FAPOLICYD.RULES(5)          System Administration Utilities          FAPOLICYD.RULES(5)

NAME
       fapolicyd.rules - fapolicyd rules to determine access rights

DESCRIPTION
       fapolicyd.rules is the file that contains the rules fapolicyd uses to
       make access control decisions. Each rule has the form

              decision perm subject : object

       Rules are evaluated from top to bottom, and the first rule that matches
       supplies the access control decision. The colon is mandatory: it
       separates the subject from the object, because the two sides share
       field names.

   Decision
       The decision is one of allow, deny, allow_audit, or deny_audit. When a
       rule triggers, this is the access decision that fapolicyd returns to
       the kernel. The audit variants additionally emit a FANOTIFY audit
       event carrying all relevant information about the access.

   Perm
       Perm describes what kind of permission is being requested: open,
       execute, or any. If no perm is given, open is assumed.

   Subject
       The subject is the process that is performing actions on system
       resources. The fields that describe the subject are written in a
       name=value format. There can be one or more subject fields; every
       field must match (they are AND'ed together) for the rule to trigger.
       The field names can be any of the following:

       all         Matches any subject. When used, it must be the only
                   subject field in the rule.

       auid        The numeric login uid that the audit system assigns to a
                   user at login. Daemons have a value of -1.

       uid         The numeric user id that the program is running under.

       sessionid   The numeric session id that the audit system assigns to a
                   user at login. Daemons have a value of -1.

       pid         The numeric process id of the program.

       trust       A boolean stating whether the subject is required to be in
                   the trust database. A value of 1 means it is required; 0
                   means it is not.

       comm        The shortened command name. When an interpreter starts a
                   program, the command name is usually that of the script
                   rather than the interpreter.

       exe         The full path to the executable. Globbing is not
                   supported. The special keyword untrusted matches a subject
                   that is not listed in the rpm database.

       dir         Matches an executable located under a directory, given as
                   its full path. It is recommended to end the path with / so
                   that it matches only that directory (dir=/tmp would also
                   match a path such as /tmpfiles). dir supports three
                   keywords: execdirs, systemdirs, untrusted.

                   execdirs    Matches the following list of directories:

                               /usr/ /bin/ /sbin/ /lib/ /lib64/ /usr/libexec/

                   systemdirs  Matches the same list as execdirs and also
                               /etc/.

                   untrusted   Looks up the current executable's full path in
                               the rpm database to see whether the executable
                               is known to the system. The rule triggers if
                               the file in question is not in the trust
                               database. This keyword is deprecated in favor
                               of using obj_trust with execute permission when
                               writing rules.

       ftype       Takes the MIME type of a file as its argument. To find the
                   MIME type of a file while writing rules, run:

                          file --mime-type /path-to-file

       device      Matches the device that the executable resides on. To use
                   it, start with /dev/ and add the target device name.

       pattern     There are various ways an attacker may try to execute
                   code, and some of them reveal themselves in the pattern of
                   file accesses made during program startup. fapolicyd
                   detects these access patterns and provides the access
                   decision as soon as it identifies one. This field takes one
                   of the following values, depending on which access pattern
                   you wish to block:

                   normal      Matches any ELF program that is dynamically
                               linked.

                   ld_so       Matches access patterns indicating that the
                               program is being started directly by the
                               runtime linker.

                   static      Matches ELF files that are statically linked.

   Object
       The object is the file that the subject is interacting with. The
       fields that describe the object are written in a name=value format.
       There can be one or more object fields; every field must match (they
       are AND'ed together) for the rule to trigger. The field names can be
       any of the following:

       all         Matches any object. When used, it must be the only object
                   field in the rule.

       path        The full path to the file that will be accessed. Globbing
                   is not supported. The special keyword untrusted matches an
                   object that is not listed in the rpm database.

       dir         Matches access to any file under a directory, given as its
                   full path. It is recommended to end the path with / to
                   ensure it matches only that directory. dir supports three
                   keywords: execdirs, systemdirs, untrusted. See the dir
                   field under Subject for an explanation of these keywords.

       device      Matches the device that the file being accessed resides
                   on. To use it, start with /dev/ and add the target device
                   name.

       ftype       Matches the MIME type of the file being accessed. See
                   ftype under Subject for how to determine the MIME type.

       trust       A boolean stating whether the object is required to be in
                   the trust database. A value of 1 means it is required; 0
                   means it is not.

       sha256hash  Matches the SHA-256 hash of the file being accessed. The
                   hash in the rule must be all lowercase hexadecimal and
                   must NOT start with 0x. Lowercase is the default output of
                   sha256sum.

NOTES
       When writing a rule for the execute permission, remember that the file
       being executed is the object. Unless you are blocking execution by a
       specific program, you would normally use all on the subject side.

       When writing rules that use patterns, select any as the permission to
       make clear that the rule applies to every kind of access. Pattern
       matching actually ignores the permission; the suggestion is for
       documentation purposes.

EXAMPLES
       The following rules illustrate the rule syntax.

              deny_audit perm=open exe=/usr/bin/wget : dir=/tmp
              allow perm=open exe=/usr/bin/python3.7 : ftype=text/x-python trust=1
              deny_audit perm=any pattern=ld_so : all
              deny perm=any all : all
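The following Python program is an added example and is not part of fapolicyd or of this manual page. It implements the semantics documented above (first matching rule wins, the fields on each side are AND'ed, the colon is mandatory, perm defaults to open, pattern rules ignore perm, dir is a prefix match that accepts the execdirs and systemdirs keywords, sha256hash must be lowercase without 0x) as a small parser and dry-run evaluator, so a rule set can be checked against access events offline before it is deployed. The rule set, executable paths, file names, trust values and patterns in it are constructed for illustration; the real daemon obtains those facts from the kernel and its trust database, and neither pattern detection nor trust lookups are reimplemented here.

```python
"""Toy first-match evaluator for the fapolicyd.rules format (added example,
not fapolicyd code).  It models the documented semantics: first matching
rule wins, fields on each side are AND'ed, the colon splits subject from
object, perm defaults to open, pattern rules ignore perm, and dir accepts
the execdirs/systemdirs keywords.  Trust, ftype and pattern facts are
supplied in constructed event dicts rather than looked up."""
import re

DECISIONS = {"allow", "deny", "allow_audit", "deny_audit"}
PERMS = {"open", "execute", "any"}
EXECDIRS = ("/usr/", "/bin/", "/sbin/", "/lib/", "/lib64/", "/usr/libexec/")
SYSTEMDIRS = EXECDIRS + ("/etc/",)
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")  # lowercase, no 0x, as sha256sum prints


def _fields(tokens, line):
    """Turn name=value tokens into a dict; 'all' must stand alone."""
    fields = {}
    for tok in tokens:
        if tok == "all":
            fields["all"] = True
        elif "=" in tok:
            name, value = tok.split("=", 1)
            fields[name] = value
        else:
            raise ValueError("%r is not name=value in rule %r" % (tok, line))
    if not fields or ("all" in fields and len(fields) > 1):
        raise ValueError("need 'all' or one or more name=value fields: %r" % line)
    return fields


def parse_rule(line):
    """Parse 'decision perm subject : object', rejecting the mistakes the man
    page warns about: missing colon, 'all' mixed with other fields, and a
    sha256hash that is uppercase or 0x-prefixed."""
    if ":" not in line:
        raise ValueError("colon between subject and object is mandatory: %r" % line)
    left, right = line.split(":", 1)
    tokens = left.split()
    if not tokens or tokens[0] not in DECISIONS:
        raise ValueError("unknown decision in rule %r" % line)
    decision, rest, perm = tokens[0], tokens[1:], "open"  # no perm given -> open
    if rest and rest[0].startswith("perm="):
        perm, rest = rest[0][5:], rest[1:]
        if perm not in PERMS:
            raise ValueError("unknown perm %r in rule %r" % (perm, line))
    subject, obj = _fields(rest, line), _fields(right.split(), line)
    if "sha256hash" in obj and not SHA256_RE.match(obj["sha256hash"]):
        raise ValueError("sha256hash must be 64 lowercase hex digits, no 0x: %r" % line)
    return {"decision": decision, "perm": perm, "subject": subject, "object": obj}


def load_rules(text):
    """Parse a rules file body, skipping blank lines and # comments."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return [parse_rule(l) for l in lines]


def _side_matches(fields, facts, path_key):
    """Every field on one side must match the event's facts (AND)."""
    if "all" in fields:
        return True
    for name, value in fields.items():
        if value == "untrusted" and name in ("exe", "path", "dir"):
            ok = str(facts.get("trust")) == "0"  # deprecated keyword: not in trust db
        elif name == "dir":  # prefix match; dir=/tmp would also match /tmpfiles
            prefixes = {"execdirs": EXECDIRS, "systemdirs": SYSTEMDIRS}.get(value, (value,))
            ok = facts.get(path_key, "").startswith(prefixes)
        else:
            ok = str(facts.get(name)) == value
        if not ok:
            return False
    return True


def evaluate(rules, event):
    """Return (decision, index) of the first rule matching event, else (None, -1)."""
    for i, rule in enumerate(rules):
        # pattern rules apply to any access; otherwise perm must be 'any' or equal
        if "pattern" not in rule["subject"] and rule["perm"] not in ("any", event["perm"]):
            continue
        if (_side_matches(rule["subject"], event["subject"], "exe")
                and _side_matches(rule["object"], event["object"], "path")):
            return rule["decision"], i
    return None, -1


# Constructed rule set in the man page's syntax; dir=/tmp/ carries the
# recommended trailing slash.  Paths are illustrative.
RULES = load_rules("""
deny_audit perm=open exe=/usr/bin/wget : dir=/tmp/
allow perm=open exe=/usr/bin/python3.7 : ftype=text/x-python trust=1
deny_audit perm=any pattern=ld_so : all
allow perm=execute all : dir=execdirs trust=1
deny perm=any all : all
""")

if __name__ == "__main__":
    wget = {"perm": "open", "subject": {"exe": "/usr/bin/wget", "trust": 1},
            "object": {"path": "/tmp/payload.sh", "trust": 0}}
    print(evaluate(RULES, wget))  # ('deny_audit', 0)
    wget["perm"] = "execute"      # rule 0 is perm=open, so this falls through to the last rule
    print(evaluate(RULES, wget))  # ('deny', 4)
```

Event dicts carry the subject facts under "subject" (keyed by the subject field names, with exe for the executable path) and the object facts under "object" (keyed by the object field names, with path for the file). Running the evaluator over an event for each access you care about shows which rule fires first, which is the question to settle before a deny rule reaches a production host.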

SEE ALSO
       fapolicyd(8), fapolicyd-cli(1) and fapolicyd.conf(5)

AUTHOR
       Steve Grubb

Red Hat                            Jan 2020                  FAPOLICYD.RULES(5)