Compare commits

..

No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

10 changed files with 266 additions and 385 deletions

3
.fapolicyd.metadata Normal file
View File

@ -0,0 +1,3 @@
0c3e18b68cc92611ed45fe884229351eaebdf170 SOURCES/fapolicyd-1.3.3.tar.gz
ec91994fc4257a8d1a76e1c98eeccaf97ef4178f SOURCES/fapolicyd-selinux-0.7.tar.gz
fbafa356359ace80787ce6634d84425b40d90907 SOURCES/uthash-2.3.0.tar.gz

5
.gitignore vendored
View File

@ -1,2 +1,3 @@
SOURCES/fapolicyd-1.3.2.tar.gz
SOURCES/fapolicyd-selinux-0.6.tar.gz
SOURCES/fapolicyd-1.3.3.tar.gz
SOURCES/fapolicyd-selinux-0.7.tar.gz
SOURCES/uthash-2.3.0.tar.gz

View File

@ -1,34 +0,0 @@
diff -up ./dnf/fapolicyd-dnf-plugin.py.fix ./dnf/fapolicyd-dnf-plugin.py
--- ./dnf/fapolicyd-dnf-plugin.py.fix 2023-06-20 13:21:21.098192421 +0200
+++ ./dnf/fapolicyd-dnf-plugin.py 2023-06-20 13:21:46.287412300 +0200
@@ -8,29 +8,10 @@ import sys
class Fapolicyd(dnf.Plugin):
name = "fapolicyd"
- pipe = "/run/fapolicyd/fapolicyd.fifo"
file = None
def __init__(self, base, cli):
pass
def transaction(self):
-
- if not os.path.exists(self.pipe):
- sys.stderr.write("Pipe does not exist (" + self.pipe + ")\n")
- sys.stderr.write("Perhaps fapolicy-plugin does not have enough permissions\n")
- sys.stderr.write("or fapolicyd is not running...\n")
- return
-
- if not stat.S_ISFIFO(os.stat(self.pipe).st_mode):
- sys.stderr.write(self.pipe + ": is not a pipe!\n")
- return
-
- try:
- self.file = open(self.pipe, "w")
- except PermissionError:
- sys.stderr.write("fapolicy-plugin does not have write permission: " + self.pipe + "\n")
- return
-
- self.file.write("1\n")
- self.file.close()
+ pass

View File

@ -1,78 +0,0 @@
From 248219377a034d7da9238e7424c97558395700e3 Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Tue, 18 Jul 2023 17:05:11 +0200
Subject: [PATCH] Fix multiple leaks
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
src/library/filter.c | 3 +++
src/library/policy.c | 13 +++++++++++--
src/library/rules.c | 3 ---
3 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/src/library/filter.c b/src/library/filter.c
index d5d8cca..eb378ca 100644
--- a/src/library/filter.c
+++ b/src/library/filter.c
@@ -472,9 +472,12 @@ int filter_load_file(void)
msg(LOG_ERR, "filter_load_file: paring error line: %ld, \"%s\"", line_number, line);
filter_destroy_obj(filter);
free(line);
+ line = NULL;
goto bad;
}
+ }
+ if (line) {
free(line);
line = NULL;
}
diff --git a/src/library/policy.c b/src/library/policy.c
index 7fe1210..31ff6e2 100644
--- a/src/library/policy.c
+++ b/src/library/policy.c
@@ -23,6 +23,7 @@
* Radovan Sroka <rsroka@redhat.com>
*/
+#include "attr-sets.h"
#include "config.h"
#include <stdbool.h>
#include <stdio.h>
@@ -273,12 +274,20 @@ int load_rules(const conf_t *_config)
return 1;
FILE * f = open_file();
- if (f == NULL)
+ if (f == NULL) {
+ destroy_attr_sets();
return 1;
+ }
int res = _load_rules(_config, f);
fclose(f);
- return res;
+
+ if (res) {
+ destroy_attr_sets();
+ return 1;
+ }
+
+ return 0;
}
void destroy_rules(void)
diff --git a/src/library/rules.c b/src/library/rules.c
index 5ffa40e..4a8b098 100644
--- a/src/library/rules.c
+++ b/src/library/rules.c
@@ -65,9 +65,6 @@ int rules_create(llist *l)
l->cur = NULL;
l->cnt = 0;
- if (init_attr_sets())
- return 1;
-
return 0;
}

