import usbguard-0.7.8-5.el8

2020-07-14 02:03:30 +00:00 · 2020-07-14 02:03:30 +00:00 · 96eb0f7b90
commit 96eb0f7b90
parent f66f81c4c7
7 changed files with 137 additions and 11 deletions
--- a/SOURCES/usbguard-0.7.6-notifier.patch
+++ b/SOURCES/usbguard-0.7.6-notifier.patch
@ -1,6 +1,6 @@
-diff -up usbguard-0.7.6/usbguard-notifier-0.0.6/configure.ac.orig usbguard-0.7.6/usbguard-notifier-0.0.6/configure.ac
--- usbguard-0.7.6/usbguard-notifier-0.0.6/configure.ac.orig	2020-05-06 13:01:19.536595149 +0200
-+++ usbguard-0.7.6/usbguard-notifier-0.0.6/configure.ac	2020-05-06 13:01:24.499624513 +0200
+diff -up ./usbguard-notifier-0.0.6/configure.ac.notifier ./usbguard-notifier-0.0.6/configure.ac
+--- ./usbguard-notifier-0.0.6/configure.ac.notifier	2020-04-29 07:35:43.057914703 +0200
+++ ./usbguard-notifier-0.0.6/configure.ac	2020-06-17 16:27:53.577151720 +0200
@@ -44,6 +44,32 @@ AC_ARG_WITH(
     [notificaiton_path="/tmp/usbguard-notifier"]
 )
@ -57,9 +57,9 @@ diff -up usbguard-0.7.6/usbguard-notifier-0.0.6/configure.ac.orig usbguard-0.7.6
 
 AC_CONFIG_FILES([
     Makefile
-diff -up usbguard-0.7.6/usbguard-notifier-0.0.6/Makefile.am.orig usbguard-0.7.6/usbguard-notifier-0.0.6/Makefile.am
--- usbguard-0.7.6/usbguard-notifier-0.0.6/Makefile.am.orig	2020-05-06 13:01:17.410582575 +0200
-+++ usbguard-0.7.6/usbguard-notifier-0.0.6/Makefile.am	2020-05-06 13:01:24.499624513 +0200
+diff -up ./usbguard-notifier-0.0.6/Makefile.am.notifier ./usbguard-notifier-0.0.6/Makefile.am
+--- ./usbguard-notifier-0.0.6/Makefile.am.notifier	2020-04-29 07:18:21.024388188 +0200
+++ ./usbguard-notifier-0.0.6/Makefile.am	2020-06-17 16:27:53.592151848 +0200
@@ -57,6 +57,13 @@ usbguard_notifier_CXXFLAGS = \
 	@usbguard_CFLAGS@ \
 	-fPIC
@ -74,3 +74,15 @@ diff -up usbguard-0.7.6/usbguard-notifier-0.0.6/Makefile.am.orig usbguard-0.7.6/
 BUILT_SOURCES = \
 	src/BuildConfig.h
 
