commit a294d5b60c80c615081594382057f2ed19c841f1
Author: MSVSphere Packaging Team
Date: Wed Mar 15 16:21:20 2023 +0300

 import fapolicyd-1.1.3-102.el9

diff --git a/.fapolicyd.metadata b/.fapolicyd.metadata
new file mode 100644
index 0000000..69bf84e
--- /dev/null
+++ b/.fapolicyd.metadata
@@ -0,0 +1,3 @@
+3887d3f97a4f506ad6bf7dcef36b01cc7897a692 SOURCES/fapolicyd-1.1.3.tar.gz
+bdbe20a4db2cd58073abf17a537e3a6766cdea21 SOURCES/fapolicyd-selinux-0.4.tar.gz
+fbafa356359ace80787ce6634d84425b40d90907 SOURCES/uthash-2.3.0.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..fe11fe7
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+SOURCES/fapolicyd-1.1.3.tar.gz
+SOURCES/fapolicyd-selinux-0.4.tar.gz
+SOURCES/uthash-2.3.0.tar.gz
diff --git a/SOURCES/fagenrules-group.patch b/SOURCES/fagenrules-group.patch
new file mode 100644
index 0000000..744bb64
--- /dev/null
+++ b/SOURCES/fagenrules-group.patch
@@ -0,0 +1,13 @@
+diff -up ./init/fagenrules.fix ./init/fagenrules
+--- ./init/fagenrules.fix 2022-04-01 16:12:50.512164904 +0200
++++ ./init/fagenrules 2022-04-01 16:21:07.924712100 +0200
+@@ -117,7 +117,8 @@ fi
+ 
+ # We copy the file so that it gets the right selinux label
+ cp ${TmpRules} ${DestinationFile}
+-chmod 0640 ${DestinationFile}
++chmod 0644 ${DestinationFile}
++chgrp fapolicyd ${DestinationFile}
+ 
+ # Restore context on MLS system.
+ # /tmp is SystemLow & fapolicyd.rules is SystemHigh
diff --git a/SOURCES/fapolicyd-cli-segfault.patch b/SOURCES/fapolicyd-cli-segfault.patch
new file mode 100644
index 0000000..45c4699
--- /dev/null
+++ b/SOURCES/fapolicyd-cli-segfault.patch
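Review bot: The `chgrp fapolicyd ${DestinationFile}` added after the chmod is unchecked, and relaxing the mode from 0640 to 0644 on the line before it makes the compiled rules file readable by every local user without the patch saying why. With mode 0644 the group change no longer decides who can read the file, so either the group ownership alone was the goal (keep 0640) or the world-readable mode is intentional and deserves a comment next to it, e.g. `# rules file is intentionally world-readable: <reason>`. If fagenrules does not abort on failed commands, a missing fapolicyd group would also leave the file root-owned silently; `chgrp fapolicyd ${DestinationFile} || exit 1` surfaces that. The surrounding script continues outside the hunk.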
@@ -0,0 +1,11 @@
+diff -up ./src/cli/fapolicyd-cli.c.segfault ./src/cli/fapolicyd-cli.c
+--- ./src/cli/fapolicyd-cli.c.segfault 2022-08-03 17:51:54.903081124 +0200
++++ ./src/cli/fapolicyd-cli.c 2022-08-03 17:55:18.256458750 +0200
+@@ -77,6 +77,7 @@ static struct option long_opts[] =
+ {"ftype", 1, NULL, 't'},
+ {"list", 0, NULL, 'l'},
+ {"update", 0, NULL, 'u'},
++ {NULL, 0, NULL, 0 }
+ };
+ 
+ static const char *_pipe = "/run/fapolicyd/fapolicyd.fifo";
diff --git a/SOURCES/fapolicyd-fgets-update-thread.patch b/SOURCES/fapolicyd-fgets-update-thread.patch
new file mode 100644
index 0000000..bd8d8ec
--- /dev/null
+++ b/SOURCES/fapolicyd-fgets-update-thread.patch
@@ -0,0 +1,215 @@ +diff -up ./src/cli/fapolicyd-cli.c.upgrade-thread ./src/cli/fapolicyd-cli.c +--- ./src/cli/fapolicyd-cli.c.upgrade-thread 2022-08-03 18:00:02.374999369 +0200 ++++ ./src/cli/fapolicyd-cli.c 2022-08-03 18:00:09.802830497 +0200 +@@ -482,7 +482,7 @@ static int do_update(void) + } + } + +- ssize_t ret = write(fd, "1", 2); ++ ssize_t ret = write(fd, "1\n", 3); + + if (ret == -1) { + fprintf(stderr, "Write: %s -> %s\n", _pipe, strerror(errno)); +diff -up ./src/library/database.c.upgrade-thread ./src/library/database.c +--- ./src/library/database.c.upgrade-thread 2022-06-21 16:55:47.000000000 +0200 ++++ ./src/library/database.c 2022-08-03 17:58:04.034689808 +0200 +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -43,6 +44,7 @@ + #include "message.h" + #include "llist.h" + #include "file.h" ++#include "fd-fgets.h" + + #include "fapolicyd-backend.h" + #include "backend-manager.h" +@@ -1181,6 +1183,7 @@ static void *update_thread_main(void *ar + return NULL; + } + ++ fcntl(ffd[0].fd, F_SETFL, O_NONBLOCK); + ffd[0].events = POLLIN; + + while (!stop) { +@@ -1200,97 +1203,102 @@ static void *update_thread_main(void *ar + } else { + msg(LOG_ERR, "Update poll error (%s)", + strerror_r(errno, err_buff, BUFFER_SIZE)); +- goto err_out; ++ goto finalize; + } + } else if (rc == 0) { + #ifdef DEBUG + msg(LOG_DEBUG, "Update poll timeout expired"); + #endif +- if (db_operation != DB_NO_OP) +- goto handle_db_ops; + continue; + } else { + if (ffd[0].revents & POLLIN) { +- ssize_t count = read(ffd[0].fd, buff, +- BUFFER_SIZE-1); + +- if (count == -1) { +- msg(LOG_ERR, +- "Failed to read from a pipe %s (%s)", +- fifo_path, +- strerror_r(errno, err_buff, +- BUFFER_SIZE)); +- goto err_out; +- } ++ do { ++ fd_fgets_rewind(); ++ int res = fd_fgets(buff, sizeof(buff), ffd[0].fd); + +- if (count == 0) { +-#ifdef DEBUG +- msg(LOG_DEBUG, +- "Buffer contains zero bytes!"); +-#endif +- continue; +- } else // Manually terminate buff +- 
buff[count] = 0; +-#ifdef DEBUG +- msg(LOG_DEBUG, "Buffer contains: \"%s\"", buff); +-#endif +- for (int i = 0 ; i < count ; i++) { +- // assume file name +- // operation = 0 +- if (buff[i] == '/') { +- db_operation = ONE_FILE; ++ // nothing to read ++ if (res == -1) + break; +- } ++ else if (res > 0) { ++ char* end = strchr(buff, '\n'); + +- if (buff[i] == '1') { +- db_operation = RELOAD_DB; +- break; ++ if (end == NULL) { ++ msg(LOG_ERR, "Too long line?"); ++ continue; ++ } ++ ++ int count = end - buff; ++ ++ *end = '\0'; ++ ++ for (int i = 0 ; i < count ; i++) { ++ // assume file name ++ // operation = 0 ++ if (buff[i] == '/') { ++ db_operation = ONE_FILE; ++ break; ++ } ++ ++ if (buff[i] == '1') { ++ db_operation = RELOAD_DB; ++ break; ++ } ++ ++ if (buff[i] == '2') { ++ db_operation = FLUSH_CACHE; ++ break; ++ } ++ ++ if (isspace(buff[i])) ++ continue; ++ ++ msg(LOG_ERR, "Cannot handle data \"%s\" from pipe", buff); ++ break; ++ } ++ ++ *end = '\n'; ++ ++ // got "1" -> reload db ++ if (db_operation == RELOAD_DB) { ++ db_operation = DB_NO_OP; ++ msg(LOG_INFO, ++ "It looks like there was an update of the system... Syncing DB."); ++ ++ backend_close(); ++ backend_init(config); ++ backend_load(config); ++ ++ if ((rc = update_database(config))) { ++ msg(LOG_ERR, ++ "Cannot update trust database!"); ++ close(ffd[0].fd); ++ backend_close(); ++ unlink_fifo(); ++ exit(rc); ++ } ++ ++ msg(LOG_INFO, "Updated"); ++ ++ // Conserve memory ++ backend_close(); ++ // got "2" -> flush cache ++ } else if (db_operation == FLUSH_CACHE) { ++ db_operation = DB_NO_OP; ++ needs_flush = true; ++ } else if (db_operation == ONE_FILE) { ++ db_operation = DB_NO_OP; ++ if (handle_record(buff)) ++ continue; ++ } + } + +- if (buff[i] == '2') { +- db_operation = FLUSH_CACHE; +- break; +- } +- } +- +-handle_db_ops: +- // got "1" -> reload db +- if (db_operation == RELOAD_DB) { +- db_operation = DB_NO_OP; +- msg(LOG_INFO, +- "It looks like there was an update of the system... 
Syncing DB."); +- +- backend_close(); +- backend_init(config); +- backend_load(config); +- +- if ((rc = update_database(config))) { +- msg(LOG_ERR, +- "Cannot update trust database!"); +- close(ffd[0].fd); +- backend_close(); +- unlink_fifo(); +- exit(rc); +- } else +- msg(LOG_INFO, "Updated"); +- +- // Conserve memory +- backend_close(); +- // got "2" -> flush cache +- } else if (db_operation == FLUSH_CACHE) { +- db_operation = DB_NO_OP; +- needs_flush = true; +- } else if (db_operation == ONE_FILE) { +- db_operation = DB_NO_OP; +- if (handle_record(buff)) +- continue; +- } ++ } while(!fd_fgets_eof()); + } + } +- + } + +-err_out: ++finalize: + close(ffd[0].fd); + unlink_fifo(); + diff --git a/SOURCES/fapolicyd-openssl.patch b/SOURCES/fapolicyd-openssl.patch new file mode 100644 index 0000000..9ef8ea2 --- /dev/null +++ b/SOURCES/fapolicyd-openssl.patch 
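Review bot: `fcntl(ffd[0].fd, F_SETFL, O_NONBLOCK);` in update_thread_main replaces the descriptor's whole status-flag word instead of adding a bit, and its return value is ignored; the usual form is `int fl = fcntl(ffd[0].fd, F_GETFL);` followed by `if (fl == -1 || fcntl(ffd[0].fd, F_SETFL, fl | O_NONBLOCK) == -1) goto finalize;`. In the "Too long line?" branch the partial buffer is dropped with `continue`, so the remainder of that overlong line is presumably returned by the next fd_fgets call and parsed as a fresh command — worth a comment stating that this is accepted, or a loop that drains to the next '\n'. Note also that `*end = '\n'` is restored before `handle_record(buff)` runs, so the ONE_FILE path receives the name with its trailing newline unless handle_record strips it (not visible here). update_thread_main starts and ends outside the hunk.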
@@ -0,0 +1,195 @@ +diff -up ./BUILD.md.openssl ./BUILD.md +--- ./BUILD.md.openssl 2022-06-21 16:55:47.000000000 +0200 ++++ ./BUILD.md 2022-08-02 14:10:48.092466542 +0200 +@@ -16,7 +16,8 @@ BUILD-TIME DEPENDENCIES (fedora and RHEL + * libudev-devel + * kernel-headers + * systemd-devel +-* libgcrypt-devel ++* libgcrypt-devel ( <= fapolicyd-1.1.3) ++* openssl ( >= fapolicyd-1.1.4) + * rpm-devel (optional) + * file + * file-devel +diff -U0 ./ChangeLog.openssl ./ChangeLog +diff -up ./configure.ac.openssl ./configure.ac +--- ./configure.ac.openssl 2022-06-21 16:55:47.000000000 +0200 ++++ ./configure.ac 2022-08-02 14:10:48.092466542 +0200 +@@ -87,7 +87,7 @@ AC_CHECK_HEADER(uthash.h, , [AC_MSG_ERRO + echo . + echo Checking for required libraries + AC_CHECK_LIB(udev, udev_device_get_devnode, , [AC_MSG_ERROR([libudev not found])], -ludev) +-AC_CHECK_LIB(gcrypt, gcry_md_open, , [AC_MSG_ERROR([libgcrypt not found])], -lgcrypt) ++AC_CHECK_LIB(crypto, SHA256, , [AC_MSG_ERROR([openssl libcrypto not found])], -lcrypto) + AC_CHECK_LIB(magic, magic_descriptor, , [AC_MSG_ERROR([libmagic not found])], -lmagic) + AC_CHECK_LIB(cap-ng, capng_change_id, , [AC_MSG_ERROR([libcap-ng not found])], -lcap-ng) + AC_CHECK_LIB(seccomp, seccomp_rule_add, , [AC_MSG_ERROR([libseccomp not found])], -lseccomp) +diff -up ./fapolicyd.spec.openssl ./fapolicyd.spec +--- ./fapolicyd.spec.openssl 2022-06-21 16:55:47.000000000 +0200 ++++ ./fapolicyd.spec 2022-08-02 14:10:48.092466542 +0200 +@@ -8,7 +8,7 @@ Source0: https://people.redhat.com/sgrub + BuildRequires: gcc + BuildRequires: kernel-headers + BuildRequires: autoconf automake make gcc libtool +-BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel file ++BuildRequires: systemd-devel openssl-devel rpm-devel file-devel file + BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel + BuildRequires: python3-devel + BuildRequires: uthash-devel +diff -up ./src/cli/fapolicyd-cli.c.openssl ./src/cli/fapolicyd-cli.c +--- 
./src/cli/fapolicyd-cli.c.openssl 2022-06-21 16:55:47.000000000 +0200 ++++ ./src/cli/fapolicyd-cli.c 2022-08-02 14:10:48.093466520 +0200 +@@ -39,7 +39,6 @@ + #include + #include + #include +-#include + #include "policy.h" + #include "database.h" + #include "file-cli.h" +@@ -670,11 +669,6 @@ static int check_trustdb(void) + if (rc) + return 1; + +- // Initialize libgcrypt +- gcry_check_version(NULL); +- gcry_control(GCRYCTL_DISABLE_SECMEM, 0); +- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); +- + do { + unsigned int tsource; // unused + off_t size; +diff -up ./src/library/database.c.openssl ./src/library/database.c +--- ./src/library/database.c.openssl 2022-08-02 14:10:48.090466587 +0200 ++++ ./src/library/database.c 2022-08-02 14:13:11.995236110 +0200 +@@ -35,7 +35,7 @@ + #include + #include + #include +-#include ++#include + #include + #include + #include +@@ -244,26 +244,18 @@ static void abort_transaction(MDB_txn *t + static char *path_to_hash(const char *path, const size_t path_len) MALLOCLIKE; + static char *path_to_hash(const char *path, const size_t path_len) + { +- gcry_md_hd_t h; +- unsigned int len; +- unsigned char *hptr; ++ unsigned char hptr[80]; + char *digest; + +- if (gcry_md_open(&h, GCRY_MD_SHA512, GCRY_MD_FLAG_SECURE)) ++ if (path_len == 0) + return NULL; + +- gcry_md_write(h, path, path_len); +- hptr = gcry_md_read(h, GCRY_MD_SHA512); +- +- len = gcry_md_get_algo_dlen(GCRY_MD_SHA512) * sizeof(char); +- digest = malloc((2 * len) + 1); +- if (digest == NULL) { +- gcry_md_close(h); ++ SHA512((unsigned char *)path, path_len, (unsigned char *)&hptr); ++ digest = malloc((SHA512_LEN * 2) + 1); ++ if (digest == NULL) + return digest; +- } + +- bytes2hex(digest, hptr, len); +- gcry_md_close(h); ++ bytes2hex(digest, hptr, SHA512_LEN); + + return digest; + } +@@ -296,7 +288,7 @@ static int write_db(const char *idx, con + if (hash == NULL) + return 5; + key.mv_data = (void *)hash; +- key.mv_size = gcry_md_get_algo_dlen(GCRY_MD_SHA512) * 2 + 1; ++ 
key.mv_size = (SHA512_LEN * 2) + 1; + } else { + key.mv_data = (void *)idx; + key.mv_size = len; +@@ -416,7 +408,7 @@ static char *lt_read_db(const char *inde + if (hash == NULL) + return NULL; + key.mv_data = (void *)hash; +- key.mv_size = gcry_md_get_algo_dlen(GCRY_MD_SHA512) * 2 + 1; ++ key.mv_size = (SHA512_LEN * 2) + 1; + } else { + key.mv_data = (void *)index; + key.mv_size = len; +diff -up ./src/library/file.c.openssl ./src/library/file.c +--- ./src/library/file.c.openssl 2022-06-21 16:55:47.000000000 +0200 ++++ ./src/library/file.c 2022-08-02 14:10:48.094466497 +0200 +@@ -31,7 +31,7 @@ + #include + #include + #include +-#include ++#include + #include + #include + #include +@@ -51,7 +51,6 @@ static struct udev *udev; + magic_t magic_cookie; + struct cache { dev_t device; const char *devname; }; + static struct cache c = { 0, NULL }; +-static size_t hash_size = 32; // init so cli doesn't need to call file_init + + // readelf -l path-to-app | grep 'Requesting' | cut -d':' -f2 | tr -d ' ]'; + static const char *interpreters[] = { +@@ -96,12 +95,6 @@ void file_init(void) + msg(LOG_ERR, "Unable to load magic database"); + exit(1); + } +- +- // Initialize libgcrypt +- gcry_check_version(NULL); +- gcry_control(GCRYCTL_DISABLE_SECMEM, 0); +- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); +- hash_size = gcry_md_get_algo_dlen(GCRY_MD_SHA256) * sizeof(char); + } + + +@@ -445,12 +438,12 @@ char *get_hash_from_fd2(int fd, size_t s + if (mapped != MAP_FAILED) { + unsigned char hptr[40]; + +- gcry_md_hash_buffer(GCRY_MD_SHA256, &hptr, mapped, size); ++ SHA256(mapped, size, (unsigned char *)&hptr); + munmap(mapped, size); +- digest = malloc(65); ++ digest = malloc((SHA256_LEN * 2) + 1); + + // Convert to ASCII string +- bytes2hex(digest, hptr, hash_size); ++ bytes2hex(digest, hptr, SHA256_LEN); + } + return digest; + } +@@ -476,7 +469,7 @@ int get_ima_hash(int fd, char *sha) + } + + // Looks like it what we want... 
+- bytes2hex(sha, &tmp[2], 32); ++ bytes2hex(sha, &tmp[2], SHA256_LEN); + return 1; + } + +diff -up ./src/library/file.h.openssl ./src/library/file.h +--- ./src/library/file.h.openssl 2022-06-21 16:55:47.000000000 +0200 ++++ ./src/library/file.h 2022-08-02 14:10:48.094466497 +0200 +@@ -40,6 +40,9 @@ struct file_info + struct timespec time; + }; + ++#define SHA256_LEN 32 ++#define SHA512_LEN 64 ++ + void file_init(void); + void file_close(void); + struct file_info *stat_file_entry(int fd) MALLOCLIKE; diff --git a/SOURCES/fapolicyd-readme.patch b/SOURCES/fapolicyd-readme.patch new file mode 100644 index 0000000..5d93547 --- /dev/null +++ b/SOURCES/fapolicyd-readme.patch @@ -0,0 +1,30 @@ +From b4618d133f473b9bbc36f2a5e94b8b0f257ba3e0 Mon Sep 17 00:00:00 2001 +From: Radovan Sroka +Date: Fri, 5 Aug 2022 14:49:30 +0200 +Subject: [PATCH] Add mention that using of names requires name resolution + +- using of user and group names as uid and gid attributes + requires correct name resolution + +Signed-off-by: Radovan Sroka +--- + README.md | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/README.md b/README.md +index d932e00..abc5eee 100644 +--- a/README.md ++++ b/README.md +@@ -131,6 +131,12 @@ You can similarly do this for trusted users that have to execute things in + the home dir. You can create a trusted_user group, add them the group, + and then write a rule allowing them to execute from their home dir. + ++When you want to use user or group name (as a string). You have to guarantee ++that these names were correctly resolved. In case of systemd, you need to add ++a new after target 'After=nss-user-lookup.target'. ++To achieve that you can use `systemctl edit --full fapolicyd`, ++uncomment the respective line and save the change. ++ + ``` + allow perm=any gid=trusted_user : ftype=%languages dir=/home + deny_audit perm=any all : ftype=%languages dir=/home 
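Review bot: In get_hash_from_fd2 the result of `digest = malloc((SHA256_LEN * 2) + 1);` is still handed to bytes2hex without a NULL check, while the rewritten path_to_hash in the same patch does check its allocation; `if (digest) bytes2hex(digest, hptr, SHA256_LEN);` keeps the existing NULL-return contract without changing callers. The new `SHA256_LEN`/`SHA512_LEN` macros in file.h duplicate SHA256_DIGEST_LENGTH and SHA512_DIGEST_LENGTH from openssl/sha.h; defining them in terms of those constants, and sizing the scratch buffers `hptr[40]`/`hptr[80]` with them instead of round numbers, prevents the two from drifting apart. The added `if (path_len == 0) return NULL;` in path_to_hash changes behaviour for an empty path (previously hashed as an empty message, now a lookup/write failure); a one-line comment saying this is intended would help. get_hash_from_fd2 starts outside the hunk.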
diff --git a/SOURCES/fapolicyd-selinux.patch b/SOURCES/fapolicyd-selinux.patch new file mode 100644 index 0000000..5f5fea5 --- /dev/null +++ b/SOURCES/fapolicyd-selinux.patch 
@@ -0,0 +1,173 @@ +diff -up ./fapolicyd-selinux-0.4/fapolicyd.if.selinux ./fapolicyd-selinux-0.4/fapolicyd.if +--- ./fapolicyd-selinux-0.4/fapolicyd.if.selinux 2021-03-23 10:21:31.000000000 +0100 ++++ ./fapolicyd-selinux-0.4/fapolicyd.if 2022-06-30 10:52:05.112355159 +0200 +@@ -2,6 +2,122 @@ + + ######################################## + ## ++## Watch_mount directories in /boot. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++ ++ifndef(`files_watch_mount_boot_dirs',` ++ interface(`files_watch_mount_boot_dirs',` ++ gen_require(` ++ type boot_t; ++ ') ++ ++ allow $1 boot_t:dir watch_mount_dir_perms; ++ ') ++') ++ ++ ++######################################## ++## ++## Watch_mount home directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++ ++ifndef(`files_watch_mount_home',` ++ interface(`files_watch_mount_home',` ++ gen_require(` ++ type home_root_t; ++ ') ++ ++ allow $1 home_root_t:dir watch_mount_dir_perms; ++ ') ++') ++ ++ ++######################################## ++## ++## Watch_with_perm home directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++ ++ifndef(`files_watch_with_perm_home',` ++interface(`files_watch_with_perm_home',` ++ gen_require(` ++ type home_root_t; ++ ') ++ ++ allow $1 home_root_t:dir watch_with_perm_dir_perms; ++') ++') ++ ++ ++######################################## ++## ++## Watch_mount dirs on a DOS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++ ++ifndef(`fs_watch_mount_dos_dirs',` ++interface(`fs_watch_mount_dos_dirs',` ++ gen_require(` ++ type dosfs_t; ++ ') ++ ++ watch_mount_dirs_pattern($1, dosfs_t, dosfs_t) ++') ++') ++ ++ ++ ++######################################## ++## ++## Watch_with_perm dirs on a DOS filesystem. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++ ++ifndef(`fs_watch_with_perm_dos_dirs',` ++interface(`fs_watch_with_perm_dos_dirs',` ++ gen_require(` ++ type dosfs_t; ++ ') ++ ++ watch_with_perm_dirs_pattern($1, dosfs_t, dosfs_t) ++') ++') ++ ++ ++################################################################################################### ++ ++ ++ ++ ++######################################## ++## + ## Execute fapolicyd_exec_t in the fapolicyd domain. + ## + ## +diff -up ./fapolicyd-selinux-0.4/fapolicyd.te.selinux ./fapolicyd-selinux-0.4/fapolicyd.te +--- ./fapolicyd-selinux-0.4/fapolicyd.te.selinux 2021-03-23 10:21:31.000000000 +0100 ++++ ./fapolicyd-selinux-0.4/fapolicyd.te 2022-06-30 10:53:01.693055971 +0200 +@@ -1,5 +1,6 @@ + policy_module(fapolicyd, 1.0.0) + ++ + ######################################## + # + # Declarations +@@ -36,6 +37,12 @@ allow fapolicyd_t self:process { setcap + allow fapolicyd_t self:unix_stream_socket create_stream_socket_perms; + allow fapolicyd_t self:unix_dgram_socket create_socket_perms; + ++gen_require(` ++ attribute file_type; ++') ++allow fapolicyd_t file_type:dir { watch_mount watch_with_perm }; ++allow fapolicyd_t file_type:file { watch_mount watch_with_perm }; ++ + manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t) + logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file) + +@@ -61,16 +68,22 @@ corecmd_exec_bin(fapolicyd_t) + + domain_read_all_domains_state(fapolicyd_t) + +-files_mmap_usr_files(fapolicyd_t) ++files_mmap_all_files(fapolicyd_t) + files_read_all_files(fapolicyd_t) ++files_watch_mount_boot_dirs(fapolicyd_t) ++files_watch_with_perm_boot_dirs(fapolicyd_t) + files_watch_mount_generic_tmp_dirs(fapolicyd_t) + files_watch_with_perm_generic_tmp_dirs(fapolicyd_t) ++files_watch_mount_home(fapolicyd_t) ++files_watch_with_perm_home(fapolicyd_t) + files_watch_mount_root_dirs(fapolicyd_t) + files_watch_with_perm_root_dirs(fapolicyd_t) + + fs_getattr_xattr_fs(fapolicyd_t) + fs_watch_mount_tmpfs_dirs(fapolicyd_t) + 
fs_watch_with_perm_tmpfs_dirs(fapolicyd_t) ++fs_watch_mount_dos_dirs(fapolicyd_t) ++fs_watch_with_perm_dos_dirs(fapolicyd_t) + + logging_send_syslog_msg(fapolicyd_t) + dbus_system_bus_client(fapolicyd_t) diff --git a/SOURCES/fapolicyd-sighup.patch b/SOURCES/fapolicyd-sighup.patch new file mode 100644 index 0000000..47ee190 --- /dev/null +++ b/SOURCES/fapolicyd-sighup.patch 
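Review bot: The attribute-wide rules `allow fapolicyd_t file_type:dir { watch_mount watch_with_perm };` and `allow fapolicyd_t file_type:file { watch_mount watch_with_perm };` in fapolicyd.te already cover every file-labelled type, which makes the per-type interface calls added in the same patch (files_watch_mount_boot_dirs, files_watch_mount_home, fs_watch_mount_dos_dirs and their watch_with_perm counterparts) redundant and loses the per-type review trail those interfaces give; keeping one approach, with a comment explaining why the blanket grant is needed, would make the policy easier to audit. `files_mmap_usr_files` → `files_mmap_all_files` likewise widens the domain and should carry a `# needed to hash files outside /usr` style justification if that is the reason. The .te calls `files_watch_with_perm_boot_dirs(fapolicyd_t)` but fapolicyd.if only adds an ifndef fallback for the watch_mount variant of boot dirs, so on a base policy lacking the with_perm interface the module presumably fails to build — worth confirming. Inside the .if, the fallback interfaces are indented inconsistently (some bodies indented, some at column 0).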
@@ -0,0 +1,141 @@ +diff -up ./src/daemon/fapolicyd.c.sighup ./src/daemon/fapolicyd.c +--- ./src/daemon/fapolicyd.c.sighup 2022-06-21 16:55:47.000000000 +0200 ++++ ./src/daemon/fapolicyd.c 2022-08-04 11:07:10.245069443 +0200 +@@ -527,6 +527,7 @@ int main(int argc, const char *argv[]) + while (!stop) { + if (hup) { + hup = 0; ++ msg(LOG_INFO, "Got SIGHUP"); + reconfigure(); + } + rc = poll(pfd, 2, -1); +diff -up ./src/library/database.c.sighup ./src/library/database.c +--- ./src/library/database.c.sighup 2022-08-04 11:07:10.237069609 +0200 ++++ ./src/library/database.c 2022-08-04 11:08:44.852057119 +0200 +@@ -68,7 +68,7 @@ static int lib_symlink=0, lib64_symlink= + static struct pollfd ffd[1] = { {0, 0, 0} }; + static const char *fifo_path = "/run/fapolicyd/fapolicyd.fifo"; + static integrity_t integrity; +-static atomic_int db_operation; ++static atomic_int reload_db = 0; + + static pthread_t update_thread; + static pthread_mutex_t update_lock; +@@ -1147,7 +1147,31 @@ static int handle_record(const char * bu + + void update_trust_database(void) + { +- db_operation = RELOAD_DB; ++ reload_db = 1; ++} ++ ++static void do_reload_db(conf_t* config) ++{ ++ msg(LOG_INFO,"It looks like there was an update of the system... 
Syncing DB."); ++ ++ int rc; ++ backend_close(); ++ backend_init(config); ++ backend_load(config); ++ ++ if ((rc = update_database(config))) { ++ msg(LOG_ERR, ++ "Cannot update trust database!"); ++ close(ffd[0].fd); ++ backend_close(); ++ unlink_fifo(); ++ exit(rc); ++ } ++ ++ msg(LOG_INFO, "Updated"); ++ ++ // Conserve memory ++ backend_close(); + } + + static void *update_thread_main(void *arg) +@@ -1158,6 +1182,8 @@ static void *update_thread_main(void *ar + char err_buff[BUFFER_SIZE]; + conf_t *config = (conf_t *)arg; + ++ int do_operation = DB_NO_OP;; ++ + #ifdef DEBUG + msg(LOG_DEBUG, "Update thread main started"); + #endif +@@ -1182,6 +1208,12 @@ static void *update_thread_main(void *ar + + rc = poll(ffd, 1, 1000); + ++ // got SIGHUP ++ if (reload_db) { ++ reload_db = 0; ++ do_reload_db(config); ++ } ++ + #ifdef DEBUG + msg(LOG_DEBUG, "Update poll interrupted"); + #endif +@@ -1228,17 +1260,17 @@ static void *update_thread_main(void *ar + // assume file name + // operation = 0 + if (buff[i] == '/') { +- db_operation = ONE_FILE; ++ do_operation = ONE_FILE; + break; + } + + if (buff[i] == '1') { +- db_operation = RELOAD_DB; ++ do_operation = RELOAD_DB; + break; + } + + if (buff[i] == '2') { +- db_operation = FLUSH_CACHE; ++ do_operation = FLUSH_CACHE; + break; + } + +@@ -1252,34 +1284,16 @@ static void *update_thread_main(void *ar + *end = '\n'; + + // got "1" -> reload db +- if (db_operation == RELOAD_DB) { +- db_operation = DB_NO_OP; +- msg(LOG_INFO, +- "It looks like there was an update of the system... 
Syncing DB."); +- +- backend_close(); +- backend_init(config); +- backend_load(config); +- +- if ((rc = update_database(config))) { +- msg(LOG_ERR, +- "Cannot update trust database!"); +- close(ffd[0].fd); +- backend_close(); +- unlink_fifo(); +- exit(rc); +- } +- +- msg(LOG_INFO, "Updated"); ++ if (do_operation == RELOAD_DB) { ++ do_operation = DB_NO_OP; ++ do_reload_db(config); + +- // Conserve memory +- backend_close(); + // got "2" -> flush cache +- } else if (db_operation == FLUSH_CACHE) { +- db_operation = DB_NO_OP; ++ } else if (do_operation == FLUSH_CACHE) { ++ do_operation = DB_NO_OP; + needs_flush = true; +- } else if (db_operation == ONE_FILE) { +- db_operation = DB_NO_OP; ++ } else if (do_operation == ONE_FILE) { ++ do_operation = DB_NO_OP; + if (handle_record(buff)) + continue; + } diff --git a/SOURCES/fapolicyd-user-group-doc.patch b/SOURCES/fapolicyd-user-group-doc.patch new file mode 100644 index 0000000..c8cdd75 --- /dev/null +++ b/SOURCES/fapolicyd-user-group-doc.patch 
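Review bot: The new `if (reload_db) { … do_reload_db(config); }` block sits between `rc = poll(ffd, 1, 1000);` and the code that inspects rc and errno, so when poll fails the errno later formatted by `strerror_r(errno, …)` in the "Update poll error" branch (visible in the fgets-update-thread patch) may belong to one of the calls made inside do_reload_db rather than to poll; moving the block to just before the `rc = poll(ffd, 1, 1000);` line keeps errno adjacent to its consumer. `int do_operation = DB_NO_OP;;` has a stray second semicolon. do_reload_db keeps the pre-existing `exit(rc)` from the update thread; a short comment on that function noting it terminates the whole daemon on failure would make the contract explicit. update_thread_main starts and ends outside the hunk.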
@@ -0,0 +1,47 @@ +From fb4c274f4857f2d652014b0189abafb1df4b001a Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Tue, 19 Jul 2022 12:18:18 -0400 +Subject: [PATCH] Add documentation describing support for user/group names + +--- + doc/fapolicyd.rules.5 | 6 +++--- + init/fapolicyd.service | 2 ++ + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/doc/fapolicyd.rules.5 b/doc/fapolicyd.rules.5 +index aa77177..3b8ec09 100644 +--- a/doc/fapolicyd.rules.5 ++++ b/doc/fapolicyd.rules.5 +@@ -35,13 +35,13 @@ The subject is the process that is performing actions on system resources. The f + This matches against any subject. When used, this must be the only subject in the rule. + .TP + .B auid +-This is the login uid that the audit system assigns users when they log in to the system. Daemons have a value of -1. ++This is the login uid that the audit system assigns users when they log in to the system. Daemons have a value of -1. The given value may be numeric or the account name. + .TP + .B uid +-This is the user id that the program is running under. ++This is the user id that the program is running under. The given value may be numeric or the account name. + .TP + .B gid +-This is the group id that the program is running under. ++This is the group id that the program is running under. The given value may be numeric or the group name. + .TP + .B sessionid + This is the numeric session id that the audit system assigns to users when they log in. Daemons have a value of -1. +diff --git a/init/fapolicyd.service b/init/fapolicyd.service +index 715de98..a5a6a3f 100644 +--- a/init/fapolicyd.service ++++ b/init/fapolicyd.service +@@ -11,6 +11,8 @@ PIDFile=/run/fapolicyd.pid + ExecStartPre=/usr/sbin/fagenrules + ExecStart=/usr/sbin/fapolicyd + Restart=on-abnormal ++# Uncomment the following line if rules need user/group name lookup ++#After=nss-user-lookup.target + + [Install] + WantedBy=multi-user.target +-- +2.37.1 + 
diff --git a/SOURCES/fapolicyd-uthash-bundle.patch b/SOURCES/fapolicyd-uthash-bundle.patch new file mode 100644 index 0000000..0131884 --- /dev/null +++ b/SOURCES/fapolicyd-uthash-bundle.patch @@ -0,0 +1,39 @@ +diff --color -ru a/configure.ac b/configure.ac +--- a/configure.ac 2021-11-12 20:21:54.000000000 +0100 ++++ b/configure.ac 2021-12-14 13:47:11.890649552 +0100 +@@ -67,10 +67,6 @@ + ["Couldn't find sys/fanotify.h...your kernel might not be new enough"] )]) + AC_CHECK_FUNCS(fexecve, [], []) + +-AC_CHECK_HEADER(uthash.h, , [AC_MSG_ERROR( +-["Couldn't find uthash.h...uthash-devel is missing"] )]) +- +- + echo . + echo Checking for required libraries + AC_CHECK_LIB(udev, udev_device_get_devnode, , [AC_MSG_ERROR([libudev not found])], -ludev) +diff --color -ru a/src/library/rpm-backend.c b/src/library/rpm-backend.c +--- a/src/library/rpm-backend.c 2021-11-12 20:21:54.000000000 +0100 ++++ b/src/library/rpm-backend.c 2021-12-14 13:47:26.833926203 +0100 +@@ -32,7 +32,7 @@ + #include + #include + +-#include ++#include "uthash.h" + + #include "message.h" + #include "gcc-attributes.h" +diff --color -ru a/src/Makefile.am b/src/Makefile.am +--- a/src/Makefile.am 2021-11-12 20:21:54.000000000 +0100 ++++ b/src/Makefile.am 2021-12-14 13:48:03.218599808 +0100 +@@ -5,6 +5,9 @@ + -I${top_srcdir} \ + -I${top_srcdir}/src/library + ++AM_CPPFLAGS += \ ++ -I${top_srcdir}/uthash-2.3.0/include ++ + sbin_PROGRAMS = fapolicyd fapolicyd-cli + lib_LTLIBRARIES= libfapolicyd.la + diff --git a/SPECS/fapolicyd.spec b/SPECS/fapolicyd.spec new file mode 100644 index 0000000..ba4a5f5 --- /dev/null +++ b/SPECS/fapolicyd.spec 
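Review bot: With the `AC_CHECK_HEADER(uthash.h, …)` test removed from configure.ac and the include path hard-coded as `-I${top_srcdir}/uthash-2.3.0/include` in src/Makefile.am, a missing or differently named bundled tree is only detected when rpm-backend.c fails to compile, and bumping Source2 in the spec requires editing this patch. Keeping the header check but pointing it at the bundled directory, e.g. `CPPFLAGS="$CPPFLAGS -I\${srcdir}/uthash-2.3.0/include"` before the existing `AC_CHECK_HEADER(uthash.h, …)`, would restore the early failure; a comment on the AM_CPPFLAGS line naming the bundled version as the one pinned in the spec would also help.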
@@ -0,0 +1,463 @@
+%global selinuxtype targeted
+%global moduletype contrib
+%define semodule_version 0.4
+
+Summary: Application Whitelisting Daemon
+Name: fapolicyd
+Version: 1.1.3
+Release: 102%{?dist}
+License: GPLv3+
+URL: http://people.redhat.com/sgrubb/fapolicyd
+Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
+Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz
+# we bundle uthash for rhel9
+Source2: https://github.com/troydhanson/uthash/archive/refs/tags/v2.3.0.tar.gz#/uthash-2.3.0.tar.gz
+BuildRequires: gcc
+BuildRequires: kernel-headers
+BuildRequires: autoconf automake make gcc libtool
+BuildRequires: systemd-devel openssl-devel rpm-devel file-devel file
+BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
+BuildRequires: python3-devel
+
+%if 0%{?rhel} == 0
+BuildRequires: uthash-devel
+%endif
+
+Requires: %{name}-plugin
+Recommends: %{name}-selinux
+Requires(pre): shadow-utils
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+
+Patch1: fapolicyd-uthash-bundle.patch
+Patch2: fapolicyd-selinux.patch
+Patch3: fagenrules-group.patch
+Patch4: fapolicyd-fgets-update-thread.patch
+Patch5: fapolicyd-openssl.patch
+Patch6: fapolicyd-user-group-doc.patch
+Patch7: fapolicyd-cli-segfault.patch
+Patch8: fapolicyd-sighup.patch
+Patch9: fapolicyd-readme.patch
+
+%description
+Fapolicyd (File Access Policy Daemon) implements application whitelisting
+to decide file access rights. Applications that are known via a reputation
+source are allowed access while unknown applications are not. The daemon
+makes use of the kernel's fanotify interface to determine file access rights.
+
+%package selinux
+Summary: Fapolicyd selinux
+Group: Applications/System
+Requires: %{name} = %{version}-%{release}
+BuildRequires: selinux-policy
+BuildRequires: selinux-policy-devel
+BuildArch: noarch
+%{?selinux_requires}
+
+%description selinux
+The %{name}-selinux package contains selinux policy for the %{name} daemon.
+
+%prep
+
+%setup -q
+
+# selinux
+%setup -q -D -T -a 1
+
+%if 0%{?rhel} != 0
+# uthash
+%setup -q -D -T -a 2
+%patch1 -p1 -b .uthash
+%endif
+
+%patch2 -p1 -b .selinux
+%patch3 -p1 -b .group
+%patch4 -p1 -b .update-thread
+%patch5 -p1 -b .openssl
+%patch6 -p1 -b .user-group-doc
+%patch7 -p1 -b .cli-segfault
+%patch8 -p1 -b .sighup
+%patch9 -p1 -b .readme
+
+# generate rules for python
+sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules
+sed -i "s|%python3_path%|`readlink -f %{__python3}`|g" rules.d/*.rules
+
+interpret=`readelf -e /usr/bin/bash \
+ | grep Requesting \
+ | sed 's/.$//' \
+ | rev | cut -d" " -f1 \
+ | rev`
+
+sed -i "s|%ld_so_path%|`realpath $interpret`|g" rules.d/*.rules
+
+%build
+./autogen.sh
+%configure \
+ --with-audit \
+ --with-rpm \
+ --disable-shared
+
+make CFLAGS="%{optflags}" %{?_smp_mflags}
+
+# selinux
+pushd %{name}-selinux-%{semodule_version}
+make
+popd
+
+%check
+make check
+
+# selinux
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%install
+%make_install
+install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf
+mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}
+mkdir -p %{buildroot}/run/%{name}
+mkdir -p %{buildroot}%{_sysconfdir}/%{name}/trust.d
+mkdir -p %{buildroot}%{_sysconfdir}/%{name}/rules.d
+# get list of file names between known-libs and restrictive from sample-rules/README-rules
+cat %{buildroot}/%{_datadir}/%{name}/sample-rules/README-rules \
+ | grep -A 100 'known-libs' \
+ | grep -B 100 'restrictive' \
+ | grep '^[0-9]' > %{buildroot}/%{_datadir}/%{name}/default-ruleset.known-libs
+chmod 644 %{buildroot}/%{_datadir}/%{name}/default-ruleset.known-libs
+
+# selinux
+install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
+install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
+
+#cleanup
+find %{buildroot} \( -name '*.la' -o -name '*.a' \) -delete
+
+%define manage_default_rules default_changed=0 \
+ # check changed fapolicyd.rules \
+ if [ -e %{_sysconfdir}/%{name}/%{name}.rules ]; then \
+ diff %{_sysconfdir}/%{name}/%{name}.rules %{_datadir}/%{name}/%{name}.rules.known-libs >/dev/null 2>&1 || { \
+ default_changed=1; \
+ #echo "change detected in fapolicyd.rules"; \
+ } \
+ fi \
+ if [ -e %{_sysconfdir}/%{name}/rules.d ]; then \
+ default_ruleset='' \
+ # get listing of default rule files in known-libs \
+ [ -e %{_datadir}/%{name}/default-ruleset.known-libs ] && default_ruleset=`cat %{_datadir}/%{name}/default-ruleset.known-libs` \
+ # check for removed or added files \
+ default_count=`echo "$default_ruleset" | wc -l` \
+ current_count=`ls -1 %{_sysconfdir}/%{name}/rules.d/*.rules | wc -l` \
+ [ $default_count -eq $current_count ] || { \
+ default_changed=1; \
+ #echo "change detected in number of rule files d:$default_count vs c:$current_count"; \
+ } \
+ for file in %{_sysconfdir}/%{name}/rules.d/*.rules; do \
+ if echo "$default_ruleset" | grep -q "`basename $file`"; then \
+ # compare content of the rule files \
+ diff $file %{_datadir}/%{name}/sample-rules/`basename $file` >/dev/null 2>&1 || { \
+ default_changed=1; \
+ #echo "change detected in `basename $file`"; \
+ } \
+ else \
+ # added file detected \
+ default_changed=1 \
+ #echo "change detected in added rules file `basename $file`"; \
+ fi \
+ done \
+ fi \
+ # remove files if no change against default rules detected \
+ [ $default_changed -eq 0 ] && rm -rf %{_sysconfdir}/%{name}/%{name}.rules %{_sysconfdir}/%{name}/rules.d/* || : \
+
+
+%pre
+getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
+if [ $1 -eq 2 ]; then
+# detect changed default rules in case of upgrade
+%manage_default_rules
+fi
+
+%post
+# if no pre-existing rule file
+if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
+ files=`ls %{_sysconfdir}/%{name}/rules.d/ 2>/dev/null | wc -w`
+ # Only if no pre-existing component rules
+ if [ "$files" -eq 0 ] ; then
+ ## Install the known libs policy
+ for rulesfile in `cat %{_datadir}/%{name}/default-ruleset.known-libs`; do
+ cp %{_datadir}/%{name}/sample-rules/$rulesfile %{_sysconfdir}/%{name}/rules.d/
+ done
+ chgrp %{name} %{_sysconfdir}/%{name}/rules.d/*
+ if [ -x /usr/sbin/restorecon ] ; then
+ # restore correct label
+ /usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/*
+ fi
+ fagenrules >/dev/null
+ fi
+fi
+%systemd_post %{name}.service
+
+%preun
+%systemd_preun %{name}.service
+if [ $1 -eq 0 ]; then
+# detect changed default rules in case of uninstall
+%manage_default_rules
+else
+ [ -e %{_sysconfdir}/%{name}/%{name}.rules ] && rm -rf %{_sysconfdir}/%{name}/rules.d/* || :
+fi
+
+%postun
+%systemd_postun_with_restart %{name}.service
+
+%files
+%doc README.md
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%attr(755,root,%{name}) %dir %{_datadir}/%{name}
+%attr(755,root,%{name}) %dir %{_datadir}/%{name}/sample-rules
+%attr(644,root,%{name}) %{_datadir}/%{name}/default-ruleset.known-libs
+%attr(644,root,%{name}) %{_datadir}/%{name}/sample-rules/*
+%attr(644,root,%{name}) %{_datadir}/%{name}/fapolicyd-magic.mgc
+%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
+%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/trust.d
+%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/rules.d
+%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/rules.d/*
+%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
+%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
+%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
+%ghost %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules
+%attr(644,root,root) %{_unitdir}/%{name}.service
+%attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
+%attr(755,root,root) %{_sbindir}/%{name}
+%attr(755,root,root) %{_sbindir}/%{name}-cli
+%attr(755,root,root) %{_sbindir}/fagenrules
+%attr(644,root,root) %{_mandir}/man8/*
+%attr(644,root,root) %{_mandir}/man5/*
+%attr(644,root,root) %{_mandir}/man1/*
+%ghost %attr(440,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/log/%{name}-access.log
+%attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name}
+%attr(770,root,%{name}) %dir /run/%{name}
+%ghost %attr(660,root,%{name}) /run/%{name}/%{name}.fifo
+%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/data.mdb
+%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/lock.mdb
+
+
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
+%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+%selinux_relabel_post -s %{selinuxtype}
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} %{name}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+
+%changelog
+* Wed Mar 15 2023 MSVSphere Packaging Team - 1.1.3-102
+- Rebuilt for MSVSphere 9.1.
+
+* Fri Aug 05 2022 Radovan Sroka - 1.1.3-102
+RHEL 9.1.0 ERRATUM
+- rebase fapolicyd to the latest stable vesion
+Resolves: rhbz#2100041
+- fapolicyd gets way too easily killed by OOM killer
+Resolves: rhbz#2097385
+- fapolicyd does not correctly handle SIGHUP
+Resolves: rhbz#2070655
+- Introduce ppid rule attribute
+Resolves: rhbz#2102558
+- fapolicyd often breaks package updates
+Resolves: rhbz#2111244
+- drop libgcrypt in favour of openssl
+Resolves: rhbz#2111938
+- Remove dnf plugin
+Resolves: rhbz#2113959
+- fapolicyd.rules doesn't advertise that using a username/groupname instead of uid/gid also works
+Resolves: rhbz#2115849
+
+* Thu Jun 16 2022 Radovan Sroka - 1.1-104
+RHEL 9.1.0 ERRATUM
+- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path
+Resolves: rhbz#2069123
+- Faulty handling of static applications
+Resolves: rhbz#2096457
+
+* Sun Apr 3 2022 Radovan Sroka - 1.1-101
+RHEL 9.1.0 ERRATUM
+- fapolicyd denies access to /usr/lib64/ld-2.28.so
+Resolves: rhbz#2067493
+
+* Wed Feb 16 2022 Radovan Sroka - 1.1-100
+RHEL 9.0.0 ERRATUM
+- rebase to 1.1
+Resolves: rhbz#2032408
+- introduce rules.d
+Resolves: rhbz#2054740
+- remove pretrans scriptlet
+Resolve: rhbz#2051481
+
+* Tue Dec 14 2021 Zoltan Fridrich - 1.0.4-101
+RHEL 9.0.0 ERRATUM
+- rebase to 1.0.4
+- added rpm_sha256_only option
+- added trust.d directory
+- allow file names with whitespaces in trust files
+- use full paths in trust files
+Resolves: rhbz#2032408
+- fix libc.so getting identified as application/x-executable
+Resolves: rhbz#2015307
+- fix selinux DSP module definition in spec file
+Resolves: rhbz#2014449
+
+* Mon Aug 09 2021 Mohan Boddu - 1.0.3-4
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Tue Jul 20 2021 Radovan Sroka - 1.0.3-3
+RHEL 9 BETA
+- SELinux prevents fapolicyd from watch_mount/watch_with_perm on /dev/shm
+Resolves: rhbz#1932225
+Resolves: rhbz#1977731
+
+* Thu Apr 15 2021 Mohan Boddu - 1.0.3-2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Thu Apr 01 2021 Radovan Sroka - 1.0.3-1
+- rebase to 1.0.3
+- sync fedora with rhel
+
+* Tue Jan 26 2021 Fedora Release Engineering - 1.0.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jan 06 2021 Radovan Sroka - 1.0.2-1
+- rebase to 1.0.2
+- enabled make check
+- dnf-plugin is now required subpackage
+
+* Mon Nov 16 2020 Radovan Sroka - 1.0.1-1
+- rebase to 1.0.1
+- introduced uthash dependency
+- SELinux prevents the fapolicyd process from writing to /run/dbus/system_bus_socket
+Resolves: rhbz#1874491
+- SELinux prevents the fapolicyd process from writing to /var/lib/rpm directory
+Resolves: rhbz#1876538
+
+* Mon Jul 27 2020 Fedora Release Engineering - 1.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jun 24 2020 Radovan Sroka - 1.0-3
+- backported few cosmetic small patches from upstream master
+- rebase selinux tarbal to v0.3
+- file context pattern for /run/fapolicyd.pid is missing
+Resolves: rhbz#1834674
+
+* Tue May 26 2020 Miro Hrončok - 1.0-2
+- Rebuilt for Python 3.9
+
+* Mon May 25 2020 Radovan Sroka - 1.0-1
+- rebase fapolicyd to 1.0
+- allowed sys_ptrace for user namespace
+
+* Mon Mar 23 2020 Radovan Sroka - 0.9.4-1
+- rebase fapolicyd to 0.9.4
+- polished the pattern detection engine
+- rpm backend now drops most of the files in /usr/share/ to dramatically reduce
+ memory consumption and improve startup speed
+- the commandline utility can now delete the lmdb trust database and manage
+ the file trust source
+
+* Mon Feb 24 2020 Radovan Sroka - 0.9.3-1
+- rebase fapolicyd to 0.9.3
+- dramatically improved startup time
+- fapolicyd-cli has picked up --list and --ftype commands to help debug/write policy
+- file type identification has been improved
+- trust database statistics have been added to the reports
+
+* Tue Feb 04 2020 Radovan Sroka - 0.9.2-2
+- Label all fifo_file as fapolicyd_var_run_t in /var/run.
+- Allow fapolicyd_t domain to create fifo files labeled as
+ fapolicyd_var_run_t
+
+* Fri Jan 31 2020 Radovan Sroka - 0.9.2-1
+- rebase fapolicyd to 0.9.2
+- allows watched mount points to be specified by file system types
+- ELF file detection was improved
+- the rules have been rewritten to express the policy based on subject
+ object trust for better performance and reliability
+- exceptions for dracut and ansible were added to the rules to avoid problems
+ under normal system use
+- adds an admin defined trust database (fapolicyd.trust)
+- setting boost, queue, user, and group on the daemon
+ command line are deprecated
+
+* Tue Jan 28 2020 Fedora Release Engineering - 0.9-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Tue Nov 05 2019 Marek Tamaskovic - 0.9-3
+- Updated fapolicyd-selinux subpackage to v0.2
+ Selinux subpackage is recommended for fapolicyd.
+
+* Mon Oct 07 2019 Radovan Sroka - 0.9-2
+- Added fapolicyd-selinux subpackage
+
+* Mon Oct 07 2019 Radovan Sroka - 0.9-1
+- rebase to v0.9
+
+* Thu Oct 03 2019 Miro Hrončok - 0.8.10-2
+- Rebuilt for Python 3.8.0rc1 (#1748018)
+
+* Wed Aug 28 2019 Radovan Sroka - 0.8.10-1
+- rebase to 0.8.10
+- generate python paths dynamically
+
+* Mon Aug 19 2019 Miro Hrončok - 0.8.9-5
+- Rebuilt for Python 3.8
+
+* Thu Jul 25 2019 Fedora Release Engineering - 0.8.9-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Mon Jun 10 22:13:18 CET 2019 Igor Gnatenko - 0.8.9-3
+- Rebuild for RPM 4.15
+
+* Mon Jun 10 15:42:01 CET 2019 Igor Gnatenko - 0.8.9-2
+- Rebuild for RPM 4.15
+
+* Mon May 06 2019 Radovan Sroka - 0.8.9-1
+- New upstream release
+
+* Wed Mar 13 2019 Radovan Sroka - 0.8.8-2
+- backport some patches to resolve dac_override for fapolicyd
+
+* Mon Mar 11 2019 Radovan Sroka - 0.8.8-1
+- New upstream release
+- Added new DNF plugin that can update the trust database when rpms are installed
+- Added support for FAN_OPEN_EXEC_PERM
+
+* Thu Jan 31 2019 Fedora Release Engineering - 0.8.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+
+* Wed Oct 03 2018 Steve Grubb 0.8.7-1
+- New upstream bugfix release
+
+* Fri Jul 13 2018 Fedora Release Engineering - 0.8.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Jun 07 2018 Steve Grubb 0.8.6-1
+- New upstream feature release
+
+* Fri May 18 2018 Steve Grubb 0.8.5-2
+- Add dist tag (#1579362)
+
+* Fri Feb 16 2018 Steve Grubb 0.8.5-1
+- New release
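Review bot: The spec vendors uthash 2.3.0 through `Source2:` and `Patch1:` on RHEL builds but declares no `Provides: bundled(uthash) = 2.3.0`, so distribution tooling that maps library advisories to the packages carrying them cannot see that this package ships its own copy of uthash. Add the provide next to the conditional that already distinguishes the bundled case, i.e. `%if 0%{?rhel} != 0` / `Provides: bundled(uthash) = 2.3.0` / `%endif` in the preamble, so the vendored version is recorded in the package metadata. The `-I${top_srcdir}/uthash-2.3.0/include` path in `fapolicyd-uthash-bundle.patch` also pins that version, so a bump of `Source2:` must touch the patch as well; a comment to that effect on the `Source2:` line would keep the two from drifting apart.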