From 4255d0dafa5626f0ed7120289f3f36fcf2d03ea1 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Dec 16 2020 16:34:19 +0000
Subject: import fapolicyd-1.0-3.el8_3.4
---
diff --git a/SOURCES/fapolicyd-deleted-suffix.patch b/SOURCES/fapolicyd-deleted-suffix.patch
new file mode 100644
index 0000000..1c450ea
--- /dev/null
+++ b/SOURCES/fapolicyd-deleted-suffix.patch
@@ -0,0 +1,49 @@
+From 8b7ea120670525d9ac7f1698ae7482d691e840a4 Mon Sep 17 00:00:00 2001
+From: Radovan Sroka
+Date: Mon, 9 Nov 2020 17:02:22 +0100
+Subject: [PATCH] Added check for " (deleted)" suffix in get_program_from_fd()
+ (#97)
+
+- get rid of this suffix
+
+Signed-off-by: Radovan Sroka
+
+Removed strstr (#102)
+---
+ src/library/process.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/src/library/process.c b/src/library/process.c
+index edd2cca..6406610 100644
+--- a/src/library/process.c
++++ b/src/library/process.c
+@@ -146,10 +146,24 @@ char *get_program_from_pid(pid_t pid, size_t blen, char *buf)
+ 
+ return buf;
+ }
++
++ size_t len = 0;
+ if ((size_t)path_len < blen)
+- buf[path_len] = 0;
++ len = path_len;
+ else
+- buf[blen-1] = '\0';
++ len = blen-1;
++
++ buf[len] = '\0';
++ // some binaries can be deleted after execution
++ // then we need to delete the suffix so they are
++ // trusted even after deletion
++
++ // strlen(" deleted") == 10
++ if (buf[len-1] == ')' && len > 10) {
++
++ if (strcmp(&buf[len - 10], " (deleted)") == 0)
++ buf[len - 10] = '\0';
++ }
+ 
+ return buf;
+ }
+-- 
+2.26.2
+
diff --git a/SOURCES/fapolicyd-java1.patch b/SOURCES/fapolicyd-java1.patch
new file mode 100644
index 0000000..336df8e
--- /dev/null
+++ b/SOURCES/fapolicyd-java1.patch
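Review bot: In the new suffix check in get_program_from_pid, `buf[len-1]` is evaluated before `len > 10`, so when `len` is 0 (a zero-length `path_len`, or `blen == 1`) the `size_t` index wraps to `SIZE_MAX` and the read is out of bounds; swap the operands so the length guards the access: `if (len > 10 && buf[len-1] == ')') {`. Whether `path_len` can actually be 0 depends on how it is produced above the hunk, which is outside this view, as is the rest of get_program_from_pid. The comment above the check reads `// strlen(" deleted") == 10` but the literal actually compared is `" (deleted)"`; the count is right for that literal, so the comment should quote it: `// strlen(" (deleted)") == 10`.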
@@ -0,0 +1,23 @@
+From 6810b42e04dd1f450862a647f05c62706f3a1c40 Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Thu, 12 Nov 2020 22:21:36 -0500
+Subject: [PATCH] Add application/x-java-applet to languages in known.libs
+
+---
+ ChangeLog | 1 +
+ init/fapolicyd.rules.known-libs | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/init/fapolicyd.rules.known-libs b/init/fapolicyd.rules.known-libs
+index a847f71..d7ce529 100644
+--- a/init/fapolicyd.rules.known-libs
++++ b/init/fapolicyd.rules.known-libs
+@@ -3,7 +3,7 @@
+ # performance while ensuring that there is not much interference by
+ # the daemon.
+ 
+-%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/javascript,text/x-awk,text/x-gawk,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
++%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/x-java,application/x-java-applet,text/javascript,text/x-awk,text/x-gawk,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
+ 
+ # Carve out an exception for dracut initramfs building
+ allow perm=any uid=0 : dir=/var/tmp/
diff --git a/SOURCES/fapolicyd-java2.patch b/SOURCES/fapolicyd-java2.patch
new file mode 100644
index 0000000..29cac7c
--- /dev/null
+++ b/SOURCES/fapolicyd-java2.patch
@@ -0,0 +1,65 @@
+From 32a47ce0557c9b38ee59acec97d8f5bd01b4751d Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Tue, 10 Nov 2020 11:47:37 -0500
+Subject: [PATCH] Pickup more languages in /usr/share
+
+It turns out that there is a lot of languages placing code for execution
+in /usr/share. This patch widens the filter so that more file extensions
+are included in the trust database. Without this, access to pki-ca.jar,
+for example, is denied access.
+---
+ src/library/rpm-backend.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/src/library/rpm-backend.c b/src/library/rpm-backend.c
+index 25f867a..6ce8a2d 100644
+--- a/src/library/rpm-backend.c
++++ b/src/library/rpm-backend.c
+@@ -183,6 +183,7 @@ static int drop_path(const char *file_name)
+ // Drop anything in /usr/share that's
+ // not python, javascript, or has a libexec dir
+ if (file_name[6] == 'h' ) {
++ // These are roughly ordered by quantity
+ if (fnmatch("*.py?",
+ file_name, 0) == 0)
+ return 0;
+@@ -192,9 +193,39 @@ static int drop_path(const char *file_name)
+ else if (fnmatch("*/libexec/*",
+ file_name, 0) == 0)
+ return 0;
++ else if (fnmatch("*.rb",
++ file_name, 0) == 0)
++ return 0;
++ else if (fnmatch("*.pl",
++ file_name, 0) == 0)
++ return 0;
++ else if (fnmatch("*.stp",
++ file_name, 0) == 0)
++ return 0;
+ else if (fnmatch("*.js",
+ file_name, 0) == 0)
+ return 0;
++ else if (fnmatch("*.jar",
++ file_name, 0) == 0)
++ return 0;
++ else if (fnmatch("*.m4",
++ file_name, 0) == 0)
++ return 0;
++ else if (fnmatch("*.php",
++ file_name, 0) == 0)
++ return 0;
++ else if (fnmatch("*.el",
++ file_name, 0) == 0)
++ return 0;
++ else if (fnmatch("*.pm",
++ file_name, 0) == 0)
++ return 0;
++ else if (fnmatch("*.lua",
++ file_name, 0) == 0)
++ return 0;
++ else if (fnmatch("*.java",
++ file_name, 0) == 0)
++ return 0;
+ return 1;
+ // Akmod need scripts in /usr/src/kernel
+ } else if (file_name[6] == 'r' ) {
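Review bot: The /usr/share filter in drop_path is now a fourteen-branch chain of identical `else if (fnmatch(...)) return 0;` blocks, which fapolicyd-java3.patch (next hunk) then annotates branch by branch and fapolicyd-java4.patch edits in place; a file-scope table of globs walked by one loop keeps each extension's comment next to its pattern and turns later additions into one-line changes. drop_path begins before this hunk, so only the `file_name[6] == 'h'` branch is rewritten below; the per-language comments from java3 would become trailing comments on the table entries, and java4's `*.class` would replace `*.java` there. As a side point, java3 labels both `*.jar` and `*.java` with `// Java`; the second entry could say `// Java class files` once java4 lands.
```c
// Files under /usr/share that a language runtime executes, matched by
// suffix (or a private libexec dir); roughly ordered by quantity.
static const char *const share_code_globs[] = {
	"*.py?", "*.py", "*/libexec/*",
	"*.rb", "*.pl", "*.stp", "*.js", "*.jar",
	"*.m4", "*.php", "*.el", "*.pm", "*.lua", "*.java",
};

	/* … unchanged: earlier prefix checks in drop_path … */
	if (file_name[6] == 'h' ) {
		for (size_t i = 0;
		     i < sizeof(share_code_globs) / sizeof(share_code_globs[0]);
		     i++) {
			if (fnmatch(share_code_globs[i], file_name, 0) == 0)
				return 0;
		}
		return 1;
	// Akmod need scripts in /usr/src/kernel
	} else if (file_name[6] == 'r' ) {
```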
diff --git a/SOURCES/fapolicyd-java3.patch b/SOURCES/fapolicyd-java3.patch
new file mode 100644
index 0000000..4791869
--- /dev/null
+++ b/SOURCES/fapolicyd-java3.patch
@@ -0,0 +1,74 @@
+From 006a656205765ce26327d176b4ca07e44bd55422 Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Tue, 10 Nov 2020 16:44:25 -0500
+Subject: [PATCH] Add comments about what each file extension is looking for in
+ the /usr/share filter
+
+---
+ src/library/rpm-backend.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/src/library/rpm-backend.c b/src/library/rpm-backend.c
+index 6ce8a2d..ba648d3 100644
+--- a/src/library/rpm-backend.c
++++ b/src/library/rpm-backend.c
+@@ -184,45 +184,59 @@ static int drop_path(const char *file_name)
+ // not python, javascript, or has a libexec dir
+ if (file_name[6] == 'h' ) {
+ // These are roughly ordered by quantity
++ // Python byte code
+ if (fnmatch("*.py?",
+ file_name, 0) == 0)
+ return 0;
++ // Python text files
+ else if (fnmatch("*.py",
+ file_name, 0) == 0)
+ return 0;
++ // Some apps have a private libexec
+ else if (fnmatch("*/libexec/*",
+ file_name, 0) == 0)
+ return 0;
++ // Ruby
+ else if (fnmatch("*.rb",
+ file_name, 0) == 0)
+ return 0;
++ // Perl
+ else if (fnmatch("*.pl",
+ file_name, 0) == 0)
+ return 0;
++ // System Tap
+ else if (fnmatch("*.stp",
+ file_name, 0) == 0)
+ return 0;
++ // Javascript
+ else if (fnmatch("*.js",
+ file_name, 0) == 0)
+ return 0;
++ // Java
+ else if (fnmatch("*.jar",
+ file_name, 0) == 0)
+ return 0;
++ // M4
+ else if (fnmatch("*.m4",
+ file_name, 0) == 0)
+ return 0;
++ // PHP
+ else if (fnmatch("*.php",
+ file_name, 0) == 0)
+ return 0;
++ // Lisp
+ else if (fnmatch("*.el",
+ file_name, 0) == 0)
+ return 0;
++ // Perl Modules
+ else if (fnmatch("*.pm",
+ file_name, 0) == 0)
+ return 0;
++ // Lua
+ else if (fnmatch("*.lua",
+ file_name, 0) == 0)
+ return 0;
++ // Java
+ else if (fnmatch("*.java",
+ file_name, 0) == 0)
+ return 0;
diff --git a/SOURCES/fapolicyd-java4.patch b/SOURCES/fapolicyd-java4.patch
new file mode 100644
index 0000000..a0bccf6
--- /dev/null
+++ b/SOURCES/fapolicyd-java4.patch
@@ -0,0 +1,32 @@
+From 2ac23e04f3f14716cf4493fc30eb6ad63760d945 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel
+Date: Wed, 11 Nov 2020 07:26:29 -0500
+Subject: [PATCH] Allow .class files instead of .java files (#101)
+
+.java files themselves aren't directly executable using the default java
+program; instead, they must first be compiled to .class files (using
+javac) before they can be executed via java. This means that .java files
+shipped in RPMs (as say, API usage examples) won't be executed and don't
+necessarily need to be. They could however, be compiled first and then
+executed as .class; however, this resulting .class file should likely be
+somewhere other than /usr/share if it wasn't distributed by the RPM
+itself.
+
+Signed-off-by: Alexander Scheel
+---
+ src/library/rpm-backend.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/library/rpm-backend.c b/src/library/rpm-backend.c
+index ba648d3..111e9f2 100644
+--- a/src/library/rpm-backend.c
++++ b/src/library/rpm-backend.c
+@@ -237,7 +237,7 @@ static int drop_path(const char *file_name)
+ file_name, 0) == 0)
+ return 0;
+ // Java
+- else if (fnmatch("*.java",
++ else if (fnmatch("*.class",
+ file_name, 0) == 0)
+ return 0;
+ return 1;
diff --git a/SOURCES/fapolicyd-java5.patch b/SOURCES/fapolicyd-java5.patch
new file mode 100644
index 0000000..8052ddf
--- /dev/null
+++ b/SOURCES/fapolicyd-java5.patch
@@ -0,0 +1,24 @@ +From 26fd69ab1df5025a4445ac533c2b273a2f1dda3b Mon Sep 17 00:00:00 2001 +From: Radovan Sroka +Date: Wed, 2 Dec 2020 16:01:54 +0100 +Subject: [PATCH] Sync languages list + +Signed-off-by: Radovan Sroka +--- + init/fapolicyd.rules.restrictive | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/init/fapolicyd.rules.restrictive b/init/fapolicyd.rules.restrictive +index 1635ef3..50944f1 100644 +--- a/init/fapolicyd.rules.restrictive ++++ b/init/fapolicyd.rules.restrictive +@@ -14,8 +14,7 @@ + # %python=/usr/bin/python2.7,/usr/bin/python3.6 + # allow perm=open exe=%python : all + # +- +-%languages=application/x-bytecode.ocaml,application/java-archive,text/javascript,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap ++%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/x-java,application/x-java-applet,text/javascript,text/x-awk,text/x-gawk,text/x-lisp,application/x-elc,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap + + # Carve out an exception for dracut + allow perm=any uid=0 : dir=/var/tmp/ diff --git a/SPECS/fapolicyd.spec b/SPECS/fapolicyd.spec index ae1d6a9..17f0e89 100644 --- a/SPECS/fapolicyd.spec +++ b/SPECS/fapolicyd.spec @@ -6,7 +6,7 @@ Summary: Application Whitelisting Daemon Name: fapolicyd Version: 1.0 -Release: 3%{?dist} +Release: 3%{?dist}.4 License: GPLv3+ URL: http://people.redhat.com/sgrubb/fapolicyd Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz @@ -19,6 +19,7 @@ BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel BuildRequires: python3-devel BuildRequires: python2-devel Recommends: %{name}-selinux + Requires(pre): shadow-utils Requires(post): systemd-units Requires(preun): systemd-units 
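Review bot: The `%languages` line this hunk writes into fapolicyd.rules.restrictive is not the same as the one fapolicyd-java1.patch writes into fapolicyd.rules.known-libs: it additionally carries `application/x-elc`, so the two shipped rule sets still diverge after this commit even though the subject says they are synced. If Emacs byte-code is meant to be treated as a language in both profiles (fapolicyd-java3.patch also keeps `*.el` files from /usr/share in the trust database), add `application/x-elc` to the known-libs line as well; otherwise drop it here so the lists genuinely match. A comment on both lines saying they must be kept identical would stop the next drift.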
@@ -38,6 +39,13 @@ Patch10: fapolicyd-cli-big-buffer.patch Patch11: fapolicyd-get-line.patch Patch12: fapolicyd-man-page-trust.patch +Patch13: fapolicyd-deleted-suffix.patch +Patch14: fapolicyd-java1.patch +Patch15: fapolicyd-java2.patch +Patch16: fapolicyd-java3.patch +Patch17: fapolicyd-java4.patch +Patch18: fapolicyd-java5.patch + %description Fapolicyd (File Access Policy Daemon) implements application whitelisting to decide file access rights. Applications that are known via a reputation @@ -51,7 +59,20 @@ Requires: %{name} = %{version}-%{release} BuildRequires: selinux-policy BuildRequires: selinux-policy-devel BuildArch: noarch -%{?selinux_requires} +#%%{?selinux_requires} +Requires: selinux-policy >= 3.14.3-54.el8 +BuildRequires: pkgconfig(systemd) +BuildRequires: selinux-policy +BuildRequires: selinux-policy-devel +Requires(post): selinux-policy-base >= 3.14.3-54.el8 +Requires(post): libselinux-utils +Requires(post): policycoreutils +%if 032 || 0 > 7 +Requires(post): policycoreutils-python-utils +%else +Requires(post): policycoreutils-python +%endif + %description selinux The %{name}-selinux package contains selinux policy for the %{name} daemon. @@ -82,6 +103,14 @@ sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\// %patch11 -p1 -b .get-line %patch12 -p1 -b .man-page-trust +# zstream +%patch13 -p1 -b .deleted +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 + %build ./autogen.sh %configure \ 
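Review bot: The inlined selinux block in the -selinux subpackage hardcodes `%if 032 || 0 > 7`, which looks like `0%{?fedora} || 0%{?rhel} > 7` as expanded on a Fedora 32 build host; it is unconditionally true, so `policycoreutils-python-utils` is picked regardless of the target release rather than because of it. Restore the macros so the condition follows the build target: `%if 0%{?fedora} || 0%{?rhel} > 7`. The same hunk also adds `BuildRequires: selinux-policy` and `BuildRequires: selinux-policy-devel` two lines below the identical context lines, so those two can be dropped. The Patch13–Patch18 declarations and the matching `%patch13`–`%patch18` applications in the other hunks on this line are consistent with each other.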
@@ -121,6 +150,32 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';' %pre getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name} +%pretrans -p +if posix.access("/run/fapolicyd.pid", "f") then + os.execute([[ + c=/etc/fapolicyd/fapolicyd.rules + release=/etc/redhat-release + rule="allow perm=any uid=0 : all" + if test -e $release; then + if grep -q '8.1' $release; then + rule="allow uid=0 all" + fi + fi + + if test -e $c; then + if systemctl is-active fapolicyd &> /dev/null; then + tmp=`mktemp` + cat $c > $tmp + echo "$rule" > $c + cat $tmp >> $c + systemctl restart fapolicyd || true + cat $tmp > $c + rm -f $tmp + fi + fi + ]]) +end + %post %systemd_post %{name}.service @@ -175,6 +230,29 @@ fi %selinux_relabel_post -s %{selinuxtype} %changelog +* Thu Dec 10 2020 Radovan Sroka - 1.0-3.4 +RHEL 8.3.Z ERRATUM +- Adding DISA STIG during OS installation causes 'ipa-server-install' to fail [rhel-8.3.0.z] +- fixed java detection +Resolves: rhbz#1905895 +- Erratum RHBA-2020:4969 is of no help when upgrading partially RHEL 8.2 systems [rhel-8.3.0.z] +Resolves: rhbz#1906472 + +* Fri Nov 13 2020 Radovan Sroka - 1.0-3.3 +RHEL 8.3.Z ERRATUM +Resolves: rhbz#1897090 + +* Fri Nov 06 2020 Radovan Sroka - 1.0-3.2 +RHEL 8.3.Z ERRATUM +- selinux requires inlined +Resolves: rhbz#1895513 + +* Fri Nov 06 2020 Radovan Sroka - 1.0-3.1 +RHEL 8.3.Z ERRATUM +- allow root everything +- ensure that root rule is in .rules +Resolves: rhbz#1895513 + * Tue Jun 30 2020 Radovan Sroka - 1.0-3 RHEL 8.3 ERRATUM - fixed manpage fapolicyd-conf
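Review bot: In the new `%pretrans` script the backtick `mktemp` substitution assigned to `tmp` is unchecked: if it fails, `tmp` is empty, `cat $c > $tmp` fails, `echo "$rule" > $c` then overwrites the rules file, and both later `cat $tmp` restores fail, so the original /etc/fapolicyd/fapolicyd.rules is lost; guard it before touching `$c` with `tmp=$(mktemp) || exit 0`. The version test `grep -q '8.1' $release` is unanchored and its `.` is a wildcard, so it also matches later minor releases such as 8.10 and 8.11 and would inject the old `allow uid=0 all` syntax there; `grep -q 'release 8\.1 ' $release` pins the intended release. Because rules are loaded at daemon start, the injected root rule stays active in the running daemon after `$c` is restored; that appears to be the intended transaction-window behaviour, but a comment stating it would save the next maintainer from reading it as a bug.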