Blob Blame History Raw
%global selinuxtype targeted
%global moduletype contrib
%define semodule_version 0.2


Summary: Application Whitelisting Daemon
Name: fapolicyd
Version: 1.0
Release: 3%{?dist}.4
License: GPLv3+
URL: http://people.redhat.com/sgrubb/fapolicyd
Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz
BuildRequires: gcc
BuildRequires: kernel-headers
BuildRequires: autoconf automake make gcc libtool
BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel
BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
BuildRequires: python3-devel
BuildRequires: python2-devel
Recommends: %{name}-selinux

Requires(pre): shadow-utils
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units

Patch1: selinux.patch
Patch2: fapolicyd-0.9.5-integrity.patch
Patch3: selinux-pid.patch
Patch4: fapolicyd-cli-args.patch
Patch5: fapolicyd-magic-override.patch
Patch6: fapolicyd-magic-override2.patch
Patch7: fapolicyd-man-page.patch

Patch8: fapolicyd-trust.patch
Patch9: fapolicyd-cli-empty-db.patch
Patch10: fapolicyd-cli-big-buffer.patch
Patch11: fapolicyd-get-line.patch
Patch12: fapolicyd-man-page-trust.patch

Patch13: fapolicyd-deleted-suffix.patch
Patch14: fapolicyd-java1.patch
Patch15: fapolicyd-java2.patch
Patch16: fapolicyd-java3.patch
Patch17: fapolicyd-java4.patch
Patch18: fapolicyd-java5.patch

%description
Fapolicyd (File Access Policy Daemon) implements application whitelisting
to decide file access rights. Applications that are known via a reputation
source are allowed access while unknown applications are not. The daemon
makes use of the kernel's fanotify interface to determine file access rights.

%package        selinux
Summary:        Fapolicyd selinux
Group:          Applications/System
Requires:       %{name} = %{version}-%{release}
BuildRequires:  selinux-policy
BuildRequires:  selinux-policy-devel
BuildArch: noarch
#%%{?selinux_requires}
Requires: selinux-policy >= 3.14.3-54.el8
BuildRequires: pkgconfig(systemd)
BuildRequires: selinux-policy
BuildRequires: selinux-policy-devel
Requires(post): selinux-policy-base >= 3.14.3-54.el8
Requires(post): libselinux-utils
Requires(post): policycoreutils
%if 032 || 0 > 7
Requires(post): policycoreutils-python-utils
%else
Requires(post): policycoreutils-python
%endif


%description    selinux
The %{name}-selinux package contains selinux policy for the %{name} daemon.

%prep

%setup -q

# selinux
%setup -q -D -T -a 1

# generate rules for python
sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*

%patch1 -p1 -b .selinux
%patch2 -p1 -b .integrity
%patch3 -p1 -b .pid
%patch4 -p1 -b .args
%patch5 -p1
%patch6 -p1
%patch7 -p1 -b .man-page

%patch8 -p1 -b .trust
%patch9 -p1 -b .cli-empty-db
%patch10 -p1 -b .cli-big-buffer
%patch11 -p1 -b .get-line
%patch12 -p1 -b .man-page-trust

# zstream
%patch13 -p1 -b .deleted
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1

%build
./autogen.sh
%configure \
    --with-audit \
    --with-rpm \
    --disable-shared

make CFLAGS="%{optflags}" %{?_smp_mflags}

# selinux
pushd %{name}-selinux-%{semodule_version}
make
popd

# selinux
%pre selinux
%selinux_relabel_pre -s %{selinuxtype}

%install
make DESTDIR="%{buildroot}" INSTALL='install -p' install
mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/
install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/
install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf
install -p -m 644 init/%{name}.rules.known-libs %{buildroot}/%{_sysconfdir}/%{name}/%{name}.rules
mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}
mkdir -p %{buildroot}/run/%{name}

# selinux
install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if

#cleanup
find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'

%pre
getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}

%pretrans -p <lua>
if posix.access("/run/fapolicyd.pid", "f") then
  os.execute([[
    c=/etc/fapolicyd/fapolicyd.rules
    release=/etc/redhat-release
    rule="allow perm=any uid=0 : all"
    if test -e $release; then
       if grep -q '8.1' $release; then
          rule="allow uid=0 all"
       fi
    fi

    if test -e $c; then
       if systemctl is-active fapolicyd &> /dev/null; then
          tmp=`mktemp`
          cat $c > $tmp
          echo "$rule" > $c
          cat $tmp >> $c
          systemctl restart fapolicyd || true
          cat $tmp > $c
          rm -f $tmp
        fi
    fi
    ]])
end

