
No commits in common. 'c9' and 'c10-beta' have entirely different histories.
c9 ... c10-beta

@ -1,3 +1,3 @@
f4fc52c6ec16cec13405d66752c0b222fff893e7 SOURCES/fapolicyd-1.3.2.tar.gz 0c3e18b68cc92611ed45fe884229351eaebdf170 SOURCES/fapolicyd-1.3.3.tar.gz
e61573db3de4d229377eebff8252765058ad4ab9 SOURCES/fapolicyd-selinux-0.6.tar.gz ec91994fc4257a8d1a76e1c98eeccaf97ef4178f SOURCES/fapolicyd-selinux-0.7.tar.gz
fbafa356359ace80787ce6634d84425b40d90907 SOURCES/uthash-2.3.0.tar.gz fbafa356359ace80787ce6634d84425b40d90907 SOURCES/uthash-2.3.0.tar.gz

4
.gitignore vendored

@ -1,3 +1,3 @@
SOURCES/fapolicyd-1.3.2.tar.gz SOURCES/fapolicyd-1.3.3.tar.gz
SOURCES/fapolicyd-selinux-0.6.tar.gz SOURCES/fapolicyd-selinux-0.7.tar.gz
SOURCES/uthash-2.3.0.tar.gz SOURCES/uthash-2.3.0.tar.gz

@ -1,78 +0,0 @@
From 248219377a034d7da9238e7424c97558395700e3 Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Tue, 18 Jul 2023 17:05:11 +0200
Subject: [PATCH] Fix multiple leaks
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
src/library/filter.c | 3 +++
src/library/policy.c | 13 +++++++++++--
src/library/rules.c | 3 ---
3 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/src/library/filter.c b/src/library/filter.c
index d5d8cca..eb378ca 100644
--- a/src/library/filter.c
+++ b/src/library/filter.c
@@ -472,9 +472,12 @@ int filter_load_file(void)
msg(LOG_ERR, "filter_load_file: paring error line: %ld, \"%s\"", line_number, line);
filter_destroy_obj(filter);
free(line);
+ line = NULL;
goto bad;
}
+ }
+ if (line) {
free(line);
line = NULL;
}
diff --git a/src/library/policy.c b/src/library/policy.c
index 7fe1210..31ff6e2 100644
--- a/src/library/policy.c
+++ b/src/library/policy.c
@@ -23,6 +23,7 @@
* Radovan Sroka <rsroka@redhat.com>
*/
+#include "attr-sets.h"
#include "config.h"
#include <stdbool.h>
#include <stdio.h>
@@ -273,12 +274,20 @@ int load_rules(const conf_t *_config)
return 1;
FILE * f = open_file();
- if (f == NULL)
+ if (f == NULL) {
+ destroy_attr_sets();
return 1;
+ }
int res = _load_rules(_config, f);
fclose(f);
- return res;
+
+ if (res) {
+ destroy_attr_sets();
+ return 1;
+ }
+
+ return 0;
}
void destroy_rules(void)
diff --git a/src/library/rules.c b/src/library/rules.c
index 5ffa40e..4a8b098 100644
--- a/src/library/rules.c
+++ b/src/library/rules.c
@@ -65,9 +65,6 @@ int rules_create(llist *l)
l->cur = NULL;
l->cnt = 0;
- if (init_attr_sets())
- return 1;
-
return 0;
}

@ -1,23 +0,0 @@
From 05780f9accae504440ffed0548bd3e4144cfb70e Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Wed, 19 Jul 2023 16:00:13 +0200
Subject: [PATCH] Allow links
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
fapolicyd.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fapolicyd-selinux-0.6/fapolicyd.te b/fapolicyd-selinux-0.6/fapolicyd.te
index daf31bd..5d6f9aa 100644
--- a/fapolicyd-selinux-0.6/fapolicyd.te
+++ b/fapolicyd-selinux-0.6/fapolicyd.te
@@ -53,6 +53,8 @@ ifdef(`fs_watch_all_fs',`
files_watch_sb_all_mountpoints(fapolicyd_t)
')
+allow fapolicyd_t file_type : lnk_file { getattr read };
+
manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t)
logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)

@ -1,10 +1,10 @@
diff -up ./configure.ac.uthash ./configure.ac diff -up ./configure.ac.uthash ./configure.ac
--- ./configure.ac.uthash 2023-06-15 16:45:13.000000000 +0200 --- ./configure.ac.uthash 2022-09-27 16:34:59.000000000 +0200
+++ ./configure.ac 2023-06-16 14:32:53.112363230 +0200 +++ ./configure.ac 2022-09-29 11:57:26.297879027 +0200
@@ -96,10 +96,6 @@ AC_CHECK_HEADER(sys/fanotify.h, , [AC_MS @@ -162,10 +162,6 @@ AC_CHECK_HEADER(sys/fanotify.h, , [AC_MS
["Couldn't find sys/fanotify.h...your kernel might not be new enough"] )]) ["Couldn't find sys/fanotify.h...your kernel might not be new enough"] )])
AC_CHECK_FUNCS(fexecve, [], []) AC_CHECK_FUNCS(fexecve, [], [])
AC_CHECK_FUNCS([gettid])
-AC_CHECK_HEADER(uthash.h, , [AC_MSG_ERROR( -AC_CHECK_HEADER(uthash.h, , [AC_MSG_ERROR(
-["Couldn't find uthash.h...uthash-devel is missing"] )]) -["Couldn't find uthash.h...uthash-devel is missing"] )])
- -
@ -13,8 +13,8 @@ diff -up ./configure.ac.uthash ./configure.ac
echo Checking for required libraries echo Checking for required libraries
AC_CHECK_LIB(udev, udev_device_get_devnode, , [AC_MSG_ERROR([libudev not found])], -ludev) AC_CHECK_LIB(udev, udev_device_get_devnode, , [AC_MSG_ERROR([libudev not found])], -ludev)
diff -up ./src/library/rpm-backend.c.uthash ./src/library/rpm-backend.c diff -up ./src/library/rpm-backend.c.uthash ./src/library/rpm-backend.c
--- ./src/library/rpm-backend.c.uthash 2023-06-16 14:32:53.112363230 +0200 --- ./src/library/rpm-backend.c.uthash 2022-09-29 11:57:26.297879027 +0200
+++ ./src/library/rpm-backend.c 2023-06-16 14:35:20.467338604 +0200 +++ ./src/library/rpm-backend.c 2022-09-29 11:58:45.470119807 +0200
@@ -33,7 +33,7 @@ @@ -33,7 +33,7 @@
#include <rpm/rpmpgp.h> #include <rpm/rpmpgp.h>
#include <fnmatch.h> #include <fnmatch.h>
@ -25,8 +25,8 @@ diff -up ./src/library/rpm-backend.c.uthash ./src/library/rpm-backend.c
#include "message.h" #include "message.h"
#include "gcc-attributes.h" #include "gcc-attributes.h"
diff -up ./src/Makefile.am.uthash ./src/Makefile.am diff -up ./src/Makefile.am.uthash ./src/Makefile.am
--- ./src/Makefile.am.uthash 2023-06-15 16:45:13.000000000 +0200 --- ./src/Makefile.am.uthash 2022-09-27 16:34:59.000000000 +0200
+++ ./src/Makefile.am 2023-06-16 14:32:53.112363230 +0200 +++ ./src/Makefile.am 2022-09-29 11:57:26.297879027 +0200
@@ -5,6 +5,9 @@ AM_CPPFLAGS = \ @@ -5,6 +5,9 @@ AM_CPPFLAGS = \
-I${top_srcdir} \ -I${top_srcdir} \
-I${top_srcdir}/src/library -I${top_srcdir}/src/library

@ -1,6 +1,6 @@
diff -up ./fapolicyd-selinux-0.6/fapolicyd.te.fix ./fapolicyd-selinux-0.6/fapolicyd.te diff -up ./fapolicyd-selinux-0.7/fapolicyd.te.fix ./fapolicyd-selinux-0.7/fapolicyd.te
--- ./fapolicyd-selinux-0.6/fapolicyd.te.fix 2023-06-15 17:11:47.964646794 +0200 --- ./fapolicyd-selinux-0.7/fapolicyd.te.fix 2023-06-15 17:11:47.964646794 +0200
+++ ./fapolicyd-selinux-0.6/fapolicyd.te 2023-06-15 17:13:10.426477653 +0200 +++ ./fapolicyd-selinux-0.7/fapolicyd.te 2023-06-15 17:13:10.426477653 +0200
@@ -50,6 +50,9 @@ ifdef(`watch_mount_dirs_pattern',` @@ -50,6 +50,9 @@ ifdef(`watch_mount_dirs_pattern',`
ifdef(`fs_watch_all_fs',` ifdef(`fs_watch_all_fs',`

@ -1,12 +1,12 @@
%global selinuxtype targeted %global selinuxtype targeted
%global moduletype contrib %global moduletype contrib
%define semodule_version 0.6 %define semodule_version 0.7
Summary: Application Whitelisting Daemon Summary: Application Whitelisting Daemon
Name: fapolicyd Name: fapolicyd
Version: 1.3.2 Version: 1.3.3
Release: 100%{?dist} Release: 101%{?dist}
License: GPLv3+ License: GPL-3.0-or-later
URL: http://people.redhat.com/sgrubb/fapolicyd URL: http://people.redhat.com/sgrubb/fapolicyd
Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz
@ -15,7 +15,7 @@ Source2: https://github.com/troydhanson/uthash/archive/refs/tags/v2.3.0.tar.gz#/
BuildRequires: gcc BuildRequires: gcc
BuildRequires: kernel-headers BuildRequires: kernel-headers
BuildRequires: autoconf automake make gcc libtool BuildRequires: autoconf automake make gcc libtool
BuildRequires: systemd-devel openssl-devel rpm-devel file-devel file BuildRequires: systemd systemd-devel openssl-devel rpm-devel file-devel file
BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
BuildRequires: python3-devel BuildRequires: python3-devel
@ -23,17 +23,17 @@ BuildRequires: python3-devel
BuildRequires: uthash-devel BuildRequires: uthash-devel
%endif %endif
Requires: %{name}-plugin Requires: rpm-plugin-fapolicyd
Recommends: %{name}-selinux Recommends: %{name}-selinux
Requires(pre): shadow-utils Requires(pre): shadow-utils
Requires(post): systemd-units Requires(post): systemd-units
Requires(preun): systemd-units Requires(preun): systemd-units
Requires(postun): systemd-units Requires(postun): systemd-units
Patch1: fapolicyd-uthash-bundle.patch Patch1: selinux.patch
Patch2: selinux.patch
Patch3: fapolicyd-leaks.patch # RHEL-specific patches
Patch4: fapolicyd-selinux-links.patch Patch100: fapolicyd-uthash-bundle.patch
%description %description
Fapolicyd (File Access Policy Daemon) implements application whitelisting Fapolicyd (File Access Policy Daemon) implements application whitelisting
@ -45,7 +45,8 @@ makes use of the kernel's fanotify interface to determine file access rights.
Summary: Fapolicyd selinux Summary: Fapolicyd selinux
Group: Applications/System Group: Applications/System
Requires: %{name} = %{version}-%{release} Requires: %{name} = %{version}-%{release}
BuildRequires: selinux-policy Requires: selinux-policy-%{selinuxtype}
Requires(post): selinux-policy-%{selinuxtype}
BuildRequires: selinux-policy-devel BuildRequires: selinux-policy-devel
BuildArch: noarch BuildArch: noarch
%{?selinux_requires} %{?selinux_requires}
@ -60,20 +61,19 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.
# selinux # selinux
%setup -q -D -T -a 1 %setup -q -D -T -a 1
%patch 1 -p1 -b .selinux
%if 0%{?rhel} != 0 %if 0%{?rhel} != 0
# uthash # uthash
%setup -q -D -T -a 2 %setup -q -D -T -a 2
%patch -P 1 -p1 -b .uthash %patch 100 -p1 -b .uthash
%endif %endif
%patch -P 2 -p1 -b .selinux
%patch -P 3 -p1 -b .leaks
%patch -P 4 -p1 -b .links
# generate rules for python # generate rules for python
sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
sed -i "s|%python3_path%|`readlink -f %{__python3}`|g" rules.d/*.rules sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
# Detect run time linker directly from bash
interpret=`readelf -e /usr/bin/bash \ interpret=`readelf -e /usr/bin/bash \
| grep Requesting \ | grep Requesting \
| sed 's/.$//' \ | sed 's/.$//' \
@ -90,7 +90,7 @@ cp INSTALL INSTALL.tmp
--with-rpm \ --with-rpm \
--disable-shared --disable-shared
make CFLAGS="%{optflags}" %{?_smp_mflags} %make_build
# selinux # selinux
pushd %{name}-selinux-%{semodule_version} pushd %{name}-selinux-%{semodule_version}
@ -111,12 +111,7 @@ mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}
mkdir -p %{buildroot}/run/%{name} mkdir -p %{buildroot}/run/%{name}
mkdir -p %{buildroot}%{_sysconfdir}/%{name}/trust.d mkdir -p %{buildroot}%{_sysconfdir}/%{name}/trust.d
mkdir -p %{buildroot}%{_sysconfdir}/%{name}/rules.d mkdir -p %{buildroot}%{_sysconfdir}/%{name}/rules.d
# get list of file names between known-libs and restrictive from sample-rules/README-rules
cat %{buildroot}/%{_datadir}/%{name}/sample-rules/README-rules \
| grep -A 100 'known-libs' \
| grep -B 100 'restrictive' \
| grep '^[0-9]' > %{buildroot}/%{_datadir}/%{name}/default-ruleset.known-libs
chmod 644 %{buildroot}/%{_datadir}/%{name}/default-ruleset.known-libs
# selinux # selinux
install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
@ -127,49 +122,8 @@ install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_
#cleanup #cleanup
find %{buildroot} \( -name '*.la' -o -name '*.a' \) -delete find %{buildroot} \( -name '*.la' -o -name '*.a' \) -delete
%define manage_default_rules default_changed=0 \
# check changed fapolicyd.rules \
if [ -e %{_sysconfdir}/%{name}/%{name}.rules ]; then \
diff %{_sysconfdir}/%{name}/%{name}.rules %{_datadir}/%{name}/%{name}.rules.known-libs >/dev/null 2>&1 || { \
default_changed=1; \
#echo "change detected in fapolicyd.rules"; \
} \
fi \
if [ -e %{_sysconfdir}/%{name}/rules.d ]; then \
default_ruleset='' \
# get listing of default rule files in known-libs \
[ -e %{_datadir}/%{name}/default-ruleset.known-libs ] && default_ruleset=`cat %{_datadir}/%{name}/default-ruleset.known-libs` \
# check for removed or added files \
default_count=`echo "$default_ruleset" | wc -l` \
current_count=`ls -1 %{_sysconfdir}/%{name}/rules.d/*.rules | wc -l` \
[ $default_count -eq $current_count ] || { \
default_changed=1; \
#echo "change detected in number of rule files d:$default_count vs c:$current_count"; \
} \
for file in %{_sysconfdir}/%{name}/rules.d/*.rules; do \
if echo "$default_ruleset" | grep -q "`basename $file`"; then \
# compare content of the rule files \
diff $file %{_datadir}/%{name}/sample-rules/`basename $file` >/dev/null 2>&1 || { \
default_changed=1; \
#echo "change detected in `basename $file`"; \
} \
else \
# added file detected \
default_changed=1 \
#echo "change detected in added rules file `basename $file`"; \
fi \
done \
fi \
# remove files if no change against default rules detected \
[ $default_changed -eq 0 ] && rm -rf %{_sysconfdir}/%{name}/%{name}.rules %{_sysconfdir}/%{name}/rules.d/* || : \
%pre %pre
getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name} getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
if [ $1 -eq 2 ]; then
# detect changed default rules in case of upgrade
%manage_default_rules
fi
%post %post
# if no pre-existing rule file # if no pre-existing rule file
@ -178,27 +132,29 @@ if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
# Only if no pre-existing component rules # Only if no pre-existing component rules
if [ "$files" -eq 0 ] ; then if [ "$files" -eq 0 ] ; then
## Install the known libs policy ## Install the known libs policy
for rulesfile in `cat %{_datadir}/%{name}/default-ruleset.known-libs`; do cp %{_datadir}/%{name}/sample-rules/10-languages.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/$rulesfile %{_sysconfdir}/%{name}/rules.d/ cp %{_datadir}/%{name}/sample-rules/20-dracut.rules %{_sysconfdir}/%{name}/rules.d/
done cp %{_datadir}/%{name}/sample-rules/21-updaters.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/30-patterns.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/40-bad-elf.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/41-shared-obj.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/42-trusted-elf.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/70-trusted-lang.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/72-shell.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/90-deny-execute.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/95-allow-open.rules %{_sysconfdir}/%{name}/rules.d/
chgrp %{name} %{_sysconfdir}/%{name}/rules.d/* chgrp %{name} %{_sysconfdir}/%{name}/rules.d/*
if [ -x /usr/sbin/restorecon ] ; then if [ -x /usr/sbin/restorecon ] ; then
# restore correct label # restore correct label
/usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/* /usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/*
fi fi
fagenrules >/dev/null fagenrules --load
fi fi
fi fi
%systemd_post %{name}.service %systemd_post %{name}.service
%preun %preun
%systemd_preun %{name}.service %systemd_preun %{name}.service
if [ $1 -eq 0 ]; then
# detect changed default rules in case of uninstall
%manage_default_rules
else
[ -e %{_sysconfdir}/%{name}/%{name}.rules ] && rm -rf %{_sysconfdir}/%{name}/rules.d/* || :
fi
%postun %postun
%systemd_postun_with_restart %{name}.service %systemd_postun_with_restart %{name}.service
@ -209,15 +165,14 @@ fi
%license COPYING %license COPYING
%attr(755,root,%{name}) %dir %{_datadir}/%{name} %attr(755,root,%{name}) %dir %{_datadir}/%{name}
%attr(755,root,%{name}) %dir %{_datadir}/%{name}/sample-rules %attr(755,root,%{name}) %dir %{_datadir}/%{name}/sample-rules
%attr(644,root,%{name}) %{_datadir}/%{name}/default-ruleset.known-libs
%attr(644,root,%{name}) %{_datadir}/%{name}/sample-rules/* %attr(644,root,%{name}) %{_datadir}/%{name}/sample-rules/*
%attr(644,root,%{name}) %{_datadir}/%{name}/fapolicyd-magic.mgc %attr(644,root,%{name}) %{_datadir}/%{name}/fapolicyd-magic.mgc
%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name} %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/trust.d %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/trust.d
%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/rules.d %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/rules.d
%attr(644,root,root) %{_sysconfdir}/bash_completion.d/* %attr(644,root,root) %{_sysconfdir}/bash_completion.d/*
%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/rules.d/* %ghost %{_sysconfdir}/%{name}/rules.d/*
%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules %ghost %{_sysconfdir}/%{name}/%{name}.rules
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}-filter.conf %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}-filter.conf
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
@ -236,7 +191,6 @@ fi
%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/data.mdb %ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/data.mdb
%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/lock.mdb %ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/lock.mdb
%files selinux %files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
@ -255,110 +209,115 @@ fi
%selinux_relabel_post -s %{selinuxtype} %selinux_relabel_post -s %{selinuxtype}
%changelog %changelog
* Wed Jul 19 2023 Radovan Sroka <rsroka@redhat.com> - 1.3.2-100 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.3.3-101
RHEL 9.3.0 ERRATUM - Bump release for June 2024 mass rebuild
- Rebase fapolicyd to the latest stable version
Resolves: RHEL-430 * Tue May 14 2024 Radovan Sroka <rsroka@redhat.com> - 1.3.3-100
- fapolicyd can leak FDs and never answer request, causing target process to hang forever RHEL 10.0.0 ERRATUM
Resolves: RHEL-621 - rebase to fapolicy-1.3.3 and fapolicyd-selinux-0.7
- RFE: send rule number to fanotify so it gets audited Resolves: RHEL-36287
Resolves: RHEL-624
- fapolicyd needs to make sure the FD limit is never reached * Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-4
Resolves: RHEL-623 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
- fapolicyd still allows execution of a program after "untrusting" it
Resolves: RHEL-622 * Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-3
- Default q_size doesn't match manpage's one - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
Resolves: RHEL-627
- fapolicyd-cli --update then mount/umount twice causes fapolicyd daemon to block (state 'D') * Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-2
Resolves: RHEL-817 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
- Fix broken backwards compatibility backend numbers
Resolves: RHEL-730 * Mon Jul 10 2023 Radovan Sroka <rsroka@redhat.com> - 1.3.3-1
- SELinux prevents the fapolicyd from reading symlink (cert_t) - rebase to fapolicyd v1.3.2
Resolves: RHEL-816
* Thu Jun 15 2023 Radovan Sroka <rsroka@redhat.com> - 1.3.1-2
* Mon Jan 30 2023 Radovan Sroka <rsroka@redhat.com> - 1.1.3-104 - rebase to fapolicyd v1.3.1 and selinux v0.6
RHEL 9.2.0 ERRATUM
- statically linked app can execute untrusted app * Tue Jun 13 2023 Radovan Sroka <rsroka@redhat.com> - 1.2-6
Resolves: rhbz#2097077 - migrated to SPDX license
- fapolicyd ineffective with systemd DynamicUser=yes
Resolves: rhbz#2136802 * Fri May 19 2023 Petr Pisar <ppisar@redhat.com> - 1.2-5
- Starting manually fapolicyd while the service is already running breaks the system - Rebuild against rpm-4.19 (https://fedoraproject.org/wiki/Changes/RPM-4.19)
Resolves: rhbz#2160517
- Cannot execute /usr/libexec/grepconf.sh when falcon-sensor is enabled * Fri Feb 10 2023 Radovan Sroka <rsroka@redhat.com> - 1.2-1
Resolves: rhbz#2160518 - rebase to v1.2
- fapolicyd: Introduce filtering of rpmdb
Resolves: RHEL-192 * Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.7-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Fri Aug 05 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.3-102
RHEL 9.1.0 ERRATUM * Fri Dec 02 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.7-3
- rebase fapolicyd to the latest stable vesion - rebuild for eln
Resolves: rhbz#2100041
- fapolicyd gets way too easily killed by OOM killer * Mon Nov 28 2022 Florian Weimer <fweimer@redhat.com> - 1.1.7-2
Resolves: rhbz#2097385 - Avoid implicit declaration of rpmFreeCrypto
- fapolicyd does not correctly handle SIGHUP
Resolves: rhbz#2070655 * Mon Nov 28 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.7.1
- Introduce ppid rule attribute - rebase fapolicyd to v1.1.7 and fapolicyd-selinux to v0.5
Resolves: rhbz#2102558
- fapolicyd often breaks package updates * Thu Sep 29 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.5.2
Resolves: rhbz#2111244 - rebase to 1.1.5
- drop libgcrypt in favour of openssl
Resolves: rhbz#2111938 * Wed Aug 31 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.4-4
- Remove dnf plugin - fix bash completition definition in spec
Resolves: rhbz#2113959 Resolves: rhbz#2123065
- fapolicyd.rules doesn't advertise that using a username/groupname instead of uid/gid also works
Resolves: rhbz#2115849 * Tue Aug 30 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.4-3
- rebuild with correct openssl and systemd dependency
* Thu Jun 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-104
RHEL 9.1.0 ERRATUM * Thu Aug 18 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.4-1
- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path - rebase to 1.1.4
Resolves: rhbz#2069123
- Faulty handling of static applications * Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.3-2
Resolves: rhbz#2096457 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Sun Apr 3 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-101 * Wed Jun 22 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.3-1
RHEL 9.1.0 ERRATUM - rebase to 1.1.3
- fapolicyd denies access to /usr/lib64/ld-2.28.so - removal of dnf plugin
Resolves: rhbz#2067493
* Wed Jun 15 2022 Python Maint <python-maint@redhat.com> - 1.1.2-2
* Wed Feb 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-100 - Rebuilt for Python 3.11
RHEL 9.0.0 ERRATUM
- rebase to 1.1 * Wed May 25 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.2-1
Resolves: rhbz#2032408 - rebase to v1.1.2
- introduce rules.d - fixed CVE-2022-1117
Resolves: rhbz#2054740 Resolves: rhbz#2089692
- remove pretrans scriptlet
Resolve: rhbz#2051481 * Wed Mar 30 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.1-2
- rebase to v1.1.1
* Tue Dec 14 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.4-101
RHEL 9.0.0 ERRATUM * Tue Feb 15 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-2
- old fapolicyd.rules needs to be ghost file
* Sun Jan 23 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-1
- rebase to v1.1
- added rules.d folder
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Fri Dec 24 2021 Björn Esser <besser82@fedoraproject.org> - 1.0.4-2
- Rebuild(uthash)
* Fri Dec 10 2021 Radovan Sroka <rsoka@redhat.com> - 1.0.4-1
- rebase to 1.0.4 - rebase to 1.0.4
- added rpm_sha256_only option - enable trust.d folder
- added trust.d directory
- allow file names with whitespaces in trust files * Wed Sep 01 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.3-4
- use full paths in trust files - selinux: use watch perm correctly
Resolves: rhbz#2032408
- fix libc.so getting identified as application/x-executable * Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.3-3
Resolves: rhbz#2015307 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
- fix selinux DSP module definition in spec file
Resolves: rhbz#2014449 * Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 1.0.3-2
- Rebuilt for Python 3.10
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.3-4
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Tue Jul 20 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.3-3
RHEL 9 BETA
- SELinux prevents fapolicyd from watch_mount/watch_with_perm on /dev/shm
Resolves: rhbz#1932225
Resolves: rhbz#1977731
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.3-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Thu Apr 01 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.3-1 * Thu Apr 01 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.3-1
- rebase to 1.0.3 - rebase to 1.0.3
- sync fedora with rhel - sync fedora with rhel
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.0.2-3
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2-2 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
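Review bot: The new `%post` installs the default policy from eleven hard-coded `cp …/sample-rules/NN-*.rules` lines, and the new side drops the `%manage_default_rules` calls from `%pre` and `%preun`, so as far as the visible scriptlets show an upgrade leaves whatever is already in `rules.d` untouched, including an unmodified default set from an older release. For an allow-listing daemon this means changes to the shipped known-libs policy may never reach upgraded hosts, and the hard-coded list can drift from `sample-rules/README-rules` on the next rebase. I would at least document this above the copy block, e.g. `# Keep in sync with the known-libs set in sample-rules/README-rules; existing rules.d content is not refreshed on upgrade`. In the `%files` hunk the two `%ghost` rule entries also lose `%attr(644,root,%{name})`, so the mode of the copied files presumably now depends on `cp` and the scriptlet umask; an explicit `chmod 644 %{_sysconfdir}/%{name}/rules.d/*` next to the existing `chgrp` would pin it. The `if` that guards the copy block starts outside the hunk, so the exact upgrade condition should be confirmed against the full spec.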
