From 0aabf8ce9a359d1ac54e025ce1b3151dc5616b17 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Aug 09 2022 18:15:02 +0000 Subject: import fapolicyd-1.1.3-8.el8 --- diff --git a/SOURCES/fapolicyd-cli-segfault.patch b/SOURCES/fapolicyd-cli-segfault.patch new file mode 100644 index 0000000..45c4699 --- /dev/null +++ b/SOURCES/fapolicyd-cli-segfault.patch @@ -0,0 +1,11 @@ +diff -up ./src/cli/fapolicyd-cli.c.segfault ./src/cli/fapolicyd-cli.c +--- ./src/cli/fapolicyd-cli.c.segfault 2022-08-03 17:51:54.903081124 +0200 ++++ ./src/cli/fapolicyd-cli.c 2022-08-03 17:55:18.256458750 +0200 +@@ -77,6 +77,7 @@ static struct option long_opts[] = + {"ftype", 1, NULL, 't'}, + {"list", 0, NULL, 'l'}, + {"update", 0, NULL, 'u'}, ++ {NULL, 0, NULL, 0 } + }; + + static const char *_pipe = "/run/fapolicyd/fapolicyd.fifo"; diff --git a/SOURCES/fapolicyd-fgets-update-thread.patch b/SOURCES/fapolicyd-fgets-update-thread.patch new file mode 100644 index 0000000..bd8d8ec --- /dev/null +++ b/SOURCES/fapolicyd-fgets-update-thread.patch @@ -0,0 +1,215 @@ +diff -up ./src/cli/fapolicyd-cli.c.upgrade-thread ./src/cli/fapolicyd-cli.c +--- ./src/cli/fapolicyd-cli.c.upgrade-thread 2022-08-03 18:00:02.374999369 +0200 ++++ ./src/cli/fapolicyd-cli.c 2022-08-03 18:00:09.802830497 +0200 +@@ -482,7 +482,7 @@ static int do_update(void) + } + } + +- ssize_t ret = write(fd, "1", 2); ++ ssize_t ret = write(fd, "1\n", 3); + + if (ret == -1) { + fprintf(stderr, "Write: %s -> %s\n", _pipe, strerror(errno)); +diff -up ./src/library/database.c.upgrade-thread ./src/library/database.c +--- ./src/library/database.c.upgrade-thread 2022-06-21 16:55:47.000000000 +0200 ++++ ./src/library/database.c 2022-08-03 17:58:04.034689808 +0200 +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -43,6 +44,7 @@ + #include "message.h" + #include "llist.h" + #include "file.h" ++#include "fd-fgets.h" + + #include "fapolicyd-backend.h" + #include "backend-manager.h" +@@ -1181,6 +1183,7 @@ static void *update_thread_main(void *ar + return NULL; + } + ++ fcntl(ffd[0].fd, F_SETFL, O_NONBLOCK); + ffd[0].events = POLLIN; + + while (!stop) { +@@ -1200,97 +1203,102 @@ static void *update_thread_main(void *ar + } else { + msg(LOG_ERR, "Update poll error (%s)", + strerror_r(errno, err_buff, BUFFER_SIZE)); +- goto err_out; ++ goto finalize; + } + } else if (rc == 0) { + #ifdef DEBUG + msg(LOG_DEBUG, "Update poll timeout expired"); + #endif +- if (db_operation != DB_NO_OP) +- goto handle_db_ops; + continue; + } else { + if (ffd[0].revents & POLLIN) { +- ssize_t count = read(ffd[0].fd, buff, +- BUFFER_SIZE-1); + +- if (count == -1) { +- msg(LOG_ERR, +- "Failed to read from a pipe %s (%s)", +- fifo_path, +- strerror_r(errno, err_buff, +- BUFFER_SIZE)); +- goto err_out; +- } ++ do { ++ fd_fgets_rewind(); ++ int res = fd_fgets(buff, sizeof(buff), ffd[0].fd); + +- if (count == 0) { +-#ifdef DEBUG +- msg(LOG_DEBUG, +- "Buffer contains zero bytes!"); +-#endif +- continue; +- } else // Manually terminate buff +- buff[count] = 0; +-#ifdef DEBUG +- msg(LOG_DEBUG, "Buffer contains: \"%s\"", buff); +-#endif +- for (int i = 0 ; i < count ; i++) { +- // assume file name +- // operation = 0 +- if (buff[i] == '/') { +- db_operation = ONE_FILE; ++ // nothing