From 10e79426173ffabe30367d35217707ccba0d1c7e Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 27 2021 04:13:53 +0000
Subject: import fapolicyd-1.0.2-6.el8
---
diff --git a/SOURCES/fapolicyd-fanotify-read-error.patch b/SOURCES/fapolicyd-fanotify-read-error.patch
new file mode 100644
index 0000000..7023449
--- /dev/null
+++ b/SOURCES/fapolicyd-fanotify-read-error.patch
@@ -0,0 +1,30 @@
+From d12dde7f3fdeb82a9fb064e26d260f40fb2036c0 Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Mon, 22 Mar 2021 10:38:31 -0400
+Subject: [PATCH] Do not exit on fanotify_event read failure
+
+---
+ ChangeLog | 1 +
+ src/daemon/notify.c | 11 ++++++++---
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/daemon/notify.c b/src/daemon/notify.c
+index 3e42b92..a83db39 100644
+--- a/src/daemon/notify.c
++++ b/src/daemon/notify.c
+@@ -337,8 +337,13 @@ void handle_events(void)
+ len = read(fd, (void *) buf, sizeof(buf));
+ } while (len == -1 && errno == EINTR && stop == 0);
+ if (len == -1 && errno != EAGAIN) {
+- msg(LOG_ERR,"Error reading (%s)", strerror(errno));
+- exit(1);
++ // If we get this, we have no access to the file. We
++ // cannot formulate a reply either to deny it because
++ // we have nothing to work with.
++ msg(LOG_ERR,
++ "Error receiving fanotify_event (%s)",
++ strerror(errno));
++ return;
+ }
+ if (stop)
+ return;
diff --git a/SOURCES/selinux.patch b/SOURCES/selinux.patch
index 9f304fb..ebedb50 100644
--- a/SOURCES/selinux.patch
+++ b/SOURCES/selinux.patch
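Review bot: The new `return` after a failed read() in handle_events leaves the pending fanotify permission event unanswered, so whether the blocked process gets its access is now decided by the kernel's fallback for an undelivered event rather than by fapolicyd's rules; the comment in the hunk should say that outright, and the log line should tell the operator, e.g. `"Error receiving fanotify_event (%s); no decision was sent for this access"`. A non-transient error other than EAGAIN (EBADF, EINVAL) now also produces a return on every call, and if the caller re-enters handle_events immediately (not visible here) that is a tight loop emitting one LOG_ERR per iteration — a counter of consecutive failures that backs off or still exits past a threshold would keep the one-off failure this targets harmless without turning a dead descriptor into a log flood. handle_events begins before and ends after this hunk.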
@@ -1,8 +1,12 @@ diff -up ./fapolicyd-selinux-0.3/fapolicyd.te.selinux ./fapolicyd-selinux-0.3/fapolicyd.te
---- ./fapolicyd-selinux-0.3/fapolicyd.te.selinux 2020-11-16 20:26:57.777902314 +0100
-+++ ./fapolicyd-selinux-0.3/fapolicyd.te 2020-11-16 20:28:17.659857140 +0100
-@@ -64,7 +64,10 @@ files_read_all_files(fapolicyd_t)
+--- ./fapolicyd-selinux-0.3/fapolicyd.te.selinux 2020-06-01 14:41:37.000000000 +0200
++++ ./fapolicyd-selinux-0.3/fapolicyd.te 2021-03-19 10:50:13.885358270 +0100
+@@ -62,9 +62,14 @@ domain_read_all_domains_state(fapolicyd_
+ files_mmap_usr_files(fapolicyd_t)
+ files_read_all_files(fapolicyd_t)
fs_getattr_xattr_fs(fapolicyd_t)
++kernel_read_all_sysctls(fapolicyd_t)
++kernel_read_all_proc(fapolicyd_t)
logging_send_syslog_msg(fapolicyd_t)
+dbus_system_bus_client(fapolicyd_t)
diff --git a/SPECS/fapolicyd.spec b/SPECS/fapolicyd.spec
index fd1a6c3..d14fde9 100644
--- a/SPECS/fapolicyd.spec
+++ b/SPECS/fapolicyd.spec
@@ -6,7 +6,7 @@ Summary: Application Whitelisting Daemon
Name: fapolicyd
Version: 1.0.2
-Release: 5%{?dist}
+Release: 6%{?dist}
License: GPLv3+
URL: http://people.redhat.com/sgrubb/fapolicyd
Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
@@ -44,6 +44,8 @@ Patch8: fapolicyd-unlink3.patch
Patch9: fapolicyd-unlink-fifo1.patch
Patch10: fapolicyd-unlink-fifo2.patch
+Patch11: fapolicyd-fanotify-read-error.patch
+
%description
Fapolicyd (File Access Policy Daemon) implements application whitelisting to decide file access rights. Applications that are known via a reputation
@@ -83,6 +85,8 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.
%patch9 -p1 -b .unlink_fifo1
%patch10 -p1 -b .unlink_fifo2
+%patch11 -p1 -b .fanotify_read
+
# generate rules for python
sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
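Review bot: `kernel_read_all_sysctls(fapolicyd_t)` and `kernel_read_all_proc(fapolicyd_t)` are the widest read grants in the kernel policy module, added next to a domain that already carries `domain_read_all_domains_state` and `files_read_all_files`, and nothing in the hunk records which AVC denial they are meant to clear (presumably one hit while sosreport was running, per the changelog). If the denial named a single sysctl class, the narrower interfaces (`kernel_read_kernel_sysctls`, `kernel_read_fs_sysctls`, `kernel_read_net_sysctls`) keep the confined daemon from reading every sysctl, e.g. replace the first added line with `kernel_read_kernel_sysctls(fapolicyd_t)` once the audit log confirms the target. Either way a one-line comment above the two new lines naming the bug and the denied path would let a later policy review tighten or justify them.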
@@ -213,7 +217,12 @@ fi
%selinux_relabel_post -s %{selinuxtype}
%changelog
-* Tue Mar 18 2021 Radovan Sroka - 1.0.2-5
+* Tue Mar 23 2021 Radovan Sroka - 1.0.2-6
+RHEL 8.4.0 ERRATUM
+- fapolicyd abnormally exits by executing sosreport
+Resolves: rhbz#1940289
+
+* Thu Mar 18 2021 Radovan Sroka - 1.0.2-5
RHEL 8.4.0 ERRATUM
- fixed multiple problems with unlink()
- fapolicyd breaks system upgrade, leaving system in dead state - complete fix