search

linux-application-whitelisting / fapolicyd

File Access Policy Daemon
GNU General Public License v3.0
199 stars 56 forks source link

fapolicyd amazon linux 2 kernel 5.10 fails to build w/ dependencies #178

Closed sheperdsonbrown closed 2 years ago

sheperdsonbrown commented 2 years ago

Does fapolicyd not build for RHEL 7?

I cannot build rpm correctly with os dependencies for amazon linux 2:

uname -r > 5.10.96-90.460.amzn2.x86_64

rpm -E %{rhel} > 7

cat /etc/os-release > NAME="Amazon Linux" VERSION="2" ID="amzn" ID_LIKE="centos rhel fedora" VERSION_ID="2" PRETTY_NAME="Amazon Linux 2" ANSI_COLOR="0;33" HOME_URL="https://amazonlinux.com/"

I've also used the compiled version from http://people.redhat.com/sgrubb/fapolicyd/index.html

# wget http://people.redhat.com/sgrubb/fapolicyd/fapolicyd-1.0.4.tar.gz
# tar -xzvf fapolicyd-1.0.4.tar.gz 
# cd fapolicyd-1.0.4/
# yum install gcc autoconf automake libtool make libudev-devel kernel-headers systemd-devel libgcrypt-devel rpm-devel file file-devel libcap-ng-devel libseccomp-devel lmdb-devel uthash-devel python3-devel

# ./autogen.sh 
+ autoreconf -fv --install
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force 
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy --force
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
libtoolize: Consider adding `-I m4' to ACLOCAL_AMFLAGS in Makefile.am.
autoreconf: running: /usr/bin/autoconf --force
autoreconf: running: /usr/bin/autoheader --force
autoreconf: running: automake --add-missing --copy --force-missing
autoreconf: Leaving directory `.'
+ cp INSTALL.tmp INSTALL
**cp: cannot stat ‘INSTALL.tmp’: No such file or directory**

# make -k
policyd_cli-file-cli.o  ./.libs/libfapolicyd.a -lpthread -llmdb -lseccomp -lcap-ng -lmagic -lgcrypt -ludev -lrpmio -lrpm -pthread
make[3]: Leaving directory `/root/fapolicyd-1.0.4/src'
make[2]: *** [all-recursive] Error 1
make[2]: Target `all' not remade because of errors.
make[2]: Leaving directory `/root/fapolicyd-1.0.4/src'
Making all in init
make[2]: Entering directory `/root/fapolicyd-1.0.4/init'
file -C -m ../init/fapolicyd-magic
make[2]: Leaving directory `/root/fapolicyd-1.0.4/init'
Making all in doc
make[2]: Entering directory `/root/fapolicyd-1.0.4/doc'
make[2]: Nothing to be done for `all'.
make[2]: Leaving directory `/root/fapolicyd-1.0.4/doc'
make[2]: Entering directory `/root/fapolicyd-1.0.4'
make[2]: Leaving directory `/root/fapolicyd-1.0.4'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/fapolicyd-1.0.4'
**make: *** [all] Error 2**

165

stevegrubb commented 2 years ago

When you use the tar file from people.redhat.com, you do not need to run autogen.sh. That is only needed if you are building from the git repo. Unpack the tar file, run configure, and then make. Fapolicyd is not built for RHEL 7 because the kernel lacks the FANOTIFY machinery to allow it to work. I have no idea if it builds with the older libraries.

sheperdsonbrown commented 2 years ago

Thanks very much for the clarification. Not sure if this is related to an issue with older libraries, but I've configured the system (fapolicy files in /etc/fapolicyd) and went to run from /src via:

# ./fapolicyd --permissive --debug
Loaded 9 rules
Changed to uid 1003
Initializing the database
Database migration will be performed.
Failed writing db version No such file or directory

If this is outside scope of original question more than happy to close this issue. I've made sure to add the fapolicyd user to root/user group. Not sure where to add the directory for said operation to complete.

stevegrubb commented 2 years ago

The trust database lives in /var/lib/fapolicyd If that directory does not exist on your system, then you should create one.

sheperdsonbrown commented 2 years ago

Hi @stevegrubb

Apologies to rehash this thread, but I am encountering another problem after removing autogen.sh from the rpm build (as suggested above).

