
@ -1,3 +1,3 @@
f4fc52c6ec16cec13405d66752c0b222fff893e7 SOURCES/fapolicyd-1.3.2.tar.gz 0c3e18b68cc92611ed45fe884229351eaebdf170 SOURCES/fapolicyd-1.3.3.tar.gz
e61573db3de4d229377eebff8252765058ad4ab9 SOURCES/fapolicyd-selinux-0.6.tar.gz ec91994fc4257a8d1a76e1c98eeccaf97ef4178f SOURCES/fapolicyd-selinux-0.7.tar.gz
fbafa356359ace80787ce6634d84425b40d90907 SOURCES/uthash-2.3.0.tar.gz fbafa356359ace80787ce6634d84425b40d90907 SOURCES/uthash-2.3.0.tar.gz

4
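--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
-SOURCES/fapolicyd-1.3.2.tar.gz
-SOURCES/fapolicyd-selinux-0.6.tar.gz
+SOURCES/fapolicyd-1.3.3.tar.gz
+SOURCES/fapolicyd-selinux-0.7.tar.gz
 SOURCES/uthash-2.3.0.tar.gz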

@ -1,78 +0,0 @@
From 248219377a034d7da9238e7424c97558395700e3 Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Tue, 18 Jul 2023 17:05:11 +0200
Subject: [PATCH] Fix multiple leaks
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
src/library/filter.c | 3 +++
src/library/policy.c | 13 +++++++++++--
src/library/rules.c | 3 ---
3 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/src/library/filter.c b/src/library/filter.c
index d5d8cca..eb378ca 100644
--- a/src/library/filter.c
+++ b/src/library/filter.c
@@ -472,9 +472,12 @@ int filter_load_file(void)
msg(LOG_ERR, "filter_load_file: paring error line: %ld, \"%s\"", line_number, line);
filter_destroy_obj(filter);
free(line);
+ line = NULL;
goto bad;
}
+ }
+ if (line) {
free(line);
line = NULL;
}
diff --git a/src/library/policy.c b/src/library/policy.c
index 7fe1210..31ff6e2 100644
--- a/src/library/policy.c
+++ b/src/library/policy.c
@@ -23,6 +23,7 @@
* Radovan Sroka <rsroka@redhat.com>
*/
+#include "attr-sets.h"
#include "config.h"
#include <stdbool.h>
#include <stdio.h>
@@ -273,12 +274,20 @@ int load_rules(const conf_t *_config)
return 1;
FILE * f = open_file();
- if (f == NULL)
+ if (f == NULL) {
+ destroy_attr_sets();
return 1;
+ }
int res = _load_rules(_config, f);
fclose(f);
- return res;
+
+ if (res) {
+ destroy_attr_sets();
+ return 1;
+ }
+
+ return 0;
}
void destroy_rules(void)
diff --git a/src/library/rules.c b/src/library/rules.c
index 5ffa40e..4a8b098 100644
--- a/src/library/rules.c
+++ b/src/library/rules.c
@@ -65,9 +65,6 @@ int rules_create(llist *l)
l->cur = NULL;
l->cnt = 0;
- if (init_attr_sets())
- return 1;
-
return 0;
}

@ -1,23 +0,0 @@
From 05780f9accae504440ffed0548bd3e4144cfb70e Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Wed, 19 Jul 2023 16:00:13 +0200
Subject: [PATCH] Allow links
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
fapolicyd.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fapolicyd-selinux-0.6/fapolicyd.te b/fapolicyd-selinux-0.6/fapolicyd.te
index daf31bd..5d6f9aa 100644
--- a/fapolicyd-selinux-0.6/fapolicyd.te
+++ b/fapolicyd-selinux-0.6/fapolicyd.te
@@ -53,6 +53,8 @@ ifdef(`fs_watch_all_fs',`
files_watch_sb_all_mountpoints(fapolicyd_t)
')
+allow fapolicyd_t file_type : lnk_file { getattr read };
+
manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t)
logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)

@ -1,10 +1,10 @@
diff -up ./configure.ac.uthash ./configure.ac diff -up ./configure.ac.uthash ./configure.ac
--- ./configure.ac.uthash 2023-06-15 16:45:13.000000000 +0200 --- ./configure.ac.uthash 2022-09-27 16:34:59.000000000 +0200
+++ ./configure.ac 2023-06-16 14:32:53.112363230 +0200 +++ ./configure.ac 2022-09-29 11:57:26.297879027 +0200
@@ -96,10 +96,6 @@ AC_CHECK_HEADER(sys/fanotify.h, , [AC_MS @@ -162,10 +162,6 @@ AC_CHECK_HEADER(sys/fanotify.h, , [AC_MS
["Couldn't find sys/fanotify.h...your kernel might not be new enough"] )]) ["Couldn't find sys/fanotify.h...your kernel might not be new enough"] )])
AC_CHECK_FUNCS(fexecve, [], []) AC_CHECK_FUNCS(fexecve, [], [])
AC_CHECK_FUNCS([gettid])
-AC_CHECK_HEADER(uthash.h, , [AC_MSG_ERROR( -AC_CHECK_HEADER(uthash.h, , [AC_MSG_ERROR(
-["Couldn't find uthash.h...uthash-devel is missing"] )]) -["Couldn't find uthash.h...uthash-devel is missing"] )])
- -
@ -13,8 +13,8 @@ diff -up ./configure.ac.uthash ./configure.ac
echo Checking for required libraries echo Checking for required libraries
AC_CHECK_LIB(udev, udev_device_get_devnode, , [AC_MSG_ERROR([libudev not found])], -ludev) AC_CHECK_LIB(udev, udev_device_get_devnode, , [AC_MSG_ERROR([libudev not found])], -ludev)
diff -up ./src/library/rpm-backend.c.uthash ./src/library/rpm-backend.c diff -up ./src/library/rpm-backend.c.uthash ./src/library/rpm-backend.c
--- ./src/library/rpm-backend.c.uthash 2023-06-16 14:32:53.112363230 +0200 --- ./src/library/rpm-backend.c.uthash 2022-09-29 11:57:26.297879027 +0200
+++ ./src/library/rpm-backend.c 2023-06-16 14:35:20.467338604 +0200 +++ ./src/library/rpm-backend.c 2022-09-29 11:58:45.470119807 +0200
@@ -33,7 +33,7 @@ @@ -33,7 +33,7 @@
#include <rpm/rpmpgp.h> #include <rpm/rpmpgp.h>
#include <fnmatch.h> #include <fnmatch.h>
@ -25,8 +25,8 @@ diff -up ./src/library/rpm-backend.c.uthash ./src/library/rpm-backend.c
#include "message.h" #include "message.h"
#include "gcc-attributes.h" #include "gcc-attributes.h"
diff -up ./src/Makefile.am.uthash ./src/Makefile.am diff -up ./src/Makefile.am.uthash ./src/Makefile.am
--- ./src/Makefile.am.uthash 2023-06-15 16:45:13.000000000 +0200 --- ./src/Makefile.am.uthash 2022-09-27 16:34:59.000000000 +0200
+++ ./src/Makefile.am 2023-06-16 14:32:53.112363230 +0200 +++ ./src/Makefile.am 2022-09-29 11:57:26.297879027 +0200
@@ -5,6 +5,9 @@ AM_CPPFLAGS = \ @@ -5,6 +5,9 @@ AM_CPPFLAGS = \
-I${top_srcdir} \ -I${top_srcdir} \
-I${top_srcdir}/src/library -I${top_srcdir}/src/library
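Review bot: The refreshed fapolicyd-uthash-bundle.patch on the new side carries header timestamps of 2022-09-27/29, older than the 2023-06-15/16 timestamps of the version it replaces, and its first configure.ac hunk moved from `@@ -96,10 +96,6 @@` to `@@ -162,10 +162,6 @@`, which suggests it may have been taken from an earlier package revision rather than regenerated against the 1.3.3 tarball. The `AC_CHECK_FUNCS([gettid])` context line also appears on only one side of the compare, so the surrounding context differs between the two versions of the patch. Worth confirming that the patch applies to the 1.3.3 sources under the default `%_default_patch_fuzz 0` before relying on it; a fresh `diff -up` against the new tarball would normally also refresh the timestamps.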

@ -1,6 +1,6 @@
diff -up ./fapolicyd-selinux-0.6/fapolicyd.te.fix ./fapolicyd-selinux-0.6/fapolicyd.te diff -up ./fapolicyd-selinux-0.7/fapolicyd.te.fix ./fapolicyd-selinux-0.7/fapolicyd.te
--- ./fapolicyd-selinux-0.6/fapolicyd.te.fix 2023-06-15 17:11:47.964646794 +0200 --- ./fapolicyd-selinux-0.7/fapolicyd.te.fix 2023-06-15 17:11:47.964646794 +0200
+++ ./fapolicyd-selinux-0.6/fapolicyd.te 2023-06-15 17:13:10.426477653 +0200 +++ ./fapolicyd-selinux-0.7/fapolicyd.te 2023-06-15 17:13:10.426477653 +0200
@@ -50,6 +50,9 @@ ifdef(`watch_mount_dirs_pattern',` @@ -50,6 +50,9 @@ ifdef(`watch_mount_dirs_pattern',`
ifdef(`fs_watch_all_fs',` ifdef(`fs_watch_all_fs',`

@ -0,0 +1,26 @@
From 750c5e288f8253c71a9722da960addb078aee93c Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 6 Feb 2024 21:17:27 +0100
Subject: [PATCH] Rename all /var/run file context entries to /run
With the 1f76e522a ("Rename all /var/run file context entries to /run")
selinux-policy commit, all /var/run file context entries moved to /run
and the equivalency was inverted. Subsequently, changes in fapolicyd.fc
need to be done, too, in a similar manner.
---
fapolicyd.fc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fapolicyd-selinux-0.7/fapolicyd.fc b/fapolicyd-selinux-0.7/fapolicyd.fc
index 2bdc7aa..d081dc8 100644
--- a/fapolicyd-selinux-0.7/fapolicyd.fc
+++ b/fapolicyd-selinux-0.7/fapolicyd.fc
@@ -8,6 +8,6 @@
/var/log/fapolicyd-access.log -- gen_context(system_u:object_r:fapolicyd_log_t,s0)
-/var/run/fapolicyd(/.*)? gen_context(system_u:object_r:fapolicyd_var_run_t,s0)
+/run/fapolicyd(/.*)? gen_context(system_u:object_r:fapolicyd_var_run_t,s0)
-/var/run/fapolicyd\.pid -- gen_context(system_u:object_r:fapolicyd_var_run_t,s0)
+/run/fapolicyd\.pid -- gen_context(system_u:object_r:fapolicyd_var_run_t,s0)

@ -1,10 +1,10 @@
%global selinuxtype targeted %global selinuxtype targeted
%global moduletype contrib %global moduletype contrib
%define semodule_version 0.6 %define semodule_version 0.7
Summary: Application Whitelisting Daemon Summary: Application Whitelisting Daemon
Name: fapolicyd Name: fapolicyd
Version: 1.3.2 Version: 1.3.3
Release: 100%{?dist} Release: 100%{?dist}
License: GPLv3+ License: GPLv3+
URL: http://people.redhat.com/sgrubb/fapolicyd URL: http://people.redhat.com/sgrubb/fapolicyd
@ -32,8 +32,7 @@ Requires(postun): systemd-units
Patch1: fapolicyd-uthash-bundle.patch Patch1: fapolicyd-uthash-bundle.patch
Patch2: selinux.patch Patch2: selinux.patch
Patch3: fapolicyd-leaks.patch Patch3: var-run-selinux.patch
Patch4: fapolicyd-selinux-links.patch
%description %description
Fapolicyd (File Access Policy Daemon) implements application whitelisting Fapolicyd (File Access Policy Daemon) implements application whitelisting
@ -67,8 +66,8 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.
%endif %endif
%patch -P 2 -p1 -b .selinux %patch -P 2 -p1 -b .selinux
%patch -P 3 -p1 -b .leaks %patch -P 3 -p1 -R -b .var-run-selinux
%patch -P 4 -p1 -b .links
# generate rules for python # generate rules for python
sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules
@ -255,6 +254,11 @@ fi
%selinux_relabel_post -s %{selinuxtype} %selinux_relabel_post -s %{selinuxtype}
%changelog %changelog
* Wed Jul 19 2023 Radovan Sroka <rsroka@redhat.com> - 1.3.3-100
RHEL 9.5.0 ERRATUM
- rebase to fapolicyd-1.3.3 and fapolicyd-selinux-0.7
Resolves: RHEL-36285
* Wed Jul 19 2023 Radovan Sroka <rsroka@redhat.com> - 1.3.2-100 * Wed Jul 19 2023 Radovan Sroka <rsroka@redhat.com> - 1.3.2-100
RHEL 9.3.0 ERRATUM RHEL 9.3.0 ERRATUM
- Rebase fapolicyd to the latest stable version - Rebase fapolicyd to the latest stable version
@ -276,6 +280,9 @@ Resolves: RHEL-730
- SELinux prevents the fapolicyd from reading symlink (cert_t) - SELinux prevents the fapolicyd from reading symlink (cert_t)
Resolves: RHEL-816 Resolves: RHEL-816
* Fri Apr 14 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 1.1.3-104
- Rebuilt for MSVSphere 9.2 beta
* Mon Jan 30 2023 Radovan Sroka <rsroka@redhat.com> - 1.1.3-104 * Mon Jan 30 2023 Radovan Sroka <rsroka@redhat.com> - 1.1.3-104
RHEL 9.2.0 ERRATUM RHEL 9.2.0 ERRATUM
- statically linked app can execute untrusted app - statically linked app can execute untrusted app
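Review bot: The new changelog entry `* Wed Jul 19 2023 Radovan Sroka <rsroka@redhat.com> - 1.3.3-100` carries the same date as the 1.3.2-100 entry below it, while the patch it introduces is dated Feb 2024 and the entry references RHEL 9.5.0 and RHEL-36285, so the date looks copied rather than the actual build date; rpmbuild only warns on non-descending dates, but the history becomes misleading. The line `%patch -P 3 -p1 -R -b .var-run-selinux` reverses an upstream rename without saying why; a comment such as `# applied reversed (-R): keeps the /var/run file contexts, presumably because the target selinux-policy predates the /var/run -> /run equivalency inversion — confirm` above it would save the next maintainer a trip to the patch. The rebase also drops fapolicyd-leaks.patch and fapolicyd-selinux-links.patch, and the changelog does not state that 1.3.3 and fapolicyd-selinux-0.7 carry those fixes upstream; one changelog line saying so (if it is the case) would make the drop auditable.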
