From afdf3404fee24e1a99909291b8475c069711a334 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 02 2021 19:42:47 +0000 Subject: import fapolicyd-1.0.3-4.el9 --- diff --git a/.fapolicyd.metadata b/.fapolicyd.metadata new file mode 100644 index 0000000..2895d71 --- /dev/null +++ b/.fapolicyd.metadata @@ -0,0 +1,3 @@ +ff34a919c42f1256d0f6507cce70773d9e663447 SOURCES/fapolicyd-1.0.3.tar.gz +bdbe20a4db2cd58073abf17a537e3a6766cdea21 SOURCES/fapolicyd-selinux-0.4.tar.gz +fbafa356359ace80787ce6634d84425b40d90907 SOURCES/uthash-2.3.0.tar.gz diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..840245f --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +SOURCES/fapolicyd-1.0.3.tar.gz +SOURCES/fapolicyd-selinux-0.4.tar.gz +SOURCES/uthash-2.3.0.tar.gz diff --git a/SOURCES/fapolicyd-selinux-allow-boot-home.patch b/SOURCES/fapolicyd-selinux-allow-boot-home.patch new file mode 100644 index 0000000..f676d59 --- /dev/null +++ b/SOURCES/fapolicyd-selinux-allow-boot-home.patch @@ -0,0 +1,40 @@ +From a1a9a59f93ebfe6d0c9d725ed0712210994e6d64 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Tue, 6 Apr 2021 16:06:48 +0200 +Subject: [PATCH] Allow fapolicyd watch boot and home directories + +The fapolicyd service needs watch_mount and watch_with_perm permissions +for fanotify/inotify/dnotify calls on the following directories: +- /boot and /boot/efi directories +- /home directories + +Note the /boot/efi directory has the dosfs_t label. +--- + fapolicyd.te | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te +index f5d0052..c12f385 100644 +--- a/fapolicyd-selinux-0.4/fapolicyd.te ++++ b/fapolicyd-selinux-0.4/fapolicyd.te +@@ -63,14 +63,20 @@ domain_read_all_domains_state(fapolicyd_t) + + files_mmap_usr_files(fapolicyd_t) + files_read_all_files(fapolicyd_t) ++files_watch_mount_boot_dirs(fapolicyd_t) ++files_watch_with_perm_boot_dirs(fapolicyd_t) + files_watch_mount_generic_tmp_dirs(fapolicyd_t) + files_watch_with_perm_generic_tmp_dirs(fapolicyd_t) ++files_watch_mount_home(fapolicyd_t) ++files_watch_with_perm_home(fapolicyd_t) + files_watch_mount_root_dirs(fapolicyd_t) + files_watch_with_perm_root_dirs(fapolicyd_t) + + fs_getattr_xattr_fs(fapolicyd_t) + fs_watch_mount_tmpfs_dirs(fapolicyd_t) + fs_watch_with_perm_tmpfs_dirs(fapolicyd_t) ++fs_watch_mount_dos_dirs(fapolicyd_t) ++fs_watch_with_perm_dos_dirs(fapolicyd_t) + + logging_send_syslog_msg(fapolicyd_t) + dbus_system_bus_client(fapolicyd_t) diff --git a/SOURCES/fapolicyd-selinux-watch-perm.patch b/SOURCES/fapolicyd-selinux-watch-perm.patch new file mode 100644 index 0000000..4128b8e --- /dev/null +++ b/SOURCES/fapolicyd-selinux-watch-perm.patch @@ -0,0 +1,31 @@ +From 6a966a3ee89233a0a055712f39ca564ba91183bf Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 15 Apr 2021 16:56:08 +0200 +Subject: [PATCH] Allow fapolicyd watch_mount/watch_with_perm all files and + directories + +For the fanotify_mark() syscall, fapolicyd uses the FAN_MARK_MOUNT flag +to mark the file's mount point to monitor. As this can be any file or +directory on the filesystem, the SELinux watch_mount and watch_with_perm +permissions are allowed for the file_type attribute. +--- + fapolicyd.te | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te +index c12f385..582e03f 100644 +--- a/fapolicyd-selinux-0.4/fapolicyd.te ++++ b/fapolicyd-selinux-0.4/fapolicyd.te +@@ -36,6 +36,12 @@ allow fapolicyd_t self:process { setcap setsched }; + allow fapolicyd_t self:unix_stream_socket create_stream_socket_perms; + allow fapolicyd_t self:unix_dgram_socket create_socket_perms; + ++gen_require(` ++ attribute file_type; ++') ++allow fapolicyd_t file_type:dir { watch_mount watch_with_perm }; ++allow fapolicyd_t file_type:file { watch_mount watch_with_perm }; ++ + manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t) + logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file) + diff --git a/SOURCES/fapolicyd-uthash-bundle.patch b/SOURCES/fapolicyd-uthash-bundle.patch new file mode 100644 index 0000000..c482992 --- /dev/null +++ b/SOURCES/fapolicyd-uthash-bundle.patch @@ -0,0 +1,39 @@ +diff -up ./configure.ac.uthash ./configure.ac +--- ./configure.ac.uthash 2021-03-25 22:12:48.164450403 +0100 ++++ ./configure.ac 2021-03-25 22:13:01.067282788 +0100 +@@ -67,10 +67,6 @@ AC_CHECK_HEADER(sys/fanotify.h, , [AC_MS + ["Couldn't find sys/fanotify.h...your kernel might not be new enough"] )]) + AC_CHECK_FUNCS(fexecve, [], []) + +-AC_CHECK_HEADER(uthash.h, , [AC_MSG_ERROR( +-["Couldn't find uthash.h...uthash-devel is missing"] )]) +- +- + echo . + echo Checking for required libraries + AC_CHECK_LIB(udev, udev_device_get_devnode, , [AC_MSG_ERROR([libudev not found])], -ludev) +diff -up ./src/library/rpm-backend.c.uthash ./src/library/rpm-backend.c +--- ./src/library/rpm-backend.c.uthash 2021-01-05 16:27:53.000000000 +0100 ++++ ./src/library/rpm-backend.c 2021-03-25 22:12:33.212644641 +0100 +@@ -32,7 +32,7 @@ + #include + #include + +-#include ++#include "uthash.h" + + #include "message.h" + +diff -up ./src/Makefile.am.uthash ./src/Makefile.am +--- ./src/Makefile.am.uthash 2021-01-05 16:27:53.000000000 +0100 ++++ ./src/Makefile.am 2021-03-25 22:12:33.212644641 +0100 +@@ -5,6 +5,9 @@ AM_CPPFLAGS = \ + -I${top_srcdir} \ + -I${top_srcdir}/src/library + ++AM_CPPFLAGS += \ ++ -I${top_srcdir}/uthash-2.3.0/include ++ + sbin_PROGRAMS = fapolicyd fapolicyd-cli + lib_LTLIBRARIES= libfapolicyd.la + diff --git a/SOURCES/selinux-backport.patch b/SOURCES/selinux-backport.patch new file mode 100644 index 0000000..9666860 --- /dev/null +++ b/SOURCES/selinux-backport.patch @@ -0,0 +1,136 @@ +diff -up ./fapolicyd-selinux-0.4/fapolicyd.if.backport ./fapolicyd-selinux-0.4/fapolicyd.if +--- ./fapolicyd-selinux-0.4/fapolicyd.if.backport 2021-03-23 10:21:31.000000000 +0100 ++++ ./fapolicyd-selinux-0.4/fapolicyd.if 2021-07-20 17:38:51.266053356 +0200 +@@ -2,6 +2,122 @@ + + ######################################## + ## ++## Watch_mount directories in /boot. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++ ++ifndef(`files_watch_mount_boot_dirs',` ++ interface(`files_watch_mount_boot_dirs',` ++ gen_require(` ++ type boot_t; ++ ') ++ ++ allow $1 boot_t:dir watch_mount_dir_perms; ++ ') ++') ++ ++ ++######################################## ++## ++## Watch_mount home directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++ ++ifndef(`files_watch_mount_home',` ++ interface(`files_watch_mount_home',` ++ gen_require(` ++ type home_root_t; ++ ') ++ ++ allow $1 home_root_t:dir watch_mount_dir_perms; ++ ') ++') ++ ++ ++######################################## ++## ++## Watch_with_perm home directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++ ++ifndef(`files_watch_with_perm_home',` ++interface(`files_watch_with_perm_home',` ++ gen_require(` ++ type home_root_t; ++ ') ++ ++ allow $1 home_root_t:dir watch_with_perm_dir_perms; ++') ++') ++ ++ ++######################################## ++## ++## Watch_mount dirs on a DOS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++ ++ifndef(`fs_watch_mount_dos_dirs',` ++interface(`fs_watch_mount_dos_dirs',` ++ gen_require(` ++ type dosfs_t; ++ ') ++ ++ watch_mount_dirs_pattern($1, dosfs_t, dosfs_t) ++') ++') ++ ++ ++ ++######################################## ++## ++## Watch_with_perm dirs on a DOS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++ ++ifndef(`fs_watch_with_perm_dos_dirs',` ++interface(`fs_watch_with_perm_dos_dirs',` ++ gen_require(` ++ type dosfs_t; ++ ') ++ ++ watch_with_perm_dirs_pattern($1, dosfs_t, dosfs_t) ++') ++') ++ ++ ++################################################################################################### ++ ++ ++ ++ ++######################################## ++## + ## Execute fapolicyd_exec_t in the fapolicyd domain. + ## + ## +diff -up ./fapolicyd-selinux-0.4/fapolicyd.te.backport ./fapolicyd-selinux-0.4/fapolicyd.te +--- ./fapolicyd-selinux-0.4/fapolicyd.te.backport 2021-07-20 17:31:12.161166538 +0200 ++++ ./fapolicyd-selinux-0.4/fapolicyd.te 2021-07-20 17:31:12.162166524 +0200 +@@ -1,5 +1,6 @@ + policy_module(fapolicyd, 1.0.0) + ++ + ######################################## + # + # Declarations diff --git a/SPECS/fapolicyd.spec b/SPECS/fapolicyd.spec new file mode 100644 index 0000000..efeea55 --- /dev/null +++ b/SPECS/fapolicyd.spec @@ -0,0 +1,355 @@ +%global selinuxtype targeted +%global moduletype contrib +%define semodule_version 0.4 + +Summary: Application Whitelisting Daemon +Name: fapolicyd +Version: 1.0.3 +Release: 4%{?dist} +License: GPLv3+ +URL: http://people.redhat.com/sgrubb/fapolicyd +Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz +Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz +# we bundle uthash for rhel9 +Source2: https://github.com/troydhanson/uthash/archive/refs/tags/v2.3.0.tar.gz#/uthash-2.3.0.tar.gz +BuildRequires: gcc +BuildRequires: kernel-headers +BuildRequires: autoconf automake make gcc libtool +BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel file +BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel +BuildRequires: python3-devel + +%if 0%{?rhel} == 0 +BuildRequires: uthash-devel +%endif + +Requires: %{name}-plugin +Recommends: %{name}-selinux +Requires(pre): shadow-utils +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units + +Patch1: fapolicyd-uthash-bundle.patch +Patch2: fapolicyd-selinux-allow-boot-home.patch +Patch3: fapolicyd-selinux-watch-perm.patch + +# hardcode missing selinux definitions from selinux-policy +Patch4: selinux-backport.patch + +%description +Fapolicyd (File Access Policy Daemon) implements application whitelisting +to decide file access rights. Applications that are known via a reputation +source are allowed access while unknown applications are not. The daemon +makes use of the kernel's fanotify interface to determine file access rights. + +%package selinux +Summary: Fapolicyd selinux +Group: Applications/System +Requires: %{name} = %{version}-%{release} +BuildRequires: selinux-policy +BuildRequires: selinux-policy-devel +BuildArch: noarch +%{?selinux_requires} + +%description selinux +The %{name}-selinux package contains selinux policy for the %{name} daemon. + +%package dnf-plugin +Summary: Fapolicyd dnf plugin +Group: Applications/System +Requires: %{name} = %{version}-%{release} +BuildArch: noarch +Provides: %{name}-plugin + +%description dnf-plugin +The %{name}-dnf-plugin notifies %{name} daemon about dnf update. +The dnf plugin will be replaced with rpm plugin later. +Don't use dnf and rpm plugin together. + + +%prep + +%setup -q + +# selinux +%setup -q -D -T -a 1 + +%if 0%{?rhel} != 0 +# uthash +%setup -q -D -T -a 2 +%patch1 -p1 -b .uthash +%endif + +%patch2 -p1 -b .home-boot +%patch3 -p1 -b .watch-perm + +%patch4 -p1 -b .backport + +sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.* +sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.* +sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.* + +%build +./autogen.sh +%configure \ + --with-audit \ + --with-rpm \ + --disable-shared + +make CFLAGS="%{optflags}" %{?