The make script seems to run fine but I've encountered some deep issue when trying to link fapolicyd with the fapolicyd-selinux package. 

make[3]: Leaving directory `/home/fapolicyd/rpmbuild/BUILD/fapolicyd-1.1/src'
make[2]: Leaving directory `/home/fapolicyd/rpmbuild/BUILD/fapolicyd-1.1/src'
Making all in init
make[2]: Entering directory `/home/fapolicyd/rpmbuild/BUILD/fapolicyd-1.1/init'
file -C -m ../init/fapolicyd-magic
make[2]: Leaving directory `/home/fapolicyd/rpmbuild/BUILD/fapolicyd-1.1/init'
Making all in doc
make[2]: Entering directory `/home/fapolicyd/rpmbuild/BUILD/fapolicyd-1.1/doc'
make[2]: Nothing to be done for `all'.
make[2]: Leaving directory `/home/fapolicyd/rpmbuild/BUILD/fapolicyd-1.1/doc'
Making all in rules.d
make[2]: Entering directory `/home/fapolicyd/rpmbuild/BUILD/fapolicyd-1.1/rules.d'
make[2]: Nothing to be done for `all'.
make[2]: Leaving directory `/home/fapolicyd/rpmbuild/BUILD/fapolicyd-1.1/rules.d'
make[2]: Entering directory `/home/fapolicyd/rpmbuild/BUILD/fapolicyd-1.1'
make[2]: Leaving directory `/home/fapolicyd/rpmbuild/BUILD/fapolicyd-1.1'
make[1]: Leaving directory `/home/fapolicyd/rpmbuild/BUILD/fapolicyd-1.1'
+ pushd fapolicyd-selinux-0.4
~/rpmbuild/BUILD/fapolicyd-1.1/fapolicyd-selinux-0.4 ~/rpmbuild/BUILD/fapolicyd-1.1
+ make
make -f /usr/share/selinux/devel/Makefile fapolicyd.pp
make[1]: Entering directory `/home/fapolicyd/rpmbuild/BUILD/fapolicyd-1.1/fapolicyd-selinux-0.4'
Compiling targeted fapolicyd module
/usr/bin/checkmodule:  loading policy configuration from tmp/fapolicyd.tmp
fapolicyd.te:45:ERROR 'syntax error' at token 'mmap_read_files_pattern' on line 4068:
mmap_read_files_pattern(fapolicyd_t, fapolicyd_var_lib_t, fapolicyd_var_lib_t)

/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make[1]: *** [tmp/fapolicyd.mod] Error 1
make[1]: Leaving directory `/home/fapolicyd/rpmbuild/BUILD/fapolicyd-1.1/fapolicyd-selinux-0.4'
make: *** [fapolicyd.pp] Error 2
error: Bad exit status from /var/tmp/rpm-tmp.8KWkNL (%prep)

RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.8KWkNL (%prep)
stevegrubb commented 2 years ago

This looks like a selinux policy problem. It should be filed against that repo so that this issue can go back to closed. Not sure what the problem is, but the selinux policy is tightly coupled to the version of selinux on the system. If there is a mismatch, it could break like above.

radosroka commented 2 years ago

It means that the macro definition cannot be found in your system's selinux-policy. It is either old or not Red Hat based. You can find the definition and copy it to the beginning of .te file but there can be other missing macros.

sheperdsonbrown commented 2 years ago

Thanks for the insight. I am attempting to build on AL2 currently which has been a huge headache. I'll open up the issue for troubleshooting in the correct location!