From e82ed5a6245eb2a9f42db1f9127dd7c12cb8e37d Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 18 Jul 2022 10:29:51 +0200
Subject: [PATCH] remove sysctl_fs_protected_* rules from rhel9 ospp

Resolves: rhbz#2081719
---
 ...ove_sysctl_proteced_fs_rules-PR_9081.patch | 30 +++++++++++++++++++
 scap-security-guide.spec                      |  7 ++++-
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 scap-security-guide-0.1.63-remove_sysctl_proteced_fs_rules-PR_9081.patch

diff --git a/scap-security-guide-0.1.63-remove_sysctl_proteced_fs_rules-PR_9081.patch b/scap-security-guide-0.1.63-remove_sysctl_proteced_fs_rules-PR_9081.patch
new file mode 100644
index 0000000..271f117
--- /dev/null
+++ b/scap-security-guide-0.1.63-remove_sysctl_proteced_fs_rules-PR_9081.patch
@@ -0,0 +1,30 @@
+From 5b0ff05c2377a8a8a5ef13d34fc71ce0587ed6df Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Fri, 1 Jul 2022 13:04:48 +0200
+Subject: [PATCH] Remove sysctl_fs_protected_* rules from RHEL 9 OSPP
+
+The sysctl_fs_protected_hardlinks and sysctl_fs_protected_symlinks rules
+reenforce the RHEL 9 default value. While that protection is useful,
+there is no specific OSPP SFR or other reason for the SCAP rules in the
+OSPP profile.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2081719
+---
+ products/rhel9/profiles/ospp.profile | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index 1fad0031749..5536dd7b2b6 100644
+--- a/products/rhel9/profiles/ospp.profile
++++ b/products/rhel9/profiles/ospp.profile
+@@ -141,10 +141,6 @@ selections:
+     - sysctl_net_core_bpf_jit_harden
+     - service_kdump_disabled
+ 
+-    ## File System Settings
+-    - sysctl_fs_protected_hardlinks
+-    - sysctl_fs_protected_symlinks
+-
+     ### Audit
+     - service_auditd_enabled
+     - var_auditd_flush=incremental_async
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index fbaf46f..a178f78 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -6,7 +6,7 @@
 
 Name:		scap-security-guide
 Version:	0.1.62
-Release:	1%{?dist}
+Release:	2%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 URL:		https://github.com/ComplianceAsCode/content/
@@ -24,6 +24,8 @@ BuildRequires:	python%{python3_pkgversion}-jinja2
 BuildRequires:	python%{python3_pkgversion}-PyYAML
 Requires:	xml-common, openscap-scanner >= 1.2.5
 
+Patch0:                scap-security-guide-0.1.63-remove_sysctl_proteced_fs_rules-PR_9081.patch
+
 %description
 The scap-security-guide project provides a guide for configuration of the
 system from the final system's security point of view. The guidance is specified
@@ -98,6 +100,9 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 %endif
 
 %changelog
+* Mon Jul 18 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.62-2
+- Remove sysctl_fs_protected_* rules from RHEL9 OSPP (RHBZ#2081719)
+
 * Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
 - Rebase to a new upstream release (RHBZ#2070563)