FAPOLICYD(8)            System Administration Utilities           FAPOLICYD(8)

NAME

       fapolicyd - File Access Policy Daemon

SYNOPSIS

       fapolicyd [options]

DESCRIPTION

       fapolicyd is a userspace daemon that determines access rights to files
       based on a trust database and file or process attributes. It can be
       used to either blacklist or whitelist file access and execution.

       Configuring fapolicyd is done with the files in the /etc/fapolicyd/
       directory. There are three files: fapolicyd.rules, fapolicyd.conf,
       and fapolicyd.trust. The first one sets the access rights, the second
       determines the daemon's configuration, and the last allows admin
       defined trusted files.

       The default rules will generate audit events whenever there is a
       denial. To see if you have any denials, you can run the following
       command:

              ausearch --start today -m fanotify -i

       or instead of -i, you can add --format text to get an easier to read
       audit event.
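       The denial search above can be turned into a per-program summary.
       The following is an added example, not part of the fapolicyd man page
       or project: it groups raw audit records (as printed by ausearch with
       --raw) by event and counts fanotify denials per auid, executable and
       path. The sample records are constructed, and their field layout is
       an assumption modelled on the Linux audit log format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of raw audit records (as from `ausearch -m fanotify --raw`);
# event ids, pids and paths are made up for illustration.
SAMPLE = '''\
type=SYSCALL msg=audit(1579098000.123:412): arch=c000003e syscall=59 success=no exit=-1 ppid=2101 pid=2188 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash"
type=PATH msg=audit(1579098000.123:412): item=0 name="/tmp/ls" inode=5521 nametype=NORMAL
type=FANOTIFY msg=audit(1579098000.123:412): resp=2
type=SYSCALL msg=audit(1579098003.500:415): arch=c000003e syscall=59 success=no exit=-1 ppid=2101 pid=2190 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash"
type=PATH msg=audit(1579098003.500:415): item=0 name="/tmp/ls" inode=5521 nametype=NORMAL
type=FANOTIFY msg=audit(1579098003.500:415): resp=2
type=SYSCALL msg=audit(1579098010.042:420): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=900 auid=4294967295 uid=0 comm="python3" exe="/usr/bin/python3.6"
type=PATH msg=audit(1579098010.042:420): item=0 name="/opt/app/run.py" inode=7710 nametype=NORMAL
type=FANOTIFY msg=audit(1579098010.042:420): resp=1
'''

RECORD = re.compile(r'^type=(\S+) msg=audit\(([\d.]+:\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by audit event id (timestamp:serial)."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        # Keep the first record of each type (PATH item=0 is the accessed object).
        events[event_id].setdefault(rtype, fields)
    return events

def summarize_denials(text):
    """Count fanotify denials per (auid, exe, path)."""
    counts = Counter()
    for ev in parse_events(text).values():
        # In raw records resp=2 is FAN_DENY and resp=1 is FAN_ALLOW.
        if ev.get('FANOTIFY', {}).get('resp') != '2':
            continue
        sc, path = ev.get('SYSCALL', {}), ev.get('PATH', {})
        counts[(sc.get('auid', '?'), sc.get('exe', '?'), path.get('name', '?'))] += 1
    return counts

if __name__ == '__main__':
    for (auid, exe, path), n in summarize_denials(SAMPLE).most_common():
        print(f'{n:4d}  auid={auid}  exe={exe}  path={path}')
```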

OPTIONS

       --debug
              leave the daemon in the foreground for debugging. Event
              information is written to stderr so that policy decisions can
              be observed.

       --debug-deny
              leave the daemon in the foreground for debugging. Event
              information is written to stderr only when the decision is to
              deny access.

       --permissive
              the daemon will allow file access regardless of the policy
              decision. This is useful for debugging rules before making
              them permanent.

       --no-details
              when fapolicyd ends, it dumps a usage report with various
              statistics that may be useful for tuning performance. It can
              also detail which processes it knew about and files being
              accessed by them. This can be useful for forensics
              investigations. In some settings, this may not be desirable as
              the file names may be sensitive. Using this option removes
              process and file names leaving only the statistics. The
              default without giving this option is to generate a full
              report.

SIGNALS

       SIGTERM
              causes fapolicyd to discontinue processing events and exit.

NOTES

       To get audit events, you must have auditing enabled and at least one
       system call rule loaded. Otherwise you will not get any events.

       If the rpmdb is set as a trust source, you should minimize the number
       of 32 bit packages on the system. In such cases, there may be a 32 bit
       and a 64 bit file with the same pathname. Obviously only one can exist
       on the disk. So, this will always cause database miscompares and cause
       a delay in the daemon being operational.

       If you are running in the debug mode and wish to compare rule numbers
       reported in the output with which rule is actually triggering, you can
       see the rules with the corresponding number by running the following
       command:

              fapolicyd-cli --list

FILES

       /etc/fapolicyd/fapolicyd.conf - daemon configuration

       /etc/fapolicyd/fapolicyd.rules - access control rules

       /etc/fapolicyd/fapolicyd.trust - admin defined trusted files

       /var/log/fapolicyd-access.log - information about what was being
       accessed.

SEE ALSO

       fapolicyd-cli(1), fapolicyd.rules(5), fapolicyd.trust(5), and
       fapolicyd.conf(5)

AUTHOR

       Steve Grubb

Red Hat                          January 2020                     FAPOLICYD(8)