diff --git a/.fapolicyd.metadata b/.fapolicyd.metadata
index e32261e..871a2d0 100644
--- a/.fapolicyd.metadata
+++ b/.fapolicyd.metadata
@@ -1,2 +1,2 @@
-1fa6cf3f0a15bbef745438c1ba7b685ebf7e75f1 SOURCES/fapolicyd-1.1.tar.gz
+3887d3f97a4f506ad6bf7dcef36b01cc7897a692 SOURCES/fapolicyd-1.1.3.tar.gz
 bdbe20a4db2cd58073abf17a537e3a6766cdea21 SOURCES/fapolicyd-selinux-0.4.tar.gz
diff --git a/.gitignore b/.gitignore
index cb0435c..b3fd084 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/fapolicyd-1.1.tar.gz
+SOURCES/fapolicyd-1.1.3.tar.gz
 SOURCES/fapolicyd-selinux-0.4.tar.gz
diff --git a/SOURCES/fapolicyd-1.1.1-ld_so.patch b/SOURCES/fapolicyd-1.1.1-ld_so.patch
deleted file mode 100644
index a79cca7..0000000
--- a/SOURCES/fapolicyd-1.1.1-ld_so.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-diff -urp fapolicyd-1.1.1.orig/fapolicyd.spec fapolicyd-1.1.1/fapolicyd.spec
---- fapolicyd-1.1.1.orig/fapolicyd.spec 2022-01-28 15:17:55.000000000 -0500
-+++ fapolicyd-1.1.1/fapolicyd.spec 2022-01-28 15:19:31.594155397 -0500
-@@ -30,7 +30,7 @@ makes use of the kernel's fanotify inter
- # generate rules for python
- sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
- sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
--sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
-+sed -i "s/%ld_so_path%/`readelf -e /usr/bin/bash | grep Requesting | sed 's/.$//' | rev | cut -d" " -f1 | rev | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
- 
- %build
- %configure \
-diff -urp fapolicyd-1.1.1.orig/m4/dyn_linker.m4 fapolicyd-1.1.1/m4/dyn_linker.m4
---- fapolicyd-1.1.1.orig/m4/dyn_linker.m4 2022-01-28 15:17:55.000000000 -0500
-+++ fapolicyd-1.1.1/m4/dyn_linker.m4 2022-01-28 15:20:02.048609672 -0500
-@@ -1,6 +1,10 @@
- AC_DEFUN([LD_SO_PATH],
- [
-- xpath=`realpath /usr/lib64/ld-2.*.so`
-+ xpath1=`readelf -e /usr/bin/bash | grep Requesting | sed 's/.$//' | rev | cut -d" " -f1 | rev`
-+ xpath=`realpath $xpath1`
-+ if test ! -f "$xpath" ; then
-+ AC_MSG_ERROR([Cant find the dynamic linker])
-+ fi
- echo "dynamic linker is.....$xpath"
- AC_DEFINE_UNQUOTED(SYSTEM_LD_SO, ["$xpath"], [dynamic linker])
- ])
diff --git a/SOURCES/fapolicyd-1.1.1-static.patch b/SOURCES/fapolicyd-1.1.1-static.patch
deleted file mode 100644
index 49c371b..0000000
--- a/SOURCES/fapolicyd-1.1.1-static.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-diff -urp fapolicyd-1.1.1.orig/src/library/event.c fapolicyd-1.1.1/src/library/event.c
---- fapolicyd-1.1.1.orig/src/library/event.c 2022-01-28 15:23:58.000000000 -0500
-+++ fapolicyd-1.1.1/src/library/event.c 2022-01-30 20:11:05.516785465 -0500
-@@ -140,7 +140,14 @@ int new_event(const struct fanotify_even
- 
- // We need to reset everything now that execve has finished
- if (s->info->state == STATE_STATIC_PARTIAL && !rc) {
-- s->info->state = STATE_STATIC;
-+ // If the static app itself launches an app right
-+ // away, go back to collecting.
-+ if (e->type & FAN_OPEN_EXEC_PERM)
-+ s->info->state = STATE_COLLECTING;
-+ else {
-+ s->info->state = STATE_STATIC;
-+ skip_path = 1;
-+ }
- evict = 0;
- skip_path = 1;
- subject_reset(s, EXE);
diff --git a/SOURCES/fapolicyd-reorder-rules.patch b/SOURCES/fapolicyd-reorder-rules.patch
deleted file mode 100644
index 53a797c..0000000
--- a/SOURCES/fapolicyd-reorder-rules.patch
+++ /dev/null
@@ -1,110 +0,0 @@ -From 609ffa1d2ed490c7d5c77d2dd2dfdc50f415b935 Mon Sep 17 00:00:00 2001 -From: Radovan Sroka -Date: Thu, 24 Mar 2022 09:59:05 +0100 -Subject: [PATCH] Reorder loop holes with patterns in rules.d - -- this keeps backwards compatibility with older wersions of rules -- the ld_so pattern was applied to root -- it caused problems with running ldd as root(previously unrestricted) - -Signed-off-by: Radovan Sroka ---- - fapolicyd.spec | 6 +++--- - rules.d/{30-dracut.rules => 20-dracut.rules} | 0 - rules.d/{30-updaters.rules => 21-updaters.rules} | 0 - rules.d/{20-patterns.rules => 30-patterns.rules} | 0 - rules.d/Makefile.am | 4 ++-- - rules.d/README-rules | 16 ++++++++-------- - 6 files changed, 13 insertions(+), 13 deletions(-) - rename rules.d/{30-dracut.rules => 20-dracut.rules} (100%) - rename rules.d/{30-updaters.rules => 21-updaters.rules} (100%) - rename rules.d/{20-patterns.rules => 30-patterns.rules} (100%) - -diff --git a/fapolicyd.spec b/fapolicyd.spec -index c2aae21..261b780 100644 ---- a/fapolicyd.spec -+++ b/fapolicyd.spec -@@ -66,9 +66,9 @@ if [ ! 
-e %{_sysconfdir}/%{name}/%{name}.rules ] ; then - if [ "$files" -eq 0 ] ; then - ## Install the known libs policy - cp %{_datadir}/%{name}/sample-rules/10-languages.rules %{_sysconfdir}/%{name}/rules.d/ --cp %{_datadir}/%{name}/sample-rules/20-patterns.rules %{_sysconfdir}/%{name}/rules.d/ --cp %{_datadir}/%{name}/sample-rules/30-dracut.rules %{_sysconfdir}/%{name}/rules.d/ --cp %{_datadir}/%{name}/sample-rules/30-updaters.rules %{_sysconfdir}/%{name}/rules.d/ -+cp %{_datadir}/%{name}/sample-rules/20-dracut.rules %{_sysconfdir}/%{name}/rules.d/ -+cp %{_datadir}/%{name}/sample-rules/21-updaters.rules %{_sysconfdir}/%{name}/rules.d/ -+cp %{_datadir}/%{name}/sample-rules/30-patterns.rules %{_sysconfdir}/%{name}/rules.d/ - cp %{_datadir}/%{name}/sample-rules/40-bad-elf.rules %{_sysconfdir}/%{name}/rules.d/ - cp %{_datadir}/%{name}/sample-rules/41-shared-obj.rules %{_sysconfdir}/%{name}/rules.d/ - cp %{_datadir}/%{name}/sample-rules/42-trusted-elf.rules %{_sysconfdir}/%{name}/rules.d/ -diff --git a/rules.d/30-dracut.rules b/rules.d/20-dracut.rules -similarity index 100% -rename from rules.d/30-dracut.rules -rename to rules.d/20-dracut.rules -diff --git a/rules.d/30-updaters.rules b/rules.d/21-updaters.rules -similarity index 100% -rename from rules.d/30-updaters.rules -rename to rules.d/21-updaters.rules -diff --git a/rules.d/20-patterns.rules b/rules.d/30-patterns.rules -similarity index 100% -rename from rules.d/20-patterns.rules -rename to rules.d/30-patterns.rules -diff --git a/rules.d/Makefile.am b/rules.d/Makefile.am -index 76b5377..9bb61a7 100644 ---- a/rules.d/Makefile.am -+++ b/rules.d/Makefile.am -@@ -23,8 +23,8 @@ - - CONFIG_CLEAN_FILES = *.rej *.orig - --EXTRA_DIST = README-rules 10-languages.rules 20-patterns.rules \ -- 30-dracut.rules 30-updaters.rules \ -+EXTRA_DIST = README-rules 10-languages.rules 20-dracut.rules \ -+ 21-updaters.rules 30-patterns.rules \ - 40-bad-elf.rules 41-shared-obj.rules 42-trusted-elf.rules \ - 43-known-elf.rules \ - 
70-trusted-lang.rules 71-known-python.rules 72-shell.rules \ -diff --git a/rules.d/README-rules b/rules.d/README-rules -index c03c02b..30fcd01 100644 ---- a/rules.d/README-rules -+++ b/rules.d/README-rules -@@ -5,8 +5,8 @@ sort order. To make things easier to use, the files in this directory are - organized into groups with the following meanings: - - 10 - macros --20 - patterns --30 - loop holes -+20 - loop holes -+30 - patterns - 40 - ELF rules - 50 - user/group access rules - 60 - application access rules -@@ -25,9 +25,9 @@ You can reconstruct the old policy files by including the following: - fapolicyd.rules.known-libs - -------------------------- - 10-languages.rules --20-patterns.rules --30-dracut.rules --30-updaters.rules -+20-dracut.rules -+21-updaters.rules -+30-patterns.rules - 40-bad-elf.rules - 41-shared-obj.rules - 42-trusted-elf.rules -@@ -39,9 +39,9 @@ fapolicyd.rules.known-libs - fapolicyd.rules.restrictive - --------------------------- - 10-languages.rules --20-patterns.rules --30-dracut.rules --30-updaters.rules -+20-dracut.rules -+21-updaters.rules -+30-patterns.rules - 40-bad-elf.rules - 41-shared-obj.rules - 43-known-elf.rules --- -2.35.1 - diff --git a/SOURCES/fapolicyd-selinux.patch b/SOURCES/fapolicyd-selinux.patch index 26fafeb..2ece2d2 100644 --- a/SOURCES/fapolicyd-selinux.patch +++ b/SOURCES/fapolicyd-selinux.patch 
@@ -1,9 +1,12 @@ -diff --color -ru a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te ---- a/fapolicyd-selinux-0.4/fapolicyd.te 2021-03-23 10:21:31.000000000 +0100 -+++ b/fapolicyd-selinux-0.4/fapolicyd.te 2021-11-19 10:24:20.000002248 +0100 -@@ -63,23 +63,13 @@ +diff -up ./fapolicyd-selinux-0.4/fapolicyd.te.selinux ./fapolicyd-selinux-0.4/fapolicyd.te +--- ./fapolicyd-selinux-0.4/fapolicyd.te.selinux 2021-03-23 10:21:31.000000000 +0100 ++++ ./fapolicyd-selinux-0.4/fapolicyd.te 2022-06-29 12:06:57.958124735 +0200 +@@ -61,25 +61,15 @@ corecmd_exec_bin(fapolicyd_t) - files_mmap_usr_files(fapolicyd_t) + domain_read_all_domains_state(fapolicyd_t) + +-files_mmap_usr_files(fapolicyd_t) ++files_mmap_all_files(fapolicyd_t) files_read_all_files(fapolicyd_t) -files_watch_mount_generic_tmp_dirs(fapolicyd_t) -files_watch_with_perm_generic_tmp_dirs(fapolicyd_t) diff --git a/SPECS/fapolicyd.spec b/SPECS/fapolicyd.spec index 020524c..5848518 100644 --- a/SPECS/fapolicyd.spec +++ b/SPECS/fapolicyd.spec @@ -2,11 +2,10 @@ %global moduletype contrib %define semodule_version 0.4 - Summary: Application Whitelisting Daemon Name: fapolicyd -Version: 1.1 -Release: 6%{?dist}.1 +Version: 1.1.3 +Release: 6%{?dist} License: GPLv3+ URL: http://people.redhat.com/sgrubb/fapolicyd Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz @@ -32,12 +31,7 @@ Requires(postun): systemd-units # the fapolicyd package because it provides safe upgrade path Patch1: fapolicyd-dnf-plugin.patch Patch2: fapolicyd-selinux.patch -Patch3: fapolicyd-reorder-rules.patch -Patch4: fagenrules-group.patch -# 2069120 - CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path [rhel-8.6.0] -Patch5: fapolicyd-1.1.1-ld_so.patch -# 2084548 - Faulty handling of static applications [rhel-8.6.0.z] -Patch6: fapolicyd-1.1.1-static.patch +Patch3: fagenrules-group.patch %description Fapolicyd (File Access Policy Daemon) implements application whitelisting 
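Review bot: The new side of the nested fapolicyd.te hunk (`+-files_mmap_usr_files(fapolicyd_t)` / `++files_mmap_all_files(fapolicyd_t)`) widens the daemon's mmap permission from usr_t files to every file type the files_* interfaces cover, and neither the patch nor the spec changelog records why. Read access was already granted by the unchanged `files_read_all_files(fapolicyd_t)` line, so the real delta is mmap on non-usr files; presumably the daemon maps files it is asked to verify, but that is not visible in this hunk. A one-line comment above the new rule, e.g. `# mmap (not only read) of non-usr_t files is needed when verifying them -- scope to be confirmed against actual AVC denials`, would preserve the justification for the next policy review. This is a scope and documentation point rather than a syntax defect in the interface call.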
@@ -66,10 +60,7 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon. %patch1 -p1 -b .plugin %patch2 -p1 -b .selinux -%patch3 -p1 -b .rules -%patch4 -p1 -b .group -%patch5 -p1 -b .ld_so -%patch6 -p1 -b .static +%patch3 -p1 -b .group # generate rules for python sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules @@ -188,7 +179,7 @@ if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then # restore correct label /usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/* fi - fagenrules > /dev/null 2>&1 + fagenrules --load fi fi %systemd_post %{name}.service @@ -258,20 +249,24 @@ fi %selinux_relabel_post -s %{selinuxtype} %changelog -* Thu May 12 2022 Radovan Sroka - 1.1-6.1 -RHEL 8.6.Z ERRATUM +* Wed Jun 22 2022 Radovan Sroka - 1.1.3-6 +RHEL 8.7.0 ERRATUM +- rebase fapolicyd to the latest stable vesion +Resolves: rhbz#2100087 +- fapolicyd gets way too easily killed by OOM killer +Resolves: rhbz#2100089 +- compiled.rules file ownership and mode +Resolves: rhbz#2066653 - Faulty handling of static applications -Resolves: rhbz#2084548 - -* Wed Apr 06 2022 Radovan Sroka - 1.1-6 -RHEL 8.6.0 ERRATUM -- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path -Resolves: rhbz#2069120 - -* Sat Apr 02 2022 Radovan Sroka - 1.1-4 -RHEL 8.6.0 ERRATUM -- fapolicyd denies access to /usr/lib64/ld-2.28.so -Resolves: rhbz#2066300 +Resolves: rhbz#2084497 +- fapolicyd does not correctly handle SIGHUP +Resolves: rhbz#2070639 +- Introduce ppid rule attribute +Resolves: rhbz#2102563 +- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path [rhel-8.7.0] +Resolves: rhbz#2069121 +- Fapolicyd denies access to /usr/lib64/ld-2.28.so [rhel-8.7.0] +Resolves: rhbz#2068105 * Wed Feb 16 2022 Radovan Sroka - 1.1-1 RHEL 8.6.0 ERRATUM
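Review bot: `fagenrules --load` in the %post hunk (`@@ -188,7 +179,7 @@`) replaces a call whose output was sent to /dev/null, but the new line carries no `|| :`, so whatever the new invocation prints or returns now reaches the rpm scriptlet unguarded. On a fresh install the daemon is normally not running yet (`%systemd_post %{name}.service` comes later in the same hunk), so if `--load` also tries to signal a running daemon — which its name suggests but the hunk does not show — that step can fail harmlessly and should not be allowed to look like a scriptlet error. I would write `fagenrules --load || :` and precede it with `# compile rules.d into compiled.rules; the reload part only matters if the daemon is already running`. The enclosing `if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ]` block begins before the hunk.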