to read ++ if (res == -1) + break; +- } ++ else if (res > 0) { ++ char* end = strchr(buff, '\n'); + +- if (buff[i] == '1') { +- db_operation = RELOAD_DB; +- break; ++ if (end == NULL) { ++ msg(LOG_ERR, "Too long line?"); ++ continue; ++ } ++ ++ int count = end - buff; ++ ++ *end = '\0'; ++ ++ for (int i = 0 ; i < count ; i++) { ++ // assume file name ++ // operation = 0 ++ if (buff[i] == '/') { ++ db_operation = ONE_FILE; ++ break; ++ } ++ ++ if (buff[i] == '1') { ++ db_operation = RELOAD_DB; ++ break; ++ } ++ ++ if (buff[i] == '2') { ++ db_operation = FLUSH_CACHE; ++ break; ++ } ++ ++ if (isspace(buff[i])) ++ continue; ++ ++ msg(LOG_ERR, "Cannot handle data \"%s\" from pipe", buff); ++ break; ++ } ++ ++ *end = '\n'; ++ ++ // got "1" -> reload db ++ if (db_operation == RELOAD_DB) { ++ db_operation = DB_NO_OP; ++ msg(LOG_INFO, ++ "It looks like there was an update of the system... Syncing DB."); ++ ++ backend_close(); ++ backend_init(config); ++ backend_load(config); ++ ++ if ((rc = update_database(config))) { ++ msg(LOG_ERR, ++ "Cannot update trust database!"); ++ close(ffd[0].fd); ++ backend_close(); ++ unlink_fifo(); ++ exit(rc); ++ } ++ ++ msg(LOG_INFO, "Updated"); ++ ++ // Conserve memory ++ backend_close(); ++ // got "2" -> flush cache ++ } else if (db_operation == FLUSH_CACHE) { ++ db_operation = DB_NO_OP; ++ needs_flush = true; ++ } else if (db_operation == ONE_FILE) { ++ db_operation = DB_NO_OP; ++ if (handle_record(buff)) ++ continue; ++ } + } + +- if (buff[i] == '2') { +- db_operation = FLUSH_CACHE; +- break; +- } +- } +- +-handle_db_ops: +- // got "1" -> reload db +- if (db_operation == RELOAD_DB) { +- db_operation = DB_NO_OP; +- msg(LOG_INFO, +- "It looks like there was an update of the system... Syncing DB."); +- +- backend_close(); +- backend_init(config); +- backend_load(config); +- +- if ((rc = update_database(config))) { +- msg(LOG_ERR, +- "Cannot update trust database!"); +- close(ffd[0].fd); +- backend_close(); +- unlink_fifo(); +- exit(rc); +- } else +- msg(LOG_INFO, "Updated"); +- +- // Conserve memory +- backend_close(); +- // got "2" -> flush cache +- } else if (db_operation == FLUSH_CACHE) { +- db_operation = DB_NO_OP; +- needs_flush = true; +- } else if (db_operation == ONE_FILE) { +- db_operation = DB_NO_OP; +- if (handle_record(buff)) +- continue; +- } ++ } while(!fd_fgets_eof()); + } + } +- + } + +-err_out: ++finalize: + close(ffd[0].fd); + unlink_fifo(); + diff --git a/SOURCES/fapolicyd-openssl.patch b/SOURCES/fapolicyd-openssl.patch new file mode 100644 index 0000000..9ef8ea2 --- /dev/null +++ b/SOURCES/fapolicyd-openssl.patch @@ -0,0 +1,195 @@ +diff -up ./BUILD.md.openssl ./BUILD.md +--- ./BUILD.md.openssl 2022-06-21 16:55:47.000000000 +0200 ++++ ./BUILD.md 2022-08-02 14:10:48.092466542 +0200 +@@ -16,7 +16,8 @@ BUILD-TIME DEPENDENCIES (fedora and RHEL + * libudev-devel + * kernel-headers + * systemd-devel +-* libgcrypt-devel ++* libgcrypt-devel ( <= fapolicyd-1.1.3) ++* openssl ( >= fapolicyd-1.1.4) + * rpm-devel (optional) + * file + * file-devel +diff -U0 ./ChangeLog.openssl ./ChangeLog +diff -up ./configure.ac.openssl ./configure.ac +--- ./configure.ac.openssl 2022-06-21 16:55:47.000000000 +0200 ++++ ./configure.ac 2022-08-02 