From d327155d9f3761802e28f72bffb359b0b5d89aed Mon Sep 17 00:00:00 2001
From: Radovan Sroka
Date: Wed, 24 Jun 2020 16:08:10 +0200
Subject: [PATCH] Rebase selinux tarball to v0.0.4

- enable forking style in unit file
- set DevicePolicy to closed in unit file
- usbguard prevented from writing conf via dontaudit rule

Resolves: rhbz#1804713
Resolves: rhbz#1789923

Signed-off-by: Radovan Sroka
---
 .gitignore | 1 +
 sources | 2 +-
 usbguard-forking-style.patch | 34 ++++++++++++++++++++++++++++++++++
 usbguard-service-fips.patch | 13 +++++++++++++
 usbguard.spec | 30 +++++++++++++++++++++---------
 5 files changed, 70 insertions(+), 10 deletions(-)
 create mode 100644 usbguard-forking-style.patch
 create mode 100644 usbguard-service-fips.patch

diff --git a/.gitignore b/.gitignore
index 0e1053c..037ab40 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,4 @@
 /usbguard-0.7.7.tar.gz
 /usbguard-selinux-0.0.3.tar.gz
 /usbguard-0.7.8.tar.gz
+/usbguard-selinux-0.0.4.tar.gz
diff --git a/sources b/sources
index a8275fa..8c31e08 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 SHA512 (usbguard-0.7.8.tar.gz) = 315c25ed7eb61cc0920047836dcca035cb07aecb6dfece9e4f6dc2ad61aaf6fdbf86898e43493958f3d12a146eb4c8f88b90bb246da0df83bb2097ce5b853e88
-SHA512 (usbguard-selinux-0.0.3.tar.gz) = 61e4e969d44061182b286e1483409a606ecf2a3da08acf8ddd2b9af0d2143f61ff12f7a1b915e49232dd80d6c19efbdcdc43aff5b1f01e571f6abb7f8a826426
+SHA512 (usbguard-selinux-0.0.4.tar.gz) = b73b14396e40f847704511097bfed17c94b9b28cc70f3391a6effab763a315fe723aba37bb4c622d18ab691306c485fcd7632ccc8a837413f32c73cd9879c8b0
diff --git a/usbguard-forking-style.patch b/usbguard-forking-style.patch
new file mode 100644
index 0000000..8a6500a
--- /dev/null
+++ b/usbguard-forking-style.patch
@@ -0,0 +1,34 @@
+diff -up ./usbguard.service.in.forking ./usbguard.service.in
+--- ./usbguard.service.in.forking 2020-06-17 20:07:04.720564149 +0200
++++ ./usbguard.service.in 2020-06-17 20:10:00.744063846 +0200
+@@ -8,11 +8,12 @@ AmbientCapabilities=
+ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
+ DeviceAllow=/dev/null rw
+ DevicePolicy=strict
+-ExecStart=%sbindir%/usbguard-daemon -k -c %sysconfdir%/usbguard/usbguard-daemon.conf
++ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ IPAddressDeny=any
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+ NoNewPrivileges=yes
++PIDFile=/var/run/usbguard.pid
+ PrivateDevices=yes
+ PrivateTmp=yes
+ ProtectControlGroups=yes
+@@ -20,14 +21,14 @@ ProtectHome=yes
+ ProtectKernelModules=yes
+ ProtectSystem=yes
+ ReadOnlyPaths=-/
+-ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/
++ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/ -/var/run
+ Restart=on-failure
+ RestrictAddressFamilies=AF_UNIX AF_NETLINK
+ RestrictNamespaces=yes
+ RestrictRealtime=yes
+ SystemCallArchitectures=native
+ SystemCallFilter=@system-service
+-Type=simple
++Type=forking
+ UMask=0077
+ 
+ [Install]
diff --git a/usbguard-service-fips.patch b/usbguard-service-fips.patch
new file mode 100644
index 0000000..fce50c9
--- /dev/null
+++ b/usbguard-service-fips.patch
@@ -0,0 +1,13 @@
+diff -up ./usbguard.service.in.service-fips ./usbguard.service.in
+--- ./usbguard.service.in.service-fips 2020-06-22 10:44:44.815860376 +0200
++++ ./usbguard.service.in 2020-06-22 10:45:07.699135514 +0200
+@@ -6,8 +6,7 @@ Documentation=man:usbguard-daemon(8)
+ [Service]
+ AmbientCapabilities=
+ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
+-DeviceAllow=/dev/null rw
+-DevicePolicy=strict
++DevicePolicy=closed
+ ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ IPAddressDeny=any
+ LockPersonality=yes
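Review bot: `ReadWritePaths=… -/var/run` in the second inner hunk opens the whole runtime directory for writing just so the daemon can drop its PID file, and `PIDFile=/var/run/usbguard.pid` names the legacy `/var/run` alias that systemd rewrites to `/run` with a warning at load time. The narrower form is `RuntimeDirectory=usbguard` with `PIDFile=/run/usbguard/usbguard.pid`, after which the `-/var/run` entry can be dropped; that presumably also requires telling the daemon where to write the PID file (usbguard-daemon has a `-p`/`--pid-file` option), so confirm its default path before changing it. The patch file has no header line, so a one-line comment above `diff -up` stating why `Type=forking` is being enabled and that the ExecStart flags changed from `-k` to `-f -s` would let a later maintainer judge the hardening impact without reading the bug.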
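Review bot: The new patch file has no header explaining the change, and its context line `ExecStart=… -f -s …` is the result of usbguard-forking-style.patch, so it only applies after that patch. Add a header above the `diff -up` line such as `Relax DevicePolicy from strict to closed and drop the explicit /dev/null allow; closed still permits the standard pseudo-devices (null, zero, full, random, urandom, tty, ptmx). Must be applied after usbguard-forking-style.patch.` Since `PrivateDevices=yes` remains in the unit and already implies `DevicePolicy=closed`, the effective change is that the device cgroup no longer limits the service to `/dev/null` alone; if the `fips` in the file name means the daemon needs `/dev/random` or `/dev/urandom` in FIPS mode, that belongs in the header too.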
diff --git a/usbguard.spec b/usbguard.spec index 76da765..bfc4f67 100644 --- a/usbguard.spec +++ b/usbguard.spec @@ -1,10 +1,10 @@ %global selinuxtype targeted %global moduletype contrib -%define semodule_version 0.0.3 +%define semodule_version 0.0.4 Name: usbguard Version: 0.7.8 -Release: 2%{?dist} +Release: 3%{?dist} Summary: A tool for implementing USB device usage policy License: GPLv2+ ## Not installed @@ -38,13 +38,8 @@ BuildRequires: audit-libs-devel # For `pkg-config systemd` only BuildRequires: systemd -# dbus -BuildRequires: dbus-glib-devel -BuildRequires: dbus-devel -BuildRequires: glib2-devel -BuildRequires: polkit-devel -BuildRequires: libxslt -BuildRequires: libxml2 +Patch1: usbguard-forking-style.patch +Patch2: usbguard-service-fips.patch %description The USBGuard software framework helps to protect your computer against rogue USB @@ -74,6 +69,12 @@ software framework. %package dbus Summary: USBGuard D-Bus Service Requires: %{name} = %{version}-%{release} +BuildRequires: dbus-glib-devel +BuildRequires: dbus-devel +BuildRequires: glib2-devel +BuildRequires: polkit-devel +BuildRequires: libxslt +BuildRequires: libxml2 Requires: dbus Requires: polkit @@ -101,6 +102,9 @@ daemon. # selinux %setup -q -D -T -a 1 +%patch1 -p1 -b .service1 +%patch2 -p1 -b .service2 + # Remove bundled library sources before build rm -rf src/ThirdParty/{Catch,PEGTL} @@ -223,6 +227,14 @@ fi %changelog +* Wed Jun 24 2020 Radovan Sroka - 0.7.8-3 +- rebase selinux tarball to v0.0.4 +- enable forking style in unit file +- set DevicePolicy to closed in unit file +- usbguard prevented from writing conf via dontaudit rule +Resolves: rhbz#1804713 +Resolves: rhbz#1789923 + * Sun Jun 14 2020 Adrian Reber - 0.7.8-2 - Rebuilt for protobuf 3.12
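Review bot: `%patch2 -p1 -b .service2` depends on `%patch1 -p1 -b .service1` having run first, because usbguard-service-fips.patch's context contains the `-f -s` ExecStart line that usbguard-forking-style.patch introduces, and nothing in the spec records that. A comment above the pair, `# patch2 uses patch1's ExecStart line as context: keep this order`, would stop a later reorder from breaking `%prep`. In the earlier hunk the `# dbus` comment was dropped together with the BuildRequires it labelled; carrying it along to the moved lines under `%package dbus` keeps that grouping readable.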