fapolicyd - Man Page

fapolicyd [--debug|--debug-deny] [--permissive] [--no-details] [--mounts=PATH] [--version] [--boostVALUE] [--queueVALUE] [--userNAME] [--groupNAME]

fapolicyd is a userspace daemon that determines access rights to files based on a trust database and file or process attributes. It can be used to either blacklist or whitelist file access and execution.

Configuring fapolicyd is done with the files in the /etc/fapolicyd/ directory. There are three files: compiled.rules , fapolicyd.conf , and fapolicyd.trust. The first one contains the access policy, the second determines the daemon's configuration, and the last allows admin defined trusted files.

The default rules will generate audit events whenever there is a denial. NOTE: you must have at least 1 audit rule loaded for the audit system to create the full FANOTIFY event. It doesn't matter which rule is loaded. To see if you have any denials, you can run the following command:

or instead of -i, you can add --format text to get an easier to read audit event.

--debug

Run the daemon in the foreground and write event information to stderr so policy decisions can be observed.

--debug-deny

Run the daemon in the foreground and write only deny decisions to stderr.

--permissive

Allow file access even when policy would deny it. This is useful when validating rules before enforcing them.

--mounts=PATH

In debug mode only, read mount information from the regular file at PATH instead of /proc/mounts. The file must use the same format as /proc/mounts. This is useful when reproducing mount-related issues with a captured or filtered mount list.

--no-details

Suppress process and file names in the shutdown usage report while keeping the aggregate statistics.

--version

Display version information and exit.

--boost ,

--queue, --user, --group These legacy options are still accepted for backward compatibility, but the current daemon ignores their values and logs that they are deprecated.

SIGTERM

causes fapolicyd to discontinue processing events, write it's performance report, and exit.

SIGHUP

causes fapolicyd to reload the trust database.

SIGUSR1

causes fapolicyd to dump it's internal statistics to /run/fapolicyd/fapolicyd.state

Whatever you do, DO NOT TRY TO ATTACH WITH PTRACE. Ptrace attachment sends a SIGSTOP which cannot be blocked. Since your whole system depends on fapolicyd approving access to glibc and various critical libraries, that will not happen until SIGCONT is sent. The system can deadlock if the continue signal is not sent.

To get audit events, you must have auditing enabled and at least one systemcall rule loaded. Otherwise you will not get any events.

If the rpmdb is set as a trust source, you should minimize the number of 32 bit packages on the system. In such cases, there may be a 32 bit and 64 file with the same pathname. Obviously only one can exist on the disk. So, this will always cause database miscompares and cause a delay in the daemon being operational.

The compiled.rules file is the resulting merge of component rules in /etc/fapolicyd/rules.d/ See the fagenrules man page for more information.

If you are running in the debug mode and wish to compare rule numbers reported in the output with which rule is actually triggering, you can see the rules with the corresponding number by running the following command:

fapolicyd-cli --list

/etc/fapolicyd/fapolicyd.conf - daemon configuration

/etc/fapolicyd/compiled.rules - access control rules

/etc/fapolicyd/fapolicyd.trust - admin defined trusted files

/var/log/fapolicyd-access.log - information about what was being accessed.

/run/fapolicyd/fapolicyd.state - internal performance metrics

fapolicyd-cli(8), fapolicyd.rules(5), fapolicyd.trust(5), fapolicyd-filter.conf(5), fagenrules(8), and fapolicyd.conf(5)

Steve Grubb

fagenrules(8), fapolicy-analyzer(8), fapolicy-analyzer-cli-profiler(8), fapolicy-analyzer-cli-rules(8), fapolicy-analyzer-cli-trust(8), fapolicyd-cli(8), fapolicyd.conf(5), fapolicyd-filter.conf(5), fapolicyd.rules(5), fapolicyd.trust(5), rpm-filter.conf(5), rpm-plugin-fapolicyd(8).