FAPOLICYD.RULES:(5)      System Administration Utilities      FAPOLICYD.RULES:(5)

NAME
       fapolicyd.rules - fapolicyd rules to determine access rights

DESCRIPTION
       fapolicyd.rules is a file that contains the rules that fapolicyd uses
       to make decisions about access rights. The rules follow a simple format
       of:

              decision perm subject : object

       They are evaluated from top to bottom with the first rule to match
       being used for the access control decision. The colon is mandatory to
       separate subject and object since they share keywords.


   Decision
       The decision is either allow, deny, allow_audit, deny_audit,
       allow_syslog, deny_syslog, allow_log, or deny_log. If the rule
       triggers, this is the access decision that fapolicyd will tell the
       kernel. If the decision is one of the audit variety, then the decision
       will trigger a FANOTIFY audit event with all relevant information. You
       must have at least one audit rule loaded to generate an audit event. If
       the decision is one of the syslog variety, then the decision will
       trigger writing an event into syslog. If the decision is one of the log
       variety, then it will create both an audit event and a syslog event.
       Regardless of the notification, any rule with deny in the keyword will
       deny access and any with allow in the keyword will allow access.

   Perm
       Perm describes what kind of permission is being asked for. The
       permission is either open, execute, or any. If none are given, then
       open is assumed.

   Subject
       The subject is the process that is performing actions on system
       resources. The fields in the rule that describe the subject are written
       in a name=value format. There can be one or more subject fields. Each
       field is and'ed with the others to decide if a rule triggers. The name
       values can be any of the following:

       all         This matches against any subject. When used, this must be
                   the only subject in the rule.

       auid        This is the login uid that the audit system assigns users
                   when they log in to the system. Daemons have a value of -1.

       uid         This is the user id that the program is running under.

       gid         This is the group id that the program is running under.

       sessionid   This is the numeric session id that the audit system
                   assigns to users when they log in. Daemons have a value of
                   -1.

       pid         This is the numeric process id that a program has.

       trust       This is a boolean describing whether the subject is
                   required to be in the trust database or not. A value of 1
                   means it is required while 0 means it is not. Trust
                   checking is extended by the integrity setting in
                   fapolicyd.conf. When trust is used on the subject, it could
                   be a daemon. If that daemon gets updated on disk, the
                   trustdb will be updated to the new SHA256 hash. If the
                   integrity setting is not none, the running daemon is not
                   likely to be trusted unless it gets restarted. The default
                   rules are not written in a way that this would happen, but
                   this needs to be highlighted as it may not be obvious when
                   writing a new rule.

       comm        This is the shortened command name. When an interpreter
                   starts a program, it usually renames the program to the
                   script rather than the interpreter.

       exe         This is the full path to the executable. Globbing is not
                   supported. You may also use the special keyword untrusted
                   to match on the subject not being listed in the rpm
                   database.

       dir         If you wish to match a directory, then use this by giving
                   the full path to the directory. It is recommended to end
                   with the / to ensure it matches a directory. There are 3
                   keywords that dir supports: execdirs, systemdirs,
                   untrusted.

                   execdirs    The execdirs option will match against the
                               following list of directories:

                               /usr/ /bin/ /sbin/ /lib/ /lib64/ /usr/libexec/

                   systemdirs  The systemdirs option will match against the
                               same list as execdirs but also includes /etc/.

                   untrusted   The untrusted option will look up the current
                               executable's full path in the rpm database to
                               see if the executable is known to the system.
                               The rule will trigger if the file in question
                               is not in the trust database. This option is
                               deprecated in favor of using obj_trust with
                               execute permission when writing rules.

       ftype       This option takes the mime type of a file as an argument.
                   If you wish to check the mime type of a file while writing
                   rules, run the following command:

                   file --mime-type /path-to-file

       device      This option will match against the device that the
                   executable resides on. To use it, start with /dev/ and add
                   the target device name.

       pattern     There are various ways that an attacker may try to execute
                   code that may reveal itself in the pattern of file accesses
                   made during program startup. This rule can take one of
                   several options depending on which access pattern is to be
                   blocked. Fapolicyd is able to detect these different access
                   patterns and provide the access decision as soon as it
                   identifies the pattern. The pattern type can be any of:

                   normal      This matches against any ELF program that is
                               dynamically linked.

                   ld_so       This matches against access patterns that
                               indicate that the program is being started
                               directly by the runtime linker.

                   ld_preload  This matches against access patterns that
                               indicate that the program is being started with
                               either LD_PRELOAD or LD_AUDIT present in the
                               environment. Note that even without this rule,
                               you have protection against LD_PRELOAD of
                               unknown binaries when the rules are written
                               such that trust is used to determine if a
                               library should be opened. In that case, the
                               preloaded library would be denied but the
                               application will still execute. This rule makes
                               it so that even trusted libraries can be denied
                               and the application will not execute.

                   static      This matches against ELF files that are
                               statically linked.

   Object
       The object is the file that the subject is interacting with. The fields
       in the rule that describe the object are written in a name=value
       format. There can be one or more object fields. Each field is and'ed
       with the others to decide if a rule triggers. The name values can be
       any of the following:

       all         This matches against any object. When used, this must be
                   the only object field in the rule.

       path        This is the full path to the file that will be accessed.
                   Globbing is not supported. You may also use the special
                   keyword untrusted to match on the object not being listed
                   in the rpm database.

       dir         If you wish to match on access to any file in a directory,
                   then use this by giving the full path to the directory. It
                   is recommended to end with the / to ensure it matches a
                   directory. There are 3 keywords that dir supports:
                   execdirs, systemdirs, untrusted. See the dir option under
                   Subject for an explanation of these keywords.

       device      This option will match against the device that the file
                   being accessed resides on. To use it, start with /dev/ and
                   add the target device name.

       ftype       This option matches against the mime type of the file being
                   accessed. See ftype under Subject for more information on
                   determining the mime type.

       trust       This is a boolean describing whether the object is required
                   to be in the trust database or not. A value of 1 means it
                   is required while 0 means it is not. Trust checking is
                   extended by the integrity setting in fapolicyd.conf.

       sha256hash  This option matches against the sha256 hash of the file
                   being accessed. The hash in the rules should be all
                   lowercase letters and must NOT start with 0x. Lowercase is
                   the default output of sha256sum.


SETS
       A set is a named group of values of the same type. Fapolicyd internally
       distinguishes between INT and STRING set types. You can define your own
       set and use it as a value for a specific rule attribute. The definition
       is in key=value syntax and starts with a set name. The set name has to
       start with '%' and the rest is alphanumeric or '_'. The value is a
       comma separated list. The set type is inherited from the first item in
       the list; if that item can be turned into a number, then the whole list
       is expected to carry numbers. One can use these sets as a value for
       subject and object attributes. It is also possible to use a plain list
       as an attribute value without a previous definition. The assigned set
       has to match the attribute type. It is not possible to use sets for
       the trust and pattern attributes.

   SETS EXAMPLES
       # definition
       %python=/usr/bin/python2.7,/usr/bin/python3.6
       allow exe=%python : all trust=1
       #
       # definition
       # number set
       %uuids=0,1000
       allow uid=%uuids : all

NOTES
       When you are writing a rule for the execute permission, remember that
       the file to be executed is an object. For example, you type ssh into
       the shell. The shell calls execve on /usr/bin/ssh. At that instant in
       time, ssh is the object that bash is working on. If you are blocking
       execution from a specific program, then you would normally state the
       program on the subject side and use all for the object side.

       If you are writing rules that use patterns, just select any as the
       permission to be clear that this applies to anything. In reality,
       pattern matching ignores the permission but the suggestion is for
       documentation purposes.

EXAMPLES
       The following rules illustrate the rule syntax.

       deny_audit perm=open exe=/usr/bin/wget : dir=/tmp/
       allow perm=open exe=/usr/bin/python3.7 : ftype=text/x-python trust=1
       deny_audit perm=any pattern=ld_so : all
       deny perm=any all : all
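
       The following Python program is an added example for this page; it is
       not part of fapolicyd or its documentation. It implements the
       evaluation semantics described above under Decision, Perm, Subject,
       Object and the set description (first matching rule wins, and'ed
       fields, open as the default perm, allow/deny taken from the decision
       keyword with the suffix only choosing the notification, %sets typed by
       their first item, no sets for trust or pattern) and runs a rule set
       modelled on the examples above, extended with two set-based rules,
       against hand-built requests. The request dictionaries, the sample
       rules, and the way attributes such as exe, uid and ftype are supplied
       are constructed for the example; real fapolicyd obtains them from
       fanotify and its trust database, and this toy does not model the
       untrusted keyword or the pattern detectors themselves.

```python
"""Toy evaluator for the fapolicyd.rules format described on this page.

Added example, not fapolicyd's own code. It models the evaluation rules the
page states: first matching rule wins, fields on a side are and'ed, perm
defaults to open, the _audit/_syslog/_log suffix only selects a notification,
%sets are typed by their first item, and trust/pattern take no sets. Requests
are hand-built dicts (constructed data); real fapolicyd fills them from
fanotify and the trust database.
"""

DECISIONS = {"allow", "deny", "allow_audit", "deny_audit",
             "allow_syslog", "deny_syslog", "allow_log", "deny_log"}
PERMS = {"open", "execute", "any"}
INT_ATTRS = {"auid", "uid", "gid", "sessionid", "pid", "trust"}  # integer-valued
NO_SET_ATTRS = {"trust", "pattern"}                      # page: no sets for these
EXECDIRS = ("/usr/", "/bin/", "/sbin/", "/lib/", "/lib64/", "/usr/libexec/")
DIR_KEYWORDS = {"execdirs": EXECDIRS, "systemdirs": EXECDIRS + ("/etc/",)}

# Constructed sample mirroring the page's examples (note pattern=ld_so).
SAMPLE_RULES = """
%python=/usr/bin/python2.7,/usr/bin/python3.6
%uuids=0,1000
deny_audit perm=open exe=/usr/bin/wget : dir=/tmp/
allow perm=open exe=%python : ftype=text/x-python trust=1
deny_audit perm=any pattern=ld_so : all
allow perm=execute uid=%uuids : dir=execdirs trust=1
deny perm=any all : all
"""


def parse_list(raw):
    """Comma list -> typed tuple; the first item decides INT or STRING."""
    items = raw.split(",")
    if not items[0].lstrip("-").isdigit():
        return tuple(items)
    try:
        return tuple(int(i) for i in items)
    except ValueError:
        raise ValueError(f"mixed INT/STRING list: {raw}") from None


def parse_field(token, sets):
    """'name=value' -> (name, values); resolves %sets and checks the type."""
    name, _, value = token.partition("=")
    if name in NO_SET_ATTRS and (value.startswith("%") or "," in value):
        raise ValueError(f"{name} does not accept sets or lists: {token}")
    if value.startswith("%") and value not in sets:
        raise ValueError(f"undefined set {value} in: {token}")
    values = sets[value] if value.startswith("%") else parse_list(value)
    if (name in INT_ATTRS) != isinstance(values[0], int):
        raise ValueError(f"set type does not match attribute {name}: {token}")
    return name, values


def parse_rules(text):
    """Return (sets, rules); a rule is (decision, perm, subject, object)."""
    sets, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("%"):                        # %name=v1,v2 defines a set
            name, _, value = line.partition("=")
            sets[name] = parse_list(value)
            continue
        decision, *tokens = line.split()
        perm = "open"                                   # page: open is assumed
        if tokens and tokens[0].startswith("perm="):
            perm = tokens.pop(0)[len("perm="):]
        if decision not in DECISIONS or perm not in PERMS or ":" not in tokens:
            raise ValueError(f"bad decision/perm or missing ':' in: {raw}")
        colon = tokens.index(":")                       # colon is mandatory
        # 'all' adds no constraint, so an empty dict matches anything
        subj = dict(parse_field(t, sets) for t in tokens[:colon] if t != "all")
        obj = dict(parse_field(t, sets) for t in tokens[colon + 1:] if t != "all")
        rules.append((decision, perm, subj, obj))
    return sets, rules


def side_matches(fields, attrs, path_key):
    """Every field on one side must hold (and'ed); dir is a prefix match."""
    for name, values in fields.items():
        if name == "dir":
            prefixes = tuple(p for v in values for p in DIR_KEYWORDS.get(v, (v,)))
            if not attrs.get(path_key, "").startswith(prefixes):
                return False
        elif attrs.get(name) not in values:
            return False
    return True


def evaluate(rules, perm, subject, obj):
    """Top to bottom, first match wins: (decision, notification, rule index)."""
    for idx, (decision, rperm, subj_f, obj_f) in enumerate(rules):
        if rperm in ("any", perm) and side_matches(subj_f, subject, "exe") \
                and side_matches(obj_f, obj, "path"):
            verdict, _, notify = decision.partition("_")  # allow/deny decides access
            return verdict, notify or None, idx
    return None, None, None                             # no rule matched
```

       With the constructed rules, wget opening /tmp/payload stops at rule 0
       and returns ("deny", "audit", 0), while a Python script opened with
       trust=0 fails the and'ed trust field of rule 1 and falls through to the
       final deny. Because evaluate() returns (None, None, None) when nothing
       matches, a rule set that does not end in a catch-all such as
       deny perm=any all : all leaves the outcome of unmatched accesses to
       the daemon rather than to the author. Type errors such as uid=%python
       or trust=0,1 are rejected at parse time, before any access is
       evaluated.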

SEE ALSO
       fapolicyd(8), fapolicyd-cli(1) and fapolicyd.conf(5)

AUTHOR
       Steve Grubb

Red Hat                          Feb 2021                  FAPOLICYD.RULES:(5)