if 0%{?rhel} == 0
BuildRequires: uthash-devel
Requires: rpm-plugin-fapolicyd >= 4.14.3-12
%endif
Requires: rpm-plugin-fapolicyd
Recommends: %{name}-selinux
Requires(pre): shadow-utils
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
# we are making the dnf-plugin completelly dummy because of
# https://bugzilla.redhat.com/show_bug.cgi?id=1929163
# we require the rpm-plugin from now on and the dnf-plugin still needs to be part of
# the fapolicyd package because it provides safe upgrade path
Patch1: fapolicyd-dnf-plugin.patch
Patch2: selinux.patch
Patch3: fapolicyd-selinux-links.patch
Patch4: fapolicyd-leaks.patch
Patch5: fapolicyd-librpm-workaround.patch
%description
Fapolicyd (File Access Policy Daemon) implements application whitelisting
to decide file access rights. Applications that are known via a reputation
@ -45,7 +65,8 @@ makes use of the kernel's fanotify interface to determine file access rights.
Summary: Fapolicyd selinux
Group: Applications/System
Requires: %{name} = %{version}-%{release}
BuildRequires: selinux-policy
Requires: selinux-policy-%{selinuxtype}
Requires(post): selinux-policy-%{selinuxtype}
BuildRequires: selinux-policy-devel
BuildArch: noarch
%{?selinux_requires}
@ -54,32 +75,41 @@ BuildArch: noarch
The %{name}-selinux package contains selinux policy for the %{name} daemon.
%prep
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE10}' --data='%{SOURCE0}'
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE11}' --data='%{SOURCE1}'
%setup -q
# selinux
%setup -q -D -T -a 1
%autosetup -D -T -a 1 -p 1
%patch -P 1 -p1 -b .dnf-plugin
%patch -P 2 -p1 -b .selinux
%patch -P 3 -p1 -b .selinux-links
%patch -P 4 -p1 -b .leaks
%patch -P 5 -p1 -b .librpm-workaround
%if 0%{?rhel} != 0
%setup -q -D -T -b 20
%endif
# generate rules for python
sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules
sed -i "s|%python3_path%|`readlink -f %{__python3}`|g" rules.d/*.rules
# Detect run time linker directly from bash
interpret=`readelf -e /usr/bin/bash \
| grep Requesting \
| sed 's/.$//' \
| rev | cut -d" " -f1 \
| rev`
| grep Requesting \
| sed 's/.$//' \
| rev | cut -d" " -f1 \
| rev`
sed -i "s|%ld_so_path%|`realpath $interpret`|g" rules.d/*.rules
%build
cp INSTALL INSTALL.tmp
# necessary for updating CFLAGS below
%set_build_flags
%if 0%{?rhel} != 0
export CFLAGS="$CFLAGS -I%{_builddir}/uthash-2.3.0/include"
%endif
./autogen.sh
%configure \
--with-audit \
@ -96,15 +126,14 @@ popd
%check
make check
# Selinux
# selinux
%pre selinux
%selinux_relabel_pre -s %{selinuxtype}
%install
%make_install
mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/
install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/
install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf
install -p -D -m 0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/%{name}.conf
mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}
mkdir -p %{buildroot}/run/%{name}
mkdir -p %{buildroot}%{_sysconfdir}/%{name}/trust.d
@ -164,6 +193,7 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -delete
%pre
getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
if [ $1 -eq 2 ]; then
# detect changed default rules in case of upgrade
%manage_default_rules
@ -205,23 +235,25 @@ fi
%doc README.md
%{!?_licensedir:%global license %%doc}
%license COPYING
%attr(755,root,%{name}) %dir %{_datadir}/%{name}
%attr(755,root,%{name}) %dir %{_datadir}/%{name}/sample-rules
%attr(644,root,%{name}) %{_datadir}/%{name}/default-ruleset.known-libs
%attr(644,root,%{name}) %{_datadir}/%{name}/sample-rules/*
%attr(644,root,%{name}) %{_datadir}/%{name}/fapolicyd-magic.mgc
%attr(755,root,root) %dir %{_datadir}/%{name}
%attr(755,root,root) %dir %{_datadir}/%{name}/sample-rules
%attr(644,root,root) %{_datadir}/%{name}/default-ruleset.known-libs
%attr(644,root,root) %{_datadir}/%{name}/sample-rules/*
