# RPM spec for fapolicyd (application whitelisting daemon).
# Build-time switches, set as globals at the top of the file:
#   eln_build  - also build the -selinux subpackage from the separate
#                fapolicyd-selinux tarball (Source1)
#   asan_build - build against libasan; the next line is the commented-out
#                switch for it
#ASAN %%global asan_build 1
%global eln_build 1

%if %{defined eln_build}
%global selinuxtype targeted
%global moduletype contrib
%define semodule_version master
%endif

Summary: Application Whitelisting Daemon
Name: fapolicyd
# NOTE(review): Version says 1.3.5, but the newest changelog entries refer to
# the 1.4.x development cycle and the entry before them is 1.4.2-1; confirm
# that the version this Packit PR build was generated from is the intended one.
Version: 1.3.5
Release: 1.20251124163306426385.pr13.232.gaca9ba9%{?dist}
License: GPL-3.0-or-later
URL: http://people.redhat.com/sgrubb/fapolicyd
Source0: fapolicyd-1.3.5.tar.gz
# selinux policy is maintained in its own repository and fetched by branch
Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/archive/refs/heads/%{semodule_version}.tar.gz#/%{name}-selinux-%{semodule_version}.tar.gz
BuildRequires: gcc
BuildRequires: kernel-headers
BuildRequires: autoconf automake make gcc libtool
BuildRequires: systemd systemd-devel openssl-devel rpm-devel file-devel file
BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
BuildRequires: python3-devel
BuildRequires: uthash-devel
%if %{defined asan_build}
BuildRequires: libasan
%endif
%if %{defined eln_build}
Recommends: %{name}-selinux
%endif
# shadow-utils supplies useradd for the pre scriptlet on RHEL 9 and older;
# newer targets create the account through sysusers.d instead
Requires(pre): shadow-utils
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units

# applied in CI only
# (reverse-applied in prep when selinux_var_run is set, see below)
Patch2: fapolicyd-selinux-var-run.patch

%description
Fapolicyd (File Access Policy Daemon) implements application whitelisting to
decide file access rights. Applications that are known via a reputation source
are allowed access while unknown applications are not. The daemon makes use of
the kernel's fanotify interface to determine file access rights.

%if %{defined eln_build}
%package selinux
Summary: Fapolicyd selinux
Group: Applications/System
Requires: %{name} = %{version}-%{release}
BuildRequires: selinux-policy
# minimum policy-devel version depends on the target distribution
%if 0%{?rhel} < 9
BuildRequires: selinux-policy-devel >= 3.14.3-108
%else
%if 0%{?rhel} == 9
BuildRequires: selinux-policy-devel >= 38.1.2
%else
BuildRequires: selinux-policy-devel >= 38.2
%endif
%endif
BuildArch: noarch
%{?selinux_requires}

%description selinux
The %{name}-selinux package contains selinux policy for the %{name} daemon.
%endif

%prep
%setup -q -n fapolicyd-1.3.5
%if %{defined eln_build}
# selinux
# unpack Source1 into the already-prepared build directory
%setup -q -D -T -a 1
%endif

%if %{defined eln_build}
# Older targets still use /var/run in the selinux policy: reverse-apply Patch2
# there (-R), keeping a .selinux backup of the touched files.
%if 0%{?fedora} < 40
%define selinux_var_run 1
%endif
%if 0%{?rhel} < 10
%define selinux_var_run 1
%endif
%if %{defined selinux_var_run}
%patch -P2 -R -p1 -b .selinux
%endif
%endif

# generate rules for python
# The shipped rules carry placeholders; they are replaced at build time with the
# resolved absolute interpreter paths so the rules pin real binaries.
sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules
sed -i "s|%python3_path%|`readlink -f %{__python3}`|g" rules.d/*.rules

# Detect run time linker directly from bash
# readelf prints a "Requesting program interpreter: [path]" line; the sed
# strips the trailing "]" and rev|cut|rev keeps the last whitespace-separated
# field. realpath then resolves symlinks so the rule refers to the real loader.
interpret=`readelf -e /usr/bin/bash \
    | grep Requesting \
    | sed 's/.$//' \
    | rev | cut -d" " -f1 \
    | rev`
sed -i "s|%ld_so_path%|`realpath $interpret`|g" rules.d/*.rules