View File

@ -1,93 +0,0 @@
diff -up ./src/daemon/fapolicyd.c.librpm-workaround ./src/daemon/fapolicyd.c
--- ./src/daemon/fapolicyd.c.librpm-workaround 2023-07-10 11:19:19.507044648 +0200
+++ ./src/daemon/fapolicyd.c 2023-07-10 11:19:19.509044621 +0200
@@ -572,7 +572,7 @@ int main(int argc, const char *argv[])
capng_clear(CAPNG_SELECT_BOTH);
capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
CAP_DAC_OVERRIDE, CAP_SYS_ADMIN, CAP_SYS_PTRACE,
- CAP_SYS_NICE, CAP_SYS_RESOURCE, CAP_AUDIT_WRITE, -1);
+ CAP_SYS_NICE, CAP_SYS_RESOURCE, CAP_AUDIT_WRITE, CAP_CHOWN, -1);
if (capng_change_id(config.uid, config.gid,
CAPNG_DROP_SUPP_GRP)) {
msg(LOG_ERR, "Cannot change to uid %d", config.uid);
diff -up ./src/library/rpm-backend.c.librpm-workaround ./src/library/rpm-backend.c
--- ./src/library/rpm-backend.c.librpm-workaround 2023-06-15 16:45:14.000000000 +0200
+++ ./src/library/rpm-backend.c 2023-07-10 11:22:07.066794595 +0200
@@ -32,7 +32,12 @@
#include <rpm/rpmdb.h>
#include <rpm/rpmpgp.h>
#include <fnmatch.h>
+#include <glob.h>
+#include <pwd.h>
+#include <grp.h>
+#include <fcntl.h>
+#include <unistd.h>
#include <uthash.h>
#include "message.h"
@@ -59,6 +64,50 @@ backend rpm_backend =
static rpmts ts = NULL;
static rpmdbMatchIterator mi = NULL;
+static void fix_files(void)
+{
+ glob_t glob_result;
+ const char *pattern = "/var/lib/rpm/__*";
+
+ struct passwd * usr = getpwnam("fapolicyd");
+ if (usr == NULL) {
+ return;
+ }
+
+ struct group * grp = getgrnam("fapolicyd");
+ if (grp == NULL) {
+ return;
+ }
+
+ int return_value = glob(pattern, 0, NULL, &glob_result);
+ if (return_value != 0) {
+ return;
+ }
+
+ for (int i = 0; i < glob_result.gl_pathc; ++i) {
+
+ int fd = open(glob_result.gl_pathv[i], O_NOFOLLOW);
+
+ if (fd == -1)
+ continue;
+
+ struct stat file_stat;
+ if (fstat(fd, &file_stat) != 0) {
+ continue;
+ }
+
+ if (file_stat.st_uid == usr->pw_uid &&
+ file_stat.st_gid == grp->gr_gid) {
+
+ fchown(fd, 0, 0);
+ }
+
+ close(fd);
+ }
+
+ globfree(&glob_result);
+}
+
static int init_rpm(void)
{
return rpmReadConfigFiles ((const char *)NULL, (const char *)NULL);
@@ -201,8 +250,13 @@ static int rpm_load_list(const conf_t *c
return rc;
}
+ int fixed = 0;
// Loop across the rpm database
while (get_next_package_rpm()) {
+ if (!fixed) {
+ fixed = 1;
+ fix_files();
+ }
// Loop across the packages
while (get_next_file_rpm()) {
// We do not want directories or symlinks in the

View File

@ -1,23 +0,0 @@
From 05780f9accae504440ffed0548bd3e4144cfb70e Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Wed, 19 Jul 2023 16:00:13 +0200
Subject: [PATCH] Allow links
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
fapolicyd.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fapolicyd-selinux-0.6/fapolicyd.te b/fapolicyd-selinux-0.6/fapolicyd.te
index daf31bd..5d6f9aa 100644
--- a/fapolicyd-selinux-0.6/fapolicyd.te
+++ b/fapolicyd-selinux-0.6/fapolicyd.te
@@ -53,6 +53,8 @@ ifdef(`fs_watch_all_fs',`
files_watch_sb_all_mountpoints(fapolicyd_t)
')
+allow fapolicyd_t file_type : lnk_file { getattr read };
+
manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t)
logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)

