1FAPOLICYD(8) System Administration Utilities FAPOLICYD(8)
2
6 fapolicyd - File Access Policy Daemon
7
9 fapolicyd [options]
10
12 fapolicyd is a userspace daemon that determines access rights to files
13 based on a trust database and file or process attributes. It can be
14 used to either blacklist or whitelist file access and execution.
15 Configuring fapolicyd is done with the files in the /etc/fapolicyd/ di‐
17 rectory. There are three files: compiled.rules , fapolicyd.conf , and
18 fapolicyd.trust. The first one contains the access policy, the second
19 determines the daemon's configuration, and the last allows admin de‐
20 fined trusted files.
21 The default rules will generate audit events whenever there is a de‐
23 nial. NOTE: you must have at least 1 audit rule loaded for the audit
24 system to create the full FANOTIFY event. It doesn't matter which rule
25 is loaded. To see if you have any denials, you can run the following
26 command:
27 ausearch --start today -m fanotify -i
30 or instead of -i, you can add --format text to get an easier to read
32 audit event.
33
36 --debug
37 leave the daemon in the foreground for debugging. Event informa‐
38 tion is written to stderr so that policy decisions can be ob‐
39 served.
40 --debug-deny
42 leave the daemon in the foreground for debugging. Event informa‐
43 tion is written to stderr only when the decision is to deny ac‐
44 cess.
45 --permissive
47 the daemon will allow file access regardless of the policy deci‐
48 sion. This is useful for debugging rules before making them per‐
49 manent.
50 --no-details
52 when fapolicyd ends, it dumps a usage report with various sta‐
53 tistics that may be useful for tuning performance. It can also
54 detail which processes it knew about and files being accessed by
55 them. This can be useful for forensics investigations. In some
56 settings, this may not be desirable as the file names may be
57 sensitive. Using this option removes process and file names
58 leaving only the statistics. The default without giving this op‐
59 tion is to generate a full report.
60
62 SIGTERM
63 caused fapolicyd to discontinue processing events, write it's
64 performance report, and exit.
65 SIGHUP causes fapolicyd to reload the trust database.
68 SIGUSR1
71 causes fapolicyd to dump it's internal statistics to
72 /var/run/fapolicyd.state
73
76 Whatever you do, DO NOT TRY TO ATTACH WITH PTRACE. Ptrace attachment
77 sends a SIGSTOP which cannot be blocked. Since your whole system de‐
78 pends on fapolicyd approving access to glibc and various critical li‐
79 braries, that will not happen until SIGCONT is sent. The system can
80 deadlock if the continue signal is not sent.
81 To get audit events, you must have auditing enabled and at least one
83 systemcall rule loaded. Otherwise you will not get any events.
84 If the rpmdb is set as a trust source, you should minimize the number
86 of 32 bit packages on the system. In such cases, there may be a 32 bit
87 and 64 file with the same pathname. Obviously only one can exist on the
88 disk. So, this will always cause database miscompares and cause a delay
89 in the daemon being operational.
90 The compiled.rules file is the resulting merge of component rules in
92 /etc/fapolicyd/rules.d/ See the fagenrules man page for more informa‐
93 tion.
94 If you are running in the debug mode and wish to compare rule numbers
96 reported in the output with which rule is actually triggering, you can
97 see the rules with the corresponding number by running the following
98 command:
99 fapolicyd-cli --list
101
104 /etc/fapolicyd/fapolicyd.conf - daemon configuration
105 /etc/fapolicyd/compiled.rules - access control rules
107 /etc/fapolicyd/fapolicyd.trust - admin defined trusted files
109 /var/log/fapolicyd-access.log - information about what was being ac‐
111 cessed.
112 /var/run/fapolicyd.state - internal performance metrics
114
117 fapolicyd-cli(1), fapolicyd.rules(5), fapolicyd.trust(5), fagen‐
118 rules(8), and fapolicyd.conf(5)
119
122 Steve Grubb
123Red Hat March 2022 FAPOLICYD(8)