diff --git a/policykit-dbus-chat-selinux.patch b/policykit-dbus-chat-selinux.patch
new file mode 100644
index 0000000..8f0200e
--- /dev/null
+++ b/policykit-dbus-chat-selinux.patch
@@ -0,0 +1,22 @@
+diff -up ./usbguard-selinux-0.0.4/usbguard.te.policykit ./usbguard-selinux-0.0.4/usbguard.te
+--- ./usbguard-selinux-0.0.4/usbguard.te.policykit 2022-03-15 10:32:21.002852930 +0100
++++ ./usbguard-selinux-0.0.4/usbguard.te 2022-03-15 10:36:47.844040559 +0100
+@@ -99,9 +99,17 @@ logging_log_filetrans(usbguard_t, usbgua
+
+ logging_send_syslog_msg(usbguard_t)
+
+-dbus_system_domain(usbguard_t, usbguard_exec_t)
+ usbguard_ipc_access(usbguard_t)
+
++optional_policy(`
++ dbus_system_domain(usbguard_t, usbguard_exec_t)
++
++ optional_policy(`
++ policykit_dbus_chat(usbguard_t)
++ ')
++')
++
++
+ tunable_policy(`usbguard_daemon_write_rules',`
+ rw_files_pattern(usbguard_t, usbguard_rules_t, usbguard_rules_t)
+ ')
diff --git a/usbguard-restore-support-access-control-names.patch b/usbguard-restore-support-access-control-names.patch
new file mode 100644
index 0000000..5f4bed2
--- /dev/null
+++ b/usbguard-restore-support-access-control-names.patch 
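Review bot: The new `optional_policy` block in usbguard.te has no comment saying why `usbguard_t` needs `policykit_dbus_chat`, a grant that lets the daemon domain send D-Bus messages to the polkit domain and receive them from it. A one-line comment above the inner block, for example `# polkit is asked to authorize D-Bus callers` (wording to be confirmed against the daemon's actual use), would let a later policy audit judge whether the access is still needed. Moving `dbus_system_domain(usbguard_t, usbguard_exec_t)` inside `optional_policy` also means the module now loads without the dbus policy, leaving the daemon with no system-bus access and no build-time error; the same comment should say so. The hunk also adds two consecutive blank lines before `tunable_policy`, where one is enough.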
@@ -0,0 +1,44 @@
+From 22eb68cde27046c684e3ee2061b085b18fad863b Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Sat, 5 Mar 2022 17:22:05 +0100
+Subject: [PATCH] Restore support for access control filenames without a group
+
+Regression from commit b15ef713a9ac47e84525bbf829c7f444b84c3c81
+of release 1.1.0, detailed analysis online at
+https://github.com/USBGuard/usbguard/issues/540#issuecomment-1059784284
+---
+ src/Daemon/Daemon.cpp | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/src/Daemon/Daemon.cpp b/src/Daemon/Daemon.cpp
+index 45ddb76d..4ec2d934 100644
+--- a/src/Daemon/Daemon.cpp
++++ b/src/Daemon/Daemon.cpp
+@@ -446,12 +446,25 @@ namespace usbguard
+ void Daemon::parseIPCAccessControlFilename(const std::string& basename, std::string* const ptr_user,
+ std::string* const ptr_group)
+ {
++ // There are five supported forms:
++ // - ":"
++ // - ":"
++ // - ""
++ // - ":"
++ // - ":"
+ const auto ug_separator = basename.find_first_of(":");
+ const bool has_group = ug_separator != std::string::npos;
+ const std::string user = basename.substr(0, ug_separator);
+ const std::string group = has_group ? basename.substr(ug_separator + 1) : std::string();
+- checkIPCAccessControlName(user);
+- checkIPCAccessControlName(group);
++
++ if (! user.empty()) {
++ checkIPCAccessControlName(user);
++ }
++
++ if (! group.empty()) {
++ checkIPCAccessControlName(group);
++ }
++
+ *ptr_user = user;
+ *ptr_group = group;
+ }
diff --git a/usbguard.spec b/usbguard.spec
index 0aa5e23..f3efa4f 100644
--- a/usbguard.spec
+++ b/usbguard.spec
@@ -4,7 +4,7 @@ Name: usbguard Version: 1.1.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A tool for implementing USB device usage policy License: GPLv2+ ## Not installed 
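Review bot: In `parseIPCAccessControlFilename` (the Daemon.cpp change carried by usbguard-restore-support-access-control-names.patch), a basename of `:` or an empty basename now skips both `checkIPCAccessControlName` calls and hands back an empty user and an empty group. How callers interpret that pair is outside this hunk, so it cannot be confirmed here that such a file ends up applying to no principal rather than being matched more loosely. If the both-empty form is intended, state it next to the form list, e.g. `// Both parts may be empty (":"); callers must handle an empty user and group.`; otherwise reject it through the daemon's existing error path. `ptr_user` and `ptr_group` are also dereferenced without a null check, which holds only while every caller passes valid pointers.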
@@ -40,8 +40,8 @@ BuildRequires: audit-libs-devel BuildRequires: systemd Patch1: usbguard-revert-catch.patch - - +Patch2: policykit-dbus-chat-selinux.patch +Patch3: usbguard-restore-support-access-control-names.patch %description The USBGuard software framework helps to protect your computer against rogue USB @@ -104,6 +104,8 @@ daemon. %setup -q -D -T -a 1 %patch1 -p1 -b .catch +%patch2 -p1 -b .policykit +%patch3 -p1 -b .access-contol-names # Remove bundled library sources before build rm -rf src/ThirdParty/{Catch,PEGTL} @@ -227,6 +229,10 @@ fi %changelog +* Tue Mar 15 2022 Radovan Sroka - 1.1.0-2 +- selinux: allow policykit dbus comunnication +- restore support for access control filenames without a group + * Thu Mar 03 2022 Radovan Sroka - 1.1.0-1 - rebase to 1.1.0 Resolves: rhbz#2058450
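Review bot: The backup suffix on the added `%patch3` line in usbguard.spec is misspelled: `-b .access-contol-names` should read `-b .access-control-names`. The suffix only names the backup copies, so the build is unaffected, but it is the string people search for when tracing which patch touched a file. The new changelog entry has a similar slip (`comunnication`).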