%attr(644,root,root) %{_datadir}/%{name}/fapolicyd-magic.mgc
%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/trust.d
%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/rules.d
%attr(644,root,root) %{_sysconfdir}/bash_completion.d/*
%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/rules.d/*
%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}-filter.conf
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
%ghost %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules
%attr(644,root,root) %{_unitdir}/%{name}.service
%attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
%attr(644,root,root) %{_sysusersdir}/%{name}.conf
%attr(755,root,root) %{_bindir}/%{name}-rpm-loader
%attr(755,root,root) %{_sbindir}/%{name}
%attr(755,root,root) %{_sbindir}/%{name}-cli
%attr(755,root,root) %{_sbindir}/fagenrules
@ -233,14 +265,11 @@ fi
%ghost %attr(660,root,%{name}) /run/%{name}/%{name}.fifo
%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/data.mdb
%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/lock.mdb
%{python3_sitelib}/dnf-plugins/%{name}-dnf-plugin.py
%{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc
# selinux
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
%{_datadir}/selinux/devel
%post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
@ -255,172 +284,258 @@ fi
%selinux_relabel_post -s %{selinuxtype}
%changelog
* Wed Jul 19 2023 Radovan Sroka <rsroka@redhat.com> - 1.3.2-1
RHEL 8.9.0 ERRATUM
* Fri Feb 06 2026 Petr Lautrbach <lautrbach@redhat.com> - 1.4.3-3
- Fix 32-bit ELF dynamic section parsing
* Tue Jan 27 2026 Petr Lautrbach <lautrbach@redhat.com> - 1.4.3-2
- Fix binary path of rpm-loader
- Map file with MAP_SHARED instead of MAP_PRIVATE
- Fix segfault when interrupting fapolicyd startup
* Tue Jan 13 2026 Petr Lautrbach <lautrbach@redhat.com> - 1.4.3-1
- fapolicyd-1.4.3
https://github.com/linux-application-whitelisting/fapolicyd/releases/tag/v1.4.3
https://github.com/linux-application-whitelisting/fapolicyd-selinux/releases/tag/v1.1
* Wed Nov 26 2025 Petr Lautrbach <lautrbach@redhat.com> - 1.4.2-1
- fapolicyd-1.4.2
https://github.com/linux-application-whitelisting/fapolicyd/releases/tag/v1.4.2
* Fri Oct 31 2025 Petr Lautrbach <lautrbach@redhat.com> - 1.4.1-1
- Fix deadlock on reconfigure
- On reconfigure, update the trust list and reload the rpm filter
* Thu Oct 30 2025 Petr Lautrbach <lautrbach@redhat.com> - 1.4-1
- fapolicyd-1.4 and fapolicyd-selinux-1.0
https://github.com/linux-application-whitelisting/fapolicyd/releases/tag/v1.4
* Thu Oct 16 2025 Petr Lautrbach <lautrbach@redhat.com> - 1.3.7-1
- fapolicyd-1.3.7 and fapolicyd-selinux-0.9
* Mon Aug 18 2025 Petr Lautrbach <lautrbach@redhat.com> - 1.3.3-106
- Add /var/lib/fapolicyd to tmpfiles
Resolves: RHEL-104873
* Wed May 28 2025 Radovan Sroka <rsroka@redhat.com> - 1.3.3-105
RHEL 9.7.0 ERRATUM
- RPMDB crashes with SIGBUS when updating the RPMDB repeatedly
Resolves: RHEL-63090
- File /run/fapolicyd differs from RPM expectations
Resolves: RHEL-59626
- fapolicyd.service badly instructs how to start after nss-user-lookup.target
Resolves: RHEL-21871
- fapolicy rule containing 'pattern=normal' produces error
Resolves: RHEL-30020
- "fapolicyd-cli --file add" crashes when processing sockets
Resolves: RHEL-69136
* Wed Jul 19 2023 Radovan Sroka <rsroka@redhat.com> - 1.3.3-100
RHEL 9.5.0 ERRATUM
- rebase to fapolicyd-1.3.3 and fapolicyd-selinux-0.7
Resolves: RHEL-36285
* Wed Jul 19 2023 Radovan Sroka <rsroka@redhat.com> - 1.3.2-100
RHEL 9.3.0 ERRATUM
- Rebase fapolicyd to the latest stable version
Resolves: RHEL-519
- RFE: send rule number to fanotify so it gets audited
Resolves: RHEL-628
- Default q_size doesn't match manpage's one
Resolves: RHEL-629
Resolves: RHEL-430
- fapolicyd can leak FDs and never answer request, causing target process to hang forever
Resolves: RHEL-632
