8 changed files with 51 additions and 122 deletions
--- a/.fapolicyd.metadata
+++ b/.fapolicyd.metadata
@ -1,3 +1,3 @@
-f4fc52c6ec16cec13405d66752c0b222fff893e7 SOURCES/fapolicyd-1.3.2.tar.gz
+0c3e18b68cc92611ed45fe884229351eaebdf170 SOURCES/fapolicyd-1.3.3.tar.gz
-e61573db3de4d229377eebff8252765058ad4ab9 SOURCES/fapolicyd-selinux-0.6.tar.gz
+ec91994fc4257a8d1a76e1c98eeccaf97ef4178f SOURCES/fapolicyd-selinux-0.7.tar.gz
 fbafa356359ace80787ce6634d84425b40d90907 SOURCES/uthash-2.3.0.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,3 @@
-SOURCES/fapolicyd-1.3.2.tar.gz
+SOURCES/fapolicyd-1.3.3.tar.gz
-SOURCES/fapolicyd-selinux-0.6.tar.gz
+SOURCES/fapolicyd-selinux-0.7.tar.gz
 SOURCES/uthash-2.3.0.tar.gz
--- a/SOURCES/fapolicyd-leaks.patch
+++ b/SOURCES/fapolicyd-leaks.patch
@ -1,78 +0,0 @@
 From 248219377a034d7da9238e7424c97558395700e3 Mon Sep 17 00:00:00 2001
 From: Radovan Sroka <rsroka@redhat.com>
 Date: Tue, 18 Jul 2023 17:05:11 +0200
 Subject: [PATCH] Fix multiple leaks
 Signed-off-by: Radovan Sroka <rsroka@redhat.com>
 ---
 src/library/filter.c |  3 +++
 src/library/policy.c | 13 +++++++++++--
 src/library/rules.c  |  3 ---
 3 files changed, 14 insertions(+), 5 deletions(-)
 diff --git a/src/library/filter.c b/src/library/filter.c
 index d5d8cca..eb378ca 100644
 --- a/src/library/filter.c
 +++ b/src/library/filter.c
@@ -472,9 +472,12 @@ int filter_load_file(void)
 			msg(LOG_ERR, "filter_load_file: paring error line: %ld, \"%s\"", line_number, line);
 			filter_destroy_obj(filter);
 			free(line);
 +			line = NULL;
 			goto bad;
 		}
 +	}
 +	if (line) {
 		free(line);
 		line = NULL;
 	}
 diff --git a/src/library/policy.c b/src/library/policy.c
 index 7fe1210..31ff6e2 100644
 --- a/src/library/policy.c
 +++ b/src/library/policy.c
@@ -23,6 +23,7 @@
  *   Radovan Sroka <rsroka@redhat.com>
  */
 +#include "attr-sets.h"
 #include "config.h"
 #include <stdbool.h>
 #include <stdio.h>
@@ -273,12 +274,20 @@ int load_rules(const conf_t *_config)
 		return 1;
 	FILE * f = open_file();
 -	if (f == NULL)
 +	if (f == NULL) {
 +		destroy_attr_sets();
 		return 1;
 +	}
 	int res = _load_rules(_config, f);
 	fclose(f);
 -	return res;
 +
 +	if (res) {
 +		destroy_attr_sets();
 +		return 1;
 +	}
 +
 +	return 0;
 }
 void destroy_rules(void)
 diff --git a/src/library/rules.c b/src/library/rules.c
 index 5ffa40e..4a8b098 100644
 --- a/src/library/rules.c
 +++ b/src/library/rules.c
@@ -65,9 +65,6 @@ int rules_create(llist *l)
 	l->cur = NULL;
 	l->cnt = 0;
 -	if (init_attr_sets())
 -		return 1;
 -
 	return  0;
 }
--- a/SOURCES/fapolicyd-selinux-links.patch
+++ b/SOURCES/fapolicyd-selinux-links.patch
@ -1,23 +0,0 @@
 From 05780f9accae504440ffed0548bd3e4144cfb70e Mon Sep 17 00:00:00 2001
 From: Radovan Sroka <rsroka@redhat.com>
 Date: Wed, 19 Jul 2023 16:00:13 +0200
 Subject: [PATCH] Allow links