+diff -up ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier ./usbguard-notifier-0.0.6/man/usbguard-notifier.1
+--- ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier	2020-06-17 19:55:54.621855004 +0200
+++ ./usbguard-notifier-0.0.6/man/usbguard-notifier.1	2020-06-17 19:56:46.551297432 +0200
+@@ -53,7 +53,7 @@ Show help\&.
+ .RE
+ .SH "SEE ALSO"
+ .sp
+-usbguard\-notifier\-cli(1), usbguard(1)
+usbguard(1)
+ .SH "BUGS"
+ .sp
+ If you find a bug in this software or if you\(cqd like to request a feature to be implemented, please file a ticket at https://github\&.com/Cropi/usbguard\-notifier/issues/new\&.
--- a/SOURCES/usbguard-forking-style.patch
+++ b/SOURCES/usbguard-forking-style.patch
@ -0,0 +1,34 @@
+diff -up ./usbguard.service.in.forking ./usbguard.service.in
+--- ./usbguard.service.in.forking	2020-06-17 20:07:04.720564149 +0200
+++ ./usbguard.service.in	2020-06-17 20:10:00.744063846 +0200
+@@ -8,11 +8,12 @@ AmbientCapabilities=
+ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
+ DeviceAllow=/dev/null rw
+ DevicePolicy=strict
+-ExecStart=%sbindir%/usbguard-daemon -k -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ IPAddressDeny=any
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+ NoNewPrivileges=yes
+PIDFile=/var/run/usbguard.pid
+ PrivateDevices=yes
+ PrivateTmp=yes
+ ProtectControlGroups=yes
+@@ -20,14 +21,14 @@ ProtectHome=yes
+ ProtectKernelModules=yes
+ ProtectSystem=yes
+ ReadOnlyPaths=-/
+-ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/
+ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/ -/var/run
+ Restart=on-failure
+ RestrictAddressFamilies=AF_UNIX AF_NETLINK
+ RestrictNamespaces=yes
+ RestrictRealtime=yes
+ SystemCallArchitectures=native
+ SystemCallFilter=@system-service
+-Type=simple
+Type=forking
+ UMask=0077
+ 
+ [Install]
--- a/SOURCES/usbguard-selinux-cpuinfo.patch
+++ b/SOURCES/usbguard-selinux-cpuinfo.patch
@ -0,0 +1,12 @@
+diff -up ./usbguard-selinux-0.0.3/usbguard.te.cpuinfo ./usbguard-selinux-0.0.3/usbguard.te
+--- ./usbguard-selinux-0.0.3/usbguard.te.cpuinfo	2020-06-18 15:53:40.161615146 +0200
+++ ./usbguard-selinux-0.0.3/usbguard.te	2020-06-18 15:54:28.399982328 +0200
+@@ -77,6 +77,8 @@ auth_read_passwd(usbguard_t)
+ dev_list_sysfs(usbguard_t)
+ dev_rw_sysfs(usbguard_t)
+ 
+kernel_read_system_state(usbguard_t)
+
+ list_dirs_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
+ read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
+ dontaudit usbguard_t usbguard_conf_t:file write;
--- a/SOURCES/usbguard-selinux-list-dir.patch
+++ b/SOURCES/usbguard-selinux-list-dir.patch
@ -0,0 +1,11 @@
+diff -up ./usbguard-selinux-0.0.3/usbguard.te.selinux-read-dir ./usbguard-selinux-0.0.3/usbguard.te
+--- ./usbguard-selinux-0.0.3/usbguard.te.selinux-read-dir	2020-06-09 10:53:03.191977241 +0200
+++ ./usbguard-selinux-0.0.3/usbguard.te	2020-06-09 10:54:21.441965315 +0200
+@@ -81,6 +81,7 @@ list_dirs_pattern(usbguard_t,usbguard_co
+ read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
+ dontaudit usbguard_t usbguard_conf_t:file write;
+ 
+list_dirs_pattern(usbguard_t,usbguard_rules_t,usbguard_rules_t)
+ read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_rules_t)
+ 
+ manage_dirs_pattern(usbguard_t, usbguard_var_run_t, usbguard_var_run_t)
--- a/SOURCES/usbguard-selinux-rules-d.patch
+++ b/SOURCES/usbguard-selinux-rules-d.patch
@ -0,0 +1,22 @@
+From 008af22f238bfb97f6d337759732ac87bdef7b24 Mon Sep 17 00:00:00 2001
+From: alakatos <alakatos@redhat.com>
+Date: Mon, 25 May 2020 15:27:38 +0200
+Subject: [PATCH] /etc/usrbuard/rules.d(/.*)? has usbguard_rules_t label right
+ after the installation
+
+---
+ usbguard.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/usbguard.fc b/usbguard.fc
+index bce3e8c..3e14720 100644
+--- a/usbguard-selinux-0.0.3/usbguard.fc
+++ b/usbguard-selinux-0.0.3/usbguard.fc
+@@ -13,6 +13,7 @@
+ # You should have received a copy of the GNU General Public License
+ # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ 
+/etc/usbguard/rules\.d(/.*)?                 gen_context(system_u:object_r:usbguard_rules_t,s0)
+ /etc/usbguard/rules.conf                  -- gen_context(system_u:object_r:usbguard_rules_t,s0)
+ /etc/usbguard(/.*)?                          gen_context(system_u:object_r:usbguard_conf_t,s0)
+ /dev/shm/qb-usbguard-.*                   -- gen_context(system_u:object_r:usbguard_tmpfs_t,s0)
--- a/SOURCES/usbguard-service-fips.patch
+++ b/SOURCES/usbguard-service-fips.patch
@ -0,0 +1,13 @@
+diff -up ./usbguard.service.in.service-fips ./usbguard.service.in
+--- ./usbguard.service.in.service-fips	2020-06-22 10:44:44.815860376 +0200
+++ ./usbguard.service.in	2020-06-22 10:45:07.699135514 +0200
+@@ -6,8 +6,7 @@ Documentation=man:usbguard-daemon(8)
+ [Service]
+ AmbientCapabilities=
+ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
+-DeviceAllow=/dev/null rw
+-DevicePolicy=strict
+DevicePolicy=closed
+ ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ IPAddressDeny=any
+ LockPersonality=yes
--- a/SPECS/usbguard.spec
+++ b/SPECS/usbguard.spec
@ -8,7 +8,7 @@

