1FAPOLICYD.RULES:(5) System Administration Utilities FAPOLICYD.RULES:(5)
2
6 compiled.rules - compiled fapolicyd rules to determine access rights
7 fapolicyd.rules - deprecated fapolicyd rules to determine access rights
8
10 compiled.rules is a file that is compiled by fagenrules which contains
11 the rules that fapolicyd uses to make decisions about access rights.
12 The rules follow a simple format of:
13 decision perm subject : object
15 They are evaluated from top to bottom with the first rule to match be‐
17 ing used for the access control decision. The colon is mandatory to
18 separate subject and object since they share keywords.
19 Decision
22 The decision is either allow, deny, allow_audit, deny_audit, allow_sys‐
23 log, deny_syslog, allow_log, or deny_log. If the rule triggers, this
24 is the access decision that fapolicyd will tell the kernel. If the de‐
25 cision is one of the audit variety, then the decision will trigger a
26 FANOTIFY audit event with all relevant information. You must have at
27 least one audit rule loaded to generate an audit event. If the deci‐
28 sion is one of the syslog variety, then the decision will trigger writ‐
29 ing an event into syslog. If the decision is of one the log variety,
30 then it will create an audit event and a syslog event. Regardless of
31 the notification, any rule with a deny in the keyword will deny access
32 and any with an allow in the keyword will allow access.
33 Perm
36 Perm describes what kind permission is being asked for. The permission
37 is either open, execute, or any. If none are given, then open is as‐
38 sumed.
39 Subject
42 The subject is the process that is performing actions on system re‐
43 sources. The fields in the rule that describe the subject are written
44 in a name=value format. There can be one or more subject fields. Each
45 field is and'ed with others to decide if a rule triggers. The name val‐
46 ues can be any of the following:
47 all This matches against any subject. When used, this
50 must be the only subject in the rule.
51 auid This is the login uid that the audit system assigns
53 users when they log in to the system. Daemons have a
54 value of -1.
55 uid This is the user id that the program is running un‐
57 der.
58 gid This is the group id that the program is running un‐
60 der.
61 sessionid This is the numeric session id that the audit system
63 assigns to users when they log in. Daemons have a
64 value of -1.
65 pid This is the numeric process id that a program has.
67 ppid This is the numeric process id of the program's par‐
69 ent. Note that programs that are orphaned or started
70 directly from systemd have a ppid value of 1. Kernel
71 threads have a ppid value of 2.
72 trust This is a boolean describing whether it is required
74 for the subject to be in the trust database or not.
75 A value of 1 means its required while 0 means its
76 not. Trust checking is extended by the integrity
77 setting in fapolicyd.conf. When trust is used on the
78 subject, it could be a daemon. If that daemon gets
79 updated on disk, the trustdb will be updated to the
80 new SHA256 hash. If the integrity setting is not
81 none, the running daemon is not likely to be trusted
82 unless it gets restarted. The default rules are not
83 written in a way that this would happen. But this
84 needs to be highlighted as it may not be obvious
85 when writing a new rule.
86 comm This is the shortened command name. When an inter‐
88 preter starts a program, it usually renames the pro‐
89 gram to the script rather than the interpreter.
90 exe This is the full path to the executable. Globbing is
92 not supported. You may also use the special keyword
93 untrusted to match on the subject not being listed
94 in the rpm database.
95 dir If you wish to match a directory, then use this by
97 giving the full path to the directory. Its recom‐
98 mended to end with the / to ensure it matches a di‐
99 rectory. There are 3 keywords that dir supports: ex‐
100 ecdirs, systemdirs, untrusted.
101 execdirs The execdirs option will match against
103 the following list of directories:
104 /usr/ /bin/ /sbin/ /lib/ /lib64/
106 /usr/libexec/
107 systemdirs The systemdirs option will match against
109 the same list as execdirs but also in‐
110 cludes /etc/.
111 untrusted The untrusted option will look up the
113 current executable's full path in the
114 rpm database to see if the executable is
115 known to the system. The rule will trig‐
116 ger if the file in question is not in
117 the trust database. This option is dep‐
118 recated in favor of using obj_trust with
119 execute permission when writing rules.
120 ftype This option takes the mime type of a file as an ar‐
122 gument. If you wish to check the mime type of a file
123 while writing rules, run the following command:
124 fapolicyd-cli --ftype /path-to-file
126 device This option will match against the device that the
129 executable resides on. To use it, start with /dev/
130 and add the target device name.
131 pattern There are various ways that an attacker may try to
134 execute code that may reveal itself in the pattern
135 of file accesses made during program startup. This
136 rule can take one of several options depending on
137 which access patterns is wished to be blocked.
138 Fapolicyd is able to detect these different access
139 patterns and provide the access decision as soon as
140 it identifies the pattern. The pattern type can be
141 any of:
142 normal This matches against any ELF program
145 that is dynamically linked.
