From 3c53126e2e7fd7f43e0bb6667d4c342e8a532135 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 5 Oct 2021 22:11:54 -0400
Subject: [PATCH] import usbguard-1.0.0-2.el8
---
SOURCES/usbguard-audit-capability.patch | 12 ++++++++++++
SOURCES/usbguard-selinux-audit-capability.patch | 12 ++++++++++++
SPECS/usbguard.spec | 10 +++++++++-
3 files changed, 33 insertions(+), 1 deletion(-)
create mode 100644 SOURCES/usbguard-audit-capability.patch
create mode 100644 SOURCES/usbguard-selinux-audit-capability.patch
diff --git a/SOURCES/usbguard-audit-capability.patch b/SOURCES/usbguard-audit-capability.patch
new file mode 100644
index 0000000..934a25a
--- /dev/null
+++ b/SOURCES/usbguard-audit-capability.patch
@@ -0,0 +1,12 @@
+diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in
+--- usbguard-1.0.0/usbguard.service.in.orig 2021-03-17 14:16:21.675374844 +0100
++++ usbguard-1.0.0/usbguard.service.in 2021-03-17 14:16:29.056373213 +0100
+@@ -5,7 +5,7 @@ Documentation=man:usbguard-daemon(8)
+
+ [Service]
+ AmbientCapabilities=
+-CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
++CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
+ DevicePolicy=closed
+ ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ IPAddressDeny=any
diff --git a/SOURCES/usbguard-selinux-audit-capability.patch b/SOURCES/usbguard-selinux-audit-capability.patch
new file mode 100644
index 0000000..46bc72e
--- /dev/null
+++ b/SOURCES/usbguard-selinux-audit-capability.patch
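Review bot: The widened `CapabilityBoundingSet=` line in usbguard.service.in has no comment saying why `CAP_AUDIT_WRITE` is needed, so a later least-privilege pass over the unit has only the spec changelog to go on. A line above it such as `# CAP_AUDIT_WRITE: lets the daemon write USB policy events to the kernel audit log` would keep the justification next to the grant; that purpose is inferred from the `netlink_audit_socket` rule in the companion SELinux patch and should be confirmed against rhbz#1940060. On an enforcing system the unit's bounding set and the SELinux `audit_write` rule presumably both have to allow the call, so the two patches should be carried or dropped together. The [Service] section continues outside the hunk.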
@@ -0,0 +1,12 @@
+diff -up usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te
+--- usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig 2021-03-17 15:08:59.975712403 +0100
++++ usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te 2021-03-17 15:09:21.565708348 +0100
+@@ -68,7 +68,7 @@ files_pid_file(usbguard_var_run_t)
+ # Local policy
+ #
+
+-allow usbguard_t self:capability { chown fowner };
++allow usbguard_t self:capability { chown fowner audit_write };
+ allow usbguard_t self:netlink_kobject_uevent_socket { bind create setopt read };
+ allow usbguard_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+
diff --git a/SPECS/usbguard.spec b/SPECS/usbguard.spec
index 952c572..e2a7abb 100644
--- a/SPECS/usbguard.spec
+++ b/SPECS/usbguard.spec
@@ -8,7 +8,7 @@ Name: usbguard Version: 1.0.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A tool for implementing USB device usage policy Group: System Environment/Daemons License: GPLv2+
@@ -53,6 +53,8 @@ Patch1: usbguard-0.7.6-notifier.patch Patch2: usbguard-selinux-rules-d.patch Patch3: usbguard-selinux-list-dir.patch Patch4: usbguard-selinux-cpuinfo.patch +Patch5: usbguard-audit-capability.patch +Patch6: usbguard-selinux-audit-capability.patch %description The USBGuard software framework helps to protect your computer against rogue USB
@@ -133,6 +135,8 @@ rm -rf src/ThirdParty/{Catch,PEGTL} %patch2 -p1 -b .rules-d-selinux %patch3 -p1 -b .list-dir %patch4 -p1 -b .cpuinfo +%patch5 -p1 -b .audit-capability +%patch6 -p1 -b .selinux-audit-capability %build mkdir -p ./m4
@@ -297,6 +301,10 @@ fi %changelog +* Wed Mar 17 2021 Attila Lakatos - 1.0.0-2 +- Add CAP_AUDIT_WRITE capability to service file +Resolves: rhbz#1940060 + * Tue Jan 19 2021 Attila Lakatos - 1.0.0-1 - Rebase to 1.0.0 Resolves: rhbz#1887448
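Review bot: In usbguard.te the audit permissions are now written by hand in two separate rules, `audit_write` in the `self:capability` set and the existing `self:netlink_audit_socket` rule two lines below. The reference policy interface `logging_send_audit_msgs(usbguard_t)` grants the capability together with the netlink audit socket access, so using it would stop the two from drifting apart again, which looks like what happened here. Check that its socket permission set covers what the daemon uses before swapping it in. If the module keeps explicit rules on purpose, a comment such as `# audit_write: needed alongside nlmsg_relay to send records to the kernel audit subsystem` above the capability rule would record the reason. The local policy section continues outside the hunk.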