fapolicyd.rules man page

fapolicyd.rules - fapolicyd rules to determine access rights

Description

fapolicyd.rules is a file that contains the rules that fapolicyd uses to make decisions about access rights. The rules follow a simple format of:

access decision subject object

They are evaluated from top to bottom with the first rule to match being used for the access control decision.

Access

The decision is either allow or deny. If the rule triggers, this is the access decision that fapolicyd will tell the kernel.

Subject

The subject is the process that is performing actions on system resources. The fields in the rule that describe the subject are written in a name=value format. There can be one or more subject fields. Each field is and'ed with the others to decide if a rule triggers. The name can be any of the following:

all

This matches against any subject. When used, this must be the only subject in the rule.

auid

This is the numeric login uid that the audit system assigns users when they log in to the system. Daemons have a value of -1.

uid

This is the numeric user id that the program is running under.

sessionid

This is the numeric session id that the audit system assigns to users when they log in. Daemons have a value of -1.

pid

This is the numeric process id that a program has.

comm

This is the shortened command name. When an interpreter starts a script, comm is usually the name of the script rather than the name of the interpreter.

exe

This is the full path to the executable. Globbing is not supported. You may also use the special keyword unpackaged to match on the subject not being listed in the rpm database.

exe_dir

If you wish to match a directory, then use this by giving the full path to the directory. It's recommended to end with the / to ensure it matches a directory. There are 3 keywords that exe_dir supports: execdirs, systemdirs, unpackaged.

execdirs

The execdirs option will match against the following list of directories:

/usr/ /bin/ /sbin/ /lib/ /lib64/ /usr/libexec/

systemdirs

The systemdirs option will match against the same list as execdirs but also includes /etc/.

unpackaged

The unpackaged option will look up the current executable's full path in the rpm database to see if the executable is known to the system. The rule will trigger if the file in question is not packaged.

exe_type

This option takes the mime type of a file as an argument. If you wish to check the mime type of a file while writing rules, run the following command:

file --mime-type /path-to-file

exe_device

This option will match against the device that the executable resides on. To use it, start with /dev/ and add the target device name.

Object

The object is the file that the subject is interacting with. The fields in the rule that describe the object are written in a name=value format. There can be one or more object fields. Each field is and'ed with the others to decide if a rule triggers. The name can be any of the following:

all

This matches against any object. When used, this must be the only object field in the rule.

path

This is the full path to the file that will be accessed. Globbing is not supported. You may also use the special keyword unpackaged to match on the file being accessed not being listed in the rpm database.

dir

If you wish to match on access to any file in a directory, then use this by giving the full path to the directory. It's recommended to end with the / to ensure it matches a directory. There are 3 keywords that dir supports: execdirs, systemdirs, unpackaged. See exe_dir for an explanation of these keywords.

device

This option will match against the device that the file being accessed resides on. To use it, start with /dev/ and add the target device name.

ftype

This option matches against the mime type of the file being accessed. See exe_type for more information on determining the mime type.

sha256hash

This option matches against the sha256 hash of the file being accessed. To obtain the hash of a file while writing rules, run the following command:

sha256sum /path-to-file

Examples

The following rules show how rules may look.

deny exe=/usr/bin/wget dir=/tmp
allow exe=/usr/bin/python3.4 dir=execdirs ftype=text/x-python
deny all all
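The following is an added example and is not part of this man page or of fapolicyd itself: a small Python model of the rule semantics described above (rules evaluated top to bottom, first match wins, the fields on each side and'ed together, all standing alone, and the execdirs/systemdirs/unpackaged keyword expansion for exe_dir and dir). It parses the three example rules and decides constructed events. The rpm database behind unpackaged is replaced by a constructed PACKAGED set, the Event structure and the None result when no rule matches are assumptions of this example, and nothing here is fapolicyd's real matching code.

```python
"""Toy evaluator for the fapolicyd.rules format (added example, not fapolicyd code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Directory lists given on the page for the execdirs / systemdirs keywords.
EXECDIRS = ("/usr/", "/bin/", "/sbin/", "/lib/", "/lib64/", "/usr/libexec/")
SYSTEMDIRS = EXECDIRS + ("/etc/",)

# Field names the page lists for the subject side and the object side.
SUBJECT_FIELDS = {"all", "auid", "uid", "sessionid", "pid", "comm",
                  "exe", "exe_dir", "exe_type", "exe_device"}
OBJECT_FIELDS = {"all", "path", "dir", "device", "ftype", "sha256hash"}

# Constructed stand-in for the rpm database: paths considered "packaged".
PACKAGED = {"/usr/bin/wget", "/usr/bin/python3.4", "/usr/lib64/libc.so.6"}


@dataclass
class Rule:
    decision: str            # "allow" or "deny"
    subject: Dict[str, str]  # name=value pairs describing the process
    object: Dict[str, str]   # name=value pairs describing the file


@dataclass
class Event:
    """Assumed shape of an access event: attributes of the process and the file."""
    subject: Dict[str, str]  # e.g. {"exe": "/usr/bin/wget", "uid": "1000"}
    object: Dict[str, str]   # e.g. {"path": "/tmp/x", "ftype": "text/x-shellscript"}


def parse_rules(text: str) -> List[Rule]:
    """Parse 'decision subject-fields object-fields' lines into Rule objects."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens:
            continue
        decision, fields = tokens[0], tokens[1:]
        if decision not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: decision must be allow or deny")
        subject: Dict[str, str] = {}
        obj: Dict[str, str] = {}
        side = subject
        for tok in fields:
            name, _, value = tok.partition("=")
            # Subject fields come first; the first object-only name (or a
            # second bare 'all') switches parsing to the object side.
            if side is subject and (name not in SUBJECT_FIELDS or (name == "all" and subject)):
                side = obj
            if side is obj and name not in OBJECT_FIELDS:
                raise ValueError(f"line {lineno}: unknown field {name!r}")
            side[name] = value
        for s in (subject, obj):
            if not s:
                raise ValueError(f"line {lineno}: rule needs both a subject and an object")
            if "all" in s and len(s) > 1:
                raise ValueError(f"line {lineno}: 'all' must be the only field on its side")
        rules.append(Rule(decision, subject, obj))
    return rules


def _dir_match(path: str, value: str) -> bool:
    """exe_dir= / dir=: prefix match, with the three keywords expanded."""
    if value == "execdirs":
        prefixes = EXECDIRS
    elif value == "systemdirs":
        prefixes = SYSTEMDIRS
    elif value == "unpackaged":
        return path not in PACKAGED
    else:
        # Plain prefix match: dir=/tmp also matches /tmpfs/..., dir=/tmp/ does not.
        prefixes = (value,)
    return any(path.startswith(p) for p in prefixes)


def _field_match(name: str, value: str, attrs: Dict[str, str], path_key: str) -> bool:
    if name == "all":
        return True
    if name in ("exe_dir", "dir"):
        return _dir_match(attrs.get(path_key, ""), value)
    if name in ("exe", "path") and value == "unpackaged":
        return attrs.get(path_key, "") not in PACKAGED
    return attrs.get(name) == value  # exact string match; no globbing


def rule_matches(rule: Rule, ev: Event) -> bool:
    """Every subject field AND every object field must match."""
    return (all(_field_match(n, v, ev.subject, "exe") for n, v in rule.subject.items())
            and all(_field_match(n, v, ev.object, "path") for n, v in rule.object.items()))


def decide(rules: List[Rule], ev: Event) -> Optional[Tuple[int, str]]:
    """First matching rule wins: returns (rule index, decision).
    The page does not say what happens when nothing matches; None stands for that."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, ev):
            return i, rule.decision
    return None


# The three example rules from this page.
RULES = parse_rules("""
deny exe=/usr/bin/wget dir=/tmp
allow exe=/usr/bin/python3.4 dir=execdirs ftype=text/x-python
deny all all
""")

if __name__ == "__main__":
    ev = Event({"exe": "/usr/bin/python3.4", "uid": "1000"},
               {"path": "/usr/lib/foo/app.py", "ftype": "text/x-python"})
    print(decide(RULES, ev))  # (1, 'allow')
```

The model makes the trailing-slash advice concrete: with the example rule dir=/tmp written without a slash, wget touching /tmpfs/anything also hits the deny rule, which may or may not be intended. The ftype value is compared as a plain string, so it must be spelled exactly as file --mime-type prints it.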

See Also

fapolicyd(8)

Author

Steve Grubb

Referenced By

fapolicyd(8).

May 2016 Red Hat System Administration Utilities