%if 0%{?fedora} || 0%{?rhel} > 9
# Create a sysusers.d config file
# NOTE(review): this copy of the spec is truncated here. The heredoc body for
# fapolicyd.sysusers.conf, the matching endif and, judging by the buildroot
# path that follows, the build and install sections are missing, which leaves
# the next line syntactically broken. Restore them from the upstream spec
# before building from this file.
cat >fapolicyd.sysusers.conf < %{buildroot}/%{_datadir}/%{name}/default-ruleset.known-libs
chmod 644 %{buildroot}/%{_datadir}/%{name}/default-ruleset.known-libs

%if %{defined eln_build}
# selinux
# ship the prebuilt policy module and the interface file for policy developers
install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
%endif

#cleanup
find %{buildroot} \( -name '*.la' -o -name '*.a' \) -delete

%if 0%{?fedora} || 0%{?rhel} > 9
install -m0644 -D fapolicyd.sysusers.conf %{buildroot}%{_sysusersdir}/fapolicyd.conf
%endif

# manage_default_rules: shared body for the pre (upgrade) and preun (uninstall)
# scriptlets. It compares what is installed in the fapolicyd config directory
# with the defaults shipped under datadir (fapolicyd.rules.known-libs, the
# sample-rules directory and the default-ruleset.known-libs list) and removes
# the installed rule files only when nothing differs, so locally edited rules
# survive. Any failed diff (including a missing sample file) or a mismatch in
# the number of rule files sets default_changed=1, i.e. errors lean toward
# keeping the files. Note that the file-name check is an unanchored substring
# grep. The trailing "|| :" keeps the scriptlet's exit status zero.
%define manage_default_rules default_changed=0 \
# check changed fapolicyd.rules \
if [ -e %{_sysconfdir}/%{name}/%{name}.rules ]; then \
  diff %{_sysconfdir}/%{name}/%{name}.rules %{_datadir}/%{name}/%{name}.rules.known-libs >/dev/null 2>&1 || { \
    default_changed=1; \
    #echo "change detected in fapolicyd.rules"; \
  } \
fi \
if [ -e %{_sysconfdir}/%{name}/rules.d ]; then \
  default_ruleset=''; \
  # get listing of default rule files in known-libs \
  [ -e %{_datadir}/%{name}/default-ruleset.known-libs ] && default_ruleset=`cat %{_datadir}/%{name}/default-ruleset.known-libs`; \
  # check for removed or added files \
  default_count=`echo "$default_ruleset" | wc -l`; \
  current_count=`ls -1 %{_sysconfdir}/%{name}/rules.d/*.rules | wc -l`; \
  [ $default_count -eq $current_count ] || { \
    default_changed=1; \
    # echo "change detected in number of rule files d:$default_count vs c:$current_count"; \
  }; \
  for file in %{_sysconfdir}/%{name}/rules.d/*.rules; do \
    if echo "$default_ruleset" | grep -q "`basename $file`"; then \
      # compare content of the rule files \
      diff $file %{_datadir}/%{name}/sample-rules/`basename $file` >/dev/null 2>&1 || { \
        default_changed=1; \
        # echo "change detected in `basename $file`"; \
      }; \
    else \
      # added file detected \
      default_changed=1; \
      # echo "change detected in added rules file `basename $file`"; \
    fi; \
  done; \
fi; \
# remove files if no change against default rules detected \
[ $default_changed -eq 0 ] && rm -rf %{_sysconfdir}/%{name}/%{name}.rules %{_sysconfdir}/%{name}/rules.d/* || : \

%check
make check

%pre
# On RHEL 9 and older the service account is created here; newer targets get
# it from the sysusers.d file installed above.
%if 0%{?rhel} && 0%{?rhel} <= 9
getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
%endif
# $1 is the number of instances of this package after the transaction:
# 2 means an upgrade is in progress.
if [ $1 -eq 2 ]; then
  # detect changed default rules in case of upgrade
  %manage_default_rules
fi