 Signed-off-by: Radovan Sroka <rsroka@redhat.com>
 ---
 fapolicyd.te | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/fapolicyd-selinux-0.6/fapolicyd.te b/fapolicyd-selinux-0.6/fapolicyd.te
 index daf31bd..5d6f9aa 100644
 --- a/fapolicyd-selinux-0.6/fapolicyd.te
 +++ b/fapolicyd-selinux-0.6/fapolicyd.te
@@ -53,6 +53,8 @@ ifdef(`fs_watch_all_fs',`
     files_watch_sb_all_mountpoints(fapolicyd_t)
 ')
 +allow fapolicyd_t file_type : lnk_file { getattr read };
 +
 manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t)
 logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)
--- a/SOURCES/fapolicyd-uthash-bundle.patch
+++ b/SOURCES/fapolicyd-uthash-bundle.patch
@ -1,10 +1,10 @@
 diff -up ./configure.ac.uthash ./configure.ac
--- ./configure.ac.uthash	2023-06-15 16:45:13.000000000 +0200
+--- ./configure.ac.uthash	2022-09-27 16:34:59.000000000 +0200
-+++ ./configure.ac	2023-06-16 14:32:53.112363230 +0200
+++ ./configure.ac	2022-09-29 11:57:26.297879027 +0200
-@@ -96,10 +96,6 @@ AC_CHECK_HEADER(sys/fanotify.h, , [AC_MS
+@@ -162,10 +162,6 @@ AC_CHECK_HEADER(sys/fanotify.h, , [AC_MS
 ["Couldn't find sys/fanotify.h...your kernel might not be new enough"] )])
 AC_CHECK_FUNCS(fexecve, [], [])
- 
+ AC_CHECK_FUNCS([gettid])
 -AC_CHECK_HEADER(uthash.h, , [AC_MSG_ERROR(
 -["Couldn't find uthash.h...uthash-devel is missing"] )])
 -
@ -13,8 +13,8 @@ diff -up ./configure.ac.uthash ./configure.ac
 echo Checking for required libraries
 AC_CHECK_LIB(udev, udev_device_get_devnode, , [AC_MSG_ERROR([libudev not found])], -ludev)
 diff -up ./src/library/rpm-backend.c.uthash ./src/library/rpm-backend.c
--- ./src/library/rpm-backend.c.uthash	2023-06-16 14:32:53.112363230 +0200
+--- ./src/library/rpm-backend.c.uthash	2022-09-29 11:57:26.297879027 +0200
-+++ ./src/library/rpm-backend.c	2023-06-16 14:35:20.467338604 +0200
+++ ./src/library/rpm-backend.c	2022-09-29 11:58:45.470119807 +0200
@@ -33,7 +33,7 @@
 #include <rpm/rpmpgp.h>
 #include <fnmatch.h>
@ -25,8 +25,8 @@ diff -up ./src/library/rpm-backend.c.uthash ./src/library/rpm-backend.c
 #include "message.h"
 #include "gcc-attributes.h"
 diff -up ./src/Makefile.am.uthash ./src/Makefile.am
--- ./src/Makefile.am.uthash	2023-06-15 16:45:13.000000000 +0200
+--- ./src/Makefile.am.uthash	2022-09-27 16:34:59.000000000 +0200
-+++ ./src/Makefile.am	2023-06-16 14:32:53.112363230 +0200
+++ ./src/Makefile.am	2022-09-29 11:57:26.297879027 +0200
@@ -5,6 +5,9 @@ AM_CPPFLAGS = \
 	-I${top_srcdir} \
 	-I${top_srcdir}/src/library
--- a/SOURCES/selinux.patch
+++ b/SOURCES/selinux.patch
@ -1,6 +1,6 @@
-diff -up ./fapolicyd-selinux-0.6/fapolicyd.te.fix ./fapolicyd-selinux-0.6/fapolicyd.te
+diff -up ./fapolicyd-selinux-0.7/fapolicyd.te.fix ./fapolicyd-selinux-0.7/fapolicyd.te
--- ./fapolicyd-selinux-0.6/fapolicyd.te.fix	2023-06-15 17:11:47.964646794 +0200
+--- ./fapolicyd-selinux-0.7/fapolicyd.te.fix	2023-06-15 17:11:47.964646794 +0200
