From 54fe72ef31f68b4c593b5861d4fa7fd103151ff5 Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team
Date: Mon, 7 Oct 2024 19:32:07 +0300
Subject: [PATCH] import fapolicyd-1.3.3-100.el9
---
 .fapolicyd.metadata | 4 +-
 .gitignore | 4 +-
 SOURCES/fapolicyd-leaks.patch | 78 ---------------------------
 SOURCES/fapolicyd-selinux-links.patch | 23 --------
 SOURCES/fapolicyd-uthash-bundle.patch | 16 +++---
 SOURCES/selinux.patch | 6 +--
 SOURCES/var-run-selinux.patch | 26 +++++++++
 SPECS/fapolicyd.spec | 16 +++---
 8 files changed, 51 insertions(+), 122 deletions(-)
 delete mode 100644 SOURCES/fapolicyd-leaks.patch
 delete mode 100644 SOURCES/fapolicyd-selinux-links.patch
 create mode 100644 SOURCES/var-run-selinux.patch
diff --git a/.fapolicyd.metadata b/.fapolicyd.metadata
index c180e01..7806769 100644
--- a/.fapolicyd.metadata
+++ b/.fapolicyd.metadata
@@ -1,3 +1,3 @@
-f4fc52c6ec16cec13405d66752c0b222fff893e7 SOURCES/fapolicyd-1.3.2.tar.gz
-e61573db3de4d229377eebff8252765058ad4ab9 SOURCES/fapolicyd-selinux-0.6.tar.gz
+0c3e18b68cc92611ed45fe884229351eaebdf170 SOURCES/fapolicyd-1.3.3.tar.gz
+ec91994fc4257a8d1a76e1c98eeccaf97ef4178f SOURCES/fapolicyd-selinux-0.7.tar.gz
 fbafa356359ace80787ce6634d84425b40d90907 SOURCES/uthash-2.3.0.tar.gz
diff --git a/.gitignore b/.gitignore
index eb76e71..64d7ef1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
-SOURCES/fapolicyd-1.3.2.tar.gz
-SOURCES/fapolicyd-selinux-0.6.tar.gz
+SOURCES/fapolicyd-1.3.3.tar.gz
+SOURCES/fapolicyd-selinux-0.7.tar.gz
 SOURCES/uthash-2.3.0.tar.gz
diff --git a/SOURCES/fapolicyd-leaks.patch b/SOURCES/fapolicyd-leaks.patch
deleted file mode 100644
index dc6f8e2..0000000
--- a/SOURCES/fapolicyd-leaks.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 248219377a034d7da9238e7424c97558395700e3 Mon Sep 17 00:00:00 2001
-From: Radovan Sroka
-Date: Tue, 18 Jul 2023 17:05:11 +0200
-Subject: [PATCH] Fix multiple leaks
-
-Signed-off-by: Radovan Sroka
----
- src/library/filter.c | 3 +++
- src/library/policy.c | 13 +++++++++++--
- src/library/rules.c | 3 ---
- 3 files changed, 14 insertions(+), 5 deletions(-)
-
-diff --git a/src/library/filter.c b/src/library/filter.c
-index d5d8cca..eb378ca 100644
---- a/src/library/filter.c
-+++ b/src/library/filter.c
-@@ -472,9 +472,12 @@ int filter_load_file(void)
- msg(LOG_ERR, "filter_load_file: paring error line: %ld, \"%s\"", line_number, line);
- filter_destroy_obj(filter);
- free(line);
-+ line = NULL;
- goto bad;
- }
-+ }
-
-+ if (line) {
- free(line);
- line = NULL;
- }
-diff --git a/src/library/policy.c b/src/library/policy.c
-index 7fe1210..31ff6e2 100644
---- a/src/library/policy.c
-+++ b/src/library/policy.c
-@@ -23,6 +23,7 @@
- * Radovan Sroka
- */
-
-+#include "attr-sets.h"
- #include "config.h"
- #include
- #include
-@@ -273,12 +274,20 @@ int load_rules(const conf_t *_config)
- return 1;
-
- FILE * f = open_file();
-- if (f == NULL)
-+ if (f == NULL) {
-+ destroy_attr_sets();
- return 1;
-+ }
-
- int res = _load_rules(_config, f);
- fclose(f);
-- return res;
-+
-+ if (res) {
-+ destroy_attr_sets();
-+ return 1;
-+ }
-+
-+ return 0;
- }
-
- void destroy_rules(void)
-diff --git a/src/library/rules.c b/src/library/rules.c
-index 5ffa40e..4a8b098 100644
---- a/src/library/rules.c
-+++ b/src/library/rules.c
-@@ -65,9 +65,6 @@ int rules_create(llist *l)
- l->cur = NULL;
- l->cnt = 0;
-
-- if (init_attr_sets())
-- return 1;
--
- return 0;
- }
-
diff --git a/SOURCES/fapolicyd-selinux-links.patch b/SOURCES/fapolicyd-selinux-links.patch
deleted file mode 100644
index b0496c1..0000000
--- a/SOURCES/fapolicyd-selinux-links.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 05780f9accae504440ffed0548bd3e4144cfb70e Mon Sep 17 00:00:00 2001
-From: Radovan Sroka
-Date: Wed, 19 Jul 2023 16:00:13 +0200
-Subject: [PATCH] Allow links
-
-Signed-off-by: Radovan Sroka
----
- fapolicyd.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/fapolicyd-selinux-0.6/fapolicyd.te b/fapolicyd-selinux-0.6/fapolicyd.te
-index daf31bd..5d6f9aa 100644
---- a/fapolicyd-selinux-0.6/fapolicyd.te
-+++ b/fapolicyd-selinux-0.6/fapolicyd.te
-@@ -53,6 +53,8 @@ ifdef(`fs_watch_all_fs',`
- files_watch_sb_all_mountpoints(fapolicyd_t)
- ')
-
-+allow fapolicyd_t file_type : lnk_file { getattr read };
-+
- manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t)
- logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)
-
diff --git a/SOURCES/fapolicyd-uthash-bundle.patch b/SOURCES/fapolicyd-uthash-bundle.patch
index 676c566..13f7662 100644
--- a/SOURCES/fapolicyd-uthash-bundle.patch
+++ b/SOURCES/fapolicyd-uthash-bundle.patch
@@ -1,10 +1,10 @@
 diff -up ./configure.ac.uthash ./configure.ac
---- ./configure.ac.uthash 2023-06-15 16:45:13.000000000 +0200
-+++ ./configure.ac 2023-06-16 14:32:53.112363230 +0200
-@@ -96,10 +96,6 @@ AC_CHECK_HEADER(sys/fanotify.h, , [AC_MS
+--- ./configure.ac.uthash 2022-09-27 16:34:59.000000000 +0200
++++ ./configure.ac 2022-09-29 11:57:26.297879027 +0200
+@@ -162,10 +162,6 @@ AC_CHECK_HEADER(sys/fanotify.h, , [AC_MS
 ["Couldn't find sys/fanotify.h...your kernel might not be new enough"] )])
 AC_CHECK_FUNCS(fexecve, [], [])
-
+ AC_CHECK_FUNCS([gettid])
 -AC_CHECK_HEADER(uthash.h, , [AC_MSG_ERROR(
 -["Couldn't find uthash.h...uthash-devel is missing"] )])
 -
@@ -13,8 +13,8 @@ diff -up ./configure.ac.uthash ./configure.ac echo Checking for required libraries AC_CHECK_LIB(udev, udev_device_get_devnode, , [AC_MSG_ERROR([libudev not found])], -ludev) diff -up ./src/library/rpm-backend.c.uthash ./src/library/rpm-backend.c ---- ./src/library/rpm-backend.c.uthash 2023-06-16 14:32:53.112363230 +0200 -+++ ./src/library/rpm-backend.c 2023-06-16 14:35:20.467338604 +0200 +--- ./src/library/rpm-backend.c.uthash 2022-09-29 11:57:26.297879027 +0200 ++++ ./src/library/rpm-backend.c 2022-09-29 11:58:45.470119807 +0200 @@ -33,7 +33,7 @@ #include #include @@ -25,8 +25,8 @@ diff -up ./src/library/rpm-backend.c.uthash ./src/library/rpm-backend.c #include "message.h" #include "gcc-attributes.h" diff -up ./src/Makefile.am.uthash ./src/Makefile.am ---- ./src/Makefile.am.uthash 2023-06-15 16:45:13.000000000 +0200 -+++ ./src/Makefile.am 2023-06-16 14:32:53.112363230 +0200 +--- ./src/Makefile.am.uthash 2022-09-27 16:34:59.000000000 +0200 ++++ ./src/Makefile.am 2022-09-29 11:57:26.297879027 +0200 @@ -5,6 +5,9 @@ AM_CPPFLAGS = \ -I${top_srcdir} \ -I${top_srcdir}/src/library diff --git a/SOURCES/selinux.patch b/SOURCES/selinux.patch index 2ea84c6..e95313a 100644 --- a/SOURCES/selinux.patch +++ b/SOURCES/selinux.patch @@ -1,6 +1,6 @@ -diff -up ./fapolicyd-selinux-0.6/fapolicyd.te.fix ./fapolicyd-selinux-0.6/fapolicyd.te ---- ./fapolicyd-selinux-0.6/fapolicyd.te.fix 2023-06-15 17:11:47.964646794 +0200 -+++ ./fapolicyd-selinux-0.6/fapolicyd.te 2023-06-15 17:13:10.426477653 +0200 +diff -up ./fapolicyd-selinux-0.7/fapolicyd.te.fix ./fapolicyd-selinux-0.7/fapolicyd.te +--- ./fapolicyd-selinux-0.7/fapolicyd.te.fix 2023-06-15 17:11:47.964646794 +0200 ++++ ./fapolicyd-selinux-0.7/fapolicyd.te 2023-06-15 17:13:10.426477653 +0200 @@ -50,6 +50,9 @@ ifdef(`watch_mount_dirs_pattern',` ifdef(`fs_watch_all_fs',` diff --git a/SOURCES/var-run-selinux.patch b/SOURCES/var-run-selinux.patch new file mode 100644 index 0000000..511fe00 --- /dev/null 
+++ b/SOURCES/var-run-selinux.patch @@ -0,0 +1,26 @@ +From 750c5e288f8253c71a9722da960addb078aee93c Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Tue, 6 Feb 2024 21:17:27 +0100 +Subject: [PATCH] Rename all /var/run file context entries to /run + +With the 1f76e522a ("Rename all /var/run file context entries to /run") +selinux-policy commit, all /var/run file context entries moved to /run +and the equivalency was inverted. Subsequently, changes in fapolicyd.fc +need to be done, too, in a similar manner. +--- + fapolicyd.fc | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fapolicyd-selinux-0.7/fapolicyd.fc b/fapolicyd-selinux-0.7/fapolicyd.fc +index 2bdc7aa..d081dc8 100644 +--- a/fapolicyd-selinux-0.7/fapolicyd.fc ++++ b/fapolicyd-selinux-0.7/fapolicyd.fc +@@ -8,6 +8,6 @@ + + /var/log/fapolicyd-access.log -- gen_context(system_u:object_r:fapolicyd_log_t,s0) + +-/var/run/fapolicyd(/.*)? gen_context(system_u:object_r:fapolicyd_var_run_t,s0) ++/run/fapolicyd(/.*)? gen_context(system_u:object_r:fapolicyd_var_run_t,s0) + +-/var/run/fapolicyd\.pid -- gen_context(system_u:object_r:fapolicyd_var_run_t,s0) ++/run/fapolicyd\.pid -- gen_context(system_u:object_r:fapolicyd_var_run_t,s0) diff --git a/SPECS/fapolicyd.spec b/SPECS/fapolicyd.spec index 9e7561c..36dcfbe 100644 --- a/SPECS/fapolicyd.spec +++ b/SPECS/fapolicyd.spec @@ -1,10 +1,10 @@ %global selinuxtype targeted %global moduletype contrib -%define semodule_version 0.6 +%define semodule_version 0.7 Summary: Application Whitelisting Daemon Name: fapolicyd -Version: 1.3.2 +Version: 1.3.3 Release: 100%{?dist} License: GPLv3+ URL: http://people.redhat.com/sgrubb/fapolicyd @@ -32,8 +32,7 @@ Requires(postun): systemd-units Patch1: fapolicyd-uthash-bundle.patch Patch2: selinux.patch -Patch3: fapolicyd-leaks.patch -Patch4: fapolicyd-selinux-links.patch +Patch3: var-run-selinux.patch %description Fapolicyd (File Access Policy Daemon) implements application whitelisting 
@@ -67,8 +66,8 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon. %endif %patch -P 2 -p1 -b .selinux -%patch -P 3 -p1 -b .leaks -%patch -P 4 -p1 -b .links +%patch -P 3 -p1 -R -b .var-run-selinux + # generate rules for python sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules @@ -255,6 +254,11 @@ fi %selinux_relabel_post -s %{selinuxtype} %changelog +* Wed Jul 19 2023 Radovan Sroka - 1.3.3-100 +RHEL 9.5.0 ERRATUM +- rebase to fapolicyd-1.3.3 and fapolicyd-selinux-0.7 +Resolves: RHEL-36285 + * Wed Jul 19 2023 Radovan Sroka - 1.3.2-100 RHEL 9.3.0 ERRATUM - Rebase fapolicyd to the latest stable version
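Review bot: The added `%patch -P 3 -p1 -R -b .var-run-selinux` applies var-run-selinux.patch in reverse, so the build turns the `/run/fapolicyd` file-context entries shipped in fapolicyd-selinux-0.7 back into `/var/run/fapolicyd`, the opposite of what the patch's own subject line says, and nothing in the spec records that this is deliberate. A maintainer who later drops the `-R` as a typo, or keeps it after the base selinux-policy has inverted the /var/run equivalency, could end up with the daemon's runtime directory and pid file not receiving the `fapolicyd_var_run_t` label; which base policy this build targets is not visible in the diff, so the direction should be confirmed against it. I would put a comment directly above the line, for example `# applied with -R on purpose: base selinux-policy still defines /var/run file contexts`, and name the reverted patch in the 1.3.3-100 changelog entry. The %prep section starts and ends outside this hunk.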