FAPOLICYD.RULES:(5)     System Administration Utilities    FAPOLICYD.RULES:(5)



NAME

       fapolicyd.rules - fapolicyd rules to determine access rights


DESCRIPTION

       fapolicyd.rules is a file that contains the rules that fapolicyd uses
       to make decisions about access rights. The rules follow a simple format
       of:

       decision perm subject : object

       They are evaluated from top to bottom with the first rule to match
       being used for the access control decision. The colon is mandatory to
       separate subject and object since they share keywords.


   Decision
       The decision is either allow, deny, allow_audit, or deny_audit. If the
       rule triggers, this is the access decision that fapolicyd will tell the
       kernel. If the decision is one of the audit variety, then the decision
       will trigger a FANOTIFY audit event with all relevant information.


   Perm
       Perm describes what kind of permission is being asked for. The
       permission is either open, execute, or any. If none are given, then
       open is assumed.


   Subject
       The subject is the process that is performing actions on system
       resources. The fields in the rule that describe the subject are written
       in a name=value format. There can be one or more subject fields. Each
       field is and'ed with others to decide if a rule triggers. The name
       values can be any of the following:


              all         This matches against any subject. When used, this
                          must be the only subject in the rule.

              auid        This is the numeric login uid that the audit system
                          assigns users when they log in to the system.
                          Daemons have a value of -1.

              uid         This is the numeric user id that the program is
                          running under.

              sessionid   This is the numeric session id that the audit system
                          assigns to users when they log in. Daemons have a
                          value of -1.

              pid         This is the numeric process id that a program has.

              trust       This is a boolean describing whether it is required
                          for the subject to be in the trust database or not.
                          A value of 1 means it is required while 0 means it
                          is not.

              comm        This is the shortened command name. When an
                          interpreter starts a program, it usually renames the
                          program to the script rather than the interpreter.

              exe         This is the full path to the executable. Globbing is
                          not supported. You may also use the special keyword
                          untrusted to match on the subject not being listed
                          in the rpm database.

              dir         If you wish to match a directory, then use this by
                          giving the full path to the directory. It is
                          recommended to end with the / to ensure it matches a
                          directory. There are 3 keywords that dir supports:
                          execdirs, systemdirs, untrusted.

                          execdirs    The execdirs option will match against
                                      the following list of directories:

                                      /usr/ /bin/ /sbin/ /lib/ /lib64/
                                      /usr/libexec/

                          systemdirs  The systemdirs option will match against
                                      the same list as execdirs but also
                                      includes /etc/.

                          untrusted   The untrusted option will look up the
                                      current executable's full path in the
                                      rpm database to see if the executable is
                                      known to the system. The rule will
                                      trigger if the file in question is not in
                                      the trust database. This option is
                                      deprecated in favor of using obj_trust
                                      with execute permission when writing
                                      rules.

              ftype       This option takes the mime type of a file as an
                          argument. If you wish to check the mime type of a
                          file while writing rules, run the following command:

                          file --mime-type /path-to-file


              device      This option will match against the device that the
                          executable resides on. To use it, start with /dev/
                          and add the target device name.


              pattern     There are various ways that an attacker may try to
                          execute code that may reveal itself in the pattern
                          of file accesses made during program startup. This
                          rule can take one of several options depending on
                          which access pattern is to be blocked. Fapolicyd is
                          able to detect these different access patterns and
                          provide the access decision as soon as it identifies
                          the pattern. The pattern type can be any of:


                          normal      This matches against any ELF program
                                      that is dynamically linked.

                          ld_so       This matches against access patterns
                                      that indicate that the program is being
                                      started directly by the runtime linker.

                          static      This matches against ELF files that are
                                      statically linked.



   Object
       The object is the file that the subject is interacting with. The fields
       in the rule that describe the object are written in a name=value
       format. There can be one or more object fields. Each field is and'ed
       with others to decide if a rule triggers. The name values can be any of
       the following:


              all         This matches against any object. When used, this
                          must be the only object in the rule.

              path        This is the full path to the file that will be
                          accessed. Globbing is not supported. You may also
                          use the special keyword untrusted to match on the
                          object not being listed in the rpm database.

              dir         If you wish to match on access to any file in a
                          directory, then use this by giving the full path to
                          the directory. It is recommended to end with the /
                          to ensure it matches a directory. There are 3
                          keywords that dir supports: execdirs, systemdirs,
                          untrusted. See the dir option under Subject for an
                          explanation of these keywords.

              device      This option will match against the device that the
                          file being accessed resides on. To use it, start
                          with /dev/ and add the target device name.

              ftype       This option matches against the mime type of the
                          file being accessed. See ftype under Subject for
                          more information on determining the mime type.

              trust       This is a boolean describing whether it is required
                          for the object to be in the trust database or not. A
                          value of 1 means it is required while 0 means it is
                          not.

              sha256hash  This option matches against the sha256 hash of the
                          file being accessed. The hash in the rules should be
                          all lowercase letters and do NOT start with 0x.
                          Lowercase is the default output of sha256sum.


NOTES

       When you are writing a rule for the execute permission, remember that
       the file to be executed is an object. Unless you are blocking execution
       from a specific program, then you would normally use all for the
       subject side.

       If you are writing rules that use patterns, just select any as the
       permission to be clear that this applies to anything. In reality,
       pattern matching ignores the permission but the suggestion is for
       documentation purposes.


EXAMPLES

       The following rules illustrate the rule syntax.

       deny_audit perm=open exe=/usr/bin/wget : dir=/tmp
       allow perm=open exe=/usr/bin/python3.7 : ftype=text/x-python trust=1
       deny_audit perm=any pattern=ld_so : all
       deny perm=any all : all


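       As an added example (not part of this man page or of the fapolicyd
       project), the following Python code parses the rule syntax described
       in DESCRIPTION and evaluates the four example rules top to bottom,
       first match wins. The access events it is fed are constructed dicts:
       the pattern and trust values are supplied by the caller rather than
       detected, as the real daemon would do.

```python
DECISIONS = {"allow", "deny", "allow_audit", "deny_audit"}
PERMS = {"open", "execute", "any"}

def _fields(tokens):
    """name=value fields, and'ed together; bare 'all' must stand alone."""
    if tokens == ["all"]:
        return {}                      # empty field set matches anything
    fields = {}
    for tok in tokens:
        name, sep, value = tok.partition("=")
        if not sep or name == "all":
            raise ValueError(f"bad field {tok!r}: expected name=value")
        fields[name] = value
    return fields

def parse_rule(line):
    """Parse 'decision perm subject : object'; the colon is mandatory."""
    subj, sep, obj = line.partition(":")
    if not sep:
        raise ValueError("missing ':' between subject and object")
    decision, *tokens = subj.split()
    perm = "open"                      # open is assumed when perm is omitted
    if tokens and tokens[0].startswith("perm="):
        perm = tokens.pop(0)[len("perm="):]
    if decision not in DECISIONS or perm not in PERMS:
        raise ValueError(f"bad decision or perm in {line!r}")
    return {"decision": decision, "perm": perm,
            "subject": _fields(tokens), "object": _fields(obj.split())}

def _side_matches(fields, side):
    """dir= is a prefix match on the side's path (exe for a subject); others exact."""
    return all(side.get("path", side.get("exe", "")).startswith(v) if k == "dir"
               else side.get(k) == v for k, v in fields.items())

def decide(rules, perm, subject, obj):
    """Top to bottom, the first matching rule decides; None if none matched."""
    for r in rules:
        if r["perm"] in ("any", perm) and _side_matches(r["subject"], subject) \
                and _side_matches(r["object"], obj):
            return r["decision"]
    return None

# Constructed events are plain dicts; pattern/trust come from the caller here
# rather than from the daemon's own detection and trust database.
RULES = [parse_rule(l) for l in (   # the four example rules above
    "deny_audit perm=open exe=/usr/bin/wget : dir=/tmp",
    "allow perm=open exe=/usr/bin/python3.7 : ftype=text/x-python trust=1",
    "deny_audit perm=any pattern=ld_so : all",
    "deny perm=any all : all",
)]
```

       Feeding it "deny_audit perm=any pattern ld_so : all" (without the
       equals sign) raises ValueError, since every subject field must be in
       name=value form.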

SEE ALSO

       fapolicyd(8), fapolicyd-cli(1) and fapolicyd.conf(5)



AUTHOR

       Steve Grubb



Red Hat                            Jan 2020                FAPOLICYD.RULES:(5)