%global selinuxtype targeted %global moduletype contrib %define semodule_version 0.2 Summary: Application Whitelisting Daemon Name: fapolicyd Version: 1.0 Release: 3%{?dist}.2 License: GPLv3+ URL: http://people.redhat.com/sgrubb/fapolicyd Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz BuildRequires: gcc BuildRequires: kernel-headers BuildRequires: autoconf automake make gcc libtool BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel BuildRequires: python3-devel BuildRequires: python2-devel Recommends: %{name}-selinux Requires(pre): shadow-utils Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units Patch1: selinux.patch Patch2: fapolicyd-0.9.5-integrity.patch Patch3: selinux-pid.patch Patch4: fapolicyd-cli-args.patch Patch5: fapolicyd-magic-override.patch Patch6: fapolicyd-magic-override2.patch Patch7: fapolicyd-man-page.patch Patch8: fapolicyd-trust.patch Patch9: fapolicyd-cli-empty-db.patch Patch10: fapolicyd-cli-big-buffer.patch Patch11: fapolicyd-get-line.patch Patch12: fapolicyd-man-page-trust.patch Patch13: fapolicyd-rules-root.patch %description Fapolicyd (File Access Policy Daemon) implements application whitelisting to decide file access rights. Applications that are known via a reputation source are allowed access while unknown applications are not. The daemon makes use of the kernel's fanotify interface to determine file access rights. %package selinux Summary: Fapolicyd selinux Group: Applications/System Requires: %{name} = %{version}-%{release} BuildRequires: selinux-policy BuildRequires: selinux-policy-devel BuildArch: noarch #%%{?selinux_requires} Requires: selinux-policy >= 3.14.3-54.el8 BuildRequires: pkgconfig(systemd) BuildRequires: selinux-policy BuildRequires: selinux-policy-devel Requires(post): selinux-policy-base >= 3.14.3-54.el8 Requires(post): libselinux-utils Requires(post): policycoreutils %if 032 || 0 > 7 Requires(post): policycoreutils-python-utils %else Requires(post): policycoreutils-python %endif %description selinux The %{name}-selinux package contains selinux policy for the %{name} daemon. %prep %setup -q # selinux %setup -q -D -T -a 1 # generate rules for python sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.* sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.* sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.* %patch1 -p1 -b .selinux %patch2 -p1 -b .integrity %patch3 -p1 -b .pid %patch4 -p1 -b .args %patch5 -p1 %patch6 -p1 %patch7 -p1 -b .man-page %patch8 -p1 -b .trust %patch9 -p1 -b .cli-empty-db %patch10 -p1 -b .cli-big-buffer %patch11 -p1 -b .get-line %patch12 -p1 -b .man-page-trust # zstream %patch13 -p1 -b .root %build ./autogen.sh %configure \ --with-audit \ --with-rpm \ --disable-shared make CFLAGS="%{optflags}" %{?_smp_mflags} # selinux pushd %{name}-selinux-%{semodule_version} make popd # selinux %pre selinux %selinux_relabel_pre -s %{selinuxtype} %install make DESTDIR="%{buildroot}" INSTALL='install -p' install mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/ install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/ install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf install -p -m 644 init/%{name}.rules.known-libs %{buildroot}/%{_sysconfdir}/%{name}/%{name}.rules mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name} mkdir -p %{buildroot}/run/%{name} # selinux install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype} install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if #cleanup find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';' %pre getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name} %pretrans c=/etc/fapolicyd/fapolicyd.rules if test -e $c; then cat $c | grep -Em1 '^allow' | grep -q 'uid=0 : all' || { if systemctl is-active fapolicyd &> dev/null; then tmp=`mktemp` rpm -qV fapolicyd | grep -q $c || touch /tmp/fapolicyd-cleanup cat $c > $tmp echo "allow perm=any uid=0 : all" > $c cat $tmp >> $c rm -f $tmp systemctl restart fapolicyd fi } fi %post %systemd_post %{name}.service c=/etc/fapolicyd/fapolicyd.rules if test -e /tmp/fapolicyd-cleanup; then cat ${c}.rpmnew > $c touch -d "`stat -c %y ${c}.rpmnew`" $c rm -f /tmp/fapolicyd-cleanup ${c}.rpmnew systemctl restart fapolicyd fi %preun %systemd_preun %{name}.service %postun %systemd_postun_with_restart %{name}.service %files %doc README.md %{!?