Resolves: RHEL-621
- RFE: send rule number to fanotify so it gets audited
Resolves: RHEL-624
- fapolicyd needs to make sure the FD limit is never reached
Resolves: RHEL-631
Resolves: RHEL-623
- fapolicyd still allows execution of a program after "untrusting" it
Resolves: RHEL-630
Resolves: RHEL-622
- Default q_size doesn't match manpage's one
Resolves: RHEL-627
- fapolicyd-cli --update then mount/umount twice causes fapolicyd daemon to block (state 'D')
Resolves: RHEL-817
- Fix broken backwards compatibility backend numbers
Resolves: RHEL-731
- fapolicyd can create RPM DB files /var/lib/rpm/__db.xxx with bad ownership causing AVCs to occur
Resolves: RHEL-829
Resolves: RHEL-730
- SELinux prevents the fapolicyd from reading symlink (cert_t)
Resolves: RHEL-820
Resolves: RHEL-816
* Mon Jan 30 2023 Radovan Sroka <rsroka@redhat.com> - 1.1.3-12
RHEL 8.8.0 ERRATUM
* Mon Jan 30 2023 Radovan Sroka <rsroka@redhat.com> - 1.1.3-104
RHEL 9.2.0 ERRATUM
- statically linked app can execute untrusted app
Resolves: rhbz#2088349
Resolves: rhbz#2097077
- fapolicyd ineffective with systemd DynamicUser=yes
Resolves: rhbz#2136802
- Starting manually fapolicyd while the service is already running breaks the system
Resolves: rhbz#2103352
Resolves: rhbz#2160517
- Cannot execute /usr/libexec/grepconf.sh when falcon-sensor is enabled
Resolves: rhbz#2087040
Resolves: rhbz#2160518
- fapolicyd: Introduce filtering of rpmdb
Resolves: rhbz#2165645
Resolves: RHEL-192
* Fri Aug 05 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.3-8
RHEL 8.7.0 ERRATUM
* Fri Aug 05 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.3-102
RHEL 9.1.0 ERRATUM
- rebase fapolicyd to the latest stable vesion
Resolves: rhbz#2100087
- fapolicyd does not correctly handle SIGHUP
Resolves: rhbz#2070639
- fapolicyd often breaks package updates
Resolves: rhbz#2111243
- drop libgcrypt in favour of openssl
Resolves: rhbz#2111935
- fapolicyd.rules doesn't advertise that using a username/groupname instead of uid/gid also works
Resolves: rhbz#2103914
Resolves: rhbz#2100041
- fapolicyd gets way too easily killed by OOM killer
Resolves: rhbz#2100089
- compiled.rules file ownership and mode
Resolves: rhbz#2066653
- Faulty handling of static applications
Resolves: rhbz#2084497
Resolves: rhbz#2097385
- fapolicyd does not correctly handle SIGHUP
Resolves: rhbz#2070655
- Introduce ppid rule attribute
Resolves: rhbz#2102563
- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path [rhel-8.7.0]
Resolves: rhbz#2069121
- Fapolicyd denies access to /usr/lib64/ld-2.28.so [rhel-8.7.0]
Resolves: rhbz#2068105
Resolves: rhbz#2102558
- fapolicyd often breaks package updates
Resolves: rhbz#2111244
- drop libgcrypt in favour of openssl
Resolves: rhbz#2111938
- Remove dnf plugin
Resolves: rhbz#2113959
- fapolicyd.rules doesn't advertise that using a username/groupname instead of uid/gid also works
Resolves: rhbz#2115849
* Wed Feb 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-1
RHEL 8.6.0 ERRATUM
* Thu Jun 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-104
RHEL 9.1.0 ERRATUM
- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path
Resolves: rhbz#2069123
- Faulty handling of static applications
Resolves: rhbz#2096457
* Sun Apr 3 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-101
RHEL 9.1.0 ERRATUM
- fapolicyd denies access to /usr/lib64/ld-2.28.so
Resolves: rhbz#2067493
* Wed Feb 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-100
RHEL 9.0.0 ERRATUM
- rebase to 1.1
Resolves: rhbz#1939379
- introduce rules.d feature
Resolves: rhbz#2054741
Resolves: rhbz#2032408
- introduce rules.d
Resolves: rhbz#2054740
- remove pretrans scriptlet
Resolves: rhbz#2051485
Resolve: rhbz#2051481
* Mon Dec 13 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.4-2
RHEL 8.6.0 ERRATUM
* Tue Dec 14 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.4-101