_smp_mflags} + +# selinux +pushd %{name}-selinux-%{semodule_version} +make +popd + +%check +make check + +# selinux +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%install +make DESTDIR="%{buildroot}" INSTALL='install -p' install +mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/ +install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/ +install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf +install -p -m 644 init/%{name}.rules.known-libs %{buildroot}/%{_sysconfdir}/%{name}/%{name}.rules +mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name} +mkdir -p %{buildroot}/run/%{name} + +# selinux +install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} +install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} +install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype} +install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if + +#cleanup +find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';' + +%pre +getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name} + +%pretrans -p +if posix.access("/run/fapolicyd.pid", "f") then + os.execute([[ + c=/etc/fapolicyd/fapolicyd.rules + rule="allow perm=any uid=0 : all" + + if test -e $c; then + if systemctl is-active fapolicyd &> /dev/null; then + tmp=`mktemp` + cat $c > $tmp + echo "$rule" > $c + cat $tmp >> $c + systemctl restart fapolicyd || true + sleep 10 + cat $tmp > $c + rm -f $tmp + fi + fi + ]]) +end + + +%post +%systemd_post %{name}.service + +%preun +%systemd_preun %{name}.service + +%postun +%systemd_postun_with_restart %{name}.service + +%files +%doc README.md +%{!?_licensedir:%global license %%doc} +%license COPYING +%attr(755,root,%{name}) %dir %{_datadir}/%{name} +%attr(644,root,%{name}) %{_datadir}/%{name}/%{name}.rules.* +%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name} +%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf +%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust +%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules +%attr(644,root,root) %{_unitdir}/%{name}.service +%attr(644,root,root) %{_tmpfilesdir}/%{name}.conf +%attr(755,root,root) %{_sbindir}/%{name} +%attr(755,root,root) %{_sbindir}/%{name}-cli +%attr(644,root,root) %{_mandir}/man8/* +%attr(644,root,root) %{_mandir}/man5/* +%attr(644,root,root) %{_mandir}/man1/* +%attr(644,root,root) %{_datadir}/%{name}/* +%ghost %{_localstatedir}/log/%{name}-access.log +%attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name} +%attr(770,root,%{name}) %dir /run/%{name} +%ghost /run/%{name}/%{name}.fifo +%ghost %{_localstatedir}/lib/%{name}/data.mdb +%ghost %{_localstatedir}/lib/%{name}/lock.mdb + +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 +%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} +%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 +%selinux_relabel_post -s %{selinuxtype} + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{name} +fi + +%posttrans selinux +%selinux_relabel_post -s %{selinuxtype} + +%files dnf-plugin +%{python3_sitelib}/dnf-plugins/%{name}-dnf-plugin.py +%{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc + + +%changelog +* Mon Aug 09 2021 Mohan Boddu - 1.0.3-4 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Tue Jul 20 2021 Radovan Sroka - 1.0.3-3 +RHEL 9 BETA +- SELinux prevents fapolicyd from watch_mount/watch_with_perm on /dev/shm +Resolves: rhbz#1932225 +Resolves: rhbz#1977731 + +* Thu Apr 15 2021 Mohan Boddu - 1.0.3-2 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Thu Apr 01 2021 Radovan Sroka - 1.0.3-1 +- rebase to 1.0.3 +- sync fedora with rhel + +* Tue Jan 26 2021 Fedora Release Engineering - 1.0.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Wed Jan 06 2021 Radovan Sroka - 1.0.2-1 +- rebase to 1.0.2 +- enabled make check +- dnf-plugin is now required subpackage + +* Mon Nov 16 2020 Radovan Sroka - 1.0.1-1 +- rebase to 1.0.1 +- introduced uthash dependency +- SELinux prevents the fapolicyd process from writing to /run/dbus/system_bus_socket +Resolves: rhbz#1874491 +- SELinux prevents the fapolicyd process from writing to /var/lib/rpm directory +Resolves: rhbz#1876538 + +* Mon Jul 27 2020 Fedora Release Engineering - 1.