Summary: Application Whitelisting Daemon

Name: fapolicyd

Version: 0.9.1

Release: 4%{?dist}

License: GPLv3+

URL: http://people.redhat.com/sgrubb/fapolicyd

Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz

BuildRequires: kernel-headers

BuildRequires: autoconf automake make gcc libtool

BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel

BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel

BuildRequires: python3-devel

BuildRequires: python2-devel

Requires(pre): shadow-utils

Requires(post): systemd-units

Requires(preun): systemd-units

Requires(postun): systemd-units

Patch1: fapolicyd-rules.patch

Patch2: fapolicyd-elf-parser.patch

%description

Fapolicyd (File Access Policy Daemon) implements application whitelisting

to decide file access rights. Applications that are known via a reputation

source are allowed access while unknown applications are not. The daemon

makes use of the kernel's fanotify interface to determine file access rights.

%prep

%setup -q

%patch1 -p1 -F3

%patch2 -p1 -b .elf-parser

# generate rules for python

sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules

sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules

sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" init/%{name}.rules

%build

./autogen.sh

%configure --with-audit

make CFLAGS="%{optflags}" %{?_smp_mflags}

%install

make DESTDIR="%{buildroot}" INSTALL='install -p' install

mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/

install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/

install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf

mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}

mkdir -p %{buildroot}/run/%{name}

%pre

getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}

%post

%systemd_post %{name}.service

%preun

%systemd_preun %{name}.service

%postun

%systemd_postun_with_restart %{name}.service

%files

%doc README.md

%{!?_licensedir:%global license %%doc}

%license COPYING

%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}

%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules

%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf

%attr(644,root,root) %{_unitdir}/%{name}.service

%attr(644,root,root) %{_tmpfilesdir}/%{name}.conf

%attr(755,root,root) %{_sbindir}/%{name}

%attr(755,root,root) %{_sbindir}/%{name}-cli

%attr(644,root,root) %{_mandir}/man8/*

%attr(644,root,root) %{_mandir}/man5/*

%attr(644,root,root) %{_mandir}/man1/*

%ghost %{_localstatedir}/log/%{name}-access.log

%attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name}

%attr(770,root,%{name}) %dir /run/%{name}

%ghost %{_localstatedir}/run/%{name}/%{name}.fifo

%ghost %{_localstatedir}/lib/%{name}/data.mdb

%ghost %{_localstatedir}/lib/%{name}/lock.mdb

%{python3_sitelib}/dnf-plugins/%{name}-dnf-plugin.py

%{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc

%changelog

* Tue Mar 03 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.1-4

RHEL 8.2 ERRATUM

- fixed possible heap buffer overflow in elf parser

Resolves: rhbz#1807912

* Tue Feb 11 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.1-3

RHEL 8.2 ERRATUM

- fixed build time python interpreter detection (spec)

- added python2-devel as a BuildRequires (spec)

- allow running bash scripts in home directories

Resolves: rhbz#1801872

* Wed Nov 20 2019 Radovan Sroka <rsroka@redhat.com> - 0.9.1-2

RHEL 8.2 ERRATUM

- rebase to v0.9.1

- updated default configuration with new syntax

- removed daemon mounts configuration

Resolves: rhbz#1759895

- default fapolicyd policy prevents Ansible from running

- added ansible rule to default ruleset

Resolves: rhbz#1746464

- suspicious logs on service start

Resolves: rhbz#1747494

- fapolicyd blocks dracut from generating initramfs

- added dracut rule to default configuration

Resolves: rhbz#1757736

- fapolicyd fails to identify perl interpreter

Resolves: rhbz#1765039

* Wed Jul 24 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-3

- added missing manpage for fapolicyd-cli

Resolves: rhbz#1708015

* Mon Jul 22 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-2

- Convert hashes to lowercase like sha256sum outputs

- Stop littering STDOUT output for dnf plugin in fapolicyd

Resolves: rhbz#1721496

* Tue Jun 18 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-1

- new upstream release

Resolves: rhbz#1673323

* Mon May 06 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.9-1

- New upstream release

- imported from fedora30

  resolves: rhbz#1673323

* Wed Mar 13 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.8-2

- backport some patches to resolve dac_override for fapolicyd

* Mon Mar 11 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.8-1

- New upstream release

- Added new DNF plugin that can update the trust database when rpms are installed

- Added support for FAN_OPEN_EXEC_PERM

* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.7-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

* Wed Oct 03 2018 Steve Grubb <sgrubb@redhat.com> 0.8.7-1

- New upstream bugfix release

* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.6-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

* Thu Jun 07 2018 Steve Grubb <sgrubb@redhat.com> 0.8.6-1

- New upstream feature release

* Fri May 18 2018 Steve Grubb <sgrubb@redhat.com> 0.8.5-2

- Add dist tag (#1579362)

* Fri Feb 16 2018 Steve Grubb <sgrubb@redhat.com> 0.8.5-1

- New release