import usbguard-1.0.0-2.el8

2021-10-05 22:11:54 -04:00 · 2021-10-05 22:11:54 -04:00 · 3c53126e2e
commit 3c53126e2e
parent a08ceb7cc9
3 changed files with 33 additions and 1 deletions
--- a/SOURCES/usbguard-audit-capability.patch
+++ b/SOURCES/usbguard-audit-capability.patch
@ -0,0 +1,12 @@
+diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in
+--- usbguard-1.0.0/usbguard.service.in.orig	2021-03-17 14:16:21.675374844 +0100
+++ usbguard-1.0.0/usbguard.service.in	2021-03-17 14:16:29.056373213 +0100
+@@ -5,7 +5,7 @@ Documentation=man:usbguard-daemon(8)
+ 
+ [Service]
+ AmbientCapabilities=
+-CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
+CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
+ DevicePolicy=closed
+ ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ IPAddressDeny=any
--- a/SOURCES/usbguard-selinux-audit-capability.patch
+++ b/SOURCES/usbguard-selinux-audit-capability.patch
@ -0,0 +1,12 @@
+diff -up usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te
+--- usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig	2021-03-17 15:08:59.975712403 +0100
+++ usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te	2021-03-17 15:09:21.565708348 +0100
+@@ -68,7 +68,7 @@ files_pid_file(usbguard_var_run_t)
+ # Local policy
+ #
+ 
+-allow usbguard_t self:capability { chown fowner };
+allow usbguard_t self:capability { chown fowner audit_write };
+ allow usbguard_t self:netlink_kobject_uevent_socket { bind create setopt read };
+ allow usbguard_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+ 
--- a/SPECS/usbguard.spec
+++ b/SPECS/usbguard.spec
@ -8,7 +8,7 @@

 Name:           usbguard
 Version:        1.0.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        A tool for implementing USB device usage policy
 Group:          System Environment/Daemons
 License:        GPLv2+
@ -53,6 +53,8 @@ Patch1: usbguard-0.7.6-notifier.patch
 Patch2: usbguard-selinux-rules-d.patch
 Patch3: usbguard-selinux-list-dir.patch
 Patch4: usbguard-selinux-cpuinfo.patch
+Patch5: usbguard-audit-capability.patch
+Patch6: usbguard-selinux-audit-capability.patch

 %description
 The USBGuard software framework helps to protect your computer against rogue USB
@ -133,6 +135,8 @@ rm -rf src/ThirdParty/{Catch,PEGTL}
 %patch2 -p1 -b .rules-d-selinux
 %patch3 -p1 -b .list-dir
 %patch4 -p1 -b .cpuinfo
+%patch5 -p1 -b .audit-capability
+%patch6 -p1 -b .selinux-audit-capability

 %build
 mkdir -p ./m4
@ -297,6 +301,10 @@ fi


 %changelog
+* Wed Mar 17 2021 Attila Lakatos <alakatos@redhat.com> - 1.0.0-2
+- Add CAP_AUDIT_WRITE capability to service file
+Resolves: rhbz#1940060
+
 * Tue Jan 19 2021 Attila Lakatos <alakatos@redhat.com> - 1.0.0-1
 - Rebase to 1.0.0
 Resolves: rhbz#1887448