RHEL 9.0.0 ERRATUM
- rebase to 1.0.4
- added rpm_sha256_only option
- added trust.d directory
- allow file names with whitespace in trust files
- allow file names with whitespaces in trust files
- use full paths in trust files
Resolves: rhbz#1939379
Resolves: rhbz#2032408
- fix libc.so getting identified as application/x-executable
Resolves: rhbz#1989272
- fix fapolicyd-dnf-plugin reporting as '<invalid>'
Resolves: rhbz#1997414
Resolves: rhbz#2015307
- fix selinux DSP module definition in spec file
Resolves: rhbz#2014445
Resolves: rhbz#2014449
* Thu Aug 19 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.2-7
- fapolicyd abnormally exits by executing sosreport
- fixed multiple problems with unlink()
- fapolicyd breaks system upgrade, leaving system in dead state - complete fix
Resolves: rhbz#1943251
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.3-4
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Tue Feb 16 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.2-3
RHEL 8.4.0 ERRATUM
* Tue Jul 20 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.3-3
RHEL 9 BETA
- SELinux prevents fapolicyd from watch_mount/watch_with_perm on /dev/shm
Resolves: rhbz#1932225
Resolves: rhbz#1977731
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.3-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Thu Apr 01 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.3-1
- rebase to 1.0.3
- sync fedora with rhel
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Jan 06 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.2-1
- rebase to 1.0.2
- strong dependency on rpm/rpm-plugin-fapolicyd
- installed dnf-plugin is dummy and we are not using it anymore
- enabled integrity setting
Resolves: rhbz#1887451
- added make check
- Adding DISA STIG during OS installation causes 'ipa-server-install' to fail
- fixed java detection
Resolves: rhbz#1895435
- dnf update fails when fapolicyd is enabled
Resolves: rhbz#1876975
- fapolicyd breaks system upgrade, leaving system in dead state - complete fix
Resolves: rhbz#1896875
- enabled make check
- dnf-plugin is now required subpackage
* Tue Jun 30 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3
RHEL 8.3 ERRATUM
- fixed manpage fapolicyd-conf
Resolves: rhbz#1817413
* Mon Nov 16 2020 Radovan Sroka <rsroka@redhat.com> - 1.0.1-1
- rebase to 1.0.1
- introduced uthash dependency
- SELinux prevents the fapolicyd process from writing to /run/dbus/system_bus_socket
Resolves: rhbz#1874491
- SELinux prevents the fapolicyd process from writing to /var/lib/rpm directory
Resolves: rhbz#1876538
* Mon May 25 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-2
RHEL 8.3 ERRATUM
- rebase to v1.0
- installed multiple policies to /usr/share/fapolicyd
- known-libs (default)
- restrictive
- installed fapolicyd.trust file
- enhanced fapolicyd-cli
Resolves: rhbz#1817413
- introduced fapolicyd-selinux that provides SELinux policy module
Resolves: rhbz#1714529
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Mar 03 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.1-4
RHEL 8.2 ERRATUM
- fixed possible heap buffer overflow in elf parser
Resolves: rhbz#1807912
* Wed Jun 24 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3
- backported few cosmetic small patches from upstream master
- rebase selinux tarbal to v0.3
- file context pattern for /run/fapolicyd.pid is missing
Resolves: rhbz#1834674
* Tue Feb 11 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.1-3
RHEL 8.2 ERRATUM
- fixed build time python interpreter detection (spec)
- added python2-devel as a BuildRequires (spec)
- allow running bash scripts in home directories
Resolves: rhbz#1801872
* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 1.0-2
- Rebuilt for Python 3.9
* Wed Nov 20 2019 Radovan Sroka <rsroka@redhat.com> - 0.9.1-2
RHEL 8.2 ERRATUM
- rebase to v0.9.1
