To reproduce

1. Add trust changes
2. Deploy
3. Select "No" when asked to keep changes

Noteworthy

• Usually on the first or second deployment the UI becomes unresponsive.
• Same behavior whether the timer expires or you manually click No.
• Did not encounter issues If the deployment is accepted.
• The rollback of configuration is indeed written to disk (ie. the original is restored).
• The daemon is in active state after the app locks, so it appears to be properly started
• Consistently reproducible on fc34 using rule-text-write branch's RPM
• Did not observe issue on RHEL 8 using the same branch

Adds a user guide entry under the help menu.

• Generates the user guide from the online wiki documentation
• Integrates the user guide build process into CI and the RPM build
• Installs the user guide to /usr/share/help via RPM
• Internationalization support is included for the documentation
• Adds target to root Makefile that pulls and builds help locally
  • make help-docs
  • Useful for contributing translations

Closes #645

Summary

Build an RPM that includes the Rust bindings and the Python dist. The standard tools for building Python RPMs or Rust RPMs didn't play well with our layout. So what we have is a two stage process of building a bdist wheel and then using that wheel to build the RPM. The source RPM includes the wheel as the source file.

This PR includes GitHub actions workflow to build the RPM. When pushing a tag the RPM will be published as a release, otherwise RPM is built and discarded. A future PR will add some automated testing immediately after the build stage.

Wiki pages related to this PR

• https://github.com/ctc-oss/fapolicy-analyzer/wiki/RPM-Packaging
• https://github.com/ctc-oss/fapolicy-analyzer/wiki/Publishing-Releases

How the RPM is packaged

1. build a wheel
2. use the wheel as the rpm source
3. install the wheel in the rpm build
4. capture the python site-install files

Build the builder image

From the root of the project

docker build -t rpmbuilder -f scripts/rpm/Dockerfile .

Build the rpm in the builder container

docker run --rm -it -v /tmp:/output rpmbuilder

RPMs will end up in /tmp on the host machine.

Test the rpm in a container

todo #115

Installing the RPM

dnf install -y fapolicy-analyzer-0.0.4-1.x86_64.rpm

closes #114

Implement rollback in the case of a non-confirmation after deployment, which results in the system rolling back to the previous state.

This is somewhat handy when dealing only in trust, but it becomes very useful when we progress to altering rules.

closes #13

Eliminate the calls to systemctl for service status checks, using dbus instead. This removes one potential pinch point where deployed rules can limit the call to systemctl. A side-effect of this is that the monitoring function now works even in the case of fully locked down system (ie. only the deny+any+all+all rule).

This also aligns both stages of deployment, deployment and rollback. Those stages used to be handled differently, where initial deployment only was a pipe write to refresh trust, while rollback deployment was a full daemon reload. Then the pipe write went away to align rule and trust writing, but there were some straggling issues that were left behind. These changes align the backends for both modes and resolve issues where fixes were present in one mode but not the other.

Closes #565

In the case where the fapolicyd service is not found the only indication of failure is a stack trace.

The close button becomes unresponsive, the dialog must be closed out with the X

From fc34 vm

1. Run fapolicy-analyzer
2. Close and run again

[[email protected] ~]$ fapolicy-analyzer 
Error executing command as another user: No authentication agent found.
Terminating pkttyagent.

Support for validating relative executable paths by using the existing PATH from the users environment. This also supports evaluating a custom PATH provided through the profiler GUI.

This fixes the issue from #655 where users are forced to use absolute paths to avoid a validation error reporting that the file cannot be found.

Closes #655

Update the Subject and Object list views of the Policy Event Analysis tool to use the color scheme shown in significance-of-color. Specifically the Subjects need update to show pink (or lighter red) if they have only Partial (P) access, and the Objects should be pink if they can only be accessed for a limited set of modes.

We need an offline copy of the user manual.

1. Maintain the docs as the GitHub Wiki
2. During RPM CI builds we clone the Wiki and build the User Guide section Markdown into HTML
3. Bundle the HTML as the doc
4. Have a placeholder HTML for non-RPM (like dev env) that just has a link to the Wiki

Added a static class function to check the validity of arguments. This function can be called in the UI layer prior to the creation of the Profiling Session object.

Several places with stdout

On deployment

waiting on daemon to be Inactive...
daemon is now Inactive
waiting on daemon to be Active...
daemon is now Active

UI files should be named X.ui rather than X.glade.

The exception would be if we were using the glade format, but we are using the modern GtkBuilder format.

We are an application, we are not a Python library.

Things may be simplified if we were to RPM install under /usr/share/fapolicy-analyzer rather than under the Python site-lib.

HT: While perusing some modern gnome apps, came across Wike, which does this.

Trust.d could be missing due to

1. Older fapolicyd version
2. Removed

This does not need to be a failure case, it simply results in no trust being sourced from trust.d

The bz issue is #2153687

The initial review shows several [!] findings that need addressed. Going to track them all together here.

• [x] [?]: Package contains desktop file if it is a GUI application.
  • #616
• [x] [!]: Sources are verified with gpgverify first in %prep if upstream publishes signatures.
• [x] [!]: Package meets the Packaging Guidelines::Python -- Please, use macros instead of python3 interpreter.
• [x] Suggested: use "tar -xzf" instead of "tar xzf"
• [x] Suggested: use "%autosetup -p0" instead of "%autosetup -p1"
• [x] Rpmlint: E: explicit-lib-dependency dbus-libs
• [x] Rpmlint: W: no-manual-page-for-binary fapolicy-analyzer
  • #200
• [ ] Rpmlint: W: invalid-url Source1: vendor-rs.tar.gz
• [ ] Rpmlint: W: invalid-url Source0: fapolicy-analyzer.tar.gz
• [x] Rpmlint: W: incoherent-version-in-changelog 0.6.1-1 ['0.6.2-1.fc38', '0.6.2-1']
• [ ] Rpmlint: W: files-duplicate /usr/lib64/python3.11/site-packages/fapolicy_analyzer/util/init.py /usr/lib64/python3.11/site-packages/fapolicy_analyzer/css/init.py:/usr/lib64/python3.11/site-packages/fapolicy_analyzer/glade/init.py:/usr/lib64/python3.11/site-packages/fapolicy_analyzer/resources/init.py
• [ ] Rpmlint: W: files-duplicate /usr/lib64/python3.11/site-packages/fapolicy_analyzer/resources/sourceview/styles/init.py /usr/lib64/python3.11/site-packages/fapolicy_analyzer/resources/sourceview/language-specs/init.py
• [ ] Rpmlint: W: file-not-in-%lang /usr/lib64/python3.11/site-packages/fapolicy_analyzer/locale/es/LC_MESSAGES/fapolicy_analyzer.mo