_licensedir:%global license %%doc} %license COPYING %attr(755,root,%{name}) %dir %{_datadir}/%{name} %attr(644,root,%{name}) %{_datadir}/%{name}/%{name}.rules.* %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name} %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules %attr(644,root,root) %{_unitdir}/%{name}.service %attr(644,root,root) %{_tmpfilesdir}/%{name}.conf %attr(755,root,root) %{_sbindir}/%{name} %attr(755,root,root) %{_sbindir}/%{name}-cli %attr(644,root,root) %{_mandir}/man8/* %attr(644,root,root) %{_mandir}/man5/* %attr(644,root,root) %{_mandir}/man1/* %attr(644,root,root) %{_datadir}/%{name}/* %ghost %{_localstatedir}/log/%{name}-access.log %attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name} %attr(770,root,%{name}) %dir /run/%{name} %ghost %{_localstatedir}/run/%{name}/%{name}.fifo %ghost %{_localstatedir}/lib/%{name}/data.mdb %ghost %{_localstatedir}/lib/%{name}/lock.mdb %{python3_sitelib}/dnf-plugins/%{name}-dnf-plugin.py %{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc # selinux %files selinux %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 %ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} %{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if %post selinux %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 %postun selinux if [ $1 -eq 0 ]; then %selinux_modules_uninstall -s %{selinuxtype} %{name} fi %posttrans selinux %selinux_relabel_post -s %{selinuxtype} %changelog * Fri Nov 06 2020 Radovan Sroka - 1.0-3.2 RHEL 8.3.Z ERRATUM - selinux requires inlined Resolves: rhbz#1895513 * Fri Nov 06 2020 Radovan Sroka - 1.0-3.1 RHEL 8.3.Z ERRATUM - allow root everything - ensure that root rule is in .rules Resolves: rhbz#1895513 * Tue Jun 30 2020 Radovan Sroka - 1.0-3 RHEL 8.3 ERRATUM - fixed manpage fapolicyd-conf Resolves: rhbz#1817413 * Mon May 25 2020 Radovan Sroka - 1.0-2 RHEL 8.3 ERRATUM - rebase to v1.0 - installed multiple policies to /usr/share/fapolicyd - known-libs (default) - restrictive - installed fapolicyd.trust file - enhanced fapolicyd-cli Resolves: rhbz#1817413 - introduced fapolicyd-selinux that provides SELinux policy module Resolves: rhbz#1714529 * Tue Mar 03 2020 Radovan Sroka - 0.9.1-4 RHEL 8.2 ERRATUM - fixed possible heap buffer overflow in elf parser Resolves: rhbz#1807912 * Tue Feb 11 2020 Radovan Sroka - 0.9.1-3 RHEL 8.2 ERRATUM - fixed build time python interpreter detection (spec) - added python2-devel as a BuildRequires (spec) - allow running bash scripts in home directories Resolves: rhbz#1801872 * Wed Nov 20 2019 Radovan Sroka - 0.9.1-2 RHEL 8.2 ERRATUM - rebase to v0.9.1 - updated default configuration with new syntax - removed daemon mounts configuration Resolves: rhbz#1759895 - default fapolicyd policy prevents Ansible from running - added ansible rule to default ruleset Resolves: rhbz#1746464 - suspicious logs on service start Resolves: rhbz#1747494 - fapolicyd blocks dracut from generating initramfs - added dracut rule to default configuration Resolves: rhbz#1757736 - fapolicyd fails to identify perl interpreter Resolves: rhbz#1765039 * Wed Jul 24 2019 Radovan Sroka - 0.8.10-3 - added missing manpage for fapolicyd-cli Resolves: rhbz#1708015 * Mon Jul 22 2019 Radovan Sroka - 0.8.10-2 - Convert hashes to lowercase like sha256sum outputs - Stop littering STDOUT output for dnf plugin in fapolicyd Resolves: rhbz#1721496 * Tue Jun 18 2019 Radovan Sroka - 0.8.10-1 - new upstream release Resolves: rhbz#1673323 * Mon May 06 2019 Radovan Sroka - 0.8.9-1 - New upstream release - imported from fedora30 resolves: rhbz#1673323 * Wed Mar 13 2019 Radovan Sroka - 0.8.8-2 - backport some patches to resolve dac_override for fapolicyd * Mon Mar 11 2019 Radovan Sroka - 0.8.8-1 - New upstream release - Added new DNF plugin that can update the trust database when rpms are installed - Added support for FAN_OPEN_EXEC_PERM * Thu Jan 31 2019 Fedora Release Engineering - 0.8.7-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild * Wed Oct 03 2018 Steve Grubb 0.8.7-1 - New upstream bugfix release * Fri Jul 13 2018 Fedora Release Engineering - 0.8.6-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild * Thu Jun 07 2018 Steve Grubb 0.8.6-1 - New upstream feature release * Fri May 18 2018 Steve Grubb 0.8.5-2 - Add dist tag (#1579362) * Fri Feb 16 2018 Steve Grubb 0.8.5-1 - New release