- updated default configuration with new syntax
- removed daemon mounts configuration
Resolves: rhbz#1759895
- default fapolicyd policy prevents Ansible from running
- added ansible rule to default ruleset
Resolves: rhbz#1746464
- suspicious logs on service start
Resolves: rhbz#1747494
- fapolicyd blocks dracut from generating initramfs
- added dracut rule to default configuration
Resolves: rhbz#1757736
- fapolicyd fails to identify perl interpreter
Resolves: rhbz#1765039
* Mon May 25 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-1
- rebase fapolicyd to 1.0
- allowed sys_ptrace for user namespace
* Wed Jul 24 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-3
- added missing manpage for fapolicyd-cli
Resolves: rhbz#1708015
* Mon Mar 23 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.4-1
- rebase fapolicyd to 0.9.4
- polished the pattern detection engine
- rpm backend now drops most of the files in /usr/share/ to dramatically reduce
memory consumption and improve startup speed
- the commandline utility can now delete the lmdb trust database and manage
the file trust source
* Mon Jul 22 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-2
- Convert hashes to lowercase like sha256sum outputs
- Stop littering STDOUT output for dnf plugin in fapolicyd
Resolves: rhbz#1721496
* Mon Feb 24 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.3-1
- rebase fapolicyd to 0.9.3
- dramatically improved startup time
- fapolicyd-cli has picked up --list and --ftype commands to help debug/write policy
- file type identification has been improved
- trust database statistics have been added to the reports
* Tue Jun 18 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-1
- new upstream release
Resolves: rhbz#1673323
* Tue Feb 04 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.2-2
- Label all fifo_file as fapolicyd_var_run_t in /var/run.
- Allow fapolicyd_t domain to create fifo files labeled as
fapolicyd_var_run_t
* Fri Jan 31 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.2-1
- rebase fapolicyd to 0.9.2
- allows watched mount points to be specified by file system types
- ELF file detection was improved
- the rules have been rewritten to express the policy based on subject
object trust for better performance and reliability
- exceptions for dracut and ansible were added to the rules to avoid problems
under normal system use
- adds an admin defined trust database (fapolicyd.trust)
- setting boost, queue, user, and group on the daemon
command line are deprecated
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Tue Nov 05 2019 Marek Tamaskovic <mtamasko@redhat.com> - 0.9-3
- Updated fapolicyd-selinux subpackage to v0.2
Selinux subpackage is recommended for fapolicyd.
* Mon Oct 07 2019 Radovan Sroka <rsroka@redhat.com> - 0.9-2
- Added fapolicyd-selinux subpackage
* Mon Oct 07 2019 Radovan Sroka <rsroka@redhat.com> - 0.9-1
- rebase to v0.9
* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 0.8.10-2
- Rebuilt for Python 3.8.0rc1 (#1748018)
* Wed Aug 28 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-1
- rebase to 0.8.10
- generate python paths dynamically
* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 0.8.9-5
- Rebuilt for Python 3.8
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.9-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon Jun 10 22:13:18 CET 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.8.9-3
- Rebuild for RPM 4.15
* Mon Jun 10 15:42:01 CET 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.8.9-2
- Rebuild for RPM 4.15
* Mon May 06 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.9-1
- New upstream release
- imported from fedora30
resolves: rhbz#1673323
* Wed Mar 13 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.8-2
- backport some patches to resolve dac_override for fapolicyd