1FAPOLICYD.RULES:(5) System Administration Utilities FAPOLICYD.RULES:(5)
2
6 compiled.rules - compiled fapolicyd rules to determine access rights
7 fapolicyd.rules - deprecated fapolicyd rules to determine access rights
8
10 compiled.rules is a file that is compiled by fagenrules which contains
11 the rules that fapolicyd uses to make decisions about access rights.
12 The rules follow a simple format of:
13 decision perm subject : object
15 They are evaluated from top to bottom with the first rule to match be‐
17 ing used for the access control decision. The colon is mandatory to
18 separate subject and object since they share keywords.
19 Decision
22 The decision is either allow, deny, allow_audit, deny_audit, allow_sys‐
23 log, deny_syslog, allow_log, or deny_log. If the rule triggers, this
24 is the access decision that fapolicyd will tell the kernel. If the de‐
25 cision is one of the audit variety, then the decision will trigger a
26 FANOTIFY audit event with all relevant information. You must have at
27 least one audit rule loaded to generate an audit event. If the deci‐
28 sion is one of the syslog variety, then the decision will trigger writ‐
29 ing an event into syslog. If the decision is of one the log variety,
30 then it will create an audit event and a syslog event. Regardless of
31 the notification, any rule with a deny in the keyword will deny access
32 and any with an allow in the keyword will allow access.
33 Perm
36 Perm describes what kind permission is being asked for. The permission
37 is either open, execute, or any. If none are given, then open is as‐
38 sumed.
39 Subject
42 The subject is the process that is performing actions on system re‐
43 sources. The fields in the rule that describe the subject are written
44 in a name=value format. There can be one or more subject fields. Each
45 field is and'ed with others to decide if a rule triggers. The name val‐
46 ues can be any of the following:
47 all This matches against any subject. When used, this
50 must be the only subject in the rule.
51 auid This is the login uid that the audit system assigns
53 users when they log in to the system. Daemons have a
54 value of -1. The given value may be numeric or the
55 account name.
56 uid This is the user id that the program is running un‐
58 der. The given value may be numeric or the account
59 name.
60 gid This is the group id that the program is running un‐
62 der. The given value may be numeric or the group
63 name.
64 sessionid This is the numeric session id that the audit system
66 assigns to users when they log in. Daemons have a
67 value of -1.
68 pid This is the numeric process id that a program has.
70 ppid This is the numeric process id of the program's par‐
72 ent. Note that programs that are orphaned or started
73 directly from systemd have a ppid value of 1. Kernel
74 threads have a ppid value of 2.
75 trust This is a boolean describing whether it is required
77 for the subject to be in the trust database or not.
78 A value of 1 means its required while 0 means its
79 not. Trust checking is extended by the integrity
80 setting in fapolicyd.conf. When trust is used on the
81 subject, it could be a daemon. If that daemon gets
82 updated on disk, the trustdb will be updated to the
83 new SHA256 hash. If the integrity setting is not
84 none, the running daemon is not likely to be trusted
85 unless it gets restarted. The default rules are not
86 written in a way that this would happen. But this
87 needs to be highlighted as it may not be obvious
88 when writing a new rule.
89 comm This is the shortened command name. When an inter‐
91 preter starts a program, it usually renames the pro‐
92 gram to the script rather than the interpreter.
93 exe This is the full path to the executable. Globbing is
95 not supported. You may also use the special keyword
96 untrusted to match on the subject not being listed
97 in the rpm database.
98 dir If you wish to match a directory, then use this by
100 giving the full path to the directory. Its recom‐
101 mended to end with the / to ensure it matches a di‐
102 rectory. There are 3 keywords that dir supports: ex‐
103 ecdirs, systemdirs, untrusted.
104 execdirs The execdirs option will match against
106 the following list of directories:
107 /usr/ /bin/ /sbin/ /lib/ /lib64/
109 /usr/libexec/
110 systemdirs The systemdirs option will match against
112 the same list as execdirs but also in‐
113 cludes /etc/.
114 untrusted The untrusted option will look up the
116 current executable's full path in the
117 rpm database to see if the executable is
118 known to the system. The rule will trig‐
119 ger if the file in question is not in
120 the trust database. This option is dep‐
121 recated in favor of using obj_trust with
122 execute permission when writing rules.
123 ftype This option takes the mime type of a file as an ar‐
125 gument. If you wish to check the mime type of a file
126 while writing rules, run the following command:
127 fapolicyd-cli --ftype /path-to-file
129 device This option will match against the device that the
132 executable resides on. To use it, start with /dev/
133 and add the target device name.
134 pattern There are various ways that an attacker may try to
137 execute code that may reveal itself in the pattern
138 of file accesses made during program startup. This
139 rule can take one of several options depending on
140 which access patterns is wished to be blocked.
141 Fapolicyd is able to detect these different access
142 patterns and provide the access decision as soon as
143 it identifies the pattern. The pattern type can be
144 any of:
145 normal This matches against any ELF program
148 that is dynamically linked.
