fapolicyd-filter.conf - Man Page

fapolicyd filter configuration file

Description

The filter controls which files from a trust source are added to the TrustDB. Rules are processed from top to bottom, with indentation narrowing the scope of the parent rule. A matching plus (+) rule causes a file to be included; a minus (-) rule excludes it. If no rule matches, the file is excluded by default. The filter is consulted only when trust data is imported: during system updates and when the daemon starts and rebuilds its database. Runtime policy decisions use the TrustDB itself, not the filter, so changes to the filter affect new or rebuilt trust entries rather than live access checks.

A valid line starts with the character '+', '-', or '#' (for comments). The rest of the line contains a path specification. Spaces can be used as indentation to add more specific filters beneath the previous one; a single space is enough for one level of indentation. Multiple specifications on the same indentation level all extend the previous line with lower indentation, usually a directory. The path may be specified using a glob pattern. A directory specification has to end with a slash '/'.

If the result was a plus (+), the respective file from a trust source is imported to the TrustDB. Vice versa, if the result was a minus (-), the respective file is not imported.

From a performance point of view it is better to design an indented filter, because in the ideal situation each component of the path is compared only once. By contrast, a filter without any indentation has to contain full paths, which makes the patterns more complicated and thus slower to process. The motivation behind this is to have a flexible configuration and keep the TrustDB as small as possible so that look-ups are faster.

# this is a simple allow list
- /usr/bin/some_binary1
- /usr/bin/some_binary2
+ /
# this is the same
+ /
 + usr/bin/
  - some_binary1
  - some_binary2
# this is a similar allow list with a wildcard
- /usr/bin/some_binary?
+ /
# this is similar with another wildcard
+ /
 - usr/bin/some_binary*
# keeps everything except usr/share, but python and perl files under usr/share are kept
# /usr/bin/ls - result is '+'
# /usr/share/something - result is '-'
# /usr/share/abcd.py - result is '+'
+ /
 - usr/share/
  + *.py
  + *.pl

Theory of Operation

The filter configuration is parsed into a tree where each node represents a path fragment and whether it is included or excluded. Each level of indentation in the configuration file becomes another depth level in that tree. During evaluation the daemon iteratively walks the tree with an explicit stack rather than recursion, advancing through the path as fragments match. This approach keeps evaluation deterministic and prevents deep call stacks, but it also means filter nesting cannot exceed 64 levels; longer hierarchies are rejected and reported as depth errors.
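The following Python is an added example, not fapolicyd's own code: it re-implements the rule semantics described in the Description and Theory of Operation sections (indentation tree, first matching rule per level, children narrowing the parent's decision, glob matching, default exclude, 64-level depth limit) as an offline dry-run evaluator, so a candidate filter can be checked against the paths it is meant to admit or drop before the TrustDB is rebuilt.

```python
# Dry-run evaluator for the fapolicyd-filter.conf format. Added example, not
# fapolicyd's own code: it follows the semantics documented on this page (first
# matching rule per level wins, children narrow it, '/'-terminated directory
# fragments, glob matching, default exclude, 64-level depth limit).
from fnmatch import fnmatchcase
MAX_DEPTH = 64  # nesting limit stated under Theory of Operation

def parse_filter(text):
    roots, stack = [], []  # stack holds (indent, node) for the open ancestors
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.strip()
        if not body or body[0] == "#":
            continue  # blank line or comment
        sign, spec = body[0], body[1:].strip()
        if sign not in "+-" or not spec:
            raise ValueError(f"line {lineno}: expected '+' or '-' and a path")
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:  # any extra space nests deeper
            stack.pop()
        if len(stack) >= MAX_DEPTH:
            raise ValueError(f"line {lineno}: nesting deeper than {MAX_DEPTH}")
        node = {"sign": sign, "is_dir": spec.endswith("/"),
                "frag": spec.strip("/"), "children": []}
        (stack[-1][1]["children"] if stack else roots).append(node)
        stack.append((indent, node))
    return roots

def _match(node, comps):
    # Return the path components left after `node` matches, else None.
    if node["is_dir"]:  # directory: consume one component per fragment part
        want = node["frag"].split("/") if node["frag"] else []
        ok = len(comps) >= len(want) and all(
            fnmatchcase(c, p) for c, p in zip(comps, want))
        return comps[len(want):] if ok else None
    return [] if fnmatchcase("/".join(comps), node["frag"]) else None  # whole-path glob

def check_path(roots, path):
    # Return '+' if the filter would import `path`, '-' otherwise.
    nodes, rem, result = roots, [c for c in path.split("/") if c], "-"
    while True:
        for node in nodes:
            left = _match(node, rem)
            if left is not None:
                break  # first matching rule at this level wins
        else:
            return result  # nothing matched here: parent's decision stands
        result = node["sign"]
        if not node["children"] or not left:
            return result
        nodes, rem = node["children"], left  # descend to narrow the decision

SAMPLE = "+ /\n - usr/share/\n  + *.py\n  + *.pl\n"  # page's last example, constructed input
```

Running check_path(parse_filter(SAMPLE), p) for the three paths listed in the comments of that example reproduces the documented '+', '-', '+' results.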

Testing Filters

Administrators can validate how a change to fapolicyd-filter.conf behaves before rebuilding the trust database. Use fapolicyd-cli --test-filter /path/to/file to trace how the configuration is applied to a specific path and see the final include/exclude decision. When adding or updating trust entries, combine --file add or --file update with --filter so only paths that survive the filter are processed; this is useful when pointing the tool at directories to ensure the filter omits unwanted content while you test.

Files

/etc/fapolicyd/fapolicyd-filter.conf

See Also

fapolicyd(8), fapolicyd-cli(1), fapolicyd.rules(5) and glob(7)

Author

Radovan Sroka

Referenced By

fapolicyd(8), rpm-filter.conf(5).

June 2023 Red Hat System Administration Utilities