View File

@ -0,0 +1,39 @@
diff -up ./configure.ac.uthash ./configure.ac
--- ./configure.ac.uthash 2022-09-27 16:34:59.000000000 +0200
+++ ./configure.ac 2022-09-29 11:57:26.297879027 +0200
@@ -162,10 +162,6 @@ AC_CHECK_HEADER(sys/fanotify.h, , [AC_MS
["Couldn't find sys/fanotify.h...your kernel might not be new enough"] )])
AC_CHECK_FUNCS(fexecve, [], [])
AC_CHECK_FUNCS([gettid])
-AC_CHECK_HEADER(uthash.h, , [AC_MSG_ERROR(
-["Couldn't find uthash.h...uthash-devel is missing"] )])
-
-
echo .
echo Checking for required libraries
AC_CHECK_LIB(udev, udev_device_get_devnode, , [AC_MSG_ERROR([libudev not found])], -ludev)
diff -up ./src/library/rpm-backend.c.uthash ./src/library/rpm-backend.c
--- ./src/library/rpm-backend.c.uthash 2022-09-29 11:57:26.297879027 +0200
+++ ./src/library/rpm-backend.c 2022-09-29 11:58:45.470119807 +0200
@@ -33,7 +33,7 @@
#include <rpm/rpmpgp.h>
#include <fnmatch.h>
-#include <uthash.h>
+#include "uthash.h"
#include "message.h"
#include "gcc-attributes.h"
diff -up ./src/Makefile.am.uthash ./src/Makefile.am
--- ./src/Makefile.am.uthash 2022-09-27 16:34:59.000000000 +0200
+++ ./src/Makefile.am 2022-09-29 11:57:26.297879027 +0200
@@ -5,6 +5,9 @@ AM_CPPFLAGS = \
-I${top_srcdir} \
-I${top_srcdir}/src/library
+AM_CPPFLAGS += \
+ -I${top_srcdir}/uthash-2.3.0/include
+
sbin_PROGRAMS = fapolicyd fapolicyd-cli
lib_LTLIBRARIES= libfapolicyd.la

View File

@ -1,6 +1,6 @@
diff -up ./fapolicyd-selinux-0.6/fapolicyd.te.fix ./fapolicyd-selinux-0.6/fapolicyd.te
--- ./fapolicyd-selinux-0.6/fapolicyd.te.fix 2023-06-15 17:11:47.964646794 +0200
+++ ./fapolicyd-selinux-0.6/fapolicyd.te 2023-06-15 17:13:10.426477653 +0200
diff -up ./fapolicyd-selinux-0.7/fapolicyd.te.fix ./fapolicyd-selinux-0.7/fapolicyd.te
--- ./fapolicyd-selinux-0.7/fapolicyd.te.fix 2023-06-15 17:11:47.964646794 +0200
+++ ./fapolicyd-selinux-0.7/fapolicyd.te 2023-06-15 17:13:10.426477653 +0200
@@ -50,6 +50,9 @@ ifdef(`watch_mount_dirs_pattern',`
ifdef(`fs_watch_all_fs',`

View File

@ -0,0 +1,26 @@
From 750c5e288f8253c71a9722da960addb078aee93c Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 6 Feb 2024 21:17:27 +0100
Subject: [PATCH] Rename all /var/run file context entries to /run
With the 1f76e522a ("Rename all /var/run file context entries to /run")
selinux-policy commit, all /var/run file context entries moved to /run
and the equivalency was inverted. Subsequently, changes in fapolicyd.fc
need to be done, too, in a similar manner.
---
fapolicyd.fc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fapolicyd-selinux-0.7/fapolicyd.fc b/fapolicyd-selinux-0.7/fapolicyd.fc
index 2bdc7aa..d081dc8 100644
--- a/fapolicyd-selinux-0.7/fapolicyd.fc
+++ b/fapolicyd-selinux-0.7/fapolicyd.fc
@@ -8,6 +8,6 @@
/var/log/fapolicyd-access.log -- gen_context(system_u:object_r:fapolicyd_log_t,s0)
-/var/run/fapolicyd(/.*)? gen_context(system_u:object_r:fapolicyd_var_run_t,s0)
+/run/fapolicyd(/.*)? gen_context(system_u:object_r:fapolicyd_var_run_t,s0)
-/var/run/fapolicyd\.pid -- gen_context(system_u:object_r:fapolicyd_var_run_t,s0)
+/run/fapolicyd\.pid -- gen_context(system_u:object_r:fapolicyd_var_run_t,s0)

