Rebase selinux tarball to v0.0.4
- enable forking style in unit file - set DevicePolicy to closed in unit file - usbguard prevented from writing conf via dontaudit rule Resolves: rhbz#1804713 Resolves: rhbz#1789923 Signed-off-by: Radovan Sroka <rsroka@redhat.com>
parent
a1fb6977df
commit
d327155d9f
1
.gitignore
vendored
@ -18,3 +18,4 @@
|
||||
/usbguard-0.7.7.tar.gz
|
||||
/usbguard-selinux-0.0.3.tar.gz
|
||||
/usbguard-0.7.8.tar.gz
|
||||
/usbguard-selinux-0.0.4.tar.gz
|
||||
|
||||
2
sources
@ -1,2 +1,2 @@
|
||||
SHA512 (usbguard-0.7.8.tar.gz) = 315c25ed7eb61cc0920047836dcca035cb07aecb6dfece9e4f6dc2ad61aaf6fdbf86898e43493958f3d12a146eb4c8f88b90bb246da0df83bb2097ce5b853e88
|
||||
SHA512 (usbguard-selinux-0.0.3.tar.gz) = 61e4e969d44061182b286e1483409a606ecf2a3da08acf8ddd2b9af0d2143f61ff12f7a1b915e49232dd80d6c19efbdcdc43aff5b1f01e571f6abb7f8a826426
|
||||
SHA512 (usbguard-selinux-0.0.4.tar.gz) = b73b14396e40f847704511097bfed17c94b9b28cc70f3391a6effab763a315fe723aba37bb4c622d18ab691306c485fcd7632ccc8a837413f32c73cd9879c8b0
|
||||
|
||||
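--- a/usbguard-forking-style.patch
+++ b/usbguard-forking-style.patch
@@ -0,0 +1,34 @@
+diff -up ./usbguard.service.in.forking ./usbguard.service.in
+--- ./usbguard.service.in.forking 2020-06-17 20:07:04.720564149 +0200
++++ ./usbguard.service.in 2020-06-17 20:10:00.744063846 +0200
+@@ -8,11 +8,12 @@ AmbientCapabilities=
+CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+-ExecStart=%sbindir%/usbguard-daemon -k -c %sysconfdir%/usbguard/usbguard-daemon.conf
++ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
++PIDFile=/var/run/usbguard.pid
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+@@ -20,14 +21,14 @@ ProtectHome=yes
+ProtectKernelModules=yes
+ProtectSystem=yes
+ReadOnlyPaths=-/
+-ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/
++ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/ -/var/run
+Restart=on-failure
+RestrictAddressFamilies=AF_UNIX AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+-Type=simple
++Type=forking
+UMask=0077
+
+[Install]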
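Review bot: Adding `-/var/run` to `ReadWritePaths=` makes the whole runtime directory writable to the daemon just so it can drop one PID file, which gives back much of what `ReadOnlyPaths=-/` restricts, since that directory also holds sockets and state belonging to other services. A narrower form would be `RuntimeDirectory=usbguard` together with `PIDFile=/run/usbguard/usbguard.pid`, provided the daemon can be told to write its PID file there; whether it can is not visible in this patch. Independently, `/var/run` is the legacy alias of `/run` and systemd logs a warning for a `PIDFile=` below it, so `PIDFile=/run/usbguard.pid` is the spelling to use even if the location stays. The `[Service]` section starts above the first inner hunk, so settings outside the shown context may also apply.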
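--- a/usbguard-service-fips.patch
+++ b/usbguard-service-fips.patch
@@ -0,0 +1,13 @@
+diff -up ./usbguard.service.in.service-fips ./usbguard.service.in
+--- ./usbguard.service.in.service-fips 2020-06-22 10:44:44.815860376 +0200
++++ ./usbguard.service.in 2020-06-22 10:45:07.699135514 +0200
+@@ -6,8 +6,7 @@ Documentation=man:usbguard-daemon(8)
+[Service]
+AmbientCapabilities=
+CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
+-DeviceAllow=/dev/null rw
+-DevicePolicy=strict
++DevicePolicy=closed
+ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
+IPAddressDeny=any
+LockPersonality=yes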
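Review bot: The move from `DevicePolicy=strict` with `DeviceAllow=/dev/null rw` to `DevicePolicy=closed` loosens the device sandbox, and nothing in the unit file records why. With `closed` the service can open the standard pseudo devices (/dev/null, /dev/zero, /dev/full, /dev/random, /dev/urandom) rather than /dev/null alone; the patch name suggests the random devices are what FIPS mode needs, but that is an inference from the file name. A comment above the changed line would keep a later hardening pass from restoring `strict` and reintroducing the bug, for example `# closed, not strict: the daemon needs the standard pseudo devices such as /dev/urandom (FIPS mode)`. The `[Service]` section continues past the end of the inner hunk.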
@ -1,10 +1,10 @@
|
||||
%global selinuxtype targeted
|
||||
%global moduletype contrib
|
||||
%define semodule_version 0.0.3
|
||||
%define semodule_version 0.0.4
|
||||
|
||||
Name: usbguard
|
||||
Version: 0.7.8
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
Summary: A tool for implementing USB device usage policy
|
||||
License: GPLv2+
|
||||
## Not installed
|
||||
@ -38,13 +38,8 @@ BuildRequires: audit-libs-devel
|
||||
# For `pkg-config systemd` only
|
||||
BuildRequires: systemd
|
||||
|
||||
# dbus
|
||||
BuildRequires: dbus-glib-devel
|
||||
BuildRequires: dbus-devel
|
||||
BuildRequires: glib2-devel
|
||||
BuildRequires: polkit-devel
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: libxml2
|
||||
Patch1: usbguard-forking-style.patch
|
||||
Patch2: usbguard-service-fips.patch
|
||||
|
||||
%description
|
||||
The USBGuard software framework helps to protect your computer against rogue USB
|
||||
@ -74,6 +69,12 @@ software framework.
|
||||
%package dbus
|
||||
Summary: USBGuard D-Bus Service
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
BuildRequires: dbus-glib-devel
|
||||
BuildRequires: dbus-devel
|
||||
BuildRequires: glib2-devel
|
||||
BuildRequires: polkit-devel
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: libxml2
|
||||
Requires: dbus
|
||||
Requires: polkit
|
||||
|
||||
@ -101,6 +102,9 @@ daemon.
|
||||
# selinux
|
||||
%setup -q -D -T -a 1
|
||||
|
||||
%patch1 -p1 -b .service1
|
||||
%patch2 -p1 -b .service2
|
||||
|
||||
# Remove bundled library sources before build
|
||||
rm -rf src/ThirdParty/{Catch,PEGTL}
|
||||
|
||||
@ -223,6 +227,14 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Jun 24 2020 Radovan Sroka <rsroka@redhat.com> - 0.7.8-3
|
||||
- rebase selinux tarball to v0.0.4
|
||||
- enable forking style in unit file
|
||||
- set DevicePolicy to closed in unit file
|
||||
- usbguard prevented from writing conf via dontaudit rule
|
||||
Resolves: rhbz#1804713
|
||||
Resolves: rhbz#1789923
|
||||
|
||||
* Sun Jun 14 2020 Adrian Reber <adrian@lisas.de> - 0.7.8-2
|
||||
- Rebuilt for protobuf 3.12
|
||||
|
||||
|
||||
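Review bot: The changelog entry `- usbguard prevented from writing conf via dontaudit rule` misdescribes the mechanism: a dontaudit rule blocks nothing, it only suppresses the AVC record for an access the policy already denies. Assuming the 0.0.4 policy tarball does what the entry says, the practical effect is that denied writes to the configuration no longer appear in the audit log, which matters to anyone who watches AVC denials for attempts to tamper with USBGuard's rules. I would word it `- SELinux: stop auditing denied usbguard writes to its configuration (dontaudit)` and note for administrators that `semodule -DB` temporarily re-enables those records when debugging. The policy itself ships in the tarball and is not visible on this page.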