%post
# Seed rules.d from the known-libs default set only on a pristine install:
# neither the legacy single fapolicyd.rules file nor any rules.d entry exists.
# if no pre-existing rule file
if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
  files=`ls %{_sysconfdir}/%{name}/rules.d/ 2>/dev/null | wc -w`
  # Only if no pre-existing component rules
  if [ "$files" -eq 0 ] ; then
    ## Install the known libs policy
    for rulesfile in `cat %{_datadir}/%{name}/default-ruleset.known-libs`; do
      cp %{_datadir}/%{name}/sample-rules/$rulesfile %{_sysconfdir}/%{name}/rules.d/
    done
    # match the root:fapolicyd ownership declared for these files in the
    # files section below
    chgrp %{name} %{_sysconfdir}/%{name}/rules.d/*
    if [ -x /usr/sbin/restorecon ] ; then
      # restore correct label
      /usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/*
    fi
    # presumably regenerates the compiled rule set (compiled.rules is listed
    # as a ghost file below) -- confirm against fagenrules
    fagenrules >/dev/null
  fi
fi
%systemd_post %{name}.service

%preun
%systemd_preun %{name}.service
# $1 is 0 on a full removal and 1 on an upgrade.
if [ $1 -eq 0 ]; then
  # detect changed default rules in case of uninstall
  %manage_default_rules
else
  # On upgrade: when the legacy single-file fapolicyd.rules is present the
  # split rules.d files are dropped (looks like the legacy file is meant to
  # take precedence -- verify). "|| :" keeps the exit status zero.
  [ -e %{_sysconfdir}/%{name}/%{name}.rules ] && rm -rf %{_sysconfdir}/%{name}/rules.d/* || :
fi

%postun
%systemd_postun_with_restart %{name}.service

%files
%doc README.md
# older rpm without _licensedir: treat license files as plain docs
%{!?_licensedir:%global license %%doc}
%license COPYING
%attr(755,root,root) %dir %{_datadir}/%{name}
%attr(755,root,root) %dir %{_datadir}/%{name}/sample-rules
%attr(644,root,root) %{_datadir}/%{name}/default-ruleset.known-libs
%attr(644,root,root) %{_datadir}/%{name}/sample-rules/*
%attr(644,root,root) %{_datadir}/%{name}/fapolicyd-magic.mgc
# The config directory and its subdirectories are root:fapolicyd 0750. The
# rule files and the compiled ruleset are ghosts: created by the scriptlets or
# the daemon, owned so they are removed with the package, not shipped in the
# payload.
%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/trust.d
%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/rules.d
%attr(644,root,%{name}) %{_sysconfdir}/bash_completion.d/fapolicyd.bash_completion
%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/rules.d/*
%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}-filter.conf
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
%ghost %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules
%attr(644,root,root) %{_unitdir}/%{name}.service
%attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
%attr(755,root,root) %{_sbindir}/%{name}
%attr(755,root,root) %{_sbindir}/%{name}-cli
%attr(755,root,root) %{_bindir}/%{name}-rpm-loader
%attr(755,root,root) %{_sbindir}/fagenrules
%attr(644,root,root) %{_mandir}/man8/*
%attr(644,root,root) %{_mandir}/man5/*
# Runtime state: the access log, the control fifo and the lmdb trust database
# files are ghosts as well; the state and run directories are group-writable
# for the fapolicyd group.
%ghost %attr(440,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/log/%{name}-access.log
%attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name}
%attr(770,root,%{name}) %dir /run/%{name}
%ghost %attr(660,root,%{name}) /run/%{name}/%{name}.fifo
%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/data.mdb
%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/lock.mdb
%if 0%{?fedora} || 0%{?rhel} > 9
%{_sysusersdir}/fapolicyd.conf
%endif

%if %{defined eln_build}
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
# the installed module in the active policy store is owned as a ghost
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if

%post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
%selinux_relabel_post -s %{selinuxtype}

%postun selinux
# $1 is 0 only on full removal; the module is kept across upgrades
if [ $1 -eq 0 ]; then
  %selinux_modules_uninstall -s %{selinuxtype} %{name}
fi