View File

@ -1,39 +1,38 @@
%global selinuxtype targeted
%global moduletype contrib
%define semodule_version 0.6
%define semodule_version 0.7
Summary: Application Whitelisting Daemon
Name: fapolicyd
Version: 1.3.2
Release: 1%{?dist}
Version: 1.3.3
Release: 100%{?dist}
License: GPLv3+
URL: http://people.redhat.com/sgrubb/fapolicyd
Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz
# we bundle uthash for rhel9
Source2: https://github.com/troydhanson/uthash/archive/refs/tags/v2.3.0.tar.gz#/uthash-2.3.0.tar.gz
BuildRequires: gcc
BuildRequires: kernel-headers
BuildRequires: autoconf automake make gcc libtool
BuildRequires: systemd-devel openssl-devel rpm-devel file-devel file
BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
BuildRequires: python3-devel
BuildRequires: python2-devel
%if 0%{?rhel} == 0
BuildRequires: uthash-devel
Requires: rpm-plugin-fapolicyd >= 4.14.3-12
%endif
Requires: %{name}-plugin
Recommends: %{name}-selinux
Requires(pre): shadow-utils
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
# we are making the dnf-plugin completelly dummy because of
# https://bugzilla.redhat.com/show_bug.cgi?id=1929163
# we require the rpm-plugin from now on and the dnf-plugin still needs to be part of
# the fapolicyd package because it provides safe upgrade path
Patch1: fapolicyd-dnf-plugin.patch
Patch1: fapolicyd-uthash-bundle.patch
Patch2: selinux.patch
Patch3: fapolicyd-selinux-links.patch
Patch4: fapolicyd-leaks.patch
Patch5: fapolicyd-librpm-workaround.patch
Patch3: var-run-selinux.patch
%description
Fapolicyd (File Access Policy Daemon) implements application whitelisting
@ -60,11 +59,15 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.
# selinux
%setup -q -D -T -a 1
%patch -P 1 -p1 -b .dnf-plugin
%if 0%{?rhel} != 0
# uthash
%setup -q -D -T -a 2
%patch -P 1 -p1 -b .uthash
%endif
%patch -P 2 -p1 -b .selinux
%patch -P 3 -p1 -b .selinux-links
%patch -P 4 -p1 -b .leaks
%patch -P 5 -p1 -b .librpm-workaround
%patch -P 3 -p1 -R -b .var-run-selinux
# generate rules for python
sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules
@ -86,7 +89,7 @@ cp INSTALL INSTALL.tmp
--with-rpm \
--disable-shared
%make_build
make CFLAGS="%{optflags}" %{?_smp_mflags}
# selinux
pushd %{name}-selinux-%{semodule_version}
@ -96,14 +99,12 @@ popd
%check
make check
# Selinux
# selinux
%pre selinux
%selinux_relabel_pre -s %{selinuxtype}
%install
%make_install
mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/
install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/
install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf
mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}
mkdir -p %{buildroot}/run/%{name}
@ -216,10 +217,10 @@ fi
%attr(644,root,root) %{_sysconfdir}/bash_completion.d/*
%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/rules.d/*
%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}-filter.conf
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
%ghost %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules
%attr(644,root,root) %{_unitdir}/%{name}.service
%attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
%attr(755,root,root) %{_sbindir}/%{name}
@ -233,10 +234,8 @@ fi
%ghost %attr(660,root,%{name}) /run/%{name}/%{name}.fifo
%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/data.mdb
%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/lock.mdb
%{python3_sitelib}/dnf-plugins/%{name}-dnf-plugin.py
%{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc
# selinux
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
@ -255,172 +254,213 @@ fi
%selinux_relabel_post -s %{selinuxtype}
%changelog
* Wed Jul 19 2023 Radovan Sroka <rsroka@redhat.com> - 1.3.2-1
RHEL 8.9.0 ERRATUM
* Wed Jul 19 2023 Radovan Sroka <rsroka@redhat.com> - 1.3.3-100
RHEL 9.5.0 ERRATUM
- rebase to fapolicyd-1.3.3 and fapolicyd-selinux-0.7
Resolves: RHEL-36285
* Wed Jul 19 2023 Radovan Sroka <rsroka@redhat.com> - 1.3.2-100
RHEL 9.3.0 ERRATUM