-+++ ./fapolicyd-selinux-0.6/fapolicyd.te	2023-06-15 17:13:10.426477653 +0200
+++ ./fapolicyd-selinux-0.7/fapolicyd.te	2023-06-15 17:13:10.426477653 +0200
@@ -50,6 +50,9 @@ ifdef(`watch_mount_dirs_pattern',`
 ifdef(`fs_watch_all_fs',`
--- a/SOURCES/var-run-selinux.patch
+++ b/SOURCES/var-run-selinux.patch
@ -0,0 +1,26 @@
 From 750c5e288f8253c71a9722da960addb078aee93c Mon Sep 17 00:00:00 2001
 From: Zdenek Pytela <zpytela@redhat.com>
 Date: Tue, 6 Feb 2024 21:17:27 +0100
 Subject: [PATCH] Rename all /var/run file context entries to /run
 With the 1f76e522a ("Rename all /var/run file context entries to /run")
 selinux-policy commit, all /var/run file context entries moved to /run
 and the equivalency was inverted. Subsequently, changes in fapolicyd.fc
 need to be done, too, in a similar manner.
 ---
 fapolicyd.fc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/fapolicyd-selinux-0.7/fapolicyd.fc b/fapolicyd-selinux-0.7/fapolicyd.fc
 index 2bdc7aa..d081dc8 100644
 --- a/fapolicyd-selinux-0.7/fapolicyd.fc
 +++ b/fapolicyd-selinux-0.7/fapolicyd.fc
@@ -8,6 +8,6 @@
 /var/log/fapolicyd-access.log    --      gen_context(system_u:object_r:fapolicyd_log_t,s0)
 -/var/run/fapolicyd(/.*)?		 gen_context(system_u:object_r:fapolicyd_var_run_t,s0)
 +/run/fapolicyd(/.*)?		 gen_context(system_u:object_r:fapolicyd_var_run_t,s0)
 -/var/run/fapolicyd\.pid	--	 gen_context(system_u:object_r:fapolicyd_var_run_t,s0)
 +/run/fapolicyd\.pid	--	 gen_context(system_u:object_r:fapolicyd_var_run_t,s0)
--- a/SPECS/fapolicyd.spec
+++ b/SPECS/fapolicyd.spec
@ -1,10 +1,10 @@
 %global selinuxtype targeted
 %global moduletype contrib
-%define semodule_version 0.6
+%define semodule_version 0.7
 Summary: Application Whitelisting Daemon
 Name: fapolicyd
-Version: 1.3.2
+Version: 1.3.3
 Release: 100%{?dist}
 License: GPLv3+
 URL: http://people.redhat.com/sgrubb/fapolicyd
@ -32,8 +32,7 @@ Requires(postun): systemd-units
 Patch1: fapolicyd-uthash-bundle.patch
 Patch2: selinux.patch
-Patch3: fapolicyd-leaks.patch
+Patch3: var-run-selinux.patch
 Patch4: fapolicyd-selinux-links.patch
 %description
 Fapolicyd (File Access Policy Daemon) implements application whitelisting
@ -67,8 +66,8 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.
 %endif
 %patch -P 2 -p1 -b .selinux
-%patch -P 3 -p1 -b .leaks
+%patch -P 3 -p1 -R -b .var-run-selinux
-%patch -P 4 -p1 -b .links
+
 # generate rules for python
 sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules
@ -255,6 +254,11 @@ fi
 %selinux_relabel_post -s %{selinuxtype}
 %changelog
 * Wed Jul 19 2023 Radovan Sroka <rsroka@redhat.com> - 1.3.3-100
 RHEL 9.5.0 ERRATUM
 - rebase to fapolicyd-1.3.3 and fapolicyd-selinux-0.7
 Resolves: RHEL-36285
 * Wed Jul 19 2023 Radovan Sroka <rsroka@redhat.com> - 1.3.2-100
 RHEL 9.3.0 ERRATUM
 - Rebase fapolicyd to the latest stable version