%posttrans selinux
%selinux_relabel_post -s %{selinuxtype}
%endif

%changelog
* Mon Nov 24 2025 Packit - 1.3.5-1.20251124163306426385.pr13.232.gaca9ba9
- Files with checksum excluded from %%verify should be ignored (Petr Lautrbach)
- create MAGIC_PATHS so theres one source of truth (Steve Grubb)
- Dont leak descriptor (Steve Grubb)
- Code cleanups (Steve Grubb)
- Code cleanups (Steve Grubb)
- update changelog (Steve Grubb)
- Add CPU cores to the state report (Steve Grubb)
- Add --version to the daemon (Steve Grubb)
- Update TODO list (Steve
Grubb)
- Revise the fapolicyd-filter.conf text (Steve Grubb)
- Update filter_check handling and documentation (Steve Grubb)
- Update fapolicyd-filter.conf man page (Steve Grubb)
- fix fapolicyd-cli --file bash completions (Steve Grubb)
- Update early_subj_cache_evictions logic (Steve Grubb)
- fapolicyd_strcat inefficiency (Steve Grubb)
- Improve code (Steve Grubb)
- remove unintended curly brace (Steve Grubb)
- Move the counter to the begining (Steve Grubb)
- fix typo (Steve Grubb)
- update changelog (Steve Grubb)
- Repurpose subj_cache_warned (Steve Grubb)
- Replace sscanf with custom parser (Steve Grubb)
- Fix hash detection logic for SHA512 (Steve Grubb)
- Fix sscanf warnings in database.c (Steve Grubb)
- Add filter to all builds to fix Debian (Steve Grubb)
- update changelog (Steve Grubb)
- Update bash completions for fapolicyd (Steve Grubb)
- Limit scanf buffer reading trust db (Steve Grubb)
- database: drop lmdb_record.digest_len and kill hot-path strlen() scans (Steve Grubb)
- update changelog (Steve Grubb)
- Add --filter option to fapolicyd-cli --file (Steve Grubb)
- Update changelog (Steve Grubb)
- Fix missing optimizations (Steve Grubb)
- Optimize digest detection a little (Steve Grubb)
- Straighten out rpm_sha256_only (Steve Grubb)
- Revert "Remove SHA1 as its unneeded" (Steve Grubb)
- Remove SHA1 as its unneeded (Steve Grubb)
- Document mixed-hash support and warning policy (Steve Grubb)
- Finalize CLI/database behavior and deprecation warning (Steve Grubb)
- Enhance IMA integration with mixed-algorithm support (Steve Grubb)
- SHA512 Tests and validation (Steve Grubb)
- Database storage backward-compatible algorithm tagging (Steve Grubb)
- CLI verification inference (Steve Grubb)
- Update trust-file.c for digest-length inference (Steve Grubb)
- Update RPM digest handling in backend (Steve Grubb)
- Add some digest helpers (Steve Grubb)
- Fix indentation issues (Steve Grubb)
- Generalize hashing infrastructure and rename cache slot (Steve Grubb)
- Add rationale for a magic number (Steve Grubb)
- update changelog (Steve Grubb)
- Add various function attributes where they are needed (Steve Grubb)
- Fix uninitialized access in get_ima_hash (Steve Grubb)
- remove duplicate alive = 1 (Steve Grubb)
- Fix initialization issues (Steve Grubb)
- Fix various threading issues in code (Steve Grubb)
- Add link to fapolicyd-extras repo (Steve Grubb)
- Optimize the kworker thread support (Steve Grubb)
- Update changelog (Steve Grubb)
- Add support for kworker threads (Steve Grubb)
- open the 1.4.2 development cycle (Steve Grubb)
- update the changelog (Steve Grubb)
- Also reload the filter on reconfigure (Steve Grubb)
- prepare next release (Steve Grubb)
- Fix possible NULL pointer from being used (Steve Grubb)
- update todo list (Steve Grubb)
- Update the trust list on reconfigure. (Steve Grubb)
- Start the 1.4.1 development cycle (Steve Grubb)
- Fix deadlock of reconfigure (Steve Grubb)
- Update README for next release (Steve Grubb)
- Prepare the 1.4 release (Steve Grubb)
- Fix "too long" warning for last line without newline (Petr Lautrbach)
- Refactor _backend struct to remove list (Steve Grubb)
- Fix various issues from static analysis (Steve Grubb)
- update changelog (Steve Grubb)
- Add memfd support to the debian backend (Steve Grubb)
- Add initial support for debian memfd update (Steve Grubb)
