From 25361f1245948121bcbe6902470b7c2bd341eda6 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Oct 06 2021 08:58:41 +0000 Subject: import fapolicyd-1.0.2-6.el8 --- diff --git a/SOURCES/fapolicyd-fanotify-read-error.patch b/SOURCES/fapolicyd-fanotify-read-error.patch new file mode 100644 index 0000000..7023449 --- /dev/null +++ b/SOURCES/fapolicyd-fanotify-read-error.patch @@ -0,0 +1,30 @@ +From d12dde7f3fdeb82a9fb064e26d260f40fb2036c0 Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Mon, 22 Mar 2021 10:38:31 -0400 +Subject: [PATCH] Do not exit on fanotify_event read failure + +--- + ChangeLog | 1 + + src/daemon/notify.c | 11 ++++++++--- + 2 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/src/daemon/notify.c b/src/daemon/notify.c +index 3e42b92..a83db39 100644 +--- a/src/daemon/notify.c ++++ b/src/daemon/notify.c +@@ -337,8 +337,13 @@ void handle_events(void) + len = read(fd, (void *) buf, sizeof(buf)); + } while (len == -1 && errno == EINTR && stop == 0); + if (len == -1 && errno != EAGAIN) { +- msg(LOG_ERR,"Error reading (%s)", strerror(errno)); +- exit(1); ++ // If we get this, we have no access to the file. We ++ // cannot formulate a reply either to deny it because ++ // we have nothing to work with. ++ msg(LOG_ERR, ++ "Error receiving fanotify_event (%s)", ++ strerror(errno)); ++ return; + } + if (stop) + return; diff --git a/SOURCES/fapolicyd-unlink-fifo1.patch b/SOURCES/fapolicyd-unlink-fifo1.patch new file mode 100644 index 0000000..e92f3b6 --- /dev/null +++ b/SOURCES/fapolicyd-unlink-fifo1.patch @@ -0,0 +1,50 @@ +From 8cf74e7f147836e81c3583a046e4dc2b4673a14c Mon Sep 17 00:00:00 2001 +From: Radovan Sroka +Date: Thu, 11 Mar 2021 14:45:50 +0100 +Subject: [PATCH] Ensure that fifo will be removed after termination + +- unlink_fifo() will be called after every succesful termination +because dnf/yum can hang if the pipe exists after daemon termination + +- move preconstruct_fifo() out of the scope because it is needed also +when the daemon is configured to run as root + +Signed-off-by: Radovan Sroka +--- + src/daemon/fapolicyd.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/src/daemon/fapolicyd.c b/src/daemon/fapolicyd.c +index 5dce666..c29611c 100644 +--- a/src/daemon/fapolicyd.c ++++ b/src/daemon/fapolicyd.c +@@ -446,6 +446,17 @@ int main(int argc, const char *argv[]) + openlog("fapolicyd", LOG_PID, LOG_DAEMON); + } + ++ // Set the exit function so there is always a fifo cleanup ++ if (atexit(unlink_fifo)) { ++ msg(LOG_ERR, "Cannot set exit function"); ++ exit(1); ++ } ++ ++ if (preconstruct_fifo(&config)) { ++ msg(LOG_ERR, "Cannot contruct a pipe"); ++ exit(1); ++ } ++ + // Setup filesystem to watch list + init_fs_list(config.watch_fs); + +@@ -454,8 +465,6 @@ int main(int argc, const char *argv[]) + + // If we are not going to be root, then setup necessary capabilities + if (config.uid != 0) { +- if (preconstruct_fifo(&config)) +- exit(1); + capng_clear(CAPNG_SELECT_BOTH); + capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, + CAP_DAC_OVERRIDE, CAP_SYS_ADMIN, CAP_SYS_PTRACE, +-- +2.26.2 + diff --git a/SOURCES/fapolicyd-unlink-fifo2.patch b/SOURCES/fapolicyd-unlink-fifo2.patch new file mode 100644 index 0000000..ea1f6f1 --- /dev/null +++ b/SOURCES/fapolicyd-unlink-fifo2.patch @@ -0,0 +1,35 @@ +From 7c2726e8d9c3aa5f8f6710a7ea147bf99877e1a5 Mon Sep 17 00:00:00 2001 +From: Radovan Sroka +Date: Tue, 16 Mar 2021 12:49:48 +0100 +Subject: [PATCH] Fixed problem with startup failed on unlink() (#120) + +- introduced in 128e22d0c638aed81337a6dbbfa664e5bfc9ea06 + +- daemon does not start when unlinking non existing db +- fapolicyd-cli returned error when there is no db to unlink + +Signed-off-by: Radovan Sroka +--- + src/library/database.