14:10:48.092466542 +0200 +@@ -87,7 +87,7 @@ AC_CHECK_HEADER(uthash.h, , [AC_MSG_ERRO + echo . + echo Checking for required libraries + AC_CHECK_LIB(udev, udev_device_get_devnode, , [AC_MSG_ERROR([libudev not found])], -ludev) +-AC_CHECK_LIB(gcrypt, gcry_md_open, , [AC_MSG_ERROR([libgcrypt not found])], -lgcrypt) ++AC_CHECK_LIB(crypto, SHA256, , [AC_MSG_ERROR([openssl libcrypto not found])], -lcrypto) + AC_CHECK_LIB(magic, magic_descriptor, , [AC_MSG_ERROR([libmagic not found])], -lmagic) + AC_CHECK_LIB(cap-ng, capng_change_id, , [AC_MSG_ERROR([libcap-ng not found])], -lcap-ng) + AC_CHECK_LIB(seccomp, seccomp_rule_add, , [AC_MSG_ERROR([libseccomp not found])], -lseccomp) +diff -up ./fapolicyd.spec.openssl ./fapolicyd.spec +--- ./fapolicyd.spec.openssl 2022-06-21 16:55:47.000000000 +0200 ++++ ./fapolicyd.spec 2022-08-02 14:10:48.092466542 +0200 +@@ -8,7 +8,7 @@ Source0: https://people.redhat.com/sgrub + BuildRequires: gcc + BuildRequires: kernel-headers + BuildRequires: autoconf automake make gcc libtool +-BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel file ++BuildRequires: systemd-devel openssl-devel rpm-devel file-devel file + BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel + BuildRequires: python3-devel + BuildRequires: uthash-devel +diff -up ./src/cli/fapolicyd-cli.c.openssl ./src/cli/fapolicyd-cli.c +--- ./src/cli/fapolicyd-cli.c.openssl 2022-06-21 16:55:47.000000000 +0200 ++++ ./src/cli/fapolicyd-cli.c 2022-08-02 14:10:48.093466520 +0200 +@@ -39,7 +39,6 @@ + #include + #include + #include +-#include + #include "policy.h" + #include "database.h" + #include "file-cli.h" +@@ -670,11 +669,6 @@ static int check_trustdb(void) + if (rc) + return 1; + +- // Initialize libgcrypt +- gcry_check_version(NULL); +- gcry_control(GCRYCTL_DISABLE_SECMEM, 0); +- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); +- + do { + unsigned int tsource; // unused + off_t size; +diff -up ./src/library/database.c.openssl ./src/library/database.c +--- ./src/library/database.c.openssl 2022-08-02 14:10:48.090466587 +0200 ++++ ./src/library/database.c 2022-08-02 14:13:11.995236110 +0200 +@@ -35,7 +35,7 @@ + #include + #include + #include +-#include ++#include + #include + #include + #include +@@ -244,26 +244,18 @@ static void abort_transaction(MDB_txn *t + static char *path_to_hash(const char *path, const size_t path_len) MALLOCLIKE; + static char *path_to_hash(const char *path, const size_t path_len) + { +- gcry_md_hd_t h; +- unsigned int len; +- unsigned char *hptr; ++ unsigned char hptr[80]; + char *digest; + +- if (gcry_md_open(&h, GCRY_MD_SHA512, GCRY_MD_FLAG_SECURE)) ++ if (path_len == 0) + return NULL; + +- gcry_md_write(h, path, path_len); +- hptr = gcry_md_read(h, GCRY_MD_SHA512); +- +- len = gcry_md_get_algo_dlen(GCRY_MD_SHA512) * sizeof(char); +- digest = malloc((2 * len) + 1); +- if (digest == NULL) { +- gcry_md_close(h); ++ SHA512((unsigned char *)path, path_len, (unsigned char *)&hptr); ++ digest = malloc((SHA512_LEN * 2) + 1); ++ if (digest == NULL) + return digest; +- } + +- bytes2hex(digest, hptr, len); +- gcry_md_close(h); ++ bytes2hex(digest, hptr, SHA512_LEN); + + return digest; + } +@@ -296,7 +288,7 @@ static int write_db(const char *idx, con + if (hash == NULL) + return 5; + key.mv_data = (void *)hash; +- key.mv_size = gcry_md_get_algo_dlen(GCRY_MD_SHA512) * 2 + 1; ++ key.mv_size = (SHA512_LEN * 2) + 1; + } else { + key.mv_data = (void *)idx; + key.mv_size = len; +@@ -416,7 +408,7 @@ static char *lt_read_db(const char *inde + if (hash == NULL) + return NULL; + key.mv_data = (void *)hash; +- key.mv_size = gcry_md_get_algo_dlen(GCRY_MD_SHA512) * 2 + 1; ++ key.mv_size = (SHA512_LEN * 2) + 1; + } else { + key.mv_data = (void *)index; + key.mv_size = len; +diff -up ./src/library/file.c.openssl ./src/library/file.c +--- ./src/library/file.c.openssl 2022-06-21 16:55:47.000000000 +0200 ++++ ./src/library/file.c 2022-08-02 14:10:48.094466497 +0200 +@@ -31,7 +31,7 @@ + #include + #include + #include +-#include ++#include + #include + #include + #include +@@ -51,7 +51,6 @@ static struct udev *udev; + magic_t magic_cookie; + struct cache { dev_t device; const char *devname; }; + static struct cache c = { 0, NULL }; +-static size_t hash_size = 32; // init so cli doesn't need to call file_init + + // readelf -l path-to-app | grep 'Requesting' | cut -d':' -f2 | tr -d ' ]'; + static const char *interpreters[] = { +@@ -96,12 +95,6 @@ void file_init(void) + msg(LOG_ERR, "Unable to load magic database"); + exit(1); + } +- +- // Initialize libgcrypt +- gcry_check_version(NULL); +- gcry_control(GCRYCTL_DISABLE_SECMEM, 0); +- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); +- hash_size = gcry_md_get_algo_dlen(GCRY_MD_SHA256) * sizeof(char); + } + + +@@ -445,12 +438,12 @@ char *get_hash_from_fd2(int fd, size_t s + if (mapped != MAP_FAILED) { + unsigned char hptr[40]; + +- gcry_md_hash_buffer(GCRY_MD_SHA256, &hptr, mapped, size); ++ SHA256(mapped, size, (unsigned char *)&hptr); + munmap(mapped, size); +- digest = malloc(65); ++ digest = malloc((SHA256_LEN * 2) + 1); + + // Convert to ASCII string +- bytes2hex(digest, hptr, hash_size); ++ bytes2hex(digest, hptr, SHA256_LEN); + } + return digest; + } +@@ -476,7 +469,7 @@ int get_ima_hash(int fd, char *sha) + } + + // Looks like it what we want... +- bytes2hex(sha, &tmp[2], 32); ++ bytes2hex(sha, &tmp[2], SHA256_LEN); + return 1; + } + +diff -up ./src/library/file.h.openssl ./src/library/file.h +--- ./src/library/file.h.openssl 2022-06-21 16:55:47.000000000 +0200 ++++ ./src/library/file.h 2022-08-02 14:10:48.094466497 +0200 +@@ -40,6 +40,9 @@ struct file_info + struct timespec time; + }; + ++#define SHA256_LEN 32 ++#define SHA512_LEN 64 ++ + void file_init(void); + void file_close(void); + struct file_info *stat_file_entry(int fd) MALLOCLIKE; diff --git a/SOURCES/fapolicyd-readme.patch b/SOURCES/fapolicyd-readme.patch new file mode 100644 index 0000000..5d93547 --- /dev/null +++ b/SOURCES/fapolicyd-readme.patch @@ -0,0 +1,30 @@ +From b4618d133f473b9bbc36f2a5e94b8b0f257ba3e0 Mon Sep 17 00:00:00 2001 +From: Radovan Sroka +Date: Fri, 5 Aug 2022 14:49:30 +0200 +Subject: [PATCH] Add mention that using of names requires name resolution + +- using of user and group names as uid and gid attributes + requires correct name resolution + +Signed-off-by: Radovan Sroka +--- + README.md | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/README.md b/README.md +index d932e00..abc5eee 