- Do a couple code cleanups (Steve Grubb)
- update changelog (Steve Grubb)
- Document trust-file.c usage (Steve Grubb)
- Restore some linked list functionality in file backend (Steve Grubb)
- Switch the file backend over to memfd (Steve Grubb)
- Update comments to reflect the new code (Steve Grubb)
- Tidy up any existing memfd snapshot if one exists (Steve Grubb)
- Switch rpm backend to memfd (Steve Grubb)
- Separate out backend_total_entries based on memfd or not (Steve Grubb)
- Separate the linked list traversals (Steve Grubb)
- rpmbackend pass along memfd (Steve Grubb)
- Create API for backends to use memfds (Steve Grubb)
- Add comments to update_thread_main (Steve Grubb)
- Allow fapolicyd to have other paths (Steve Grubb)
- update changelog (Steve Grubb)
- point to the new repo with fapolicyd tests (Milos Malik)
- fix indentation (Steve Grubb)
- Add some documentation (Steve Grubb)
- Defer fd_fgets buffer compaction (Steve Grubb)
- Add tests for fd_fgets (Steve Grubb)
- Add tests for new_event function (Steve Grubb)
- Add elf parsing tests (Steve Grubb)
- Extend rules testing (Steve Grubb)
- Fix gcc warning (Steve Grubb)
- Update fetch_proc_status (Steve Grubb)
- Introduce read_proc_status() (Steve Grubb)
- Add header for atomic_bool (Steve Grubb)
- update changelog (Steve Grubb)
- Improved the trust database mismatch warnings (Steve Grubb)
- Drop permissive variable and rely on config (Steve Grubb)
- Add missing stop variable (Steve Grubb)
- update changelog (Steve Grubb)
- add a note for the future (Steve Grubb)
- Implement configuration reload on SIGHUP (Steve Grubb)
- Add a reason why it couldn't be opened to the error (Steve Grubb)
- Update rule file loading error handling (Steve Grubb)
- Don't ignore /run (Renaud Métrich)
- Ignore /sys/ but not /sys* (Renaud Métrich)
- Update magic for python 3.14rc3 (Petr Lautrbach)
- update changelog (Steve Grubb)
- Add global verbose variable to fapolicyd-cli (Steve Grubb)
- more info on ignore_mounts (Steve Grubb)
- fix typo (Steve Grubb)
- Add discussion on why missing noexec fails (Steve Grubb)
- Add another safe use case to ignore_mounts discussion (Steve Grubb)
- Add another option to the TROUBLESHOOTING section (Steve Grubb)
- update changelog (Steve Grubb)
- Fix typo in check_path (Steve Grubb)
- Add check-ignore_mounts in the TROUBLESHOOTINg section (Steve Grubb)
- Update discussion of ignore_mounts in the man page (Steve Grubb)
- Add documentation for ignore_mounts (Steve Grubb)
- update changelog (Steve Grubb)
- Fix config.permissive (Steve Grubb)
- cli: Fix overlayfs entry (Steve Grubb)
- cli: add --check-ignore_mounts option (Steve Grubb)
- Raise Warning to Error (Steve Grubb)
- Ensure ignore_mounts only uses noexec mount points (Steve Grubb)
- Adjust init_fanotify behavior (Steve Grubb)
- Add ignore list option for fapolicyd (Steve Grubb)
- open the 1.3.8 development cycle (Petr Lautrbach)
- raise object eviction thresholds so we dont have too many suggestions to raise it (Steve Grubb)
- update changelog (Steve Grubb)
- Update subject identity collection to gather effective & fsuid/gig (Steve Grubb)
- Update types to unsigned for GID and UID (Steve Grubb)
- update changelog (Steve Grubb)
- Use uthash for duplicate detection in file backend (Steve Grubb)
- Add Object cache warning (Steve Grubb)
- add comment explaining why this is there (Steve Grubb)
- Get rid of extra if statement (Steve Grubb)
- Drop epel-8 target from packit (Petr Lautrbach)
- Update github workflows (Petr Lautrbach)
- update changelog (Steve Grubb)
- update changelog (Steve Grubb)
- Extend do_stat_report to output mount points (Steve Grubb)
- Fix fapolicyd-cli elf detection (Steve Grubb)
- Revise the shell detection magic rules (Steve Grubb)
- fix += to be = (Steve Grubb)
- Try to fix Debian dependencies (Steve Grubb)
- Add unit tests for rules module (Steve Grubb)
