FAPOLICYD.CONF:(5) System Administration Utilities FAPOLICYD.CONF:(5)

fapolicyd.conf - fapolicyd configuration file

The file /etc/fapolicyd/fapolicyd.conf contains configuration
information for the application whitelisting daemon. This file allows
the admin to tune the performance and actions of fapolicyd during
runtime. Each line contains one configuration keyword, an equal sign,
and then the appropriate configuration information. All option names
and values are case insensitive. The keywords recognized are listed and
described below. Each line should be limited to 160 characters or the
line will be skipped. You may add comments to the file by starting the
line with a '#' character.

permissive
       A value of 0 means policy decisions are sent to the kernel for
       enforcement. A value of 1 means access is always allowed, even
       if policy would block it. This should only be used for policy
       testing and debugging. The default value is 0.

nice_val
       This option gives fapolicyd a scheduler boost. The number can be
       from 0 to 20. The default value is 10.

q_size
       This option controls the size of the internal queue that
       fapolicyd will use. If requests come in faster than fapolicyd
       can answer, the queue holds the pending requests. If
       do_stat_report is enabled, fapolicyd provides some statistics
       when it shuts down, including the maximum queue depth used.
       This information can be used to help tune performance. The
       default value is 1024.

uid
       This can be a number or an account name which fapolicyd should
       switch to during startup. The default value is 0 because it is
       guaranteed to exist. But it is recommended to use the fapolicyd
       account if that exists.

gid
       This can be a number or a group name which fapolicyd should
       switch to during startup. The default value is 0 because it is
       guaranteed to exist. But it is recommended to use the fapolicyd
       group if that exists.

do_stat_report
       This option controls whether (1) or not (0) fapolicyd should
       create a usage statistics report on shutdown. The report is
       written to /var/log/fapolicyd-access.log. This report gives
       information about the number of allowed accesses and denials.
       Then, for both the subject and object cache, it dumps
       information about size, hits, misses, and evictions. The default
       value is 1, which means create the report.

detailed_report
       This option controls whether (1) or not (0) fapolicyd should add
       subject and object information to the usage statistics report.
       This would be information about the exact process or file path
       in the cache, from most recently used to least recently used.
       This can be useful for forensics if an incident has occurred.
       But if the file names are sensitive then you may want to turn
       this off. The default value is 1, meaning add the details.

db_max_size
       This option controls how many megabytes to allow the trust
       database to grow to. If you have lots of packages installed,
       then you want to make it bigger. The default value is 100
       megabytes.

subj_cache_size
       This option controls how many entries the subject cache holds.
       You want the size to be big enough that you are not getting too
       many evictions compared to hits. But you don't want to waste
       memory. Whenever there is an eviction, fapolicyd has to
       regenerate information about the subject and this slows
       performance. There are only 64k processes allowed at any time,
       so this would be the upper limit. The default value is 1024.

obj_cache_size
       This option controls how many entries the object cache holds.
       You want the size to be big enough that you are not getting too
       many evictions compared to hits. But you don't want to waste
       memory. Whenever there is an eviction, fapolicyd has to
       regenerate information about the object and this slows
       performance. The default value is 4096.

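The file format and the cautions described above, as an added example that is not part of the man page or the fapolicyd project: a small Python audit that applies the documented parsing rules (keyword = value lines, '#' comments, case insensitivity, the 160-character limit) and reports the settings this page cautions about. Ignoring surrounding whitespace and treating detailed_report as relevant only when do_stat_report is on are assumptions; the sample input is constructed.

```python
# Added example (not fapolicyd code): audit fapolicyd.conf text with the man page's rules.
DEFAULTS = {  # documented defaults from this page
    "permissive": "0", "nice_val": "10", "q_size": "1024", "uid": "0", "gid": "0",
    "do_stat_report": "1", "detailed_report": "1", "db_max_size": "100",
    "subj_cache_size": "1024", "obj_cache_size": "4096",
}
MAX_LINE = 160  # longer lines are skipped
SAMPLE = """\
# constructed sample input, not a shipped configuration
Permissive = 1
uid = fapolicyd
gid = 0
NICE_VAL = 25
detailed_report = 0
q_size 2048
"""

def parse_conf(text):
    """Return (settings, notes); settings start from the documented defaults."""
    settings, notes = dict(DEFAULTS), []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()  # assumption: surrounding whitespace is ignored
        if not line or line.startswith("#"):
            continue
        if len(raw) > MAX_LINE:
            notes.append(f"line {n}: longer than {MAX_LINE} characters, skipped")
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip().lower(), value.strip().lower()  # case insensitive
        if not sep or key not in DEFAULTS:
            notes.append(f"line {n}: not a recognized 'keyword = value' entry")
            continue
        settings[key] = value
    return settings, notes

def audit(text):
    """Return parse notes plus findings for settings this page cautions about."""
    settings, findings = parse_conf(text)
    if settings["permissive"] != "0":
        findings.append("permissive: policy is not enforced; testing and debug only")
    for key in ("uid", "gid"):
        if settings[key] in ("0", "root"):
            findings.append(f"{key}: runs as 0; the fapolicyd account/group is recommended")
    if settings["do_stat_report"] == "1" and settings["detailed_report"] == "1":
        findings.append("detailed_report: shutdown report will list process and file paths")
    nice = settings["nice_val"]
    if not nice.isdigit() or not 0 <= int(nice) <= 20:
        findings.append("nice_val: outside the documented range 0 to 20")
    return findings
```

Calling `audit(SAMPLE)` reports the malformed `q_size 2048` line, the permissive mode, the gid of 0 and the out-of-range nice_val; an empty file is audited against the documented defaults.
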
fapolicyd(8) and fapolicy.rules(5).

Steve Grubb

Red Hat June 2018 FAPOLICYD.CONF:(5)