FAPOLICYD.RULES:(7)       System Administration Utilities       FAPOLICYD.RULES:(7)

NAME
       fapolicyd.rules - fapolicyd rules to determine access rights

DESCRIPTION
       fapolicyd.rules is a file that contains the rules that fapolicyd uses
       to make decisions about access rights. The rules follow a simple format
       of:

              access subject object

       They are evaluated from top to bottom with the first rule to match
       being used for the access control decision.

   Access
       The decision is either allow, deny, allow_audit, or deny_audit. If the
       rule triggers, this is the access decision that fapolicyd will tell the
       kernel. If the decision is one of the audit variety, then the decision
       will trigger a FANOTIFY audit event with all relevant information.

   Subject
       The subject is the process that is performing actions on system
       resources. The fields in the rule that describe the subject are written
       in a name=value format. There can be one or more subject fields. Each
       field is and'ed with others to decide if a rule triggers. The name can
       be any of the following:

       all        This matches against any subject. When used, this
                  must be the only subject in the rule.

       auid       This is the numeric login uid that the audit system
                  assigns users when they log in to the system. Daemons
                  have a value of -1.

       uid        This is the numeric user id that the program is
                  running under.

       sessionid  This is the numeric session id that the audit system
                  assigns to users when they log in. Daemons have a
                  value of -1.

       pid        This is the numeric process id that a program has.

       comm       This is the shortened command name. When an
                  interpreter starts a program, it usually renames the
                  program to the script rather than the interpreter.

       exe        This is the full path to the executable. Globbing is
                  not supported. You may also use the special keyword
                  untrusted to match on the subject not being listed
                  in the rpm database.

       exe_dir    If you wish to match a directory, then use this by
                  giving the full path to the directory. It is
                  recommended to end with the / to ensure it matches a
                  directory. There are 3 keywords that exe_dir
                  supports: execdirs, systemdirs, untrusted.

                  execdirs    The execdirs option will match against
                              the following list of directories:

                              /usr/ /bin/ /sbin/ /lib/ /lib64/
                              /usr/libexec/

                  systemdirs  The systemdirs option will match against
                              the same list as execdirs but also
                              includes /etc/.

                  untrusted   The untrusted option will look up the
                              current executable's full path in the
                              rpm database to see if the executable is
                              known to the system. The rule will
                              trigger if the file in question is not
                              packaged.

       exe_type   This option takes the mime type of a file as an
                  argument. If you wish to check the mime type of a
                  file while writing rules, run the following command:

                  file --mime-type /path-to-file

       exe_device This option will match against the device that the
                  executable resides on. To use it, start with /dev/
                  and add the target device name.

       pattern    There are various ways that an attacker may try to
                  execute code that may reveal itself in the pattern
                  of file accesses made during program startup. This
                  rule can take one of several options depending on
                  which access pattern is to be blocked. Fapolicyd is
                  able to detect these different access patterns and
                  provide the access decision as soon as it identifies
                  the pattern. The pattern type can be any of:

                  normal      This matches against any ELF program
                              that is dynamically linked.

                  bad_interpreter
                              This matches against access patterns
                              that indicate that the default ELF
                              interpreter is not being used.

                  ld_so       This matches against access patterns
                              that indicate that the program is being
                              started directly by the runtime linker.

                  static      This matches against ELF files that are
                              statically linked.

   Object
       The object is the file that the subject is interacting with. The fields
       in the rule that describe the object are written in a name=value
       format. There can be one or more object fields. Each field is and'ed
       with others to decide if a rule triggers. The name can be any of the
       following:

       all        This matches against any object. When used, this
                  must be the only object field in the rule.

       path       This is the full path to the file that will be
                  accessed. Globbing is not supported. You may also
                  use the special keyword untrusted to match on the
                  file not being listed in the rpm database.

       dir        If you wish to match on access to any file in a
                  directory, then use this by giving the full path to
                  the directory. It is recommended to end with the / to
                  ensure it matches a directory. There are 3 keywords
                  that dir supports: execdirs, systemdirs, untrusted.
                  See exe_dir for an explanation of these keywords.

       device     This option will match against the device that the
                  file being accessed resides on. To use it, start
                  with /dev/ and add the target device name.

       ftype      This option matches against the mime type of the
                  file being accessed. See exe_type for more
                  information on determining the mime type.

       sha256hash This option matches against the sha256 hash of the
                  file being accessed. The hash in the rules should be
                  all lowercase letters and must NOT start with 0x.
                  Lowercase is the default output of sha256sum.

EXAMPLES
       The following rules show how rules may look.

              deny_audit exe=/usr/bin/wget dir=/tmp
              allow exe=/usr/bin/python3.4 dir=execdirs ftype=text/x-python
              deny_audit pattern=ld_so all
              deny all all

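       As an added illustration (not fapolicyd's own code), the following Python
       simulates the evaluation described above: each rule is split into
       access/subject/object with name=value fields, fields are and'ed, the first
       matching rule decides, and the exe_dir/dir keywords are expanded. The
       PACKAGED set is a constructed stand-in for the rpm database that the
       untrusted keyword consults.

```python
# Constructed stand-in for the rpm database consulted by the `untrusted` keyword.
PACKAGED = {"/usr/bin/wget", "/usr/bin/python3.4", "/usr/bin/bash"}
EXECDIRS = ("/usr/", "/bin/", "/sbin/", "/lib/", "/lib64/", "/usr/libexec/")
SYSTEMDIRS = EXECDIRS + ("/etc/",)
ACCESS = {"allow", "deny", "allow_audit", "deny_audit"}
SUBJECT_KEYS = {"auid", "uid", "sessionid", "pid", "comm", "exe",
                "exe_dir", "exe_type", "exe_device", "pattern"}

def parse_rule(line):
    """Split one 'access subject object' line into (access, subject, object) fields."""
    access, *fields = line.split()
    if access not in ACCESS:
        raise ValueError(f"unknown access decision: {access}")
    subject, obj = {}, {}
    for field in fields:
        name, _, value = field.partition("=")
        # `all` takes no value; the first `all` belongs to the subject, a later one to the object.
        half = subject if name in SUBJECT_KEYS or (name == "all" and not subject) else obj
        half[name] = value
    return access, subject, obj

def _field_match(name, value, attrs, path_key):
    """One name=value field against the subject's or object's attributes."""
    if name == "all":
        return True
    if name in ("exe", "path") and value == "untrusted":
        return attrs.get(name) not in PACKAGED          # not in the rpm database
    if name in ("exe_dir", "dir"):                      # keyword or plain prefix match
        path = attrs.get(path_key, "")
        if value == "untrusted":
            return path not in PACKAGED
        prefixes = {"execdirs": EXECDIRS, "systemdirs": SYSTEMDIRS}.get(value, (value,))
        return path.startswith(prefixes)
    return str(attrs.get(name)) == value                # an absent attribute never matches

def decide(rules, subject, obj):
    """Top-to-bottom scan; the first rule whose fields all match (and'ed) decides."""
    for access, sfields, ofields in rules:
        if all(_field_match(n, v, subject, "exe") for n, v in sfields.items()) and \
           all(_field_match(n, v, obj, "path") for n, v in ofields.items()):
            return access
    return None  # unreachable when the file ends with `deny all all`

# The man page's example rule set, in name=value form.
RULES = [parse_rule(r) for r in (
    "deny_audit exe=/usr/bin/wget dir=/tmp",
    "allow exe=/usr/bin/python3.4 dir=execdirs ftype=text/x-python",
    "deny_audit pattern=ld_so all",
    "deny all all",
)]
```

       Because dir is a plain prefix match, `dir=/tmp` also matches a path such as
       /tmpfoo, which is why the page recommends the trailing slash.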
SEE ALSO
       fapolicyd(8), fapolicyd-cli(1) and fapolicyd.conf(5)

AUTHOR
       Steve Grubb

Red Hat                            July 2019                   FAPOLICYD.RULES:(7)