fapolicyd man page

fapolicyd — File Access Policy Daemon

Synopsis

fapolicyd [options]

Description

fapolicyd is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access.

Configuring fapolicyd is done with the files in /etc/fapolicyd/. There are two files, fapolicyd.rules and fapolicyd.conf. The first one sets the access rights and the second determines the daemon's configuration.

Options

--debug

leave the daemon in the foreground for debugging. Event information is written to stderr so that policy decisions can be observed.

--debug-deny

leave the daemon in the foreground for debugging. Event information is written to stderr only when the decision is to deny access.

--permissive

the daemon will allow file access regardless of the policy decision. This is useful for debugging rules before making them permanent.

--boost NN

increase the daemon's scheduling priority by this much. The number should be positive and less than or equal to 20. The default boost is 10.

--queue NNNN

set the size of the internal queue of pending decisions to this number. It should be a positive number. The default size is 1024.

--user NN

run as a particular user rather than root. This may either be numeric or a user name from the passwd database.

--group NN

run using a particular group rather than root. This may either be numeric or a user name from the passwd database.

--no-details

when fapolicyd ends, it dumps a usage report with various statistics that may be useful for tuning performance. It can also detail which processes it knew about and the files being accessed by them. This can be useful for forensic investigations. In some settings, this may not be desirable as the file names may be sensitive. Using this option removes process and file names, leaving only the statistics. The default without giving this option is to generate a full report.

Signals

SIGTERM

causes fapolicyd to discontinue processing events and exit.

Notes

To get audit events, you must have auditing enabled and at least one system call rule loaded. Otherwise, you will not get any events.
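A preflight check for the requirement in this note, as an added example (not part of the man page or the fapolicyd project). It assumes the one-field-per-line output of `auditctl -s` and the `-S` field that `auditctl -l` prints for system call rules; the function name and the sample text are constructed for illustration.

```shell
#!/bin/sh
# audit_ready STATUS_TEXT RULES_TEXT
#   STATUS_TEXT: output of `auditctl -s`
#   RULES_TEXT:  output of `auditctl -l`
# Returns 0 when audit events can appear, 1 when auditing is off,
# 2 when no system call rule is loaded. The reason is printed on stdout.
audit_ready() {
    status=$1
    rules=$2

    # "enabled 0" = off, "enabled 1" = on, "enabled 2" = on and locked.
    enabled=$(printf '%s\n' "$status" | awk '$1 == "enabled" { print $2; exit }')
    case $enabled in
        1|2) ;;
        *) echo "auditing is not enabled (enabled=${enabled:-unknown})"
           return 1 ;;
    esac

    # File watches (-w ...) do not count; a system call rule lists -S <name>.
    if ! printf '%s\n' "$rules" | grep -Eq -e '(^|[[:space:]])-S[[:space:]]'; then
        echo "no system call rule loaded"
        return 2
    fi

    echo "audit events can be delivered"
    return 0
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_STATUS_ON='enabled 1
failure 1
pid 812'
SAMPLE_STATUS_OFF='enabled 0
failure 1
pid 0'
SAMPLE_RULES_SYSCALL='-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S execve -F key=exec'
SAMPLE_RULES_WATCH_ONLY='-w /etc/passwd -p wa -k identity'
SAMPLE_RULES_EMPTY='No rules'

# On a live system (as root):
#   audit_ready "$(auditctl -s)" "$(auditctl -l)"
```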

Files

/etc/fapolicyd/fapolicyd.conf - daemon configuration

/etc/fapolicyd/fapolicyd.rules - access control rules

/var/log/fapolicyd-access.log - information about what was being accessed.

See Also

fapolicyd-cli(1), fapolicyd.rules(5) and fapolicyd.conf(5)

Author

Steve Grubb

July 2019 Red Hat System Administration Utilities