diff --git a/SOURCES/fagenrules-group.patch b/SOURCES/fagenrules-group.patch
new file mode 100644
index 0000000..744bb64
--- /dev/null
+++ b/SOURCES/fagenrules-group.patch
@@ -0,0 +1,13 @@
+diff -up ./init/fagenrules.fix ./init/fagenrules
+--- ./init/fagenrules.fix 2022-04-01 16:12:50.512164904 +0200
++++ ./init/fagenrules 2022-04-01 16:21:07.924712100 +0200
+@@ -117,7 +117,8 @@ fi
+
+ # We copy the file so that it gets the right selinux label
+ cp ${TmpRules} ${DestinationFile}
+-chmod 0640 ${DestinationFile}
++chmod 0644 ${DestinationFile}
++chgrp fapolicyd ${DestinationFile}
+
+ # Restore context on MLS system.
+ # /tmp is SystemLow & fapolicyd.rules is SystemHigh
diff --git a/SOURCES/fapolicyd-reorder-rules.patch b/SOURCES/fapolicyd-reorder-rules.patch
new file mode 100644
index 0000000..53a797c
--- /dev/null
+++ b/SOURCES/fapolicyd-reorder-rules.patch
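Review bot: `chmod 0644 ${DestinationFile}` makes the compiled policy readable by every local user, and the `chgrp fapolicyd` added right after it only has an effect at a group-restricted mode, so the two new lines pull in opposite directions; if the goal is to let the fapolicyd group read the file, `chgrp fapolicyd "${DestinationFile}" && chmod 0640 "${DestinationFile}"` does that without disclosing which paths the policy allows or denies. Today the exposure is contained by the 750 root:fapolicyd directory the spec's %files sets on %{_sysconfdir}/%{name}, but a file mode should not rely on its parent directory. Neither command checks its result, so a failing chgrp (no such group on the host) leaves whatever mode `cp` produced and the script carries on; `chgrp fapolicyd "${DestinationFile}" || exit 1` would surface it. The enclosing script section begins before the `fi` the hunk opens on, and nothing in the patch says why 0644 was required — a one-line comment above the chmod naming the reader that needs world-read access would help the next maintainer.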
@@ -0,0 +1,110 @@
+From 609ffa1d2ed490c7d5c77d2dd2dfdc50f415b935 Mon Sep 17 00:00:00 2001
+From: Radovan Sroka
+Date: Thu, 24 Mar 2022 09:59:05 +0100
+Subject: [PATCH] Reorder loop holes with patterns in rules.d
+
+- this keeps backwards compatibility with older wersions of rules
+- the ld_so pattern was applied to root
+- it caused problems with running ldd as root(previously unrestricted)
+
+Signed-off-by: Radovan Sroka
+---
+ fapolicyd.spec | 6 +++---
+ rules.d/{30-dracut.rules => 20-dracut.rules} | 0
+ rules.d/{30-updaters.rules => 21-updaters.rules} | 0
+ rules.d/{20-patterns.rules => 30-patterns.rules} | 0
+ rules.d/Makefile.am | 4 ++--
+ rules.d/README-rules | 16 ++++++++--------
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+ rename rules.d/{30-dracut.rules => 20-dracut.rules} (100%)
+ rename rules.d/{30-updaters.rules => 21-updaters.rules} (100%)
+ rename rules.d/{20-patterns.rules => 30-patterns.rules} (100%)
+
+diff --git a/fapolicyd.spec b/fapolicyd.spec
+index c2aae21..261b780 100644
+--- a/fapolicyd.spec
++++ b/fapolicyd.spec
+@@ -66,9 +66,9 @@ if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
+ if [ "$files" -eq 0 ] ; then
+ ## Install the known libs policy
+ cp %{_datadir}/%{name}/sample-rules/10-languages.rules %{_sysconfdir}/%{name}/rules.d/
+-cp %{_datadir}/%{name}/sample-rules/20-patterns.rules %{_sysconfdir}/%{name}/rules.d/
+-cp %{_datadir}/%{name}/sample-rules/30-dracut.rules %{_sysconfdir}/%{name}/rules.d/
+-cp %{_datadir}/%{name}/sample-rules/30-updaters.rules %{_sysconfdir}/%{name}/rules.d/
++cp %{_datadir}/%{name}/sample-rules/20-dracut.rules %{_sysconfdir}/%{name}/rules.d/
++cp %{_datadir}/%{name}/sample-rules/21-updaters.rules %{_sysconfdir}/%{name}/rules.d/
++cp %{_datadir}/%{name}/sample-rules/30-patterns.rules %{_sysconfdir}/%{name}/rules.d/
+ cp %{_datadir}/%{name}/sample-rules/40-bad-elf.rules %{_sysconfdir}/%{name}/rules.d/
+ cp %{_datadir}/%{name}/sample-rules/41-shared-obj.rules %{_sysconfdir}/%{name}/rules.d/
+ cp %{_datadir}/%{name}/sample-rules/42-trusted-elf.rules %{_sysconfdir}/%{name}/rules.d/
+diff --git a/rules.d/30-dracut.rules b/rules.d/20-dracut.rules
+similarity index 100%
+rename from rules.d/30-dracut.rules
+rename to rules.d/20-dracut.rules
+diff --git a/rules.d/30-updaters.rules b/rules.d/21-updaters.rules
+similarity index 100%
+rename from rules.d/30-updaters.rules
+rename to rules.d/21-updaters.rules
+diff --git a/rules.d/20-patterns.rules b/rules.d/30-patterns.rules
+similarity index 100%
+rename from rules.d/20-patterns.rules
+rename to rules.d/30-patterns.rules
+diff --git a/rules.d/Makefile.am b/rules.d/Makefile.am
+index 76b5377..9bb61a7 100644
+--- a/rules.d/Makefile.am
++++ b/rules.d/Makefile.am
+@@ -23,8 +23,8 @@
+
+ CONFIG_CLEAN_FILES = *.rej *.orig
+
+-EXTRA_DIST = README-rules 10-languages.rules 20-patterns.rules \
+- 30-dracut.rules 30-updaters.rules \
++EXTRA_DIST = README-rules 10-languages.rules 20-dracut.rules \
++ 21-updaters.rules 30-patterns.rules \
+ 40-bad-elf.rules 41-shared-obj.rules 42-trusted-elf.rules \
+ 43-known-elf.rules \
+ 70-trusted-lang.rules 71-known-python.rules 72-shell.rules \
+diff --git a/rules.d/README-rules b/rules.d/README-rules
+index c03c02b..30fcd01 100644
+--- a/rules.d/README-rules
++++ b/rules.d/README-rules
+@@ -5,8 +5,8 @@ sort order. To make things easier to use, the files in this directory are
+ organized into groups with the following meanings:
+
+ 10 - macros
+-20 - patterns
+-30 - loop holes
++20 - loop holes
++30 - patterns
+ 40 - ELF rules
+ 50 - user/group access rules
+ 60 - application access rules
+@@ -25,9 +25,9 @@ You can reconstruct the old policy files by including the following:
+ fapolicyd.rules.known-libs
+ --------------------------
+ 10-languages.rules
+-20-patterns.rules
+-30-dracut.rules
+-30-updaters.rules
++20-dracut.rules
++21-updaters.rules
++30-patterns.rules
+ 40-bad-elf.rules
+ 41-shared-obj.rules
+ 42-trusted-elf.rules
+@@ -39,9 +39,9 @@ fapolicyd.rules.known-libs
+ fapolicyd.rules.restrictive
+ ---------------------------
+ 10-languages.rules
+-20-patterns.rules
+-30-dracut.rules
+-30-updaters.rules
++20-dracut.rules
++21-updaters.rules
++30-patterns.rules
+ 40-bad-elf.rules
+ 41-shared-obj.rules
+ 43-known-elf.rules
+--
+2.35.1
+
diff --git a/SPECS/fapolicyd.spec b/SPECS/fapolicyd.spec
index 8090ce5..1a05f8f 100644
--- a/SPECS/fapolicyd.spec
+++ b/SPECS/fapolicyd.spec
@@ -6,7 +6,7 @@ Summary: Application Whitelisting Daemon
 Name: fapolicyd
 Version: 1.1
-Release: 1%{?dist}
+Release: 4%{?dist}
 License: GPLv3+
 URL: http://people.redhat.com/sgrubb/fapolicyd
 Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
@@ -32,6 +32,8 @@ Requires(postun): systemd-units
 # the fapolicyd package because it provides safe upgrade path
 Patch1: fapolicyd-dnf-plugin.patch
 Patch2: fapolicyd-selinux.patch
+Patch3: fapolicyd-reorder-rules.patch
+Patch4: fagenrules-group.patch
 %description
 Fapolicyd (File Access Policy Daemon) implements application whitelisting
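Review bot: The README-rules hunk records the new numbering (20 - loop holes, 30 - patterns) but not its consequence: the files are applied in sort order per the README's own context line, and the commit message relies on the first matching rule winning, so a subject allowed by 20-dracut.rules or 21-updaters.rules is no longer checked against the ld_so/static patterns in 30-patterns.rules at all — which is what restores root's ldd, and also what anyone adding a new loop hole needs to know. I would add under the group list in README-rules: `Loop holes (20-29) are deliberately placed before patterns (30-39): a subject matched by a loop hole bypasses the pattern rules, so keep loop holes as narrow as possible.` As far as I can see the fapolicyd.spec hunk inside this patch (the fixed list of cp lines) is superseded in the same commit by the outer SPECS/fapolicyd.spec change that loops over default-ruleset.known-libs, so only the README-rules, Makefile.am and rename parts of this patch remain load-bearing.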
@@ -60,6 +62,8 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.
 %patch1 -p1 -b .plugin
 %patch2 -p1 -b .selinux
+%patch3 -p1 -b .rules
+%patch4 -p1 -b .group
 # generate rules for python
 sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
@@ -96,6 +100,12 @@ mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}
 mkdir -p %{buildroot}/run/%{name}
 mkdir -p %{buildroot}%{_sysconfdir}/%{name}/trust.d
 mkdir -p %{buildroot}%{_sysconfdir}/%{name}/rules.d
+# get list of file names between known-libs and restrictive from sample-rules/README-rules
+cat %{buildroot}/%{_datadir}/%{name}/sample-rules/README-rules \
+ | grep -A 100 'known-libs' \
+ | grep -B 100 'restrictive' \
+ | grep '^[0-9]' > %{buildroot}/%{_datadir}/%{name}/default-ruleset.known-libs
+chmod 644 %{buildroot}/%{_datadir}/%{name}/default-ruleset.known-libs
 # selinux
 install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
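Review bot: The pipeline `grep -A 100 'known-libs' | grep -B 100 'restrictive' | grep '^[0-9]'` that produces default-ruleset.known-libs is never checked, yet that file later decides both which rule files %post installs and which installed files %pre/%preun may delete as "unchanged defaults"; a README-rules edit that mentions known-libs earlier, moves the headings, or grows a list past 100 lines silently yields a wrong or empty list and the build still succeeds. Two lines after the chmod would catch that at build time: `test -s %{buildroot}/%{_datadir}/%{name}/default-ruleset.known-libs` and `for f in $(cat %{buildroot}/%{_datadir}/%{name}/default-ruleset.known-libs); do test -f %{buildroot}/%{_datadir}/%{name}/sample-rules/$f; done`. Anchoring the heading matches, e.g. `grep -A 100 '^fapolicyd.rules.known-libs$'` and `grep -B 100 '^fapolicyd.rules.restrictive$'`, would also stop incidental mentions of either word from shifting the window. The `-A 100`/`-B 100` limits are magic numbers; a comment stating they only need to exceed the length of one list in README-rules would make the intent clear.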
@@ -106,8 +116,49 @@ install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_
 #cleanup
 find %{buildroot} \( -name '*.la' -o -name '*.a' \) -delete
+%define manage_default_rules default_changed=0 \
+ # check changed fapolicyd.rules \
+ if [ -e %{_sysconfdir}/%{name}/%{name}.rules ]; then \
+ diff %{_sysconfdir}/%{name}/%{name}.rules %{_datadir}/%{name}/%{name}.rules.known-libs >/dev/null 2>&1 || { \
+ default_changed=1; \
+ #echo "change detected in fapolicyd.rules"; \
+ } \
+ fi \
+ if [ -e %{_sysconfdir}/%{name}/rules.d ]; then \
+ default_ruleset='' \
+ # get listing of default rule files in known-libs \
+ [ -e %{_datadir}/%{name}/default-ruleset.known-libs ] && default_ruleset=`cat %{_datadir}/%{name}/default-ruleset.known-libs` \
+ # check for removed or added files \
+ default_count=`echo "$default_ruleset" | wc -l` \
+ current_count=`ls -1 %{_sysconfdir}/%{name}/rules.d/*.rules | wc -l` \
+ [ $default_count -eq $current_count ] || { \
+ default_changed=1; \
+ #echo "change detected in number of rule files d:$default_count vs c:$current_count"; \
+ } \
+ for file in %{_sysconfdir}/%{name}/rules.d/*.rules; do \
+ if echo "$default_ruleset" | grep -q "`basename $file`"; then \
+ # compare content of the rule files \
+ diff $file %{_datadir}/%{name}/sample-rules/`basename $file` >/dev/null 2>&1 || { \
+ default_changed=1; \
+ #echo "change detected in `basename $file`"; \
+ } \
+ else \
+ # added file detected \
+ default_changed=1 \
+ #echo "change detected in added rules file `basename $file`"; \
+ fi \
+ done \
+ fi \
+ # remove files if no change against default rules detected \
+ [ $default_changed -eq 0 ] && rm -rf %{_sysconfdir}/%{name}/%{name}.rules %{_sysconfdir}/%{name}/rules.d/* || : \
+
+
 %pre
 getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
+if [ $1 -eq 2 ]; then
+# detect changed default rules in case of upgrade
+%manage_default_rules
+fi
 %post
 # if no pre-existing rule file
@@ -116,29 +167,27 @@ if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
 # Only if no pre-existing component rules
 if [ "$files" -eq 0 ] ; then
 ## Install the known libs policy
- cp %{_datadir}/%{name}/sample-rules/10-languages.rules %{_sysconfdir}/%{name}/rules.d/
- cp %{_datadir}/%{name}/sample-rules/20-patterns.rules %{_sysconfdir}/%{name}/rules.d/
- cp %{_datadir}/%{name}/sample-rules/30-dracut.rules %{_sysconfdir}/%{name}/rules.d/
- cp %{_datadir}/%{name}/sample-rules/30-updaters.rules %{_sysconfdir}/%{name}/rules.d/
- cp %{_datadir}/%{name}/sample-rules/40-bad-elf.rules %{_sysconfdir}/%{name}/rules.d/
- cp %{_datadir}/%{name}/sample-rules/41-shared-obj.rules %{_sysconfdir}/%{name}/rules.d/
- cp %{_datadir}/%{name}/sample-rules/42-trusted-elf.rules %{_sysconfdir}/%{name}/rules.d/
- cp %{_datadir}/%{name}/sample-rules/70-trusted-lang.rules %{_sysconfdir}/%{name}/rules.d/
- cp %{_datadir}/%{name}/sample-rules/72-shell.rules %{_sysconfdir}/%{name}/rules.d/
- cp %{_datadir}/%{name}/sample-rules/90-deny-execute.rules %{_sysconfdir}/%{name}/rules.d/
- cp %{_datadir}/%{name}/sample-rules/95-allow-open.rules %{_sysconfdir}/%{name}/rules.d/
+ for rulesfile in `cat %{_datadir}/%{name}/default-ruleset.known-libs`; do
+ cp %{_datadir}/%{name}/sample-rules/$rulesfile %{_sysconfdir}/%{name}/rules.d/
+ done
 chgrp %{name} %{_sysconfdir}/%{name}/rules.d/*
 if [ -x /usr/sbin/restorecon ] ; then
 # restore correct label
 /usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/*
 fi
- fagenrules --load
+ fagenrules > /dev/null 2>&1
 fi
 fi
 %systemd_post %{name}.service
 %preun
 %systemd_preun %{name}.service
+if [ $1 -eq 0 ]; then
+# detect changed default rules in case of uninstall
+%manage_default_rules
+else
+ [ -e %{_sysconfdir}/%{name}/%{name}.rules ] && rm -rf %{_sysconfdir}/%{name}/rules.d/* || :
+fi
 %postun
 %systemd_postun_with_restart %{name}.service
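Review bot: On the upgrade path `%manage_default_rules` runs from %pre, which executes before the new payload is unpacked, so the `[ -e %{_datadir}/%{name}/default-ruleset.known-libs ]` test sees the package being replaced; 1.1-1 (the previous changelog entry) does not ship that file, so `default_ruleset` stays empty, `default_count` becomes 1 from `echo "" | wc -l`, the count check sets `default_changed=1` whenever rules.d holds the old default set, and nothing is removed. As far as I can tell the result is that the stale rule files survive and %post's `"$files" -eq 0` guard (its assignment is outside the hunk) then never installs the reordered set — the very upgrade rhbz#2066300 is meant to fix. A fallback for the missing list, e.g. `[ -n "$default_ruleset" ] || default_ruleset=$(ls %{_sysconfdir}/%{name}/rules.d/ 2>/dev/null)` placed before the count, would treat every installed file as a default candidate while the per-file `diff` against the old package's sample-rules still protects administrator edits. Separately, the `grep -q` on the basename is an unanchored substring match, so a local `x10-languages.rules` is taken for a default name and then diffed against a non-existent sample; `grep -qx` restricts it to whole-line matches.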
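Review bot: The new upgrade branch of %preun, `[ -e %{_sysconfdir}/%{name}/%{name}.rules ] && rm -rf %{_sysconfdir}/%{name}/rules.d/* || :`, deletes everything in rules.d without the change detection the uninstall branch applies, so an administrator who keeps a legacy fapolicyd.rules alongside their own rules.d files loses the latter silently on every upgrade. If the intent is that a legacy monolithic file makes rules.d irrelevant, a comment should say so and the branch should still go through `%manage_default_rules` or skip files that differ from their sample-rules twin; if rules.d is expected to be empty in that case, removing nothing is the safer no-op. Also, `fagenrules > /dev/null 2>&1` now discards fagenrules' exit status together with its output, so a failure there leaves no trace in the transaction; `fagenrules >/dev/null 2>&1 || echo "fapolicyd: fagenrules failed, run it manually" >&2` keeps %post non-fatal while making it visible. Dropping `--load` also means a running daemon is no longer told to reload — presumably fine since this path only runs when no rules existed, but worth a one-line comment.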
@@ -149,16 +198,17 @@ fi
 %license COPYING
 %attr(755,root,%{name}) %dir %{_datadir}/%{name}
 %attr(755,root,%{name}) %dir %{_datadir}/%{name}/sample-rules
+%attr(644,root,%{name}) %{_datadir}/%{name}/default-ruleset.known-libs
 %attr(644,root,%{name}) %{_datadir}/%{name}/sample-rules/*
 %attr(644,root,%{name}) %{_datadir}/%{name}/fapolicyd-magic.mgc
 %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
 %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/trust.d
 %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/rules.d
-%ghost %{_sysconfdir}/%{name}/rules.d/*
-%ghost %{_sysconfdir}/%{name}/%{name}.rules
+%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/rules.d/*
+%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
+%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
-%ghost %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules
 %attr(644,root,root) %{_unitdir}/%{name}.service
 %attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
 %attr(755,root,root) %{_sbindir}/%{name}
@@ -195,6 +245,11 @@ fi
 %selinux_relabel_post -s %{selinuxtype}
 %changelog
+* Sat Apr 2 2022 Radovan Sroka - 1.1-4
+RHEL 8.6.0 ERRATUM
+- fapolicyd denies access to /usr/lib64/ld-2.28.so
+Resolves: rhbz#2066300
+
 * Wed Feb 16 2022 Radovan Sroka - 1.1-1
 RHEL 8.6.0 ERRATUM
 - rebase to 1.1