FAPOLICYD(8)            System Administration Utilities           FAPOLICYD(8)



NAME

       fapolicyd - File Access Policy Daemon


SYNOPSIS

       fapolicyd [options]


DESCRIPTION

       fapolicyd is a userspace daemon that determines access rights to files
       based on a trust database and file or process attributes. It can be
       used to either blacklist or whitelist file access and execution.

       Configuring fapolicyd is done with the files in the /etc/fapolicyd/
       directory. There are three files: compiled.rules, fapolicyd.conf, and
       fapolicyd.trust. The first one contains the access policy, the second
       determines the daemon's configuration, and the last holds the admin
       defined trusted files.

       The default rules will generate audit events whenever there is a
       denial. NOTE: you must have at least 1 audit rule loaded for the audit
       system to create the full FANOTIFY event. It doesn't matter which rule
       is loaded. To see if you have any denials, you can run the following
       command:


              ausearch --start today -m fanotify -i

       or instead of -i, you can add --format text to get an easier to read
       audit event.



OPTIONS

       --debug
              leave the daemon in the foreground for debugging. Event
              information is written to stderr so that policy decisions can
              be observed.

       --debug-deny
              leave the daemon in the foreground for debugging. Event
              information is written to stderr only when the decision is to
              deny access.

       --permissive
              the daemon will allow file access regardless of the policy
              decision. This is useful for debugging rules before making them
              permanent.

       --no-details
              when fapolicyd ends, it dumps a usage report with various
              statistics that may be useful for tuning performance. It can
              also detail which processes it knew about and files being
              accessed by them. This can be useful for forensics
              investigations. In some settings, this may not be desirable as
              the file names may be sensitive. Using this option removes
              process and file names leaving only the statistics. The default
              without giving this option is to generate a full report.


SIGNALS

       SIGTERM
              causes fapolicyd to stop processing events, write its
              performance report, and exit.


       SIGHUP causes fapolicyd to reload the trust database.



NOTES

       Whatever you do, DO NOT TRY TO ATTACH WITH PTRACE (this includes
       debuggers and tracers such as gdb and strace). Ptrace attachment sends
       a SIGSTOP which cannot be blocked. Since your whole system depends on
       fapolicyd approving access to glibc and various critical libraries,
       that will not happen until SIGCONT is sent. The system can deadlock if
       the continue signal is not sent.

       To get audit events, you must have auditing enabled and at least one
       system call rule loaded. Otherwise you will not get any events.
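
       As an added example for the audit-rule prerequisite above and the
       ausearch check in DESCRIPTION (this script is not part of this man
       page or of the fapolicyd project): a POSIX shell snippet that checks
       whether any audit rule is loaded (auditctl -l prints the literal line
       "No rules" when the rule set is empty) and then summarizes fapolicyd
       denials from raw audit records, the form printed by
       ausearch --start today -m fanotify --raw. The function names
       audit_has_rules, count_denials and denials_by_exe are chosen here, and
       the audit records in SAMPLE_AUDIT are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the fapolicyd man page or project.
# Checks the audit prerequisite and summarizes fapolicyd denials from raw
# audit records (ausearch --start today -m fanotify --raw).

# Returns 0 when the rule listing shows at least one loaded rule. The listing
# is passed as an argument so the function can be exercised without root.
audit_has_rules() {
    [ -n "$1" ] && [ "$1" != "No rules" ]
}

# Count FANOTIFY records carrying resp=2 (deny); resp=1 means allow.
count_denials() {
    awk '/^type=FANOTIFY / && /resp=2/ { n++ } END { print n + 0 }'
}

# Group denials by the executable that triggered them. All records of one
# event share the serial in msg=audit(TIMESTAMP:SERIAL); the FANOTIFY record
# carries the decision and the SYSCALL record carries exe= of the subject.
denials_by_exe() {
    awk '
        match($0, /msg=audit\([0-9.]+:[0-9]+\)/) {
            id = substr($0, RSTART, RLENGTH)
        }
        /^type=FANOTIFY / && /resp=2/ { denied[id] = 1 }
        /^type=SYSCALL / && match($0, /exe="[^"]*"/) {
            exe[id] = substr($0, RSTART + 5, RLENGTH - 6)
        }
        END {
            for (id in denied) if (id in exe) n[exe[id]]++
            for (e in n) print n[e], e
        }' | sort -rn
}

# Constructed sample: two denied execve attempts from bash, one allowed
# execve, and one denied openat from python3 (exit=-1 is EPERM, which the
# kernel returns for a fanotify FAN_DENY response).
SAMPLE_AUDIT='----
type=PATH msg=audit(1700000000.101:201): item=0 name="/tmp/dropper.sh" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=no exit=-1 comm="bash" exe="/usr/bin/bash" key=(null)
type=FANOTIFY msg=audit(1700000000.101:201): resp=2
----
type=PATH msg=audit(1700000000.102:202): item=0 name="/usr/bin/ls" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=59 success=yes exit=0 comm="bash" exe="/usr/bin/bash" key=(null)
type=FANOTIFY msg=audit(1700000000.102:202): resp=1
----
type=PATH msg=audit(1700000000.103:203): item=0 name="/home/alice/x.so" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=257 success=no exit=-1 comm="python3" exe="/usr/bin/python3" key=(null)
type=FANOTIFY msg=audit(1700000000.103:203): resp=2
----
type=PATH msg=audit(1700000000.104:204): item=0 name="/tmp/dropper.sh" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=59 success=no exit=-1 comm="bash" exe="/usr/bin/bash" key=(null)
type=FANOTIFY msg=audit(1700000000.104:204): resp=2'

# Stand-alone run: warn if no audit rule is loaded (auditctl needs root and
# may be absent on this host), then summarize the sample records.
if audit_has_rules "$(auditctl -l 2>/dev/null)"; then
    echo "audit rules loaded; FANOTIFY events will be complete"
else
    echo "warning: no audit rule loaded; FANOTIFY events will be incomplete" >&2
fi
printf '%s\n' "$SAMPLE_AUDIT" | denials_by_exe
```

       On a live system, replace the sample with the real records, for
       example: ausearch --start today -m fanotify --raw | denials_by_exe.
       Every event in the raw output has its own serial, so the grouping
       holds for any number of records per event.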
79
       If the rpmdb is set as a trust source, you should minimize the number
       of 32-bit packages on the system. In such cases, there may be a 32-bit
       and a 64-bit file with the same pathname. Obviously only one can exist
       on the disk. So, this will always cause database miscompares and cause
       a delay in the daemon being operational.

       The compiled.rules file is the resulting merge of component rules in
       /etc/fapolicyd/rules.d/. See the fagenrules man page for more
       information.

       If you are running in the debug mode and wish to compare rule numbers
       reported in the output with which rule is actually triggering, you can
       see the rules with the corresponding number by running the following
       command:

       fapolicyd-cli --list


97

FILES

       /etc/fapolicyd/fapolicyd.conf - daemon configuration

       /etc/fapolicyd/compiled.rules - access control rules

       /etc/fapolicyd/fapolicyd.trust - admin defined trusted files

       /var/log/fapolicyd-access.log - information about what was being
       accessed.



SEE ALSO

       fapolicyd-cli(1), fapolicyd.rules(5), fapolicyd.trust(5),
       fagenrules(8), and fapolicyd.conf(5)



AUTHOR

       Steve Grubb



Red Hat                           March 2022                      FAPOLICYD(8)