diff --git a/Add-FAN_MARK_MOUNT-when-opting-out-of-FAN_MARK_FILESYSTEM.patch b/Add-FAN_MARK_MOUNT-when-opting-out-of-FAN_MARK_FILESYSTEM.patch
deleted file mode 100644
index b9f4429..0000000
--- a/Add-FAN_MARK_MOUNT-when-opting-out-of-FAN_MARK_FILESYSTEM.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 194ac1b87ba46ea9e26a865e8432e228cf8fefef Mon Sep 17 00:00:00 2001
-From: Steven Brzozowski
-Date: Thu, 20 Oct 2022 17:55:30 -0400
-Subject: [PATCH] Add `FAN_MARK_MOUNT` when opting out of `FAN_MARK_FILESYSTEM`
- (#210)
-
-Without `FAN_MARK_MOUNT`, fapolicyd will not receive events for any subdirectories specified by the path parameter.
---
- src/daemon/notify.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/daemon/notify.c b/src/daemon/notify.c
-index 586b6df..5e4f160 100644
---- a/src/daemon/notify.c
-+++ b/src/daemon/notify.c
-@@ -128,10 +128,13 @@ int init_fanotify(const conf_t *conf, mlist *m)
- #if defined HAVE_DECL_FAN_MARK_FILESYSTEM && HAVE_DECL_FAN_MARK_FILESYSTEM != 0
- if (conf->allow_filesystem_mark)
- flags |= FAN_MARK_FILESYSTEM;
-+ else
-+ flags |= FAN_MARK_MOUNT;
- #else
- if (conf->allow_filesystem_mark)
- msg(LOG_ERR,
- "allow_filesystem_mark is unsupported for this kernel - ignoring");
-+ flags |= FAN_MARK_MOUNT;
- #endif
- if (fanotify_mark(fd, flags, mask, -1, path) == -1) {
- /*
diff --git a/Bugfixes-for-dnf-plugin.patch b/Bugfixes-for-dnf-plugin.patch
deleted file mode 100644
index dfc6759..0000000
--- a/Bugfixes-for-dnf-plugin.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 9e43b117bc7efed1e67a8fb4bb60d7e9bf9104b8 Mon Sep 17 00:00:00 2001
-From: Steven Brzozowski
-Date: Fri, 7 Oct 2022 14:15:53 -0400
-Subject: [PATCH] Bugfixes for dnf plugin
-
-* Point to the correct fifo path
-* Write a newline to get fapolicyd to pick up the write
---
- dnf/fapolicyd-dnf-plugin.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/dnf/fapolicyd-dnf-plugin.py b/dnf/fapolicyd-dnf-plugin.py
-index 3de66518..650fe89d 100644
---- a/dnf/fapolicyd-dnf-plugin.py
-+++ b/dnf/fapolicyd-dnf-plugin.py
-@@ -8,7 +8,7 @@
- class Fapolicyd(dnf.Plugin):
-
- name = "fapolicyd"
-- pipe = "/var/run/fapolicyd/fapolicyd.fifo"
-+ pipe = "/run/fapolicyd/fapolicyd.fifo"
- file = None
-
- def __init__(self, base, cli):
-@@ -32,5 +32,5 @@ def transaction(self):
- sys.stderr.write("fapolicy-plugin does not have write permission: " + self.pipe + "\n")
- return
-
-- self.file.write("1")
-+ self.file.write("1\n")
- self.file.close()
diff --git a/Fix-build-error.patch b/Fix-build-error.patch
deleted file mode 100644
index c7b0046..0000000
--- a/Fix-build-error.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From f334120c91a857f6200c4028cbb7bad2d2162792 Mon Sep 17 00:00:00 2001
-From: starlet-dx <15929766099@163.com>
-Date: Wed, 9 Nov 2022 18:32:54 +0800
-Subject: [PATCH 1/1] Fix build error
-
---
- src/daemon/notify.c | 5 +++--
- src/library/daemon-config.c | 14 ++++++++------
- 2 files changed, 11 insertions(+), 8 deletions(-)
-
-diff --git a/src/daemon/notify.c b/src/daemon/notify.c
-index c91abc4..586b6df 100644
---- a/src/daemon/notify.c
-+++ b/src/daemon/notify.c
-@@ -122,9 +122,10 @@ int init_fanotify(const conf_t *conf, mlist *m)
- // Iterate through the mount points and add a mark
- path = mlist_first(m);
- while (path) {
-+ unsigned int flags;
- retry_mark:
-- unsigned int flags = FAN_MARK_ADD;
--#ifdef HAVE_DECL_FAN_MARK_FILESYSTEM
-+ flags = FAN_MARK_ADD;
-+#if defined HAVE_DECL_FAN_MARK_FILESYSTEM && HAVE_DECL_FAN_MARK_FILESYSTEM != 0
- if (conf->allow_filesystem_mark)
- flags |= FAN_MARK_FILESYSTEM;
- #else
-diff --git a/src/library/daemon-config.c b/src/library/daemon-config.c
-index 89b7f68..ba8ade0 100644
---- a/src/library/daemon-config.c
-+++ b/src/library/daemon-config.c
-@@ -618,17 +618,19 @@ static int fs_mark_parser(const struct nv_pair *nv, int line,
- conf_t *config)
- {
- int rc = 0;
--#ifndef HAVE_DECL_FAN_MARK_FILESYSTEM
-- msg(LOG_WARNING,
-- "allow_filesystem_mark is unsupported on this kernel - ignoring");
--#else
-- rc = unsigned_int_parser(&(config->allow_filesystem_mark), nv->value, line);
-+#if defined HAVE_DECL_FAN_MARK_FILESYSTEM && HAVE_DECL_FAN_MARK_FILESYSTEM != 0
-+ rc = unsigned_int_parser(&(config->allow_filesystem_mark),
-+ nv->value, line);
-
- if (rc == 0 && config->allow_filesystem_mark > 1) {
- msg(LOG_WARNING,
-- "allow_filesystem_mark value reset to 0 - line %d", line);
-+ "allow_filesystem_mark value reset to 0 - line %d",
-+ line);
- config->allow_filesystem_mark = 0;
- }
-+#else
-+ msg(LOG_WARNING,
-+ "allow_filesystem_mark is unsupported on this kernel - ignoring");
- #endif
-
- return rc;
---
-2.30.0
-
diff --git a/fapolicyd-1.1.5.tar.gz b/fapolicyd-1.1.5.tar.gz
deleted file mode 100644
index 86b8c8f..0000000
Binary files a/fapolicyd-1.1.5.tar.gz and /dev/null differ
diff --git a/fapolicyd-1.3.2.tar.gz b/fapolicyd-1.3.2.tar.gz
new file mode 100644
index 0000000..74d6de9
Binary files /dev/null and b/fapolicyd-1.3.2.tar.gz differ
diff --git a/fapolicyd-selinux-0.4.tar.gz b/fapolicyd-selinux-0.4.tar.gz
deleted file mode 100644
index 02fa38c..0000000
Binary files a/fapolicyd-selinux-0.4.tar.gz and /dev/null differ
diff --git a/fapolicyd-selinux-0.6.tar.gz b/fapolicyd-selinux-0.6.tar.gz
new file mode 100644
index 0000000..95a1098
Binary files /dev/null and b/fapolicyd-selinux-0.6.tar.gz differ
diff --git a/fapolicyd-selinux-allow-boot-home.patch b/fapolicyd-selinux-allow-boot-home.patch
deleted file mode 100644
index f676d59..0000000
--- a/fapolicyd-selinux-allow-boot-home.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From a1a9a59f93ebfe6d0c9d725ed0712210994e6d64 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Tue, 6 Apr 2021 16:06:48 +0200
-Subject: [PATCH] Allow fapolicyd watch boot and home directories
-
-The fapolicyd service needs watch_mount and watch_with_perm permissions
-for fanotify/inotify/dnotify calls on the following directories:
-- /boot and /boot/efi directories
-- /home directories
-
-Note the /boot/efi directory has the dosfs_t label.
---
- fapolicyd.te | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te
-index f5d0052..c12f385 100644
---- a/fapolicyd-selinux-0.4/fapolicyd.te
-+++ b/fapolicyd-selinux-0.4/fapolicyd.te
-@@ -63,14 +63,20 @@ domain_read_all_domains_state(fapolicyd_t)
-
- files_mmap_usr_files(fapolicyd_t)
- files_read_all_files(fapolicyd_t)
-+files_watch_mount_boot_dirs(fapolicyd_t)
-+files_watch_with_perm_boot_dirs(fapolicyd_t)
- files_watch_mount_generic_tmp_dirs(fapolicyd_t)
- files_watch_with_perm_generic_tmp_dirs(fapolicyd_t)
-+files_watch_mount_home(fapolicyd_t)
-+files_watch_with_perm_home(fapolicyd_t)
- files_watch_mount_root_dirs(fapolicyd_t)
- files_watch_with_perm_root_dirs(fapolicyd_t)
-
- fs_getattr_xattr_fs(fapolicyd_t)
- fs_watch_mount_tmpfs_dirs(fapolicyd_t)
- fs_watch_with_perm_tmpfs_dirs(fapolicyd_t)
-+fs_watch_mount_dos_dirs(fapolicyd_t)
-+fs_watch_with_perm_dos_dirs(fapolicyd_t)
-
- logging_send_syslog_msg(fapolicyd_t)
- dbus_system_bus_client(fapolicyd_t)
diff --git a/fapolicyd-selinux-watch-perm.patch b/fapolicyd-selinux-watch-perm.patch
deleted file mode 100644
index 4128b8e..0000000
--- a/fapolicyd-selinux-watch-perm.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 6a966a3ee89233a0a055712f39ca564ba91183bf Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Thu, 15 Apr 2021 16:56:08 +0200
-Subject: [PATCH] Allow fapolicyd watch_mount/watch_with_perm all files and
- directories
-
-For the fanotify_mark() syscall, fapolicyd uses the FAN_MARK_MOUNT flag
-to mark the file's mount point to monitor. As this can be any file or
-directory on the filesystem, the SELinux watch_mount and watch_with_perm
-permissions are allowed for the file_type attribute.
---
- fapolicyd.te | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te
-index c12f385..582e03f 100644
---- a/fapolicyd-selinux-0.4/fapolicyd.te
-+++ b/fapolicyd-selinux-0.4/fapolicyd.te
-@@ -36,6 +36,12 @@ allow fapolicyd_t self:process { setcap setsched };
- allow fapolicyd_t self:unix_stream_socket create_stream_socket_perms;
- allow fapolicyd_t self:unix_dgram_socket create_socket_perms;
-
-+gen_require(`
-+ attribute file_type;
-+')
-+allow fapolicyd_t file_type:dir { watch_mount watch_with_perm };
-+allow fapolicyd_t file_type:file { watch_mount watch_with_perm };
-+
- manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t)
- logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)
-
diff --git a/fapolicyd-uthash-bundle.patch b/fapolicyd-uthash-bundle.patch
index 81c4ea8..864bc1b 100644
--- a/fapolicyd-uthash-bundle.patch
+++ b/fapolicyd-uthash-bundle.patch
@@ -16,7 +16,7 @@ diff -up ./src/library/rpm-backend.c.uthash ./src/library/rpm-backend.c
 --- ./src/library/rpm-backend.c.uthash 2022-09-29 11:57:26.297879027 +0200
 +++ ./src/library/rpm-backend.c 2022-09-29 11:58:45.470119807 +0200
 @@ -32,7 +32,7 @@ - #include + #include #include -#include
diff --git a/fapolicyd.spec b/fapolicyd.spec
index 5b10d3f..baf7bb8 100644
--- a/fapolicyd.spec
+++ b/fapolicyd.spec
@@ -1,10 +1,10 @@
 %global selinuxtype targeted
 %global moduletype contrib
-%define semodule_version 0.4
+%define semodule_version 0.6
 Summary: Application Whitelisting Daemon
 Name: fapolicyd
-Version: 1.1.5
+Version: 1.3.2
 Release: 1
 License: GPLv3+
 URL: http://people.redhat.com/sgrubb/fapolicyd
@@ -27,12 +27,8 @@ Requires(post): systemd-units
 Requires(preun): systemd-units
 Requires(postun): systemd-units
+Patch0: selinux.patch
 Patch1: fapolicyd-uthash-bundle.patch
-Patch2: fapolicyd-selinux-watch-perm.patch
-Patch3: fapolicyd-selinux-allow-boot-home.patch
-Patch4: Fix-build-error.patch
-Patch5: Add-FAN_MARK_MOUNT-when-opting-out-of-FAN_MARK_FILESYSTEM.patch
-Patch6: Bugfixes-for-dnf-plugin.patch
 %description
 Fapolicyd (File Access Policy Daemon) implements application whitelisting
@@ -54,21 +50,13 @@ BuildArch: noarch
 The %{name}-selinux package contains selinux policy for the %{name} daemon.
 %prep
-
 %setup -q
-# selinux
 %setup -q -D -T -a 1
+%patch 0 -p1 -b .selinux
 %setup -q -D -T -a 2
-%patch1 -p1 -b .uthash
-
-%patch2 -p1 -b .watch-perm
-%patch3 -p1 -b .home
-
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
+%patch 1 -p1 -b .uthash
 # generate rules for python
 sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
@@ -176,6 +164,7 @@ fi
 %ghost %{_sysconfdir}/%{name}/%{name}.rules
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
+%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}-filter.conf
 %ghost %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules
 %attr(644,root,root) %{_unitdir}/%{name}.service
 %attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
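Review bot: `%patch 0 -p1 -b .selinux` and `%patch 1 -p1 -b .uthash` in the %prep hunk switch to the space-separated `%patch N` form, which older rpm releases do not parse the same way as `%patchN`; if the target distribution's rpm predates that form, `%patch -P 0 -p1 -b .selinux` and `%patch -P 1 -p1 -b .uthash` are accepted by both old and new rpm. The selinux patch is applied directly after `%setup -q -D -T -a 1`, so it presumes Source1 is the fapolicyd-selinux-0.6 tarball; that Source line is outside the hunk and is worth confirming, since the patch's `fapolicyd-selinux-0.6/` paths only resolve under that layout. The removed `# selinux` comment was the only marker of which step touches the policy module; a one-line comment such as `# selinux policy build fix (selinux.patch)` above `%patch 0` would keep that orientation.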
@@ -184,7 +173,6 @@ fi
 %attr(755,root,root) %{_sbindir}/fagenrules
 %attr(644,root,root) %{_mandir}/man8/*
 %attr(644,root,root) %{_mandir}/man5/*
-%attr(644,root,root) %{_mandir}/man1/*
 %ghost %attr(440,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/log/%{name}-access.log
 %attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name}
 %attr(770,root,%{name}) %dir /run/%{name}
@@ -210,5 +198,8 @@ fi
 %selinux_relabel_post -s %{selinuxtype}
 %changelog
+* Thu Oct 19 2023 yaoxin - 1.3.2-1
+- Upgrade to 1.3.2
+
 * Wed Nov 09 2022 yaoxin - 1.1.5-1
 - Package init
diff --git a/selinux.patch b/selinux.patch
new file mode 100644
index 0000000..2ea84c6
--- /dev/null
+++ b/selinux.patch
@@ -0,0 +1,13 @@
+diff -up ./fapolicyd-selinux-0.6/fapolicyd.te.fix ./fapolicyd-selinux-0.6/fapolicyd.te
+--- ./fapolicyd-selinux-0.6/fapolicyd.te.fix 2023-06-15 17:11:47.964646794 +0200
++++ ./fapolicyd-selinux-0.6/fapolicyd.te 2023-06-15 17:13:10.426477653 +0200
+@@ -50,6 +50,9 @@ ifdef(`watch_mount_dirs_pattern',`
+ 
+ ifdef(`fs_watch_all_fs',`
+ fs_watch_all_fs(fapolicyd_t)
++')
++
++ifdef(`files_watch_sb_all_mountpoints',`
+ files_watch_sb_all_mountpoints(fapolicyd_t)
+ ')
+
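Review bot: The changelog entry `- Upgrade to 1.3.2` does not record the packaging changes that accompany the version bump: `semodule_version` moving from 0.4 to 0.6, the new selinux.patch as Patch0, and the removal of Patch2 through Patch6, which appear to be carried by the newer upstream tarballs. A reader auditing why the previously shipped SELinux watch_mount/watch_with_perm and FAN_MARK_MOUNT fixes disappeared from the spec would have to diff the sources to find out. Suggest expanding the entry to e.g. `- Upgrade to 1.3.2 and fapolicyd-selinux 0.6` and `- Drop patches merged upstream, add selinux.patch for the policy build`.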
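Review bot: The added `ifdef(`files_watch_sb_all_mountpoints',` guard makes that grant silently conditional on the interface existing in the selinux-policy the module is built against; when it is absent the module still builds, but fapolicyd_t never receives the corresponding permission (presumably watch_sb on mountpoints, which the filesystem-wide fanotify marks behind allow_filesystem_mark need), and the gap shows up only as an AVC denial at runtime rather than as a build failure. Splitting it out of the `fs_watch_all_fs` block is the right narrowing, since fs_watch_all_fs stays granted on its own, but the patch file carries no header explaining any of this. Add a short description above the `diff -up` line, e.g. `Guard files_watch_sb_all_mountpoints() separately so the module builds against selinux-policy versions that lack it; where the interface is missing, filesystem-wide marks (allow_filesystem_mark) may be denied by SELinux.` That gives the next packager the signal to check the build host's policy rather than assume the permission is present.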