- initialize and use hash size in the lru (Steve Grubb)
- Update buffer length checks in process.c (Steve Grubb)
- Missing error handling for unknown types in add_attr_set (Steve Grubb)
- Incomplete path‑traversal check in filter_check (Steve Grubb)
- Missing NUL termination in get_file_type_from_fd (Steve Grubb)
- Missing NUL termination in get_type_from_pid (Steve Grubb)
- Handle NULL finfo in new_event (Steve Grubb)
- Subject cache not freed when object cache setup fails (Steve Grubb)
- Update init_db cleanup logic (Steve Grubb)
- Add error handling in list_append (Steve Grubb)
- update changelog (Steve Grubb)
- Transform queue to a lockless design (Steve Grubb)
- update changelog (Steve Grubb)
- make max_depth atomic and remove unneeded includes (Steve Grubb)
- Enhance queue struct and API for thread safety (Steve Grubb)
- open the 1.3.7 development cycle (Petr Lautrbach)
- remove new line (Steve Grubb)
- reformat command so its visible (Steve Grubb)
- Add more info about the trust database (Steve Grubb)
- Add a couple more files to drop (Steve Grubb)
- Move the fixtures directory (Steve Grubb)
- update changelog (Steve Grubb)
- Change language about test-filter decision (Steve Grubb)
- Drop a few more files from trust db (Steve Grubb)
- Fix Debian builds (Steve Grubb)
- Update README with filter information (Steve Grubb)
- cleanup the code (Steve Grubb)
- Fix output of --test-filter option (Steve Grubb)
- update documentation (Steve Grubb)
- Update FILTER_TRACE for rule action logging (Steve Grubb)
- Refactor do_test_filter for tracing output (Steve Grubb)
- update changelog (Steve Grubb)
- Unexpected files in the trust database (Steve Grubb)
- Add --test-filter to fapolicy-cli (Steve Grubb)
- Fix build flags for Debian (Steve Grubb)
- update changelog (Steve Grubb)
- Avoid shutdown race (Steve Grubb)
- Add documentation to filter.conf (Steve Grubb)
- Add note for future improvements (Steve Grubb)
- Refactor unescape function in escape.c (Steve Grubb)
- move filter paths to the paths.h file (Steve Grubb)
- Add todo note (Steve Grubb)
- Refactor escape_shell function (Steve Grubb)
- Refactor check_escape_shell in escape.c (Steve Grubb)
- Create escape_test.c unit tests (Steve Grubb)
- Revise fapolicyd_strtrim to use glibc functions (Steve Grubb)
- Fix memory leaks in filter_test (Steve Grubb)
- Fix uninitialzed object array element (Steve Grubb)
- Fix uninitialzed subject array element (Steve Grubb)
- Revert commit 643fdce91be22504b53e3f6cb2c5e1842d391095 (Steve Grubb)
- Drop device keyword for subjects (Steve Grubb)
- update changelog (Steve Grubb)
- Reduce importance of performance guardrail test (Steve Grubb)
- Fix memory leaks on exit (Steve Grubb)
- Drop strmdup function (Steve Grubb)
- Refactor stack allocation in filter.c (Steve Grubb)
- only run filter test when rpm is used (Steve Grubb)
- Improve documentation of the filter code (Steve Grubb)
- Enhance the filter testing suite (Steve Grubb)
- Add filter tests (Steve Grubb)
- Testing optimization (Steve Grubb)
- Fix formatting of rpm-backend.c (Steve Grubb)
- Fix leaking descriptor (Steve Grubb)
- update changelog (Steve Grubb)
- event: silence false “increase subj_cache_size” warnings for script re-execs (Steve Grubb)
- Do not exit in do_database_reload when stop in progress (#360) (Petr Lautrbach)
- Add missing libmd for Debian builds (Steve Grubb)
- Add missing libmd for Debian builds (Steve Grubb)
- update changelog (Steve Grubb)
- Move fapolicyd-rpm-loader to bin directory so Fedora works ok (Steve Grubb)
- update changelog (Steve Grubb)
- open the 1.3.6 development cycle (Steve Grubb)
- Add /var/lib/fapolicyd to tmpfiles (#359) (Petr Lautrbach)
- Increase the subject cache size (Steve Grubb)
- Fix memory leaks in the AVL tests (Steve Grubb)
- Modify queue to use ring buffer (Steve Grubb)

* Fri Oct 31 2025 Petr Lautrbach - 1.4.2-1
- New release