%post
%systemd_post %{name}.service

%preun
%systemd_preun %{name}.service

%postun
%systemd_postun_with_restart %{name}.service

%files
%doc README.md
%{!?_licensedir:%global license %%doc}
%license COPYING
%attr(755,root,%{name}) %dir %{_datadir}/%{name}
%attr(644,root,%{name}) %{_datadir}/%{name}/%{name}.rules.*
%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
%attr(644,root,root) %{_unitdir}/%{name}.service
%attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
%attr(755,root,root) %{_sbindir}/%{name}
%attr(755,root,root) %{_sbindir}/%{name}-cli
%attr(644,root,root) %{_mandir}/man8/*
%attr(644,root,root) %{_mandir}/man5/*
%attr(644,root,root) %{_mandir}/man1/*
%attr(644,root,root) %{_datadir}/%{name}/*
%ghost %{_localstatedir}/log/%{name}-access.log
%attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name}
%attr(770,root,%{name}) %dir /run/%{name}
%ghost %{_localstatedir}/run/%{name}/%{name}.fifo
%ghost %{_localstatedir}/lib/%{name}/data.mdb
%ghost %{_localstatedir}/lib/%{name}/lock.mdb
%{python3_sitelib}/dnf-plugins/%{name}-dnf-plugin.py
%{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc

# selinux
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if

%post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2

%postun selinux
if [ $1 -eq 0 ]; then
    %selinux_modules_uninstall -s %{selinuxtype} %{name}
fi

%posttrans selinux
%selinux_relabel_post -s %{selinuxtype}

%changelog
* Thu Dec 10 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3.4
RHEL 8.3.Z ERRATUM
- Adding DISA STIG during OS installation causes 'ipa-server-install' to fail [rhel-8.3.0.z]
- fixed java detection
Resolves: rhbz#1905895
- Erratum RHBA-2020:4969 is of no help when upgrading partially RHEL 8.2 systems [rhel-8.3.0.z]
Resolves: rhbz#1906472

* Fri Nov 13 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3.3
RHEL 8.3.Z ERRATUM
Resolves: rhbz#1897090

* Fri Nov 06 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3.2
RHEL 8.3.Z ERRATUM
- selinux requires inlined
Resolves: rhbz#1895513

* Fri Nov 06 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3.1
RHEL 8.3.Z ERRATUM
- allow root everything
- ensure that root rule is in .rules
Resolves: rhbz#1895513

* Tue Jun 30 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3
RHEL 8.3 ERRATUM
- fixed manpage fapolicyd-conf
Resolves: rhbz#1817413

* Mon May 25 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-2
RHEL 8.3 ERRATUM
- rebase to v1.0
- installed multiple policies to /usr/share/fapolicyd
  - known-libs (default)
  - restrictive
- installed fapolicyd.trust file
- enhanced fapolicyd-cli
Resolves: rhbz#1817413
- introduced fapolicyd-selinux that provides SELinux policy module
Resolves: rhbz#1714529

* Tue Mar 03 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.1-4
RHEL 8.2 ERRATUM
- fixed possible heap buffer overflow in elf parser
Resolves: rhbz#1807912

* Tue Feb 11 2020 Radovan Sroka <rsroka@redhat.com> - 0.9.1-3
RHEL 8.2 ERRATUM
- fixed build time python interpreter detection (spec)
- added python2-devel as a BuildRequires (spec)
- allow running bash scripts in home directories
Resolves: rhbz#1801872

* Wed Nov 20 2019 Radovan Sroka <rsroka@redhat.com> - 0.9.1-2
RHEL 8.2 ERRATUM
- rebase to v0.9.1
- updated default configuration with new syntax
- removed daemon mounts configuration
Resolves: rhbz#1759895
- default fapolicyd policy prevents Ansible from running
- added ansible rule to default ruleset
Resolves: rhbz#1746464
- suspicious logs on service start
Resolves: rhbz#1747494
- fapolicyd blocks dracut from generating initramfs
- added dracut rule to default configuration
Resolves: rhbz#1757736
- fapolicyd fails to identify perl interpreter
Resolves: rhbz#1765039

* Wed Jul 24 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-3
- added missing manpage for fapolicyd-cli
Resolves: rhbz#1708015

* Mon Jul 22 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-2
- Convert hashes to lowercase like sha256sum outputs
- Stop littering STDOUT output for dnf plugin in fapolicyd
Resolves: rhbz#1721496

* Tue Jun 18 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.10-1
- new upstream release
Resolves: rhbz#1673323

* Mon May 06 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.9-1
- New upstream release
- imported from fedora30
  resolves: rhbz#1673323

* Wed Mar 13 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.8-2
- backport some patches to resolve dac_override for fapolicyd

* Mon Mar 11 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.8-1
- New upstream release
- Added new DNF plugin that can update the trust database when rpms are installed
- Added support for FAN_OPEN_EXEC_PERM

* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.7-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild


* Wed Oct 03 2018 Steve Grubb <sgrubb@redhat.com> 0.8.7-1
- New upstream bugfix release

* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

* Thu Jun 07 2018 Steve Grubb <sgrubb@redhat.com> 0.8.6-1
- New upstream feature release

* Fri May 18 2018 Steve Grubb <sgrubb@redhat.com> 0.8.5-2
- Add dist tag (#1579362)

* Fri Feb 16 2018 Steve Grubb <sgrubb@redhat.com> 0.8.5-1
- New release