diff --git a/SOURCES/usbguard-0.7.6-notifier.patch b/SOURCES/usbguard-0.7.6-notifier.patch
index 19b45ec..9d21147 100644
--- a/SOURCES/usbguard-0.7.6-notifier.patch
+++ b/SOURCES/usbguard-0.7.6-notifier.patch
@@ -1,6 +1,6 @@
-diff -up usbguard-0.7.6/usbguard-notifier-0.0.6/configure.ac.orig usbguard-0.7.6/usbguard-notifier-0.0.6/configure.ac
---- usbguard-0.7.6/usbguard-notifier-0.0.6/configure.ac.orig 2020-05-06 13:01:19.536595149 +0200
-+++ usbguard-0.7.6/usbguard-notifier-0.0.6/configure.ac 2020-05-06 13:01:24.499624513 +0200
+diff -up ./usbguard-notifier-0.0.6/configure.ac.notifier ./usbguard-notifier-0.0.6/configure.ac
+--- ./usbguard-notifier-0.0.6/configure.ac.notifier 2020-04-29 07:35:43.057914703 +0200
++++ ./usbguard-notifier-0.0.6/configure.ac 2020-06-17 16:27:53.577151720 +0200
 @@ -44,6 +44,32 @@ AC_ARG_WITH(
 [notificaiton_path="/tmp/usbguard-notifier"]
 )
@@ -57,9 +57,9 @@ diff -up usbguard-0.7.6/usbguard-notifier-0.0.6/configure.ac.orig usbguard-0.7.6
 AC_CONFIG_FILES([
 Makefile
-diff -up usbguard-0.7.6/usbguard-notifier-0.0.6/Makefile.am.orig usbguard-0.7.6/usbguard-notifier-0.0.6/Makefile.am
---- usbguard-0.7.6/usbguard-notifier-0.0.6/Makefile.am.orig 2020-05-06 13:01:17.410582575 +0200
-+++ usbguard-0.7.6/usbguard-notifier-0.0.6/Makefile.am 2020-05-06 13:01:24.499624513 +0200
+diff -up ./usbguard-notifier-0.0.6/Makefile.am.notifier ./usbguard-notifier-0.0.6/Makefile.am
+--- ./usbguard-notifier-0.0.6/Makefile.am.notifier 2020-04-29 07:18:21.024388188 +0200
++++ ./usbguard-notifier-0.0.6/Makefile.am 2020-06-17 16:27:53.592151848 +0200
 @@ -57,6 +57,13 @@ usbguard_notifier_CXXFLAGS = \
 @usbguard_CFLAGS@ \
 -fPIC
@@ -74,3 +74,15 @@ diff -up usbguard-0.7.6/usbguard-notifier-0.0.6/Makefile.am.orig usbguard-0.7.6/
 BUILT_SOURCES = \
 src/BuildConfig.h
+diff -up ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier ./usbguard-notifier-0.0.6/man/usbguard-notifier.1
+--- ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier 2020-06-17 19:55:54.621855004 +0200
++++ ./usbguard-notifier-0.0.6/man/usbguard-notifier.1 2020-06-17 19:56:46.551297432 +0200
+@@ -53,7 +53,7 @@ Show help\&.
+ .RE
+ .SH "SEE ALSO"
+ .sp
+-usbguard\-notifier\-cli(1), usbguard(1)
++usbguard(1)
+ .SH "BUGS"
+ .sp
+ If you find a bug in this software or if you\(cqd like to request a feature to be implemented, please file a ticket at https://github\&.com/Cropi/usbguard\-notifier/issues/new\&.
diff --git a/SOURCES/usbguard-forking-style.patch b/SOURCES/usbguard-forking-style.patch
new file mode 100644
index 0000000..8a6500a
--- /dev/null
+++ b/SOURCES/usbguard-forking-style.patch
@@ -0,0 +1,34 @@
+diff -up ./usbguard.service.in.forking ./usbguard.service.in
+--- ./usbguard.service.in.forking 2020-06-17 20:07:04.720564149 +0200
++++ ./usbguard.service.in 2020-06-17 20:10:00.744063846 +0200
+@@ -8,11 +8,12 @@ AmbientCapabilities=
+ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
+ DeviceAllow=/dev/null rw
+ DevicePolicy=strict
+-ExecStart=%sbindir%/usbguard-daemon -k -c %sysconfdir%/usbguard/usbguard-daemon.conf
++ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ IPAddressDeny=any
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+ NoNewPrivileges=yes
++PIDFile=/var/run/usbguard.pid
+ PrivateDevices=yes
+ PrivateTmp=yes
+ ProtectControlGroups=yes
+@@ -20,14 +21,14 @@ ProtectHome=yes
+ ProtectKernelModules=yes
+ ProtectSystem=yes
+ ReadOnlyPaths=-/
+-ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/
++ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/ -/var/run
+ Restart=on-failure
+ RestrictAddressFamilies=AF_UNIX AF_NETLINK
+ RestrictNamespaces=yes
+ RestrictRealtime=yes
+ SystemCallArchitectures=native
+ SystemCallFilter=@system-service
+-Type=simple
++Type=forking
+ UMask=0077
+ 
+ [Install]
diff --git a/SOURCES/usbguard-selinux-cpuinfo.patch b/SOURCES/usbguard-selinux-cpuinfo.patch
new file mode 100644
index 0000000..2371d64
--- /dev/null
+++ b/SOURCES/usbguard-selinux-cpuinfo.patch
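Review bot: `PIDFile=/var/run/usbguard.pid` combined with the new `-/var/run` entry in `ReadWritePaths=` makes the whole /run tree writable for a unit that otherwise mounts everything read-only (`ReadOnlyPaths=-/`), because `/var/run` is a symlink to `/run` on current systems; recent systemd versions also warn about `PIDFile=` paths under the legacy `/var/run/` and rewrite them to `/run/`. A narrower form is `RuntimeDirectory=usbguard` with `PIDFile=/run/usbguard/usbguard.pid`, which gives the daemon a dedicated, correctly labelled directory that systemd makes writable on its own, so the extra `ReadWritePaths` entry is not needed; the daemon then has to be told where to write its pid file (usbguard-daemon's `-p <path>` option, if 0.7.8 provides it), since the new `ExecStart` line appears to rely on the daemon's default location. A one-line comment above `Type=forking` recording why forking mode was chosen (rhbz#1846885 per the changelog) would also help the next maintainer who is tempted to revert to `Type=simple`.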
@@ -0,0 +1,12 @@
+diff -up ./usbguard-selinux-0.0.3/usbguard.te.cpuinfo ./usbguard-selinux-0.0.3/usbguard.te
+--- ./usbguard-selinux-0.0.3/usbguard.te.cpuinfo 2020-06-18 15:53:40.161615146 +0200
++++ ./usbguard-selinux-0.0.3/usbguard.te 2020-06-18 15:54:28.399982328 +0200
+@@ -77,6 +77,8 @@ auth_read_passwd(usbguard_t)
+ dev_list_sysfs(usbguard_t)
+ dev_rw_sysfs(usbguard_t)
+ 
++kernel_read_system_state(usbguard_t)
++
+ list_dirs_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
+ read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
+ dontaudit usbguard_t usbguard_conf_t:file write;
diff --git a/SOURCES/usbguard-selinux-list-dir.patch b/SOURCES/usbguard-selinux-list-dir.patch
new file mode 100644
index 0000000..9334b45
--- /dev/null
+++ b/SOURCES/usbguard-selinux-list-dir.patch
@@ -0,0 +1,11 @@
+diff -up ./usbguard-selinux-0.0.3/usbguard.te.selinux-read-dir ./usbguard-selinux-0.0.3/usbguard.te
+--- ./usbguard-selinux-0.0.3/usbguard.te.selinux-read-dir 2020-06-09 10:53:03.191977241 +0200
++++ ./usbguard-selinux-0.0.3/usbguard.te 2020-06-09 10:54:21.441965315 +0200
+@@ -81,6 +81,7 @@ list_dirs_pattern(usbguard_t,usbguard_co
+ read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
+ dontaudit usbguard_t usbguard_conf_t:file write;
+ 
++list_dirs_pattern(usbguard_t,usbguard_rules_t,usbguard_rules_t)
+ read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_rules_t)
+ 
+ manage_dirs_pattern(usbguard_t, usbguard_var_run_t, usbguard_var_run_t)
diff --git a/SOURCES/usbguard-selinux-rules-d.patch b/SOURCES/usbguard-selinux-rules-d.patch
new file mode 100644
index 0000000..5d56573
--- /dev/null
+++ b/SOURCES/usbguard-selinux-rules-d.patch
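Review bot: `kernel_read_system_state(usbguard_t)` is considerably broader than the stated need: it grants read on every `proc_t`-labelled file, directory and symlink under /proc, not only /proc/cpuinfo. I am not aware of a cpuinfo-specific refpolicy interface, so the interface itself is probably the right choice, but the rule should carry a comment recording the reason so the grant can be revisited, e.g. `# read /proc/cpuinfo (rhbz#1847870); note this covers all proc_t files`. The spec changelog is currently the only place the motivation lives, and the policy module will outlive that entry.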
@@ -0,0 +1,22 @@
+From 008af22f238bfb97f6d337759732ac87bdef7b24 Mon Sep 17 00:00:00 2001
+From: alakatos
+Date: Mon, 25 May 2020 15:27:38 +0200
+Subject: [PATCH] /etc/usrbuard/rules.d(/.*)? has usbguard_rules_t label right
+ after the installation
+
+---
+ usbguard.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/usbguard.fc b/usbguard.fc
+index bce3e8c..3e14720 100644
+--- a/usbguard-selinux-0.0.3/usbguard.fc
++++ b/usbguard-selinux-0.0.3/usbguard.fc
+@@ -13,6 +13,7 @@
+ # You should have received a copy of the GNU General Public License
+ # along with this program. If not, see .
+ 
++/etc/usbguard/rules\.d(/.*)? gen_context(system_u:object_r:usbguard_rules_t,s0)
+ /etc/usbguard/rules.conf -- gen_context(system_u:object_r:usbguard_rules_t,s0)
+ /etc/usbguard(/.*)? gen_context(system_u:object_r:usbguard_conf_t,s0)
+ /dev/shm/qb-usbguard-.* -- gen_context(system_u:object_r:usbguard_tmpfs_t,s0)
diff --git a/SOURCES/usbguard-service-fips.patch b/SOURCES/usbguard-service-fips.patch
new file mode 100644
index 0000000..fce50c9
--- /dev/null
+++ b/SOURCES/usbguard-service-fips.patch
@@ -0,0 +1,13 @@
+diff -up ./usbguard.service.in.service-fips ./usbguard.service.in
+--- ./usbguard.service.in.service-fips 2020-06-22 10:44:44.815860376 +0200
++++ ./usbguard.service.in 2020-06-22 10:45:07.699135514 +0200
+@@ -6,8 +6,7 @@ Documentation=man:usbguard-daemon(8)
+ [Service]
+ AmbientCapabilities=
+ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
+-DeviceAllow=/dev/null rw
+-DevicePolicy=strict
++DevicePolicy=closed
+ ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ IPAddressDeny=any
+ LockPersonality=yes
diff --git a/SPECS/usbguard.spec b/SPECS/usbguard.spec
index 55f0644..737c85a 100644
--- a/SPECS/usbguard.spec
+++ b/SPECS/usbguard.spec
@@ -8,7 +8,7 @@ Name: usbguard
 Version: 0.7.8
-Release: 1%{?dist}
+Release: 5%{?dist}
 Summary: A tool for implementing USB device usage policy
 Group: System Environment/Daemons
 License: GPLv2+
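Review bot: The new `/etc/usbguard/rules\.d(/.*)?` entry only takes effect when the path is relabelled; a rules.d directory already on disk from the earlier 0.7.8 builds (the changelog records installing /etc/usbguard/rules.d/) currently matches the surrounding `/etc/usbguard(/.*)?` rule and keeps `usbguard_conf_t` until something runs restorecon on it. The selinux subpackage's scriptlets, which are outside this diff, should therefore relabel that path on upgrade (for example via `%selinux_relabel_post`) unless they already do. Separately, the embedded commit Subject misspells the path as `/etc/usrbuard/`; harmless, but worth correcting while the patch is carried downstream.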
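Review bot: `DevicePolicy=closed` is broader than the change appears to need: per systemd.resource-control(5) it admits /dev/null, /dev/zero, /dev/full, /dev/random and /dev/urandom, whereas `strict` admits only what `DeviceAllow=` lists. If the motivation is the /dev/urandom read recorded in the changelog (rhbz#1848618), the least-privilege form keeps the existing lines and adds one: `DeviceAllow=/dev/null rw`, `DeviceAllow=/dev/urandom r`, `DevicePolicy=strict`. The patch name hints at FIPS mode but neither the unit nor the patch says why the device set changed; a one-line comment above `DevicePolicy=` would record it. Note also that this hunk's `ExecStart` context line is the `-f -s` form introduced by the forking patch, so the spec's patch order (Patch4 before Patch6) has to be preserved for it to apply.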
@@ -28,6 +28,7 @@ Requires(post): /sbin/ldconfig
 Requires(postun): /sbin/ldconfig
 Recommends: %{name}-selinux
+BuildRequires: gcc-c++
 BuildRequires: libqb-devel
 BuildRequires: libgcrypt-devel
 BuildRequires: libstdc++-devel
@@ -49,6 +50,11 @@ BuildRequires: libxslt
 BuildRequires: libxml2
 Patch1: usbguard-0.7.6-notifier.patch
+Patch2: usbguard-selinux-rules-d.patch
+Patch3: usbguard-selinux-list-dir.patch
+Patch4: usbguard-forking-style.patch
+Patch5: usbguard-selinux-cpuinfo.patch
+Patch6: usbguard-service-fips.patch
 %description
 The USBGuard software framework helps to protect your computer against rogue USB
@@ -104,7 +110,6 @@ Summary: A tool for detecting usbguard policy and device presence changes
 Group: Applications/System
 Requires: %{name} = %{version}-%{release}
 Requires: systemd
-Requires: %{name}-devel
 BuildRequires: librsvg2-devel
 BuildRequires: libnotify-devel
 BuildRequires: execstack
@@ -127,6 +132,11 @@ device presence changes and displays them as pop-up notifications.
 rm -rf src/ThirdParty/{Catch,PEGTL}
 %patch1 -p1 -b .notifier
+%patch2 -p1 -b .rules-d-selinux
+%patch3 -p1 -b .list-dir
+%patch4 -p1 -b .forking
+%patch5 -p1 -b .cpuinfo
+%patch6 -p1 -b .service-fips
 %build
 mkdir -p ./m4
@@ -290,10 +300,20 @@ fi
 %systemd_user_postun_with_restart %{name}-notifier.service
-
-
 %changelog
-* Wed May 06 2020 Attila Lakatos - 0.7.8-1
+* Wed Jun 17 2020 Radovan Sroka - 0.7.8-5
+- RHEL 8.3.0 ERRATUM
+- Use old-fasioned forking style in unit file
+Resolves: rhbz#1846885
+- Allow usbguard to read /proc/cpuinfo
+Resolves: rhbz#1847870
+- Removed notifier's Requires for usbguard-devel
+Resolves: rhbz#1667395
+- Allow usbguard to read /dev/urandom
+Resolves: rhbz#1848618
+
+* Wed May 06 2020 Attila Lakatos - 0.7.8-4
+- RHEL 8.3.0 ERRATUM
 - Spec file clean up
 - Rebase to 0.7.8
 Resolves: rhbz#1738590
@@ -302,6 +322,8 @@ Resolves: rhbz#1683567
 - Added notifier subpackage
 - Installing /etc/usbguard/rules.d/
 Resolves: rhbz#1667395
+- Fixed sigwaitinfo handling
+Resolves: rhbz#1835210
 * Mon Nov 25 2019 Marek Tamaskovic - 0.7.4-4
 - add match-all keyword