- Rebase fapolicyd to the latest stable version
Resolves: RHEL-519
- RFE: send rule number to fanotify so it gets audited
Resolves: RHEL-628
- Default q_size doesn't match manpage's one
Resolves: RHEL-629
Resolves: RHEL-430
- fapolicyd can leak FDs and never answer request, causing target process to hang forever
Resolves: RHEL-632
Resolves: RHEL-621
- RFE: send rule number to fanotify so it gets audited
Resolves: RHEL-624
- fapolicyd needs to make sure the FD limit is never reached
Resolves: RHEL-631
Resolves: RHEL-623
- fapolicyd still allows execution of a program after "untrusting" it
Resolves: RHEL-630
Resolves: RHEL-622
- Default q_size doesn't match manpage's one
Resolves: RHEL-627
- fapolicyd-cli --update then mount/umount twice causes fapolicyd daemon to block (state 'D')
Resolves: RHEL-817
- Fix broken backwards compatibility backend numbers
Resolves: RHEL-731
- fapolicyd can create RPM DB files /var/lib/rpm/__db.xxx with bad ownership causing AVCs to occur
Resolves: RHEL-829
Resolves: RHEL-730
- SELinux prevents the fapolicyd from reading symlink (cert_t)
Resolves: RHEL-820
Resolves: RHEL-816
* Mon Jan 30 2023 Radovan Sroka <rsroka@redhat.com> - 1.1.3-12
RHEL 8.8.0 ERRATUM
* Mon Jan 30 2023 Radovan Sroka <rsroka@redhat.com> - 1.1.3-104
RHEL 9.2.0 ERRATUM
- statically linked app can execute untrusted app
Resolves: rhbz#2088349
Resolves: rhbz#2097077
- fapolicyd ineffective with systemd DynamicUser=yes
Resolves: rhbz#2136802
- Starting manually fapolicyd while the service is already running breaks the system
Resolves: rhbz#2103352
Resolves: rhbz#2160517
- Cannot execute /usr/libexec/grepconf.sh when falcon-sensor is enabled
Resolves: rhbz#2087040
Resolves: rhbz#2160518
- fapolicyd: Introduce filtering of rpmdb
Resolves: rhbz#2165645
Resolves: RHEL-192
* Fri Aug 05 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.3-8
RHEL 8.7.0 ERRATUM
* Fri Aug 05 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.3-102
RHEL 9.1.0 ERRATUM
- rebase fapolicyd to the latest stable vesion
Resolves: rhbz#2100087
- fapolicyd does not correctly handle SIGHUP
Resolves: rhbz#2070639
- fapolicyd often breaks package updates
Resolves: rhbz#2111243
- drop libgcrypt in favour of openssl
Resolves: rhbz#2111935
- fapolicyd.rules doesn't advertise that using a username/groupname instead of uid/gid also works
Resolves: rhbz#2103914
Resolves: rhbz#2100041
- fapolicyd gets way too easily killed by OOM killer
Resolves: rhbz#2100089
- compiled.rules file ownership and mode
Resolves: rhbz#2066653
- Faulty handling of static applications
Resolves: rhbz#2084497
Resolves: rhbz#2097385
- fapolicyd does not correctly handle SIGHUP
Resolves: rhbz#2070655
- Introduce ppid rule attribute
Resolves: rhbz#2102563
- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path [rhel-8.7.0]
Resolves: rhbz#2069121
- Fapolicyd denies access to /usr/lib64/ld-2.28.so [rhel-8.7.0]
Resolves: rhbz#2068105
Resolves: rhbz#2102558
- fapolicyd often breaks package updates
Resolves: rhbz#2111244
- drop libgcrypt in favour of openssl
Resolves: rhbz#2111938
- Remove dnf plugin
Resolves: rhbz#2113959
- fapolicyd.rules doesn't advertise that using a username/groupname instead of uid/gid also works
Resolves: rhbz#2115849
* Wed Feb 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-1
RHEL 8.6.0 ERRATUM
* Thu Jun 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-104
RHEL 9.1.0 ERRATUM
- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path
Resolves: rhbz#2069123
- Faulty handling of static applications
Resolves: rhbz#2096457
* Sun Apr 3 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-101
RHEL 9.1.0 ERRATUM
- fapolicyd denies access to /usr/lib64/ld-2.28.so
Resolves: rhbz#2067493
* Wed Feb 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-100
RHEL 9.0.0 ERRATUM
- rebase to 1.1
Resolves: rhbz#1939379
- introduce rules.d feature
Resolves: rhbz#2054741
Resolves: rhbz#2032408
- introduce rules.d
Resolves: rhbz#2054740