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Wed Jun 24 2020 Radovan Sroka - 1.0-3 +- backported few cosmetic small patches from upstream master +- rebase selinux tarbal to v0.3 +- file context pattern for /run/fapolicyd.pid is missing +Resolves: rhbz#1834674 + +* Tue May 26 2020 Miro Hrončok - 1.0-2 +- Rebuilt for Python 3.9 + +* Mon May 25 2020 Radovan Sroka - 1.0-1 +- rebase fapolicyd to 1.0 +- allowed sys_ptrace for user namespace + +* Mon Mar 23 2020 Radovan Sroka - 0.9.4-1 +- rebase fapolicyd to 0.9.4 +- polished the pattern detection engine +- rpm backend now drops most of the files in /usr/share/ to dramatically reduce + memory consumption and improve startup speed +- the commandline utility can now delete the lmdb trust database and manage + the file trust source + +* Mon Feb 24 2020 Radovan Sroka - 0.9.3-1 +- rebase fapolicyd to 0.9.3 +- dramatically improved startup time +- fapolicyd-cli has picked up --list and --ftype commands to help debug/write policy +- file type identification has been improved +- trust database statistics have been added to the reports + +* Tue Feb 04 2020 Radovan Sroka - 0.9.2-2 +- Label all fifo_file as fapolicyd_var_run_t in /var/run. +- Allow fapolicyd_t domain to create fifo files labeled as + fapolicyd_var_run_t + +* Fri Jan 31 2020 Radovan Sroka - 0.9.2-1 +- rebase fapolicyd to 0.9.2 +- allows watched mount points to be specified by file system types +- ELF file detection was improved +- the rules have been rewritten to express the policy based on subject + object trust for better performance and reliability +- exceptions for dracut and ansible were added to the rules to avoid problems + under normal system use +- adds an admin defined trust database (fapolicyd.trust) +- setting boost, queue, user, and group on the daemon + command line are deprecated + +* Tue Jan 28 2020 Fedora Release Engineering - 0.9-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Tue Nov 05 2019 Marek Tamaskovic - 0.9-3 +- Updated fapolicyd-selinux subpackage to v0.2 + Selinux subpackage is recommended for fapolicyd. + +* Mon Oct 07 2019 Radovan Sroka - 0.9-2 +- Added fapolicyd-selinux subpackage + +* Mon Oct 07 2019 Radovan Sroka - 0.9-1 +- rebase to v0.9 + +* Thu Oct 03 2019 Miro Hrončok - 0.8.10-2 +- Rebuilt for Python 3.8.0rc1 (#1748018) + +* Wed Aug 28 2019 Radovan Sroka - 0.8.10-1 +- rebase to 0.8.10 +- generate python paths dynamically + +* Mon Aug 19 2019 Miro Hrončok - 0.8.9-5 +- Rebuilt for Python 3.8 + +* Thu Jul 25 2019 Fedora Release Engineering - 0.8.9-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Mon Jun 10 22:13:18 CET 2019 Igor Gnatenko - 0.8.9-3 +- Rebuild for RPM 4.15 + +* Mon Jun 10 15:42:01 CET 2019 Igor Gnatenko - 0.8.9-2 +- Rebuild for RPM 4.15 + +* Mon May 06 2019 Radovan Sroka - 0.8.9-1 +- New upstream release + +* Wed Mar 13 2019 Radovan Sroka - 0.8.8-2 +- backport some patches to resolve dac_override for fapolicyd + +* Mon Mar 11 2019 Radovan Sroka - 0.8.8-1 +- New upstream release +- Added new DNF plugin that can update the trust database when rpms are installed +- Added support for FAN_OPEN_EXEC_PERM + +* Thu Jan 31 2019 Fedora Release Engineering - 0.8.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + + +* Wed Oct 03 2018 Steve Grubb 0.8.7-1 +- New upstream bugfix release + +* Fri Jul 13 2018 Fedora Release Engineering - 0.8.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Thu Jun 07 2018 Steve Grubb 0.8.6-1 +- New upstream feature release + +* Fri May 18 2018 Steve Grubb 0.8.5-2 +- Add dist tag (#1579362) + +* Fri Feb 16 2018 Steve Grubb 0.8.5-1 +- New release