%global selinuxtype targeted %global moduletype contrib %define semodule_version 0.4 Summary: Application Whitelisting Daemon Name: fapolicyd Version: 1.1 Release: 1%{?dist} License: GPLv3+ URL: http://people.redhat.com/sgrubb/fapolicyd Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz BuildRequires: gcc BuildRequires: kernel-headers BuildRequires: autoconf automake make gcc libtool BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel file BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel BuildRequires: python3-devel BuildRequires: python2-devel BuildRequires: uthash-devel Requires: rpm-plugin-fapolicyd >= 4.14.3-12 Recommends: %{name}-selinux Requires(pre): shadow-utils Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units # we are making the dnf-plugin completelly dummy because of # https://bugzilla.redhat.com/show_bug.cgi?id=1929163 # we require the rpm-plugin from now on and the dnf-plugin still needs to be part of # the fapolicyd package because it provides safe upgrade path Patch1: fapolicyd-dnf-plugin.patch Patch2: fapolicyd-selinux.patch %description Fapolicyd (File Access Policy Daemon) implements application whitelisting to decide file access rights. Applications that are known via a reputation source are allowed access while unknown applications are not. The daemon makes use of the kernel's fanotify interface to determine file access rights. %package selinux Summary: Fapolicyd selinux Group: Applications/System Requires: %{name} = %{version}-%{release} BuildRequires: selinux-policy BuildRequires: selinux-policy-devel BuildArch: noarch %{?selinux_requires} %description selinux The %{name}-selinux package contains selinux policy for the %{name} daemon. %prep %setup -q # selinux %setup -q -D -T -a 1 %patch1 -p1 -b .plugin %patch2 -p1 -b .selinux # generate rules for python sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-linux-*.so.*' | sed 's/\//\\\\\//g'`/g" rules.d/*.rules %build ./autogen.sh %configure \ --with-audit \ --with-rpm \ --disable-shared %make_build # selinux pushd %{name}-selinux-%{semodule_version} make popd %check make check # selinux %pre selinux %selinux_relabel_pre -s %{selinuxtype} %install %make_install mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/ install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/ install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name} mkdir -p %{buildroot}/run/%{name} mkdir -p %{buildroot}%{_sysconfdir}/%{name}/trust.d mkdir -p %{buildroot}%{_sysconfdir}/%{name}/rules.d # selinux install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype} install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if #cleanup find %{buildroot} \( -name '*.la' -o -name '*.a' \) -delete %pre getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name} %post # if no pre-existing rule file if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then files=`ls %{_sysconfdir}/%{name}/rules.d/ 2>/dev/null | wc -w` # Only if no pre-existing component rules if [ "$files" -eq 0 ] ; then ## Install the known libs policy cp %{_datadir}/%{name}/sample-rules/10-languages.rules %{_sysconfdir}/%{name}/rules.d/ cp %{_datadir}/%{name}/sample-rules/20-patterns.rules %{_sysconfdir}/%{name}/rules.d/ cp %{_datadir}/%{name}/sample-rules/30-dracut.rules %{_sysconfdir}/%{name}/rules.d/ cp %{_datadir}/%{name}/sample-rules/30-updaters.rules %{_sysconfdir}/%{name}/rules.d/ cp %{_datadir}/%{name}/sample-rules/40-bad-elf.rules %{_sysconfdir}/%{name}/rules.d/ cp %{_datadir}/%{name}/sample-rules/41-shared-obj.rules %{_sysconfdir}/%{name}/rules.d/ cp %{_datadir}/%{name}/sample-rules/42-trusted-elf.rules %{_sysconfdir}/%{name}/rules.d/ cp %{_datadir}/%{name}/sample-rules/70-trusted-lang.rules %{_sysconfdir}/%{name}/rules.d/ cp %{_datadir}/%{name}/sample-rules/72-shell.rules %{_sysconfdir}/%{name}/rules.d/ cp %{_datadir}/%{name}/sample-rules/90-deny-execute.rules %{_sysconfdir}/%{name}/rules.d/ cp %{_datadir}/%{name}/sample-rules/95-allow-open.rules %{_sysconfdir}/%{name}/rules.d/ chgrp %{name} %{_sysconfdir}/%{name}/rules.d/* if [ -x /usr/sbin/restorecon ] ; then # restore correct label /usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/* fi fagenrules --load fi fi %systemd_post %{name}.service %preun %systemd_preun %{name}.service %postun %systemd_postun_with_restart %{name}.service %files %doc README.md %{!?_licensedir:%global license %%doc} %license COPYING %attr(755,root,%{name}) %dir %{_datadir}/%{name} %attr(755,root,%{name}) %dir %{_datadir}/%{name}/sample-rules %attr(644,root,%{name}) %{_datadir}/%{name}/sample-rules/* %attr(644,root,%{name}) %{_datadir}/%{name}/fapolicyd-magic.mgc %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name} %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/trust.d %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/rules.d %ghost %{_sysconfdir}/%{name}/rules.d/* %ghost %{_sysconfdir}/%{name}/%{name}.rules %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust %ghost %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules %attr(644,root,root) %{_unitdir}/%{name}.service %attr(644,root,root) %{_tmpfilesdir}/%{name}.conf %attr(755,root,root) %{_sbindir}/%{name} %attr(755,root,root) %{_sbindir}/%{name}-cli %attr(755,root,root) %{_sbindir}/fagenrules %attr(644,root,root) %{_mandir}/man8/* %attr(644,root,root) %{_mandir}/man5/* %attr(644,root,root) %{_mandir}/man1/* %ghost %attr(440,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/log/%{name}-access.log %attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name} %attr(770,root,%{name}) %dir /run/%{name} %ghost %attr(660,root,%{name}) /run/%{name}/%{name}.fifo %ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/data.mdb %ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/lock.mdb %{python3_sitelib}/dnf-plugins/%{name}-dnf-plugin.py %{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc # selinux %files selinux %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} %{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if %post selinux %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 %selinux_relabel_post -s %{selinuxtype} %postun selinux if [ $1 -eq 0 ]; then %selinux_modules_uninstall -s %{selinuxtype} %{name} fi %posttrans selinux %selinux_relabel_post -s %{selinuxtype} %changelog * Wed Feb 16 2022 Radovan Sroka - 1.1-1 RHEL 8.6.0 ERRATUM - rebase to 1.1 Resolves: rhbz#1939379 - introduce rules.d feature Resolves: rhbz#2054741 - remove pretrans scriptlet Resolves: rhbz#2051485 * Mon Dec 13 2021 Zoltan Fridrich - 1.0.4-2 RHEL 8.6.0 ERRATUM - rebase to 1.0.4 - added rpm_sha256_only option - added trust.d directory - allow file names with whitespace in trust files - use full paths in trust files Resolves: rhbz#1939379 - fix libc.so getting identified as application/x-executable Resolves: rhbz#1989272 - fix fapolicyd-dnf-plugin reporting as '' Resolves: rhbz#1997414 - fix selinux DSP module definition in spec file Resolves: rhbz#2014445 * Thu Aug 19 2021 Radovan Sroka - 1.0.2-7 - fapolicyd abnormally exits by executing sosreport - fixed multiple problems with unlink() - fapolicyd breaks system upgrade, leaving system in dead state - complete fix Resolves: rhbz#1943251 * Tue Feb 16 2021 Radovan Sroka - 1.0.2-3 RHEL 8.4.0 ERRATUM - rebase to 1.0.2 - strong dependency on rpm/rpm-plugin-fapolicyd - installed dnf-plugin is dummy and we are not using it anymore - enabled integrity setting Resolves: rhbz#1887451 - added make check - Adding DISA STIG during OS installation causes 'ipa-server-install' to fail - fixed java detection Resolves: rhbz#1895435 - dnf update fails when fapolicyd is enabled Resolves: rhbz#1876975 - fapolicyd breaks system upgrade, leaving system in dead state - complete fix Resolves: rhbz#1896875 * Tue Jun 30 2020 Radovan Sroka - 1.0-3 RHEL 8.3 ERRATUM - fixed manpage fapolicyd-conf Resolves: rhbz#1817413 * Mon May 25 2020 Radovan Sroka - 1.0-2 RHEL 8.3 ERRATUM - rebase to v1.0 - installed multiple policies to /usr/share/fapolicyd - known-libs (default) - restrictive - installed fapolicyd.trust file - enhanced fapolicyd-cli Resolves: rhbz#1817413 - introduced fapolicyd-selinux that provides SELinux policy module Resolves: rhbz#1714529 * Tue Mar 03 2020 Radovan Sroka - 0.9.1-4 RHEL 8.2 ERRATUM - fixed possible heap buffer overflow in elf parser Resolves: rhbz#1807912 * Tue Feb 11 2020 Radovan Sroka - 0.9.1-3 RHEL 8.2 ERRATUM - fixed build time python interpreter detection (spec) - added python2-devel as a BuildRequires (spec) - allow running bash scripts in home directories Resolves: rhbz#1801872 * Wed Nov 20 2019 Radovan Sroka - 0.9.1-2 RHEL 8.2 ERRATUM - rebase to v0.9.1 - updated default configuration with new syntax - removed daemon mounts configuration Resolves: rhbz#1759895 - default fapolicyd policy prevents Ansible from running - added ansible rule to default ruleset Resolves: rhbz#1746464 - suspicious logs on service start Resolves: rhbz#1747494 - fapolicyd blocks dracut from generating initramfs - added dracut rule to default configuration Resolves: rhbz#1757736 - fapolicyd fails to identify perl interpreter Resolves: rhbz#1765039 * Wed Jul 24 2019 Radovan Sroka - 0.8.10-3 - added missing manpage for fapolicyd-cli Resolves: rhbz#1708015 * Mon Jul 22 2019 Radovan Sroka - 0.8.10-2 - Convert hashes to lowercase like sha256sum outputs - Stop littering STDOUT output for dnf plugin in fapolicyd Resolves: rhbz#1721496 * Tue Jun 18 2019 Radovan Sroka - 0.8.10-1 - new upstream release Resolves: rhbz#1673323 * Mon May 06 2019 Radovan Sroka - 0.8.9-1 - New upstream release - imported from fedora30 resolves: rhbz#1673323 * Wed Mar 13 2019 Radovan Sroka - 0.8.8-2 - backport some patches to resolve dac_override for fapolicyd * Mon Mar 11 2019 Radovan Sroka - 0.8.8-1 - New upstream release - Added new DNF plugin that can update the trust database when rpms are installed - Added support for FAN_OPEN_EXEC_PERM * Thu Jan 31 2019 Fedora Release Engineering - 0.8.7-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild * Wed Oct 03 2018 Steve Grubb 0.8.7-1 - New upstream bugfix release * Fri Jul 13 2018 Fedora Release Engineering - 0.8.6-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild * Thu Jun 07 2018 Steve Grubb 0.8.6-1 - New upstream feature release * Fri May 18 2018 Steve Grubb 0.8.5-2 - Add dist tag (#1579362) * Fri Feb 16 2018 Steve Grubb 0.8.5-1 - New release