fapolicyd.rules - Man Page

fapolicyd rules to determine access rights

Description

fapolicyd.rules is a file that contains the rules that fapolicyd uses to make decisions about access rights. The rules follow a simple format of:

decision perm subject : object

They are evaluated from top to bottom with the first rule to match being used for the access control decision. The colon is mandatory to separate subject and object since they share keywords.

Decision

The decision is either allow, deny, allow_audit, deny_audit, allow_syslog, deny_syslog, allow_log, or deny_log. If the rule triggers, this is the access decision that fapolicyd will tell the kernel. If the decision is one of the audit variety, then the decision will trigger a FANOTIFY audit event with all relevant information. If the decision is one of the syslog variety, then the decision will trigger writing an event into syslog. If the decision is one of the log variety, then it will create both an audit event and a syslog event. Regardless of the notification, any rule with a deny in the keyword will deny access and any with an allow in the keyword will allow access.

Perm

Perm describes what kind of permission is being asked for. The permission is either open, execute, or any. If none is given, then open is assumed.

Subject

The subject is the process that is performing actions on system resources. The fields in the rule that describe the subject are written in a name=value format. There can be one or more subject fields. Each field is and'ed with others to decide if a rule triggers. The name values can be any of the following:

all

This matches against any subject. When used, this must be the only subject in the rule.

auid

This is the numeric login uid that the audit system assigns users when they log in to the system. Daemons have a value of -1.

uid

This is the numeric user id that the program is running under.

sessionid

This is the numeric session id that the audit system assigns to users when they log in. Daemons have a value of -1.

pid

This is the numeric process id that a program has.

trust

This is a boolean describing whether it is required for the subject to be in the trust database or not. A value of 1 means it is required while 0 means it is not.

comm

This is the shortened command name. When an interpreter starts a program, it usually renames the program to the script rather than the interpreter.

exe

This is the full path to the executable. Globbing is not supported. You may also use the special keyword untrusted to match on the subject not being listed in the rpm database.

dir

If you wish to match a directory, then use this by giving the full path to the directory. It is recommended to end with the / to ensure it matches a directory. There are 3 keywords that dir supports: execdirs, systemdirs, untrusted.

execdirs

The execdirs option will match against the following list of directories:

/usr/ /bin/ /sbin/ /lib/ /lib64/ /usr/libexec/

systemdirs

The systemdirs option will match against the same list as execdirs but also includes /etc/.

untrusted

The untrusted option will look up the current executable's full path in the rpm database to see if the executable is known to the system. The rule will trigger if the file in question is not in the trust database. This option is deprecated in favor of using obj_trust with execute permission when writing rules.

ftype

This option takes the mime type of a file as an argument. If you wish to check the mime type of a file while writing rules, run the following command:

file --mime-type /path-to-file

device

This option will match against the device that the executable resides on. To use it, start with /dev/ and add the target device name.

pattern

There are various ways that an attacker may try to execute code that may reveal themselves in the pattern of file accesses made during program startup. This rule can take one of several options depending on which access pattern is to be blocked. Fapolicyd is able to detect these different access patterns and provide the access decision as soon as it identifies the pattern. The pattern type can be any of:

normal

This matches against any ELF program that is dynamically linked.

ld_so

This matches against access patterns that indicate that the program is being started directly by the runtime linker.

static

This matches against ELF files that are statically linked.

Object

The object is the file that the subject is interacting with. The fields in the rule that describe the object are written in a name=value format. There can be one or more object fields. Each field is and'ed with others to decide if a rule triggers. The name values can be any of the following:

all

This matches against any object. When used, this must be the only object field in the rule.

path

This is the full path to the file that will be accessed. Globbing is not supported. You may also use the special keyword untrusted to match on the file not being listed in the rpm database.

dir

If you wish to match on access to any file in a directory, then use this by giving the full path to the directory. It is recommended to end with the / to ensure it matches a directory. There are 3 keywords that dir supports: execdirs, systemdirs, untrusted. See the dir option under Subject for an explanation of these keywords.

device

This option will match against the device that the file being accessed resides on. To use it, start with /dev/ and add the target device name.

ftype

This option matches against the mime type of the file being accessed. See ftype under Subject for more information on determining the mime type.

trust

This is a boolean describing whether it is required for the object to be in the trust database or not. A value of 1 means it is required while 0 means it is not.

sha256hash

This option matches against the sha256 hash of the file being accessed. The hash in the rules should be all lowercase letters and do NOT start with 0x. Lowercase is the default output of sha256sum.

Sets

A set is a named group of values of the same type. Fapolicyd internally distinguishes between INT and STRING set types. You can define your own set and use it as a value for a specific rule attribute. The definition is in key=value syntax and starts with a set name. The set name has to start with % and the rest is alphanumeric. The value is a comma separated list. The set type is inherited from the first item in the list. If that item can be turned into a number, then the whole list is expected to carry numbers. One can use these sets as a value for subject and object attributes. It is also possible to use a plain list as an attribute value without a previous definition. The assigned set has to match the attribute type. It is not possible to use sets for the TRUST and PATTERN attributes.

Sets Examples

# definition
%python=/usr/bin/python2.7,/usr/bin/python3.6
allow exe=%python : all trust=1
#
# definition
# number set
%uuids=0,1000
allow uid=%uuids : all

Notes

When you are writing a rule for the execute permission, remember that the file to be executed is an object. Unless you are blocking execution from a specific program, then you would normally use all for the subject side.

If you are writing rules that use patterns, just select any as the permission to be clear that this applies to anything. In reality, pattern matching ignores the permission but the suggestion is for documentation purposes.

Examples

The following rules illustrate the rule syntax.

deny_audit perm=open exe=/usr/bin/wget : dir=/tmp
allow perm=open exe=/usr/bin/python3.7 : ftype=text/x-python trust=1
deny_audit perm=any pattern=ld_so : all
deny perm=any all : all
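The following Python simulator is an added illustration, not code from fapolicyd or this man page. It implements the evaluation semantics described in Description, Perm, Sets and Notes (top-to-bottom first match, the mandatory colon, perm defaulting to open, pattern rules ignoring perm, %sets with INT/STRING typing, the execdirs/systemdirs keywords and sha256hash objects) and runs the rules above plus the Sets examples against constructed access events. The rule text, the set names, the hashed script content and the event fields are all assumptions made for this example; it also assumes subject dir matches on the exe path and object dir on the file path.

```python
"""Simulator of fapolicyd.rules evaluation: rules are tried top to bottom and the
first match decides. Added illustration, not fapolicyd's own code."""
import hashlib
from dataclasses import dataclass

# Directory keywords from the man page's dir option.
EXECDIRS = ["/usr/", "/bin/", "/sbin/", "/lib/", "/lib64/", "/usr/libexec/"]
SYSTEMDIRS = EXECDIRS + ["/etc/"]

@dataclass
class Rule:
    decision: str
    perm: str
    subject: dict  # field name -> list of acceptable values; {} means 'all'
    obj: dict

def _values(text, sets):
    """Expand a value: %name refers to a set; a comma list whose first item is
    numeric becomes an INT list, otherwise a STRING list."""
    if text.startswith("%"):
        return sets[text]
    items = text.split(",")
    if items[0].lstrip("-").isdigit():
        return [int(v) for v in items]
    return items

def _fields(tokens, sets):
    """Parse one side of a rule; 'all' must stand alone and yields {}."""
    if tokens == ["all"]:
        return {}
    fields = {}
    for tok in tokens:
        key, sep, val = tok.partition("=")
        if not sep:  # rejects 'all' mixed with other fields and 'pattern ld_so'
            raise ValueError(f"malformed field {tok!r}")
        fields[key] = _values(val, sets)
    return fields

def parse_rules(text):
    """Parse set definitions and rules in the order they appear."""
    sets, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("%"):  # set definition: %name=v1,v2,...
            name, _, vals = line.partition("=")
            sets[name] = _values(vals, sets)
            continue
        if ":" not in line:
            raise ValueError(f"missing ':' between subject and object: {line}")
        head, _, tail = line.partition(":")
        decision, *subj_tokens = head.split()
        perm, rest = "open", []  # perm is optional and defaults to open
        for tok in subj_tokens:
            if tok.startswith("perm="):
                perm = tok[len("perm="):]
            else:
                rest.append(tok)
        rules.append(Rule(decision, perm, _fields(rest, sets), _fields(tail.split(), sets)))
    return rules

def _side_matches(fields, event, path_key):
    """All fields on a side are and'ed; dir is a prefix match on the side's path."""
    for key, allowed_vals in fields.items():
        if key == "dir":
            dirs = []
            for d in allowed_vals:
                dirs.extend({"execdirs": EXECDIRS, "systemdirs": SYSTEMDIRS}.get(d, [d]))
            if not any(event.get(path_key, "").startswith(d) for d in dirs):
                return False
        elif event.get(key) not in allowed_vals:
            return False
    return True

def decide(rules, perm, subject, obj):
    """Return (decision, rule index) of the first matching rule, or (None, -1)."""
    for i, rule in enumerate(rules):
        # pattern rules ignore perm (see Notes); others need perm=any or an exact match
        if "pattern" not in rule.subject and rule.perm not in ("any", perm):
            continue
        if _side_matches(rule.subject, subject, "exe") and _side_matches(rule.obj, obj, "path"):
            return rule.decision, i
    return None, -1

def is_allowed(decision):
    """Any decision keyword starting with allow grants access; the suffix only
    selects audit/syslog/log reporting."""
    return decision is not None and decision.startswith("allow")

SCRIPT = b"#!/usr/bin/python3\nprint('hello')\n"  # constructed file content
SCRIPT_HASH = hashlib.sha256(SCRIPT).hexdigest()  # lowercase hex, no 0x prefix

# Constructed rule set; the set names and the hashed script are assumptions.
RULES = parse_rules(f"""
%python=/usr/bin/python2.7,/usr/bin/python3.6
%uuids=0,1000
deny_audit perm=open exe=/usr/bin/wget : dir=/tmp/
allow perm=open exe=%python : ftype=text/x-python trust=1
allow perm=execute all : sha256hash={SCRIPT_HASH}
deny_audit perm=any pattern=ld_so : all
allow uid=%uuids : all
deny perm=any all : all
""")

if __name__ == "__main__":
    # uid 1000 may open files (rule 4, perm defaults to open) but not execute them (rule 5)
    print(decide(RULES, "open", {"exe": "/usr/bin/cat", "uid": 1000}, {"path": "/etc/hosts"}))
    print(decide(RULES, "execute", {"exe": "/usr/bin/cat", "uid": 1000}, {"path": "/home/u/x"}))
```

The rule index returned by decide shows which line won, which is what you need when debugging an unexpected deny: the `allow uid=%uuids : all` line matches opens but not executes because its perm silently defaulted to open, so an execute by uid 1000 falls through to the final `deny perm=any all : all`.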

See Also

fapolicyd(8), fapolicyd-cli(1) and fapolicyd.conf(5)

Author

Steve Grubb

May 2020 Red Hat System Administration Utilities