diff --git a/.fapolicyd.metadata b/.fapolicyd.metadata
index e4598df..e32261e 100644
--- a/.fapolicyd.metadata
+++ b/.fapolicyd.metadata
@@ -1,2 +1,2 @@
-f3b2418bcbea4b2208de429e5fa449666af84b6e SOURCES/fapolicyd-1.0.2.tar.gz
-30a587d8d696846ac05fbae206a8f563b2945189 SOURCES/fapolicyd-selinux-0.3.tar.gz
+1fa6cf3f0a15bbef745438c1ba7b685ebf7e75f1 SOURCES/fapolicyd-1.1.tar.gz
+bdbe20a4db2cd58073abf17a537e3a6766cdea21 SOURCES/fapolicyd-selinux-0.4.tar.gz
diff --git a/.gitignore b/.gitignore
index ed23384..cb0435c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/fapolicyd-1.0.2.tar.gz
-SOURCES/fapolicyd-selinux-0.3.tar.gz
+SOURCES/fapolicyd-1.1.tar.gz
+SOURCES/fapolicyd-selinux-0.4.tar.gz
diff --git a/SOURCES/fapolicyd-cli-hang.patch b/SOURCES/fapolicyd-cli-hang.patch
deleted file mode 100644
index 52e7801..0000000
--- a/SOURCES/fapolicyd-cli-hang.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 3f43b262b1c5b9841fd0f387cac442aefeb84da9 Mon Sep 17 00:00:00 2001
-From: Radovan Sroka
-Date: Sun, 31 Jan 2021 18:49:10 +0100
-Subject: [PATCH] Added MDB_NOLOCK to cli mdb_env_open() (#114)
-
-- MDB_NOLOCK option resolves the issue with --dump-db hang
-
-Signed-off-by: Radovan Sroka
----
- src/cli/fapolicyd-cli.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/cli/fapolicyd-cli.c b/src/cli/fapolicyd-cli.c
-index fe47948..befb8ce 100644
---- a/src/cli/fapolicyd-cli.c
-+++ b/src/cli/fapolicyd-cli.c
-@@ -114,7 +114,7 @@ static int do_dump_db(void)
- return 1;
- }
- mdb_env_set_maxdbs(env, 2);
-- rc = mdb_env_open(env, DB_DIR, MDB_RDONLY, 0660);
-+ rc = mdb_env_open(env, DB_DIR, MDB_RDONLY|MDB_NOLOCK, 0660);
- if (rc) {
- fprintf(stderr, "mdb_env_open failed, error %d %s\n", rc,
- mdb_strerror(rc));
diff --git a/SOURCES/fapolicyd-dnf-plugin.patch b/SOURCES/fapolicyd-dnf-plugin.patch
index f56763e..e0cfce3 100644
--- a/SOURCES/fapolicyd-dnf-plugin.patch
+++ b/SOURCES/fapolicyd-dnf-plugin.patch
@@ -1,14 +1,13 @@ -diff -up ./dnf/fapolicyd-dnf-plugin.py.plugin ./dnf/fapolicyd-dnf-plugin.py ---- ./dnf/fapolicyd-dnf-plugin.py.plugin 2021-02-11 13:41:27.837534982 +0100 -+++ ./dnf/fapolicyd-dnf-plugin.py 2021-02-11 13:41:50.750225335 +0100 -@@ -7,30 +7,8 @@ import sys - +diff --color -ru a/dnf/fapolicyd-dnf-plugin.py b/dnf/fapolicyd-dnf-plugin.py +--- a/dnf/fapolicyd-dnf-plugin.py 2021-11-12 20:21:54.000000000 +0100 ++++ b/dnf/fapolicyd-dnf-plugin.py 2021-11-18 16:29:03.919237116 +0100 +@@ -8,29 +8,9 @@ class Fapolicyd(dnf.Plugin): -- name = "fapolicyd" + name = "fapolicyd" - pipe = "/var/run/fapolicyd/fapolicyd.fifo" - file = None -- + def __init__(self, base, cli): pass @@ -33,3 +32,4 @@ diff -up ./dnf/fapolicyd-dnf-plugin.py.plugin ./dnf/fapolicyd-dnf-plugin.py - self.file.write("1") - self.file.close() + pass +Only in b/dnf: fapolicyd-dnf-plugin.py.plugin diff --git a/SOURCES/fapolicyd-fanotify-read-error.patch b/SOURCES/fapolicyd-fanotify-read-error.patch deleted file mode 100644 index 7023449..0000000 --- a/SOURCES/fapolicyd-fanotify-read-error.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From d12dde7f3fdeb82a9fb064e26d260f40fb2036c0 Mon Sep 17 00:00:00 2001 -From: Steve Grubb -Date: Mon, 22 Mar 2021 10:38:31 -0400 -Subject: [PATCH] Do not exit on fanotify_event read failure - ---- - ChangeLog | 1 + - src/daemon/notify.c | 11 ++++++++--- - 2 files changed, 9 insertions(+), 3 deletions(-) - -diff --git a/src/daemon/notify.c b/src/daemon/notify.c -index 3e42b92..a83db39 100644 ---- a/src/daemon/notify.c -+++ b/src/daemon/notify.c -@@ -337,8 +337,13 @@ void handle_events(void) - len = read(fd, (void *) buf, sizeof(buf)); - } while (len == -1 && errno == EINTR && stop == 0); - if (len == -1 && errno != EAGAIN) { -- msg(LOG_ERR,"Error reading (%s)", strerror(errno)); -- exit(1); -+ // If we get this, we have no access to the file. We -+ // cannot formulate a reply either to deny it because -+ // we have nothing to work with. -+ msg(LOG_ERR, -+ "Error receiving fanotify_event (%s)", -+ strerror(errno)); -+ return; - } - if (stop) - return; diff --git a/SOURCES/fapolicyd-magic-override.patch b/SOURCES/fapolicyd-magic-override.patch deleted file mode 100644 index 80ecd50..0000000 --- a/SOURCES/fapolicyd-magic-override.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -diff -up ./init/fapolicyd-magic.magic ./init/fapolicyd-magic ---- ./init/fapolicyd-magic.magic 2021-01-05 16:27:53.000000000 +0100 -+++ ./init/fapolicyd-magic 2021-02-17 15:51:41.420604805 +0100 -@@ -1,9 +1,17 @@ - 0 string/w #!\ /usr/bin/bash Bourne-Again shell script text executable - !:mime text/x-shellscript - -+0 search/1/w #!\ /usr/bin/env\ bash Bourne-Again shell script text executable -+!:strength + 15 -+!:mime text/x-shellscript -+ - 0 string/w #!\ /usr/bin/sh Shell script text executable - !:mime text/x-shellscript - -+0 search/1/w #!\ /usr/bin/env\ sh Shell script text executable -+!:strength + 15 -+!:mime text/x-shellscript -+ - 0 string/wt #!\ /bin/rc Plan 9 shell script text executable - !:mime text/x-plan9-shellscript - -@@ -47,10 +55,18 @@ - !:strength + 15 - !:mime text/x-python - -+0 search/1/w #!\ /usr/bin/env\ python3 Python script text executable -+!:strength + 15 -+!:mime text/x-python -+ - 0 search/1/wt #!\ /usr/bin/python2 Python script text executable - !:strength + 15 - !:mime text/x-python - -+0 search/1/w #!\ /usr/bin/env\ python2 Python script text executable -+!:strength + 15 -+!:mime text/x-python -+ - 0 search/1/wt #!\ /usr/bin/python Python script text executable - !:strength + 15 - !:mime text/x-python -@@ -72,6 +88,5 @@ - 0 search/1/wt #!\ /usr/bin/tclsh Tcl/Tk script text executable - !:mime text/x-tcl - -- - 0 search/1/wt #!\ /usr/bin/stap Systemtap script text executable - !:mime text/x-systemtap diff --git a/SOURCES/fapolicyd-selinux.patch b/SOURCES/fapolicyd-selinux.patch new file mode 100644 index 0000000..26fafeb --- /dev/null +++ b/SOURCES/fapolicyd-selinux.patch 
@@ -0,0 +1,28 @@ +diff --color -ru a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te +--- a/fapolicyd-selinux-0.4/fapolicyd.te 2021-03-23 10:21:31.000000000 +0100 ++++ b/fapolicyd-selinux-0.4/fapolicyd.te 2021-11-19 10:24:20.000002248 +0100 +@@ -63,23 +63,13 @@ + + files_mmap_usr_files(fapolicyd_t) + files_read_all_files(fapolicyd_t) +-files_watch_mount_generic_tmp_dirs(fapolicyd_t) +-files_watch_with_perm_generic_tmp_dirs(fapolicyd_t) +-files_watch_mount_root_dirs(fapolicyd_t) +-files_watch_with_perm_root_dirs(fapolicyd_t) + + fs_getattr_xattr_fs(fapolicyd_t) +-fs_watch_mount_tmpfs_dirs(fapolicyd_t) +-fs_watch_with_perm_tmpfs_dirs(fapolicyd_t) + + logging_send_syslog_msg(fapolicyd_t) + dbus_system_bus_client(fapolicyd_t) + +-userdom_watch_mount_tmp_dirs(fapolicyd_t) +-userdom_watch_with_perm_tmp_dirs(fapolicyd_t) +- + optional_policy(` + rpm_read_db(fapolicyd_t) +- allow fapolicyd_t rpm_var_lib_t:file { create }; +- allow fapolicyd_t rpm_var_lib_t:dir { add_name write }; ++ rpm_manage_db(fapolicyd_t) + ') diff --git a/SOURCES/fapolicyd-startup-message.patch b/SOURCES/fapolicyd-startup-message.patch deleted file mode 100644 index 4b0b078..0000000 --- a/SOURCES/fapolicyd-startup-message.patch +++ /dev/null 
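Review bot: `rpm_manage_db(fapolicyd_t)` at the end of the new patch replaces two narrow rules — `create` on rpm_var_lib_t files and `add_name write` on the directory — with an interface that, going by the refpolicy manage_* convention, presumably grants the full read/write/create/unlink/rename set on the RPM database; that is a wider grant than the daemon demonstrably needed before, so the patch should carry a comment stating why, e.g. `# rpm_manage_db: <reason the narrower create/add_name rules no longer suffice>`. The same hunk also removes the files_watch_*, fs_watch_* and userdom_watch_* calls without explanation; a one-line comment on whether the 0.4 policy provides them elsewhere or the daemon no longer needs them would save the next reviewer a policy diff. If the narrower allow rules still suffice, prefer them over the broad interface.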
@@ -1,32 +0,0 @@ -From 54b0679719bf82e25b2b007a32f26b1654912fa2 Mon Sep 17 00:00:00 2001 -From: Steve Grubb -Date: Tue, 26 Jan 2021 15:07:05 -0500 -Subject: [PATCH] Add startup and shutdown syslog message - ---- - ChangeLog | 1 + - src/daemon/fapolicyd.c | 4 ++-- - 2 files changed, 3 insertions(+), 2 deletions(-) - -diff --git a/src/daemon/fapolicyd.c b/src/daemon/fapolicyd.c -index e0e01ae..55e085d 100644 ---- a/src/daemon/fapolicyd.c -+++ b/src/daemon/fapolicyd.c -@@ -491,7 +491,7 @@ int main(int argc, const char *argv[]) - pfd[1].fd = init_fanotify(&config, m); - pfd[1].events = POLLIN; - -- msg(LOG_DEBUG, "Starting to listen for events"); -+ msg(LOG_INFO, "Starting to listen for events"); - while (!stop) { - rc = poll(pfd, 2, -1); - -@@ -526,7 +526,7 @@ int main(int argc, const char *argv[]) - #endif - } - } -- msg(LOG_DEBUG, "shutting down..."); -+ msg(LOG_INFO, "shutting down..."); - shutdown_fanotify(m); - close(pfd[0].fd); - mlist_clear(m); diff --git a/SOURCES/fapolicyd-unlink-fifo1.patch b/SOURCES/fapolicyd-unlink-fifo1.patch deleted file mode 100644 index e92f3b6..0000000 --- a/SOURCES/fapolicyd-unlink-fifo1.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From 8cf74e7f147836e81c3583a046e4dc2b4673a14c Mon Sep 17 00:00:00 2001 -From: Radovan Sroka -Date: Thu, 11 Mar 2021 14:45:50 +0100 -Subject: [PATCH] Ensure that fifo will be removed after termination - -- unlink_fifo() will be called after every succesful termination -because dnf/yum can hang if the pipe exists after daemon termination - -- move preconstruct_fifo() out of the scope because it is needed also -when the daemon is configured to run as root - -Signed-off-by: Radovan Sroka ---- - src/daemon/fapolicyd.c | 13 +++++++++++-- - 1 file changed, 11 insertions(+), 2 deletions(-) - -diff --git a/src/daemon/fapolicyd.c b/src/daemon/fapolicyd.c -index 5dce666..c29611c 100644 ---- a/src/daemon/fapolicyd.c -+++ b/src/daemon/fapolicyd.c -@@ -446,6 +446,17 @@ int main(int argc, const char *argv[]) - openlog("fapolicyd", LOG_PID, LOG_DAEMON); - } - -+ // Set the exit function so there is always a fifo cleanup -+ if (atexit(unlink_fifo)) { -+ msg(LOG_ERR, "Cannot set exit function"); -+ exit(1); -+ } -+ -+ if (preconstruct_fifo(&config)) { -+ msg(LOG_ERR, "Cannot contruct a pipe"); -+ exit(1); -+ } -+ - // Setup filesystem to watch list - init_fs_list(config.watch_fs); - -@@ -454,8 +465,6 @@ int main(int argc, const char *argv[]) - - // If we are not going to be root, then setup necessary capabilities - if (config.uid != 0) { -- if (preconstruct_fifo(&config)) -- exit(1); - capng_clear(CAPNG_SELECT_BOTH); - capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, - CAP_DAC_OVERRIDE, CAP_SYS_ADMIN, CAP_SYS_PTRACE, --- -2.26.2 - diff --git a/SOURCES/fapolicyd-unlink-fifo2.patch b/SOURCES/fapolicyd-unlink-fifo2.patch deleted file mode 100644 index ea1f6f1..0000000 --- a/SOURCES/fapolicyd-unlink-fifo2.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 7c2726e8d9c3aa5f8f6710a7ea147bf99877e1a5 Mon Sep 17 00:00:00 2001 -From: Radovan Sroka -Date: Tue, 16 Mar 2021 12:49:48 +0100 -Subject: [PATCH] Fixed problem with startup failed on unlink() (#120) - -- introduced in 128e22d0c638aed81337a6dbbfa664e5bfc9ea06 - -- daemon does not start when unlinking non existing db -- fapolicyd-cli returned error when there is no db to unlink - -Signed-off-by: Radovan Sroka ---- - src/library/database.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/library/database.c b/src/library/database.c -index a010923..59816cb 100644 ---- a/src/library/database.c -+++ b/src/library/database.c -@@ -718,13 +718,13 @@ int unlink_db(void) - - snprintf(path, sizeof(path), "%s/data.mdb", data_dir); - rc = unlink(path); -- if (rc) { -+ if (rc == -1 && errno != ENOENT) { - msg(LOG_ERR, "Could not unlink %s (%s)", path, strerror(errno)); - ret_val = 1; - } - snprintf(path, sizeof(path), "%s/lock.mdb", data_dir); - rc = unlink(path); -- if (rc) { -+ if (rc == -1 && errno != ENOENT) { - msg(LOG_ERR, "Could not unlink %s (%s)", path, strerror(errno)); - ret_val = 1; - } diff --git a/SOURCES/fapolicyd-unlink1.patch b/SOURCES/fapolicyd-unlink1.patch deleted file mode 100644 index 37dc715..0000000 --- a/SOURCES/fapolicyd-unlink1.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From a0d93349003100ec773c3253e515c7162737c4c2 Mon Sep 17 00:00:00 2001 -From: Steve Grubb -Date: Wed, 3 Mar 2021 13:16:07 -0500 -Subject: [PATCH] Add error message for debugging - ---- - src/library/database.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/library/database.c b/src/library/database.c -index db52000..9497c06 100644 ---- a/src/library/database.c -+++ b/src/library/database.c -@@ -161,8 +161,10 @@ static int init_db(const conf_t *config) - return 4; - - int rc = mdb_env_open(env, data_dir, flags, 0660); -- if (rc) -+ if (rc) { -+ msg(LOG_ERR, "env_open error: %s", mdb_strerror(rc)); - return 5; -+ } - - MDB_maxkeysize = mdb_env_get_maxkeysize(env); - integrity = config->integrity; diff --git a/SOURCES/fapolicyd-unlink2.patch b/SOURCES/fapolicyd-unlink2.patch deleted file mode 100644 index 0e1fb4a..0000000 --- a/SOURCES/fapolicyd-unlink2.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 1b862f3b7c489928f1861396cebb763ae0654371 Mon Sep 17 00:00:00 2001 -From: Steve Grubb -Date: Wed, 3 Mar 2021 13:22:10 -0500 -Subject: [PATCH] Add error message for debugging - ---- - src/library/database.c | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/src/library/database.c b/src/library/database.c -index 9497c06..831ec74 100644 ---- a/src/library/database.c -+++ b/src/library/database.c -@@ -713,12 +713,17 @@ static int check_database_copy(void) - */ - void unlink_db(void) - { -+ int rc; - char path[64]; - - snprintf(path, sizeof(path), "%s/data.mdb", data_dir); -- unlink(path); -+ rc = unlink(path); -+ if (rc) -+ msg(LOG_ERR, "Could not unlink %s (%s)", path, strerror(errno)); - snprintf(path, sizeof(path), "%s/lock.mdb", data_dir); -- unlink(path); -+ rc = unlink(path); -+ if (rc) -+ msg(LOG_ERR, "Could not unlink %s (%s)", path, strerror(errno)); - } - - diff --git a/SOURCES/fapolicyd-unlink3.patch b/SOURCES/fapolicyd-unlink3.patch deleted file mode 100644 index 571cab5..0000000 
--- a/SOURCES/fapolicyd-unlink3.patch
+++ /dev/null
@@ -1,114 +0,0 @@ -From 128e22d0c638aed81337a6dbbfa664e5bfc9ea06 Mon Sep 17 00:00:00 2001 -From: Steve Grubb -Date: Wed, 3 Mar 2021 13:34:58 -0500 -Subject: [PATCH] If db migration fails due to unlinking problem, fail startup - ---- - ChangeLog | 1 + - src/cli/fapolicyd-cli.c | 5 +++-- - src/library/database.c | 22 ++++++++++++++++------ - src/library/database.h | 4 ++-- - 4 files changed, 22 insertions(+), 10 deletions(-) - -diff --git a/src/cli/fapolicyd-cli.c b/src/cli/fapolicyd-cli.c -index 994c9a6..fb9081b 100644 ---- a/src/cli/fapolicyd-cli.c -+++ b/src/cli/fapolicyd-cli.c -@@ -1,6 +1,6 @@ - /* - * fapolicy-cli.c - CLI tool for fapolicyd -- * Copyright (c) 2019,2020 Red Hat Inc. -+ * Copyright (c) 2019-2021 Red Hat Inc. - * All Rights Reserved. - * - * This software may be freely redistributed and/or modified under the -@@ -89,7 +89,8 @@ static char *get_line(FILE *f, unsigned *lineno) - - static int do_delete_db(void) - { -- unlink_db(); -+ if (unlink_db()) -+ return 1; - return 0; - } - -diff --git a/src/library/database.c b/src/library/database.c -index 831ec74..a010923 100644 ---- a/src/library/database.c -+++ b/src/library/database.c -@@ -1,6 +1,6 @@ - /* - * database.c - Trust database -- * Copyright (c) 2016,2018-20 Red Hat Inc. -+ * Copyright (c) 2016,2018-21 Red Hat Inc. - * All Rights Reserved. - * - * This software may be freely redistributed and/or modified under the -@@ -711,23 +711,32 @@ static int check_database_copy(void) - /* - * This function removes the trust database files. 
- */ --void unlink_db(void) -+int unlink_db(void) - { -- int rc; -+ int rc, ret_val = 0; - char path[64]; - - snprintf(path, sizeof(path), "%s/data.mdb", data_dir); - rc = unlink(path); -- if (rc) -+ if (rc) { - msg(LOG_ERR, "Could not unlink %s (%s)", path, strerror(errno)); -+ ret_val = 1; -+ } - snprintf(path, sizeof(path), "%s/lock.mdb", data_dir); - rc = unlink(path); -- if (rc) -+ if (rc) { - msg(LOG_ERR, "Could not unlink %s (%s)", path, strerror(errno)); -+ ret_val = 1; -+ } -+ -+ return ret_val; - } - - - /* -+ * DB version 1 = unique keys (0.8 - 0.9.2) -+ * DB version 2 = allow duplicate keys (0.9.3 - ) -+ * - * This function is used to detect if we are using version1 of the database. - * If so, we have to delete the database and rebuild it. We cannot mix - * database versions because lmdb doesn't do that. -@@ -744,7 +753,8 @@ static int migrate_database(void) - msg(LOG_INFO, "Database migration will be performed."); - - // Then we have a version1 db since it does not track versions -- unlink_db(); -+ if (unlink_db()) -+ return 1; - - // Create the new, db version tracker and write current version - fd = open(vpath, O_CREAT|O_EXCL|O_WRONLY, 0640); -diff --git a/src/library/database.h b/src/library/database.h -index e828503..f4516b2 100644 ---- a/src/library/database.h -+++ b/src/library/database.h -@@ -1,6 +1,6 @@ - /* - * database.h - Header file for trust database -- * Copyright (c) 2018-20 Red Hat Inc. -+ * Copyright (c) 2018-21 Red Hat Inc. - * All Rights Reserved. - * - * This software may be freely redistributed and/or modified under the -@@ -41,7 +41,7 @@ int init_database(conf_t *config); - int check_trust_database(const char *path, struct file_info *info, int fd); - void close_database(void); - void database_report(FILE *f); --void unlink_db(void); -+int unlink_db(void); - void unlink_fifo(void); - - #endif diff --git a/SOURCES/selinux.patch b/SOURCES/selinux.patch deleted file mode 100644 index ebedb50..0000000 
--- a/SOURCES/selinux.patch +++ /dev/null @@ -1,19 +0,0 @@ -diff -up ./fapolicyd-selinux-0.3/fapolicyd.te.selinux ./fapolicyd-selinux-0.3/fapolicyd.te ---- ./fapolicyd-selinux-0.3/fapolicyd.te.selinux 2020-06-01 14:41:37.000000000 +0200 -+++ ./fapolicyd-selinux-0.3/fapolicyd.te 2021-03-19 10:50:13.885358270 +0100 -@@ -62,9 +62,14 @@ domain_read_all_domains_state(fapolicyd_ - files_mmap_usr_files(fapolicyd_t) - files_read_all_files(fapolicyd_t) - fs_getattr_xattr_fs(fapolicyd_t) -+kernel_read_all_sysctls(fapolicyd_t) -+kernel_read_all_proc(fapolicyd_t) - - logging_send_syslog_msg(fapolicyd_t) -+dbus_system_bus_client(fapolicyd_t) - - optional_policy(` -- rpm_read_db(fapolicyd_t) -+ rpm_read_db(fapolicyd_t) -+ allow fapolicyd_t rpm_var_lib_t:file { create }; -+ allow fapolicyd_t rpm_var_lib_t:dir { add_name write }; - ') diff --git a/SPECS/fapolicyd.spec b/SPECS/fapolicyd.spec index d14fde9..8090ce5 100644 --- a/SPECS/fapolicyd.spec +++ b/SPECS/fapolicyd.spec @@ -1,12 +1,12 @@ %global selinuxtype targeted %global moduletype contrib -%define semodule_version 0.3 +%define semodule_version 0.4 Summary: Application Whitelisting Daemon Name: fapolicyd -Version: 1.0.2 -Release: 6%{?dist} +Version: 1.1 +Release: 1%{?dist} License: GPLv3+ URL: http://people.redhat.com/sgrubb/fapolicyd Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz 
@@ -26,25 +26,12 @@ Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units - -Patch1: fapolicyd-magic-override.patch -Patch2: selinux.patch -Patch3: fapolicyd-startup-message.patch -Patch4: fapolicyd-cli-hang.patch - # we are making the dnf-plugin completelly dummy because of # https://bugzilla.redhat.com/show_bug.cgi?id=1929163 # we require the rpm-plugin from now on and the dnf-plugin still needs to be part of # the fapolicyd package because it provides safe upgrade path -Patch5: fapolicyd-dnf-plugin.patch - -Patch6: fapolicyd-unlink1.patch -Patch7: fapolicyd-unlink2.patch -Patch8: fapolicyd-unlink3.patch -Patch9: fapolicyd-unlink-fifo1.patch -Patch10: fapolicyd-unlink-fifo2.patch - -Patch11: fapolicyd-fanotify-read-error.patch +Patch1: fapolicyd-dnf-plugin.patch +Patch2: fapolicyd-selinux.patch %description Fapolicyd (File Access Policy Daemon) implements application whitelisting 
@@ -71,26 +58,13 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon. # selinux %setup -q -D -T -a 1 -%patch1 -p1 -b .magic +%patch1 -p1 -b .plugin %patch2 -p1 -b .selinux -%patch3 -p1 -b .startup -%patch4 -p1 -b .cli-hang - -%patch5 -p1 -b .plugin - -%patch6 -p1 -b .unlink1 -%patch7 -p1 -b .unlink2 -%patch8 -p1 -b .unlink3 - -%patch9 -p1 -b .unlink_fifo1 -%patch10 -p1 -b .unlink_fifo2 - -%patch11 -p1 -b .fanotify_read # generate rules for python -sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.* -sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.* -sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.* +sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules +sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules +sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-linux-*.so.*' | sed 's/\//\\\\\//g'`/g" rules.d/*.rules %build ./autogen.sh 
@@ -99,28 +73,29 @@ sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\// --with-rpm \ --disable-shared -make CFLAGS="%{optflags}" %{?_smp_mflags} +%make_build # selinux pushd %{name}-selinux-%{semodule_version} make popd +%check +make check + # selinux %pre selinux %selinux_relabel_pre -s %{selinuxtype} -%check -make check - %install -make DESTDIR="%{buildroot}" INSTALL='install -p' install +%make_install mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/ install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/ install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf -install -p -m 644 init/%{name}.rules.known-libs %{buildroot}/%{_sysconfdir}/%{name}/%{name}.rules mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name} mkdir -p %{buildroot}/run/%{name} +mkdir -p %{buildroot}%{_sysconfdir}/%{name}/trust.d +mkdir -p %{buildroot}%{_sysconfdir}/%{name}/rules.d # selinux install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} 
@@ -129,39 +104,37 @@ install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype} install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if #cleanup -find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';' +find %{buildroot} \( -name '*.la' -o -name '*.a' \) -delete %pre getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name} -%pretrans -p -if posix.access("/run/fapolicyd.pid", "f") then - os.execute([[ - c=/etc/fapolicyd/fapolicyd.rules - release=/etc/redhat-release - rule="allow perm=any uid=0 : all" - if test -e $release; then - if grep -q '8.1' $release; then - rule="allow uid=0 all" - fi - fi - - if test -e $c; then - if systemctl is-active fapolicyd &> /dev/null; then - tmp=`mktemp` - cat $c > $tmp - echo "$rule" > $c - cat $tmp >> $c - systemctl restart fapolicyd || true - sleep 10 - cat $tmp > $c - rm -f $tmp - fi - fi - ]]) -end - %post +# if no pre-existing rule file +if [ ! 
-e %{_sysconfdir}/%{name}/%{name}.rules ] ; then + files=`ls %{_sysconfdir}/%{name}/rules.d/ 2>/dev/null | wc -w` + # Only if no pre-existing component rules + if [ "$files" -eq 0 ] ; then + ## Install the known libs policy + cp %{_datadir}/%{name}/sample-rules/10-languages.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/20-patterns.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/30-dracut.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/30-updaters.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/40-bad-elf.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/41-shared-obj.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/42-trusted-elf.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/70-trusted-lang.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/72-shell.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/90-deny-execute.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/95-allow-open.rules %{_sysconfdir}/%{name}/rules.d/ + chgrp %{name} %{_sysconfdir}/%{name}/rules.d/* + if [ -x /usr/sbin/restorecon ] ; then + # restore correct label + /usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/* + fi + fagenrules --load + fi +fi %systemd_post %{name}.service %preun 
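Review bot: The rule files that the new %post copies into rules.d get their group from `chgrp %{name} …` but their mode only from `cp` and the scriptlet's umask, and the `%ghost %{_sysconfdir}/%{name}/rules.d/*` entry in the %files hunk below carries no %attr, so rpm never normalizes it either; the directory is `%attr(750,root,%{name})`, which suggests the fapolicyd group is meant to read these files, and a umask tighter than 022 would silently break that. Pin the mode next to the group, e.g. `chmod 644 %{_sysconfdir}/%{name}/rules.d/*` before the `chgrp` line, or copy with `install -p -m 644 -g %{name} …` instead of `cp`. A short comment above the block, such as `# seed rules.d from the shipped sample rules on a fresh install only; upgrades keep the admin's fapolicyd.rules`, would also record the intent behind the two nested guards.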
@@ -175,33 +148,38 @@ end %{!?_licensedir:%global license %%doc} %license COPYING %attr(755,root,%{name}) %dir %{_datadir}/%{name} -%attr(644,root,%{name}) %{_datadir}/%{name}/%{name}.rules.* +%attr(755,root,%{name}) %dir %{_datadir}/%{name}/sample-rules +%attr(644,root,%{name}) %{_datadir}/%{name}/sample-rules/* +%attr(644,root,%{name}) %{_datadir}/%{name}/fapolicyd-magic.mgc %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name} +%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/trust.d +%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/rules.d +%ghost %{_sysconfdir}/%{name}/rules.d/* +%ghost %{_sysconfdir}/%{name}/%{name}.rules %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust -%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules +%ghost %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules %attr(644,root,root) %{_unitdir}/%{name}.service %attr(644,root,root) %{_tmpfilesdir}/%{name}.conf %attr(755,root,root) %{_sbindir}/%{name} %attr(755,root,root) %{_sbindir}/%{name}-cli +%attr(755,root,root) %{_sbindir}/fagenrules %attr(644,root,root) %{_mandir}/man8/* %attr(644,root,root) %{_mandir}/man5/* %attr(644,root,root) %{_mandir}/man1/* -%attr(644,root,root) %{_datadir}/%{name}/* -%ghost %{_localstatedir}/log/%{name}-access.log +%ghost %attr(440,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/log/%{name}-access.log %attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name} %attr(770,root,%{name}) %dir /run/%{name} -%ghost %{_localstatedir}/run/%{name}/%{name}.fifo -%ghost %{_localstatedir}/lib/%{name}/data.mdb -%ghost %{_localstatedir}/lib/%{name}/lock.mdb +%ghost %attr(660,root,%{name}) /run/%{name}/%{name}.fifo +%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/data.mdb +%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) 
%{_localstatedir}/lib/%{name}/lock.mdb %{python3_sitelib}/dnf-plugins/%{name}-dnf-plugin.py %{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc - # selinux %files selinux %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 -%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} %{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if %post selinux @@ -217,16 +195,35 @@ fi %selinux_relabel_post -s %{selinuxtype} %changelog -* Tue Mar 23 2021 Radovan Sroka - 1.0.2-6 -RHEL 8.4.0 ERRATUM +* Wed Feb 16 2022 Radovan Sroka - 1.1-1 +RHEL 8.6.0 ERRATUM +- rebase to 1.1 +Resolves: rhbz#1939379 +- introduce rules.d feature +Resolves: rhbz#2054741 +- remove pretrans scriptlet +Resolves: rhbz#2051485 + +* Mon Dec 13 2021 Zoltan Fridrich - 1.0.4-2 +RHEL 8.6.0 ERRATUM +- rebase to 1.0.4 +- added rpm_sha256_only option +- added trust.d directory +- allow file names with whitespace in trust files +- use full paths in trust files +Resolves: rhbz#1939379 +- fix libc.so getting identified as application/x-executable +Resolves: rhbz#1989272 +- fix fapolicyd-dnf-plugin reporting as '' +Resolves: rhbz#1997414 +- fix selinux DSP module definition in spec file +Resolves: rhbz#2014445 + +* Thu Aug 19 2021 Radovan Sroka - 1.0.2-7 - fapolicyd abnormally exits by executing sosreport -Resolves: rhbz#1940289 - -* Thu Mar 18 2021 Radovan Sroka - 1.0.2-5 -RHEL 8.4.0 ERRATUM - fixed multiple problems with unlink() - fapolicyd breaks system upgrade, leaving system in dead state - complete fix -Resolves: rhbz#1896875 +Resolves: rhbz#1943251 * Tue Feb 16 2021 Radovan Sroka - 1.0.2-3 RHEL 8.4.0 ERRATUM