diff --git a/SOURCES/fapolicyd-1.1.1-ld_so.patch b/SOURCES/fapolicyd-1.1.1-ld_so.patch
new file mode 100644
index 0000000..a79cca7
--- /dev/null
+++ b/SOURCES/fapolicyd-1.1.1-ld_so.patch
@@ -0,0 +1,27 @@
+diff -urp fapolicyd-1.1.1.orig/fapolicyd.spec fapolicyd-1.1.1/fapolicyd.spec
+--- fapolicyd-1.1.1.orig/fapolicyd.spec 2022-01-28 15:17:55.000000000 -0500
++++ fapolicyd-1.1.1/fapolicyd.spec 2022-01-28 15:19:31.594155397 -0500
+@@ -30,7 +30,7 @@ makes use of the kernel's fanotify inter
+ # generate rules for python
+ sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
+ sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
+-sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
++sed -i "s/%ld_so_path%/`readelf -e /usr/bin/bash | grep Requesting | sed 's/.$//' | rev | cut -d" " -f1 | rev | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
+ 
+ %build
+ %configure \
+diff -urp fapolicyd-1.1.1.orig/m4/dyn_linker.m4 fapolicyd-1.1.1/m4/dyn_linker.m4
+--- fapolicyd-1.1.1.orig/m4/dyn_linker.m4 2022-01-28 15:17:55.000000000 -0500
++++ fapolicyd-1.1.1/m4/dyn_linker.m4 2022-01-28 15:20:02.048609672 -0500
+@@ -1,6 +1,10 @@
+ AC_DEFUN([LD_SO_PATH],
+ [
+- xpath=`realpath /usr/lib64/ld-2.*.so`
++ xpath1=`readelf -e /usr/bin/bash | grep Requesting | sed 's/.$//' | rev | cut -d" " -f1 | rev`
++ xpath=`realpath $xpath1`
++ if test ! -f "$xpath" ; then
++ AC_MSG_ERROR([Cant find the dynamic linker])
++ fi
+ echo "dynamic linker is.....$xpath"
+ AC_DEFINE_UNQUOTED(SYSTEM_LD_SO, ["$xpath"], [dynamic linker])
+ ])
diff --git a/SPECS/fapolicyd.spec b/SPECS/fapolicyd.spec
index 1a05f8f..0dbbc56 100644
--- a/SPECS/fapolicyd.spec
+++ b/SPECS/fapolicyd.spec
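Review bot: The in-tarball fapolicyd.spec hunk substitutes the raw interpreter string from readelf into `%ld_so_path%`, whereas the m4 hunk of the same patch (and the SPECS/fapolicyd.spec hunk of this commit) passes it through realpath first, so the rule path and the compiled SYSTEM_LD_SO can name different files wherever the interpreter path is a symlink (the changelog refers to /usr/lib64/ld-2.28.so as the resolved file), and a rule that must match the resolved path would then never fire. Using the `|` delimiter as the SPECS hunk does also removes the need for the `sed 's/\//\\\\\//g'` escaping: `sed -i "s|%ld_so_path%|$(realpath $(readelf -e /usr/bin/bash | grep Requesting | sed 's/.$//' | rev | cut -d" " -f1 | rev))|g" rules.d/*.rules`. In the m4 hunk an empty xpath1 (no "Requesting program interpreter" line, or /usr/bin/bash absent on the build host) only surfaces as a realpath usage error before the `test ! -f` check fires, so a `test -n "$xpath1"` guard before realpath would give a clearer failure, and the message should read `Can't find the dynamic linker`. Both hunks derive the path from the build host's /usr/bin/bash, which presumably picks the wrong linker in a cross build; a one-line comment in dyn_linker.m4 stating that assumption would help the next maintainer.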
@@ -6,7 +6,7 @@
 Summary: Application Whitelisting Daemon
 Name: fapolicyd
 Version: 1.1
-Release: 4%{?dist}
+Release: 6%{?dist}
 License: GPLv3+
 URL: http://people.redhat.com/sgrubb/fapolicyd
 Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
@@ -34,6 +34,8 @@ Patch1: fapolicyd-dnf-plugin.patch
 Patch2: fapolicyd-selinux.patch
 Patch3: fapolicyd-reorder-rules.patch
 Patch4: fagenrules-group.patch
+# 2069120 - CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path [rhel-8.6.0]
+Patch5: fapolicyd-1.1.1-ld_so.patch
 
 %description
 Fapolicyd (File Access Policy Daemon) implements application whitelisting
@@ -64,11 +66,19 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.
 %patch2 -p1 -b .selinux
 %patch3 -p1 -b .rules
 %patch4 -p1 -b .group
+%patch5 -p1 -b .ld_so
 
 # generate rules for python
-sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
-sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
-sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-linux-*.so.*' | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
+sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules
+sed -i "s|%python3_path%|`readlink -f %{__python3}`|g" rules.d/*.rules
+
+interpret=`readelf -e /usr/bin/bash \
+ | grep Requesting \
+ | sed 's/.$//' \
+ | rev | cut -d" " -f1 \
+ | rev`
+
+sed -i "s|%ld_so_path%|`realpath $interpret`|g" rules.d/*.rules
 
 %build
 ./autogen.sh
@@ -245,7 +255,11 @@ fi
 %selinux_relabel_post -s %{selinuxtype}
 
 %changelog
-* Sat Apr 2 2022 Radovan Sroka - 1.1-4
+* Wed Apr 06 2022 Radovan Sroka - 1.1-6
+- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path
+Resolves: rhbz#2069120
+
+* Sat Apr 02 2022 Radovan Sroka - 1.1-4
 RHEL 8.6.0 ERRATUM
 - fapolicyd denies access to /usr/lib64/ld-2.28.so
 Resolves: rhbz#2066300
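Review bot: `interpret` is used unchecked in the new %prep block of the -64,11 +66,19 hunk: if readelf prints no "Requesting program interpreter" line (a statically linked bash, a translated readelf under a non-C locale, or bash missing from the buildroot) the pipeline yields an empty string, `realpath` only complains on stderr, and the `sed -i "s|%ld_so_path%|...|g"` line silently replaces the placeholder with nothing, so the build succeeds with an ld.so rule that names no path — the very class of bug this CVE-2022-1117 fix is for. Fail the build instead: `ld_so=$(realpath "$interpret") && test -f "$ld_so" || { echo "cannot determine the program interpreter of /usr/bin/bash" >&2; exit 1; }` followed by `sed -i "s|%ld_so_path%|$ld_so|g" rules.d/*.rules`. A short comment above `interpret=` saying that the dynamic linker is taken from the interpreter recorded in bash's ELF headers rather than by globbing /usr/lib64 would explain the readelf pipeline to the next maintainer; the same pipeline appears again in the fapolicyd-1.1.1-ld_so.patch hunk.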