149 ld_so This matches against access patterns
151 that indicate that the program is being
152 started directly by the runtime linker.
153 ld_preload This matches against access patterns
155 that indicate that the program is being
156 started with either LD_PRELOAD or LD_AU‐
157 DIT present in the environment. Note
158 that even without this rule, you have
159 protection against LD_PRELOAD of unknown
160 binaries when the rules are written such
161 that trust is used to determine if a li‐
162 brary should be opened. In that case,
163 the preloaded library would be denied
164 but the application will still execute.
165 This rule makes it so that even trusted
166 libraries can be denied and the applica‐
167 tion will not execute.
168 static This matches against ELF files that are
170 statically linked.
171 Object
175 The object is the file that the subject is interacting with. The fields
176 in the rule that describe the object are written in a name=value for‐
177 mat. There can be one or more object fields. Each field is and'ed with
178 others to decide if a rule triggers. The name values can be any of the
179 following:
180 all This matches against any obbject. When used, this
183 must be the only object in the rule.
184 path This is the full path to the file that will be ac‐
186 cessed. Globbing is not supported. You may also use
187 the special keyword untrusted to match on the object
188 not being listed in the rpm database.
189 dir If you wish to match on access to any file in a di‐
191 rectory, then use this by giving the full path to
192 the directory. Its recommended to end with the / to
193 ensure it matches a directory. There are 3 keywords
194 that dir supports: execdirs, systemdirs, untrusted.
195 See the dir option under Subject for an explanation
196 of these keywords.
197 device This option will match against the device that the
199 file being accessed resides on. To use it, start
200 with /dev/ and add the target device name.
201 ftype This option matches against the mime type of the
203 file being accessed. See ftype under Subject for
204 more information on determining the mime type.
205 trust This is a boolean describing whether it is required
207 for the object to be in the trust database or not. A
208 value of 1 means its required while 0 means its not.
209 Trust checking is extended by the integrity setting
210 in fapolicyd.conf.
211 sha256hash This option matches against the sha256 hash of the
213 file being accessed. The hash in the rules should be
214 all lowercase letters and do NOT start with 0x. Low‐
215 ercase is the default output of sha256sum.
216
219 Set is a named group of values of the same type. Fapolicyd internally
220 distinguishes between INT and STRING set types. You can define your own
221 set and use it as a value for a specific rule attribute. The definition
222 is in key=value syntax and starts with a set name. The set name has to
223 start with '%' and the rest is alphanumeric or '_'. The value is a
224 comma separated list. The set type is inherited from the first item in
225 the list. If that can be turned into number then whole list is expected
226 to carry numbers. One can use these sets as a value for subject and ob‐
227 ject attributes. It is also possible to use a plain list as an attri‐
228 bute value without previous definition. The assigned set has to match
229 the attribute type. It is not possible set groups for TRUST and PATTERN
230 attributes.
231 SETS EXAMPLES
235 # definition
236 %python=/usr/bin/python2.7,/usr/bin/python3.6
237 allow exe=%python : all trust=1
238 #
239 # definition
240 # number set
241 %uuids=0,1000
242 allow uid=%uuids : all
243
246 When writing rules, you should keep them focused to one goal and store
247 them in one file. These rule files are kept in the /etc/fapoli‐
248 cyd/rules.d directory. During daemon startup, fagenrules will run and
249 compile all these component files into one master file, compiled.rules.
250 See the fagenrules man page for more information.
251 When you are writing a rule for the execute permission, remember that
253 the file to be executed is an object. For example, you type ssh into
254 the shell. The shell calls execve on /usr/bin/ssh. At that instant in
255 time, ssh is the object that bash is working on. However, if you are
256 blocking execution from a specific program, then you would normally
257 state the program on the subject side and use all for the object side.
258 If you are writing rules that use patterns, just select any as the per‐
260 mission to be clear that this applies to anything. In reality, pattern
261 matching ignores the permission but the suggestion is for documentation
262 purposes.
263 Some interpreters do not immediately read all lines of input. Rather,
265 they read content as needed until they get to end of file. This means
266 that if they do stuff like networking or sleeping or anything that
267 takes time, someone with the privileges to modify the file can add to
268 it after the file's integrity has been checked. This is not unique to
269 fapolicyd, it's simply how things work. Make sure that trusted file
270 permissions are not excessive so that no unexpected file content modi‐
271 fications can occur.
272
275 The following rules illustrate the rule syntax.
276 deny_audit perm=open exe=/usr/bin/wget : dir=/tmp
278 allow perm=open exe=/usr/bin/python3.7 : ftype=text/x-python trust=1
279 deny_audit perm=any pattern ld_so : all
280 deny perm=any all : all
281
284 fapolicyd(8), fagenrules (8), fapolicyd-cli(1), and fapolicyd.conf(5)
285
288 Steve Grubb
289Red Hat June 2022 FAPOLICYD.RULES:(5)