146 ld_so This matches against access patterns
148 that indicate that the program is being
149 started directly by the runtime linker.
150 ld_preload This matches against access patterns
152 that indicate that the program is being
153 started with either LD_PRELOAD or LD_AU‐
154 DIT present in the environment. Note
155 that even without this rule, you have
156 protection against LD_PRELOAD of unknown
157 binaries when the rules are written such
158 that trust is used to determine if a li‐
159 brary should be opened. In that case,
160 the preloaded library would be denied
161 but the application will still execute.
162 This rule makes it so that even trusted
163 libraries can be denied and the applica‐
164 tion will not execute.
165 static This matches against ELF files that are
167 statically linked.
168 Object
172 The object is the file that the subject is interacting with. The fields
173 in the rule that describe the object are written in a name=value for‐
174 mat. There can be one or more object fields. Each field is and'ed with
175 others to decide if a rule triggers. The name values can be any of the
176 following:
177 all This matches against any subject. When used, this
180 must be the only subject in the rule.
181 path This is the full path to the file that will be ac‐
183 cessed. Globbing is not supported. You may also use
184 the special keyword untrusted to match on the sub‐
185 ject not being listed in the rpm database.
186 dir If you wish to match on access to any file in a di‐
188 rectory, then use this by giving the full path to
189 the directory. Its recommended to end with the / to
190 ensure it matches a directory. There are 3 keywords
191 that dir supports: execdirs, systemdirs, untrusted.
192 See the dir option under Subject for an explanation
193 of these keywords.
194 device This option will match against the device that the
196 file being accessed resides on. To use it, start
197 with /dev/ and add the target device name.
198 ftype This option matches against the mime type of the
200 file being accessed. See ftype under Subject for
201 more information on determining the mime type.
202 trust This is a boolean describing whether it is required
204 for the object to be in the trust database or not. A
205 value of 1 means its required while 0 means its not.
206 Trust checking is extended by the integrity setting
207 in fapolicyd.conf.
208 sha256hash This option matches against the sha256 hash of the
210 file being accessed. The hash in the rules should be
211 all lowercase letters and do NOT start with 0x. Low‐
212 ercase is the default output of sha256sum.
213
216 Set is a named group of values of the same type. Fapolicyd internally
217 distinguishes between INT and STRING set types. You can define your own
218 set and use it as a value for a specific rule attribute. The definition
219 is in key=value syntax and starts with a set name. The set name has to
220 start with '%' and the rest is alphanumeric or '_'. The value is a
221 comma separated list. The set type is inherited from the first item in
222 the list. If that can be turned into number then whole list is expected
223 to carry numbers. One can use these sets as a value for subject and ob‐
224 ject attributes. It is also possible to use a plain list as an attri‐
225 bute value without previous definition. The assigned set has to match
226 the attribute type. It is not possible set groups for TRUST and PATTERN
227 attributes.
228 SETS EXAMPLES
232 # definition
233 %python=/usr/bin/python2.7,/usr/bin/python3.6
234 allow exe=%python : all trust=1
235 #
236 # definition
237 # number set
238 %uuids=0,1000
239 allow uid=%uuids : all
240
243 When writing rules, you should keep them focused to one goal and store
244 them in one file. These rule files are kept in the /etc/fapoli‐
245 cyd/rules.d directory. During daemon startup, fagenrules will run and
246 compile all these component files into one master file, compiled.rules.
247 See the fagenrules man page for more information.
248 When you are writing a rule for the execute permission, remember that
250 the file to be executed is an object. For example, you type ssh into
251 the shell. The shell calls execve on /usr/bin/ssh. At that instant in
252 time, ssh is the object that bash is working on. However, if you are
253 blocking execution from a specific program, then you would normally
254 state the program on the subject side and use all for the object side.
255 If you are writing rules that use patterns, just select any as the per‐
257 mission to be clear that this applies to anything. In reality, pattern
258 matching ignores the permission but the suggestion is for documentation
259 purposes.
260 Some interpreters do not immediately read all lines of input. Rather,
262 they read content as needed until they get to end of file. This means
263 that if they do stuff like networking or sleeping or anything that
264 takes time, someone with the privileges to modify the file can add to
265 it after the file's integrity has been checked. This is not unique to
266 fapolicyd, it's simply how things work. Make sure that trusted file
267 permissions are not excessive so that no unexpected file content modi‐
268 fications can occur.
269
272 The following rules illustrate the rule syntax.
273 deny_audit perm=open exe=/usr/bin/wget : dir=/tmp
275 allow perm=open exe=/usr/bin/python3.7 : ftype=text/x-python trust=1
276 deny_audit perm=any pattern ld_so : all
277 deny perm=any all : all
278
281 fapolicyd(8), fagenrules (8), fapolicyd-cli(1), and fapolicyd.conf(5)
282
285 Steve Grubb
286Red Hat June 2022 FAPOLICYD.RULES:(5)