- remove pretrans scriptlet
Resolves: rhbz#2051485
Resolve: rhbz#2051481
* Mon Dec 13 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.4-2
RHEL 8.6.0 ERRATUM
* Tue Dec 14 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.4-101
RHEL 9.0.0 ERRATUM
- rebase to 1.0.4
- added rpm_sha256_only option
- added trust.d directory
- allow file names with whitespace in trust files
- allow file names with whitespaces in trust files
- use full paths in trust files
Resolves: rhbz#1939379
Resolves: rhbz#2032408
- fix libc.so getting identified as application/x-executable
Resolves: rhbz#1989272
- fix fapolicyd-dnf-plugin reporting as '<invalid>'
Resolves: rhbz#1997414
Resolves: rhbz#2015307
- fix selinux DSP module definition in spec file
Resolves: rhbz#2014445
Resolves: rhbz#2014449
* Thu Aug 19 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.2-7
- fapolicyd abnormally exits by executing sosreport
- fixed multiple problems with unlink()
- fapolicyd breaks system upgrade, leaving system in dead state - complete fix
Resolves: rhbz#1943251
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.3-4
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Tue Feb 16 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.2-3
RHEL 8.4.0 ERRATUM
* Tue Jul 20 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.3-3
RHEL 9 BETA
- SELinux prevents fapolicyd from watch_mount/watch_with_perm on /dev/shm
Resolves: rhbz#1932225
Resolves: rhbz#1977731
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.3-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Thu Apr 01 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.3-1
- rebase to 1.0.3
- sync fedora with rhel
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Jan 06 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.2-1
- rebase to 1.0.2
- strong dependency on rpm/rpm-plugin-fapolicyd
- installed dnf-plugin is dummy and we are not using it anymore
- enabled integrity setting
Resolves: rhbz#1887451
- added make check
- Adding DISA STIG during OS installation causes 'ipa-server-install' to fail
- fixed java detection
Resolves: rhbz#1895435
- dnf update fails when fapolicyd is enabled
Resolves: rhbz#1876975
- fapolicyd breaks system upgrade, leaving system in dead state - complete fix
Resolves: rhbz#1896875
- enabled make check
- dnf-plugin is now required subpackage
* Tue Jun 30 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3
RHEL 8.3 ERRATUM
- fixed manpage fapolicyd-conf
Resolves: rhbz#1817413
* Mon Nov 16 2020 Radovan Sroka <rsroka@redhat.com> - 1.0.1-1
- rebase to 1.0.1
- introduced uthash dependency
- SELinux prevents the fapolicyd process from writing to /run/dbus/system_bus_socket
Resolves: rhbz#1874491
- SELinux prevents the fapolicyd process from writing to /var/lib/rpm directory
Resolves: rhbz#1876538
* Mon May 25 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-2
RHEL 8.3 ERRATUM
- rebase to v1.0
- installed multiple policies to /usr/share/fapolicyd
- known-libs (default)
- restrictive
- installed fapolicyd.trust file
- enhanced fapolicyd-cli
Resolves: rhbz#1817413
- introduced fapolicyd-selinux that provides SELinux policy module
Resolves: rhbz#1714529
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Mar 03 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.1-4
RHEL 8.2 ERRATUM
- fixed possible heap buffer overflow in elf parser
Resolves: rhbz#1807912
* Wed Jun 24 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3
- backported few cosmetic small patches from upstream master
- rebase selinux tarbal to v0.3
- file context pattern for /run/fapolicyd.pid is missing
Resolves: rhbz#1834674
* Tue Feb 11 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.1-3
RHEL 8.2 ERRATUM
- fixed build time python interpreter detection (spec)
- added python2-devel as a BuildRequires (spec)
- allow running bash scripts in home directories
Resolves: rhbz#1801872
* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 1.0-2
