Projects
Eulaceura:Factory
fapolicyd
_service:obs_scm:fapolicyd.spec
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:obs_scm:fapolicyd.spec of Package fapolicyd
%global selinuxtype targeted %global moduletype contrib %define semodule_version 0.6 Summary: Application Whitelisting Daemon Name: fapolicyd Version: 1.3.2 Release: 1 License: GPLv3+ URL: http://people.redhat.com/sgrubb/fapolicyd Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz # we bundle uthash for rhel9 Source2: https://github.com/troydhanson/uthash/archive/refs/tags/v2.3.0.tar.gz#/uthash-2.3.0.tar.gz BuildRequires: gcc BuildRequires: kernel-headers BuildRequires: autoconf automake make gcc libtool BuildRequires: systemd systemd-devel openssl-devel rpm-devel file-devel file BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel BuildRequires: python3-devel BuildRequires: uthash-devel Requires: rpm Recommends: %{name}-selinux Requires(pre): shadow-utils Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units Patch0: selinux.patch Patch1: fapolicyd-uthash-bundle.patch %description Fapolicyd (File Access Policy Daemon) implements application whitelisting to decide file access rights. Applications that are known via a reputation source are allowed access while unknown applications are not. The daemon makes use of the kernel's fanotify interface to determine file access rights. %package selinux Summary: Fapolicyd selinux Group: Applications/System Requires: %{name} = %{version}-%{release} Requires: selinux-policy-%{selinuxtype} Requires(post): selinux-policy-%{selinuxtype} BuildRequires: selinux-policy-devel BuildArch: noarch %{?selinux_requires} %description selinux The %{name}-selinux package contains selinux policy for the %{name} daemon. %prep %setup -q %setup -q -D -T -a 1 %patch 0 -p1 -b .selinux %setup -q -D -T -a 2 %patch 1 -p1 -b .uthash # generate rules for python sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules # Detect run time linker directly from bash interpret=`readelf -e /usr/bin/bash \ | grep Requesting \ | sed 's/.$//' \ | rev | cut -d" " -f1 \ | rev` sed -i "s|%ld_so_path%|`realpath $interpret`|g" rules.d/*.rules %build cp INSTALL INSTALL.tmp ./autogen.sh %configure \ --with-audit \ --with-rpm \ --disable-shared %make_build # selinux pushd %{name}-selinux-%{semodule_version} make popd %check make check # selinux %pre selinux %selinux_relabel_pre -s %{selinuxtype} %install %make_install install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name} mkdir -p %{buildroot}/run/%{name} mkdir -p %{buildroot}%{_sysconfdir}/%{name}/trust.d mkdir -p %{buildroot}%{_sysconfdir}/%{name}/rules.d # selinux install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype} install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if #cleanup find %{buildroot} \( -name '*.la' -o -name '*.a' \) -delete %pre getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name} %post # if no pre-existing rule file if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then files=`ls %{_sysconfdir}/%{name}/rules.d/ 2>/dev/null | wc -w` # Only if no pre-existing component rules if [ "$files" -eq 0 ] ; then ## Install the known libs policy cp %{_datadir}/%{name}/sample-rules/10-languages.rules %{_sysconfdir}/%{name}/rules.d/ cp %{_datadir}/%{name}/sample-rules/20-dracut.rules %{_sysconfdir}/%{name}/rules.d/ cp %{_datadir}/%{name}/sample-rules/21-updaters.rules %{_sysconfdir}/%{name}/rules.d/ cp %{_datadir}/%{name}/sample-rules/30-patterns.rules %{_sysconfdir}/%{name}/rules.d/ cp %{_datadir}/%{name}/sample-rules/40-bad-elf.rules %{_sysconfdir}/%{name}/rules.d/ cp %{_datadir}/%{name}/sample-rules/41-shared-obj.rules %{_sysconfdir}/%{name}/rules.d/ cp %{_datadir}/%{name}/sample-rules/42-trusted-elf.rules %{_sysconfdir}/%{name}/rules.d/ cp %{_datadir}/%{name}/sample-rules/70-trusted-lang.rules %{_sysconfdir}/%{name}/rules.d/ cp %{_datadir}/%{name}/sample-rules/72-shell.rules %{_sysconfdir}/%{name}/rules.d/ cp %{_datadir}/%{name}/sample-rules/90-deny-execute.rules %{_sysconfdir}/%{name}/rules.d/ cp %{_datadir}/%{name}/sample-rules/95-allow-open.rules %{_sysconfdir}/%{name}/rules.d/ chgrp %{name} %{_sysconfdir}/%{name}/rules.d/* if [ -x /usr/sbin/restorecon ] ; then # restore correct label /usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/* fi fagenrules --load fi fi %systemd_post %{name}.service %preun %systemd_preun %{name}.service %postun %systemd_postun_with_restart %{name}.service %files %doc README.md %{!?_licensedir:%global license %%doc} %license COPYING %attr(755,root,%{name}) %dir %{_datadir}/%{name} %attr(755,root,%{name}) %dir %{_datadir}/%{name}/sample-rules %attr(644,root,%{name}) %{_datadir}/%{name}/sample-rules/* %attr(644,root,%{name}) %{_datadir}/%{name}/fapolicyd-magic.mgc %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name} %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/trust.d %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/rules.d %attr(644,root,root) %{_sysconfdir}/bash_completion.d/* %ghost %{_sysconfdir}/%{name}/rules.d/* %ghost %{_sysconfdir}/%{name}/%{name}.rules %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}-filter.conf %ghost %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules %attr(644,root,root) %{_unitdir}/%{name}.service %attr(644,root,root) %{_tmpfilesdir}/%{name}.conf %attr(755,root,root) %{_sbindir}/%{name} %attr(755,root,root) %{_sbindir}/%{name}-cli %attr(755,root,root) %{_sbindir}/fagenrules %attr(644,root,root) %{_mandir}/man8/* %attr(644,root,root) %{_mandir}/man5/* %ghost %attr(440,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/log/%{name}-access.log %attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name} %attr(770,root,%{name}) %dir /run/%{name} %ghost %attr(660,root,%{name}) /run/%{name}/%{name}.fifo %ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/data.mdb %ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/lock.mdb %files selinux %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} %{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if %post selinux %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 %selinux_relabel_post -s %{selinuxtype} %postun selinux if [ $1 -eq 0 ]; then %selinux_modules_uninstall -s %{selinuxtype} %{name} fi %posttrans selinux %selinux_relabel_post -s %{selinuxtype} %changelog * Thu Oct 19 2023 yaoxin <yao_xin001@hoperun.com> - 1.3.2-1 - Upgrade to 1.3.2 * Wed Nov 09 2022 yaoxin <yaoxin30@h-partners.com> - 1.1.5-1 - Package init
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2