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/library/database.c b/src/library/database.c +index a010923..59816cb 100644 +--- a/src/library/database.c ++++ b/src/library/database.c +@@ -718,13 +718,13 @@ int unlink_db(void) + + snprintf(path, sizeof(path), "%s/data.mdb", data_dir); + rc = unlink(path); +- if (rc) { ++ if (rc == -1 && errno != ENOENT) { + msg(LOG_ERR, "Could not unlink %s (%s)", path, strerror(errno)); + ret_val = 1; + } + snprintf(path, sizeof(path), "%s/lock.mdb", data_dir); + rc = unlink(path); +- if (rc) { ++ if (rc == -1 && errno != ENOENT) { + msg(LOG_ERR, "Could not unlink %s (%s)", path, strerror(errno)); + ret_val = 1; + } diff --git a/SOURCES/fapolicyd-unlink1.patch b/SOURCES/fapolicyd-unlink1.patch new file mode 100644 index 0000000..37dc715 --- /dev/null +++ b/SOURCES/fapolicyd-unlink1.patch @@ -0,0 +1,25 @@ +From a0d93349003100ec773c3253e515c7162737c4c2 Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Wed, 3 Mar 2021 13:16:07 -0500 +Subject: [PATCH] Add error message for debugging + +--- + src/library/database.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/library/database.c b/src/library/database.c +index db52000..9497c06 100644 +--- a/src/library/database.c ++++ b/src/library/database.c +@@ -161,8 +161,10 @@ static int init_db(const conf_t *config) + return 4; + + int rc = mdb_env_open(env, data_dir, flags, 0660); +- if (rc) ++ if (rc) { ++ msg(LOG_ERR, "env_open error: %s", mdb_strerror(rc)); + return 5; ++ } + + MDB_maxkeysize = mdb_env_get_maxkeysize(env); + integrity = config->integrity; diff --git a/SOURCES/fapolicyd-unlink2.patch b/SOURCES/fapolicyd-unlink2.patch new file mode 100644 index 0000000..0e1fb4a --- /dev/null +++ b/SOURCES/fapolicyd-unlink2.patch @@ -0,0 +1,33 @@ +From 1b862f3b7c489928f1861396cebb763ae0654371 Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Wed, 3 Mar 2021 13:22:10 -0500 +Subject: [PATCH] Add error message for debugging + +--- + src/library/database.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/library/database.c b/src/library/database.c +index 9497c06..831ec74 100644 +--- a/src/library/database.c ++++ b/src/library/database.c +@@ -713,12 +713,17 @@ static int check_database_copy(void) + */ + void unlink_db(void) + { ++ int rc; + char path[64]; + + snprintf(path, sizeof(path), "%s/data.mdb", data_dir); +- unlink(path); ++ rc = unlink(path); ++ if (rc) ++ msg(LOG_ERR, "Could not unlink %s (%s)", path, strerror(errno)); + snprintf(path, sizeof(path), "%s/lock.mdb", data_dir); +- unlink(path); ++ rc = unlink(path); ++ if (rc) ++ msg(LOG_ERR, "Could not unlink %s (%s)", path, strerror(errno)); + } + + diff --git a/SOURCES/fapolicyd-unlink3.patch b/SOURCES/fapolicyd-unlink3.patch new file mode 100644 index 0000000..571cab5 --- /dev/null +++ b/SOURCES/fapolicyd-unlink3.patch @@ -0,0 +1,114 @@ +From 128e22d0c638aed81337a6dbbfa664e5bfc9ea06 Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Wed, 3 Mar 2021 13:34:58 -0500 +Subject: [PATCH] If db migration fails due to unlinking problem, fail startup + +--- + ChangeLog | 1 + + src/cli/fapolicyd-cli.c | 5 +++-- + src/library/database.c | 22 ++++++++++++++++------ + src/library/database.h | 4 ++-- + 4 files changed, 22 insertions(+), 10 deletions(-) + +diff --git a/src/cli/fapolicyd-cli.c b/src/cli/fapolicyd-cli.c +index 994c9a6..fb9081b 100644 +--- a/src/cli/fapolicyd-cli.c ++++ b/src/cli/fapolicyd-cli.c +@@ -1,6 +1,6 @@ + /* + * fapolicy-cli.c - CLI tool for fapolicyd +- * Copyright (c) 2019,2020 Red Hat Inc. ++ * Copyright (c) 2019-2021 Red Hat Inc. + * All Rights Reserved. + * + * This software may be freely redistributed and/or modified under the +@@ -89,7 +89,8 @@ static char *get_line(FILE *f, unsigned *lineno) + + static int do_delete_db(void) + { +- unlink_db(); ++ if (unlink_db()) ++ return 1; + return 0; + } + +diff --git a/src/library/database.c b/src/library/database.c +index 831ec74..a010923 100644 +--- a/src/library/database.c ++++ b/src/library/database.c +@@ -1,6 +1,6 @@ + /* + * database.c - Trust database +- * Copyright (c) 2016,2018-20 Red Hat Inc. ++ * Copyright (c) 2016,2018-21 Red Hat Inc. + * All Rights Reserved. + * + * This software may be freely redistributed and/or modified under the +@@ -711,23 +711,32 @@ static int check_database_copy(void) + /* + * This function removes the trust database files. + */ +-void unlink_db(void) ++int unlink_db(void) + { +- int rc; ++ int rc, ret_val = 0; + char path[64]; + + snprintf(path, sizeof(path), "%s/data.mdb", data_dir); + rc = unlink(path); +- if (rc) ++ if (rc) { + msg(LOG_ERR, "Could not unlink %s (%s)", path, strerror(errno)); ++ ret_val = 1; ++ } + snprintf(path, sizeof(path), "%s/lock.mdb", data_dir); + rc = unlink(path); +- if (rc) ++ if (rc) { + msg(LOG_ERR, "Could not unlink %s (%s)", path, strerror(errno)); ++ ret_val = 1; ++ } ++ ++ return ret_val; + } + + + /* ++ * DB version 1 = unique keys (0.8 - 0.9.2) ++ * DB version 2 = allow duplicate keys (0.9.3 - ) ++ * + * This function is used to detect if we are using version1 of the database. + * If so, we have to delete the database and rebuild it. We cannot mix + * database versions because lmdb doesn't do that. +@@ -744,7 +753,8 @@ static int migrate_database(void) + msg(LOG_INFO, "Database migration will be performed."); + + // Then we have a version1 db since it does not track versions +- unlink_db(); ++ if (unlink_db()) ++ return 1; + + // Create the new, db version tracker and write current version + fd = open(vpath, O_CREAT|O_EXCL|O_WRONLY, 0640); +diff --git a/src/library/database.h b/src/library/database.h +index e828503..f4516b2 100644 +--- a/src/library/database.h ++++ b/src/library/database.h +@@ -1,6 +1,6 @@ + /* + * database.h - Header file for trust database +- * Copyright (c) 2018-20 Red Hat Inc. ++ * Copyright (c) 2018-21 Red Hat Inc. + * All Rights Reserved. + * + * This software may be freely redistributed and/or modified under the +@@ -41,7 +41,7 @@ int init_database(conf_t *config); + int check_trust_database(const char *path, struct file_info *info, int fd); + void close_database(void); + void database_report(FILE *f); +-void unlink_db(void); ++int unlink_db(void); + void unlink_fifo(void); + + #endif diff --git a/SOURCES/selinux.patch b/SOURCES/selinux.patch index 9f304fb..ebedb50 100644 --- a/SOURCES/selinux.patch +++ b/SOURCES/selinux.patch @@ -1,8 +1,12 @@ diff -up ./fapolicyd-selinux-0.3/fapolicyd.te.selinux ./fapolicyd-selinux-0.3/fapolicyd.te ---- ./fapolicyd-selinux-0.3/fapolicyd.te.selinux 2020-11-16 20:26:57.777902314 +0100 -+++ ./fapolicyd-selinux-0.3/fapolicyd.te 2020-11-16 20:28:17.659857140 +0100 -@@ -64,7 +64,10 @@ files_read_all_files(fapolicyd_t) +--- ./fapolicyd-selinux-0.3/fapolicyd.te.selinux 2020-06-01 14:41:37.000000000 +0200 ++++ ./fapolicyd-selinux-0.3/fapolicyd.te 2021-03-19 10:50:13.885358270 +0100 +@@ -62,9 +62,14 @@ domain_read_all_domains_state(fapolicyd_ + files_mmap_usr_files(fapolicyd_t) + files_read_all_files(fapolicyd_t) fs_getattr_xattr_fs(fapolicyd_t) ++kernel_read_all_sysctls(fapolicyd_t) ++kernel_read_all_proc(fapolicyd_t) logging_send_syslog_msg(fapolicyd_t) +dbus_system_bus_client(fapolicyd_t) diff --git a/SPECS/fapolicyd.spec b/SPECS/fapolicyd.spec index 3d8a62f..d14fde9 100644 --- a/SPECS/fapolicyd.spec +++ b/SPECS/fapolicyd.spec @@ -6,7 +6,7 @@ Summary: Application Whitelisting Daemon Name: fapolicyd Version: 1.0.2 -Release: 3%{?dist} +Release: 6%{?dist} License: GPLv3+ URL: http://people.redhat.com/sgrubb/fapolicyd Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz @@ -34,10 +34,18 @@ Patch4: fapolicyd-cli-hang.patch # we are making the dnf-plugin completelly dummy because of # https://bugzilla.redhat.com/show_bug.cgi?id=1929163 -# we requires rpm-plugin now and dnf-plugin still needs to be part of -# fapolicyd package because it provides safe upgrade path +# we require the rpm-plugin from now on and the dnf-plugin still needs to be part of +# the fapolicyd package because it provides safe upgrade path Patch5: fapolicyd-dnf-plugin.patch +Patch6: fapolicyd-unlink1.patch +Patch7: fapolicyd-unlink2.patch +Patch8: fapolicyd-unlink3.patch +Patch9: fapolicyd-unlink-fifo1.patch +Patch10: fapolicyd-unlink-fifo2.patch + +Patch11: fapolicyd-fanotify-read-error.patch + %description Fapolicyd (File Access Policy Daemon) implements application whitelisting to decide file access rights. Applications that are known via a reputation @@ -70,6 +78,15 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon. %patch5 -p1 -b .plugin +%patch6 -p1 -b .unlink1 +%patch7 -p1 -b .unlink2 +%patch8 -p1 -b .unlink3 + +%patch9 -p1 -b .unlink_fifo1 +%patch10 -p1 -b .unlink_fifo2 + +%patch11 -p1 -b .fanotify_read + # generate rules for python sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.* sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.* @@ -136,6 +153,7 @@ if posix.access("/run/fapolicyd.pid", "f") then echo "$rule" > $c cat $tmp >> $c systemctl restart fapolicyd || true + sleep 10 cat $tmp > $c rm -f $tmp fi @@ -188,6 +206,7 @@ end %post selinux %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 +%selinux_relabel_post -s %{selinuxtype} %postun selinux if [ $1 -eq 0 ]; then @@ -198,6 +217,17 @@ fi %selinux_relabel_post -s %{selinuxtype} %changelog +* Tue Mar 23 2021 Radovan Sroka - 1.0.2-6 +RHEL 8.4.0 ERRATUM +- fapolicyd abnormally exits by executing sosreport +Resolves: rhbz#1940289 + +* Thu Mar 18 2021 Radovan Sroka - 1.0.2-5 +RHEL 8.4.0 ERRATUM +- fixed multiple problems with unlink() +- fapolicyd breaks system upgrade, leaving system in dead state - complete fix +Resolves: rhbz#1896875 + * Tue Feb 16 2021 Radovan Sroka - 1.0.2-3 RHEL 8.4.0 ERRATUM - rebase to 1.0.2