FAPOLICYD.CONF:(5)      System Administration Utilities     FAPOLICYD.CONF:(5)

NAME

       fapolicyd.conf - fapolicyd configuration file

DESCRIPTION

       The file /etc/fapolicyd/fapolicyd.conf contains configuration information
       for the application whitelisting daemon. This file allows the admin to
       tune the performance and actions of fapolicyd during runtime. This file
       contains one configuration keyword per line, an equal sign, followed by
       the appropriate configuration value. All option names and values are
       case insensitive. The keywords recognized are listed and described
       below. Each line should be limited to 160 characters or the line will
       be skipped. You may add comments to the file by starting the line with
       a '#' character.

       permissive
              This option is either 0, meaning send policy decisions to the
              kernel for enforcement, or 1, meaning always allow the access
              even if policy would block it. This should only be used for
              policy testing and debugging. The default value is 0.

       nice_val
              This option gives fapolicyd a scheduler boost. The number can be
              from 0 to 20. The default value is 10.

       q_size This option is used to control how big an internal queue
              fapolicyd will use. If requests come in faster than fapolicyd
              can answer, the queue holds the pending requests. If
              do_stat_report is enabled, when fapolicyd shuts down it will
              provide some statistics which include the maximum queue depth
              used. This information can be used to help tune performance.
              The default value is 1024.

       uid    This can be a number or an account name which fapolicyd should
              switch to during startup. The default value is 0 because it is
              guaranteed to exist. But it is recommended to use the fapolicyd
              account if that exists.

       gid    This can be a number or a group name which fapolicyd should
              switch to during startup. The default value is 0 because it is
              guaranteed to exist. But it is recommended to use the fapolicyd
              group if that exists.

       do_stat_report
              This option controls whether (1) or not (0) fapolicyd should
              create a usage statistics report on shutdown. The report is
              written to /var/log/fapolicyd-access.log. This report gives
              information about the number of allowed accesses and denials.
              Then for both the subject and object cache, it dumps information
              about size, hits, misses, and evictions. The default value is 1,
              which means create the report.

       detailed_report
              This option controls whether (1) or not (0) fapolicyd should add
              subject and object information to the usage statistics report.
              This would be information about the exact process or file path
              in the cache, from most recently used to least recently used.
              This can be useful for forensics if an incident has occurred.
              But if the file names are sensitive then you may want to turn
              this off. The default value is 1, meaning add the details.

       db_max_size
              This option controls how many megabytes to allow the trust
              database to grow to. If you have lots of packages installed,
              then you want to make it bigger. The default value is 100
              megabytes.

       subj_cache_size
              This option controls how many entries the subject cache holds.
              You want the size to be big enough that you are not getting too
              many evictions compared to hits. But you don't want to waste
              memory. Whenever there is an eviction, fapolicyd has to
              regenerate information about the subject and this slows
              performance. There are only 64k processes allowed at any time,
              so this would be the upper limit. The default value is 1024.

       obj_cache_size
              This option controls how many entries the object cache holds.
              You want the size to be big enough that you are not getting too
              many evictions compared to hits. But you don't want to waste
              memory. Whenever there is an eviction, fapolicyd has to
              regenerate information about the object and this slows
              performance. The default value is 4096.


SEE ALSO

       fapolicyd(8), fapolicyd-cli(1) and fapolicy.rules(5).

AUTHOR

       Steve Grubb


Red Hat                            July 2019                FAPOLICYD.CONF:(5)