100644 +--- a/README.md ++++ b/README.md +@@ -131,6 +131,12 @@ You can similarly do this for trusted users that have to execute things in + the home dir. You can create a trusted_user group, add them the group, + and then write a rule allowing them to execute from their home dir. + ++When you want to use user or group name (as a string). You have to guarantee ++that these names were correctly resolved. In case of systemd, you need to add ++a new after target 'After=nss-user-lookup.target'. ++To achieve that you can use `systemctl edit --full fapolicyd`, ++uncomment the respective line and save the change. ++ + ``` + allow perm=any gid=trusted_user : ftype=%languages dir=/home + deny_audit perm=any all : ftype=%languages dir=/home diff --git a/SOURCES/fapolicyd-sighup.patch b/SOURCES/fapolicyd-sighup.patch new file mode 100644 index 0000000..47ee190 --- /dev/null +++ b/SOURCES/fapolicyd-sighup.patch @@ -0,0 +1,141 @@ +diff -up ./src/daemon/fapolicyd.c.sighup ./src/daemon/fapolicyd.c +--- ./src/daemon/fapolicyd.c.sighup 2022-06-21 16:55:47.000000000 +0200 ++++ ./src/daemon/fapolicyd.c 2022-08-04 11:07:10.245069443 +0200 +@@ -527,6 +527,7 @@ int main(int argc, const char *argv[]) + while (!stop) { + if (hup) { + hup = 0; ++ msg(LOG_INFO, "Got SIGHUP"); + reconfigure(); + } + rc = poll(pfd, 2, -1); +diff -up ./src/library/database.c.sighup ./src/library/database.c +--- ./src/library/database.c.sighup 2022-08-04 11:07:10.237069609 +0200 ++++ ./src/library/database.c 2022-08-04 11:08:44.852057119 +0200 +@@ -68,7 +68,7 @@ static int lib_symlink=0, lib64_symlink= + static struct pollfd ffd[1] = { {0, 0, 0} }; + static const char *fifo_path = "/run/fapolicyd/fapolicyd.fifo"; + static integrity_t integrity; +-static atomic_int db_operation; ++static atomic_int reload_db = 0; + + static pthread_t update_thread; + static pthread_mutex_t update_lock; +@@ -1147,7 +1147,31 @@ static int handle_record(const char * bu + + void update_trust_database(void) + { +- db_operation = RELOAD_DB; ++ reload_db = 1; ++} ++ ++static void do_reload_db(conf_t* config) ++{ ++ msg(LOG_INFO,"It looks like there was an update of the system... Syncing DB."); ++ ++ int rc; ++ backend_close(); ++ backend_init(config); ++ backend_load(config); ++ ++ if ((rc = update_database(config))) { ++ msg(LOG_ERR, ++ "Cannot update trust database!"); ++ close(ffd[0].fd); ++ backend_close(); ++ unlink_fifo(); ++ exit(rc); ++ } ++ ++ msg(LOG_INFO, "Updated"); ++ ++ // Conserve memory ++ backend_close(); + } + + static void *update_thread_main(void *arg) +@@ -1158,6 +1182,8 @@ static void *update_thread_main(void *ar + char err_buff[BUFFER_SIZE]; + conf_t *config = (conf_t *)arg; + ++ int do_operation = DB_NO_OP;; ++ + #ifdef DEBUG + msg(LOG_DEBUG, "Update thread main started"); + #endif +@@ -1182,6 +1208,12 @@ static void *update_thread_main(void *ar + + rc = poll(ffd, 1, 1000); + ++ // got SIGHUP ++ if (reload_db) { ++ reload_db = 0; ++ do_reload_db(config); ++ } ++ + #ifdef DEBUG + msg(LOG_DEBUG, "Update poll interrupted"); + #endif +@@ -1228,17 +1260,17 @@ static void *update_thread_main(void *ar + // assume file name + // operation = 0 + if (buff[i] == '/') { +- db_operation = ONE_FILE; ++ do_operation = ONE_FILE; + break; + } + + if (buff[i] == '1') { +- db_operation = RELOAD_DB; ++ do_operation = RELOAD_DB; + break; + } + + if (buff[i] == '2') { +- db_operation = FLUSH_CACHE; ++ do_operation = FLUSH_CACHE; + break; + } + +@@ -1252,34 +1284,16 @@ static void *update_thread_main(void *ar + *end = '\n'; + + // got "1" -> reload db +- if (db_operation == RELOAD_DB) { +- db_operation = DB_NO_OP; +- msg(LOG_INFO, +- "It looks like there was an update of the system... Syncing DB."); +- +- backend_close(); +- backend_init(config); +- backend_load(config); +- +- if ((rc = update_database(config))) { +- msg(LOG_ERR, +- "Cannot update trust database!"); +- close(ffd[0].fd); +- backend_close(); +- unlink_fifo(); +- exit(rc); +- } +- +- msg(LOG_INFO, "Updated"); ++ if (do_operation == RELOAD_DB) { ++ do_operation = DB_NO_OP; ++ do_reload_db(config); + +- // Conserve memory +- backend_close(); + // got "2" -> flush cache +- } else if (db_operation == FLUSH_CACHE) { +- db_operation = DB_NO_OP; ++ } else if (do_operation == FLUSH_CACHE) { ++ do_operation = DB_NO_OP; + needs_flush = true; +- } else if (db_operation == ONE_FILE) { +- db_operation = DB_NO_OP; ++ } else if (do_operation == ONE_FILE) { ++ do_operation = DB_NO_OP; + if (handle_record(buff)) + continue; + } diff --git a/SOURCES/fapolicyd-user-group-doc.patch b/SOURCES/fapolicyd-user-group-doc.patch new file mode 100644 index 0000000..c8cdd75 --- /dev/null +++ b/SOURCES/fapolicyd-user-group-doc.patch @@ -0,0 +1,47 @@ +From fb4c274f4857f2d652014b0189abafb1df4b001a Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Tue, 19 Jul 2022 12:18:18 -0400 +Subject: [PATCH] Add documentation describing support for user/group names + +--- + doc/fapolicyd.rules.5 | 6 +++--- + init/fapolicyd.service | 2 ++ + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/doc/fapolicyd.rules.5 b/doc/fapolicyd.rules.5 +index aa77177..3b8ec09 100644 +--- a/doc/fapolicyd.rules.5 ++++ b/doc/fapolicyd.rules.5 +@@ -35,13 +35,13 @@ The subject is the process that is performing actions on system resources. The f + This matches against any subject. When used, this must be the only subject in the rule. + .TP + .B auid +-This is the login uid that the audit system assigns users when they log in to the system. Daemons have a value of -1. ++This is the login uid that the audit system assigns users when they log in to the system. Daemons have a value of -1. The given value may be numeric or the account name. + .TP + .B uid +-This is the user id that the program is running under. ++This is the user id that the program is running under. The given value may be numeric or the account name. + .TP + .B gid +-This is the group id that the program is running under. ++This is the group id that the program is running under. The given value may be numeric or the group name. + .TP + .B sessionid + This is the numeric session id that the audit system assigns to users when they log in. Daemons have a value of -1. +diff --git a/init/fapolicyd.service b/init/fapolicyd.service +index 715de98..a5a6a3f 100644 +--- a/init/fapolicyd.service ++++ b/init/fapolicyd.service +@@ -11,6 +11,8 @@ PIDFile=/run/fapolicyd.pid + ExecStartPre=/usr/sbin/fagenrules + ExecStart=/usr/sbin/fapolicyd + Restart=on-abnormal ++# Uncomment the following line if rules need user/group name lookup ++#After=nss-user-lookup.target + + [Install] + WantedBy=multi-user.target +-- +2.37.1 + diff --git a/SPECS/fapolicyd.spec b/SPECS/fapolicyd.spec index 5848518..648724e 100644 --- a/SPECS/fapolicyd.spec +++ b/SPECS/fapolicyd.spec @@ -5,7 +5,7 @@ Summary: Application Whitelisting Daemon Name: fapolicyd Version: 1.1.3 -Release: 6%{?dist} +Release: 8%{?dist} License: GPLv3+ URL: http://people.redhat.com/sgrubb/fapolicyd Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz @@ -13,7 +13,7 @@ Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/relea BuildRequires: gcc BuildRequires: kernel-headers BuildRequires: autoconf automake make gcc libtool -BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel file +BuildRequires: systemd-devel openssl-devel rpm-devel file-devel file BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel BuildRequires: python3-devel BuildRequires: python2-devel @@ -33,6 +33,13 @@ Patch1: fapolicyd-dnf-plugin.patch Patch2: fapolicyd-selinux.patch Patch3: fagenrules-group.patch +Patch4: fapolicyd-fgets-update-thread.patch +Patch5: fapolicyd-openssl.patch +Patch6: fapolicyd-user-group-doc.patch +Patch7: fapolicyd-cli-segfault.patch +Patch8: fapolicyd-sighup.patch +Patch9: fapolicyd-readme.patch + %description Fapolicyd (File Access Policy Daemon) implements application whitelisting to decide file access rights. Applications that are known via a reputation @@ -61,6 +68,12 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon. %patch1 -p1 -b .plugin %patch2 -p1 -b .selinux %patch3 -p1 -b .group +%patch4 -p1 -b .update-thread +%patch5 -p1 -b .openssl +%patch6 -p1 -b .user-group +%patch7 -p1 -b .segfault +%patch8 -p1 -b .sighup +%patch9 -p1 -b .readme # generate rules for python sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules @@ -91,7 +104,7 @@ popd %check make check -# selinux +# Selinux %pre selinux %selinux_relabel_pre -s %{selinuxtype} @@ -179,7 +192,7 @@ if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then # restore correct label /usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/* fi - fagenrules --load + fagenrules >/dev/null fi fi %systemd_post %{name}.service @@ -249,18 +262,24 @@ fi %selinux_relabel_post -s %{selinuxtype} %changelog -* Wed Jun 22 2022 Radovan Sroka - 1.1.3-6 +* Fri Aug 05 2022 Radovan Sroka - 1.1.3-8 RHEL 8.7.0 ERRATUM - rebase fapolicyd to the latest stable vesion Resolves: rhbz#2100087 +- fapolicyd does not correctly handle SIGHUP +Resolves: rhbz#2070639 +- fapolicyd often breaks package updates +Resolves: rhbz#2111243 +- drop libgcrypt in favour of openssl +Resolves: rhbz#2111935 +- fapolicyd.rules doesn't advertise that using a username/groupname instead of uid/gid also works +Resolves: rhbz#2103914 - fapolicyd gets way too easily killed by OOM killer Resolves: rhbz#2100089 - compiled.rules file ownership and mode Resolves: rhbz#2066653 - Faulty handling of static applications Resolves: rhbz#2084497 -- fapolicyd does not correctly handle SIGHUP -Resolves: rhbz#2070639 - Introduce ppid rule attribute Resolves: rhbz#2102563 - CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path [rhel-8.7.0]