 Name:           usbguard
 Version:        0.7.8
-Release:        1%{?dist}
+Release:        5%{?dist}
 Summary:        A tool for implementing USB device usage policy
 Group:          System Environment/Daemons
 License:        GPLv2+
@ -28,6 +28,7 @@ Requires(post): /sbin/ldconfig
 Requires(postun): /sbin/ldconfig
 Recommends: %{name}-selinux

+BuildRequires: gcc-c++
 BuildRequires: libqb-devel
 BuildRequires: libgcrypt-devel
 BuildRequires: libstdc++-devel
@ -49,6 +50,11 @@ BuildRequires: libxslt
 BuildRequires: libxml2

 Patch1: usbguard-0.7.6-notifier.patch
+Patch2: usbguard-selinux-rules-d.patch
+Patch3: usbguard-selinux-list-dir.patch
+Patch4: usbguard-forking-style.patch
+Patch5: usbguard-selinux-cpuinfo.patch
+Patch6: usbguard-service-fips.patch

 %description
 The USBGuard software framework helps to protect your computer against rogue USB
@ -104,7 +110,6 @@ Summary:        A tool for detecting usbguard policy and device presence changes
 Group:          Applications/System
 Requires:       %{name} = %{version}-%{release}
 Requires:       systemd
-Requires:       %{name}-devel
 BuildRequires:  librsvg2-devel
 BuildRequires:  libnotify-devel
 BuildRequires:  execstack
@ -127,6 +132,11 @@ device presence changes and displays them as pop-up notifications.
 rm -rf src/ThirdParty/{Catch,PEGTL}

 %patch1 -p1 -b .notifier
+%patch2 -p1 -b .rules-d-selinux
+%patch3 -p1 -b .list-dir
+%patch4 -p1 -b .forking
+%patch5 -p1 -b .cpuinfo
+%patch6 -p1 -b .service-fips

 %build
 mkdir -p ./m4
@ -290,10 +300,20 @@ fi
 %systemd_user_postun_with_restart %{name}-notifier.service


-
-
 %changelog
-* Wed May 06 2020 Attila Lakatos <alakatos@redhat.com> - 0.7.8-1
+* Wed Jun 17 2020 Radovan Sroka <rsroka@redhat.com> - 0.7.8-5
+- RHEL 8.3.0 ERRATUM
+- Use old-fasioned forking style in unit file
+Resolves: rhbz#1846885
+- Allow usbguard to read /proc/cpuinfo
+Resolves: rhbz#1847870
+- Removed notifier's Requires for usbguard-devel
+Resolves: rhbz#1667395
+- Allow usbguard to read /dev/urandom
+Resolves: rhbz#1848618
+
+* Wed May 06 2020 Attila Lakatos <alakatos@redhat.com> - 0.7.8-4
+- RHEL 8.3.0 ERRATUM
 - Spec file clean up
 - Rebase to 0.7.8
 Resolves: rhbz#1738590
@ -302,6 +322,8 @@ Resolves: rhbz#1683567
 - Added notifier subpackage
 - Installing /etc/usbguard/rules.d/
 Resolves: rhbz#1667395
+- Fixed sigwaitinfo handling
+Resolves: rhbz#1835210

 * Mon Nov 25 2019 Marek Tamaskovic <mtamasko@redhat.com> - 0.7.4-4
 - add match-all keyword