- Rebuilt for Python 3.9
* Wed Nov 20 2019 Radovan Sroka <rsroka@redhat.com> - 0.9.1-2
RHEL 8.2 ERRATUM
- rebase to v0.9.1
- updated default configuration with new syntax
- removed daemon mounts configuration
Resolves: rhbz#1759895
- default fapolicyd policy prevents Ansible from running
- added ansible rule to default ruleset
Resolves: rhbz#1746464
- suspicious logs on service start
Resolves: rhbz#1747494
- fapolicyd blocks dracut from generating initramfs
- added dracut rule to default configuration
Resolves: rhbz#1757736
- fapolicyd fails to identify perl interpreter
Resolves: rhbz#1765039
* Mon May 25 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-1
- rebase fapolicyd to 1.0
- allowed sys_ptrace for user namespace
* Wed Jul 24 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-3
- added missing manpage for fapolicyd-cli
Resolves: rhbz#1708015
* Mon Mar 23 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.4-1
- rebase fapolicyd to 0.9.4
- polished the pattern detection engine
- rpm backend now drops most of the files in /usr/share/ to dramatically reduce
memory consumption and improve startup speed
- the commandline utility can now delete the lmdb trust database and manage
the file trust source
* Mon Jul 22 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-2
- Convert hashes to lowercase like sha256sum outputs
- Stop littering STDOUT output for dnf plugin in fapolicyd
Resolves: rhbz#1721496
* Mon Feb 24 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.3-1
- rebase fapolicyd to 0.9.3
- dramatically improved startup time
- fapolicyd-cli has picked up --list and --ftype commands to help debug/write policy
- file type identification has been improved
- trust database statistics have been added to the reports
* Tue Jun 18 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-1
- new upstream release
Resolves: rhbz#1673323
* Tue Feb 04 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.2-2
- Label all fifo_file as fapolicyd_var_run_t in /var/run.
- Allow fapolicyd_t domain to create fifo files labeled as
fapolicyd_var_run_t
* Fri Jan 31 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.2-1
- rebase fapolicyd to 0.9.2
- allows watched mount points to be specified by file system types
- ELF file detection was improved
- the rules have been rewritten to express the policy based on subject
object trust for better performance and reliability
- exceptions for dracut and ansible were added to the rules to avoid problems
under normal system use
- adds an admin defined trust database (fapolicyd.trust)
- setting boost, queue, user, and group on the daemon
command line are deprecated
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Tue Nov 05 2019 Marek Tamaskovic <mtamasko@redhat.com> - 0.9-3
- Updated fapolicyd-selinux subpackage to v0.2
Selinux subpackage is recommended for fapolicyd.
* Mon Oct 07 2019 Radovan Sroka <rsroka@redhat.com> - 0.9-2
- Added fapolicyd-selinux subpackage
* Mon Oct 07 2019 Radovan Sroka <rsroka@redhat.com> - 0.9-1
- rebase to v0.9
* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 0.8.10-2
- Rebuilt for Python 3.8.0rc1 (#1748018)
* Wed Aug 28 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-1
- rebase to 0.8.10
- generate python paths dynamically
* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 0.8.9-5
- Rebuilt for Python 3.8
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.9-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon Jun 10 22:13:18 CET 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.8.9-3
- Rebuild for RPM 4.15
* Mon Jun 10 15:42:01 CET 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.8.9-2
- Rebuild for RPM 4.15
* Mon May 06 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.9-1
- New upstream release
- imported from fedora30
resolves: rhbz#1673323
* Wed Mar 13 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.8-2
- backport some patches to resolve dac_override for fapolicyd