FAPOLICYD(8)            System Administration Utilities           FAPOLICYD(8)



NAME

       fapolicyd - File Access Policy Daemon


SYNOPSIS

       fapolicyd [options]


DESCRIPTION

       fapolicyd is a userspace daemon that determines access rights to files
       based on a trust database and file or process attributes. It can be
       used to either blacklist or whitelist file access and execution.

       Configuring fapolicyd is done with the files in the /etc/fapolicyd/
       directory. There are three files: compiled.rules, fapolicyd.conf, and
       fapolicyd.trust. The first one contains the access policy, the second
       determines the daemon's configuration, and the last allows admin
       defined trusted files.

       The default rules will generate audit events whenever there is a
       denial. NOTE: you must have at least 1 audit rule loaded for the audit
       system to create the full FANOTIFY event. It doesn't matter which rule
       is loaded. To see if you have any denials, you can run the following
       command:

              ausearch --start today -m fanotify -i

       or instead of -i, you can add --format text to get an easier to read
       audit event.

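       The following is an added example and is not part of fapolicyd. It
       summarizes denials from the raw output of ausearch -m fanotify by
       correlating each FANOTIFY record with the SYSCALL and PATH records of
       the same audit event, so the report shows which process was denied
       which file. The function name summarize_denials and the sample audit
       records are constructed for this example.

```sh
#!/bin/sh
# Added example (not part of fapolicyd): summarize denials from raw audit
# events, correlating each FANOTIFY record with the SYSCALL and PATH records
# of the same event so the report shows which process was denied which file.
# Usage on a live system (requires auditd and at least one loaded audit rule):
#   ausearch --start today -m fanotify --raw | summarize_denials
summarize_denials() {
    awk '
    # Serial number from msg=audit(SECONDS.MILLIS:SERIAL); ties records together.
    function serial(s,  m) {
        if (!match(s, /msg=audit\([0-9.]+:[0-9]+\)/)) return ""
        m = substr(s, RSTART, RLENGTH); sub(/.*:/, "", m); sub(/\)$/, "", m)
        return m
    }
    # Value of " key=value", with surrounding double quotes stripped.
    function field(s, key,  m) {
        if (!match(s, " " key "=[^ ]+")) return ""
        m = substr(s, RSTART, RLENGTH); sub(/^ [^=]*=/, "", m); gsub(/"/, "", m)
        return m
    }
    # resp=2 is FAN_DENY; resp=1 (allow) events are ignored.
    /^type=FANOTIFY / { if (field($0, "resp") == "2") deny[serial($0)] = 1 }
    /^type=SYSCALL /  { exe[serial($0)] = field($0, "exe") }
    # nametype=NORMAL is the object itself; PARENT records are its directory.
    /^type=PATH /     { if (field($0, "nametype") == "NORMAL") path[serial($0)] = field($0, "name") }
    END { for (s in deny) printf "%s exe=%s name=%s\n", s, exe[s], path[s] }
    ' | sort -n
}

# Constructed sample of raw audit records (two events: one deny, one allow).
SAMPLE_EVENTS='type=FANOTIFY msg=audit(1647857722.123:456): resp=2
type=SYSCALL msg=audit(1647857722.123:456): arch=c000003e syscall=59 success=no exit=-1 ppid=1200 pid=1234 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key=(null)
type=PATH msg=audit(1647857722.123:456): item=0 name="/home/alice/build/helper.sh" inode=131 nametype=NORMAL
type=FANOTIFY msg=audit(1647857730.001:457): resp=1
type=SYSCALL msg=audit(1647857730.001:457): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=1300 auid=1000 uid=1000 comm="python3" exe="/usr/bin/python3" key=(null)
type=PATH msg=audit(1647857730.001:457): item=1 name="/usr/lib64/libz.so.1" inode=2048 nametype=NORMAL'

printf '%s\n' "$SAMPLE_EVENTS" | summarize_denials
```

       Only the denied event (serial 456) is reported; the allowed load of
       libz.so.1 is dropped.
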

OPTIONS

       --debug
              leave the daemon in the foreground for debugging. Event
              information is written to stderr so that policy decisions can
              be observed.

       --debug-deny
              leave the daemon in the foreground for debugging. Event
              information is written to stderr only when the decision is to
              deny access.

       --permissive
              the daemon will allow file access regardless of the policy
              decision. This is useful for debugging rules before making them
              permanent.

       --no-details
              when fapolicyd ends, it dumps a usage report with various
              statistics that may be useful for tuning performance. It can
              also detail which processes it knew about and files being
              accessed by them. This can be useful for forensics
              investigations. In some settings, this may not be desirable as
              the file names may be sensitive. Using this option removes
              process and file names leaving only the statistics. The default
              without giving this option is to generate a full report.


SIGNALS

       SIGTERM
              causes fapolicyd to discontinue processing events, write its
              performance report, and exit.

       SIGHUP causes fapolicyd to reload the trust database.

       SIGUSR1
              causes fapolicyd to dump its internal statistics to
              /var/run/fapolicyd.state


NOTES

       Whatever you do, DO NOT TRY TO ATTACH WITH PTRACE. Ptrace attachment
       sends a SIGSTOP which cannot be blocked. Since your whole system
       depends on fapolicyd approving access to glibc and various critical
       libraries, that will not happen until SIGCONT is sent. The system can
       deadlock if the continue signal is not sent.

       To get audit events, you must have auditing enabled and at least one
       system call rule loaded. Otherwise you will not get any events.

       If the rpmdb is set as a trust source, you should minimize the number
       of 32 bit packages on the system. In such cases, there may be a 32 bit
       and a 64 bit file with the same pathname. Obviously only one can exist
       on the disk. So, this will always cause database miscompares and cause
       a delay in the daemon being operational.

       The compiled.rules file is the resulting merge of component rules in
       /etc/fapolicyd/rules.d/. See the fagenrules man page for more
       information.

       If you are running in the debug mode and wish to compare rule numbers
       reported in the output with which rule is actually triggering, you can
       see the rules with the corresponding number by running the following
       command:

              fapolicyd-cli --list


FILES

       /etc/fapolicyd/fapolicyd.conf - daemon configuration

       /etc/fapolicyd/compiled.rules - access control rules

       /etc/fapolicyd/fapolicyd.trust - admin defined trusted files

       /var/log/fapolicyd-access.log - information about what was being
       accessed.

       /var/run/fapolicyd.state - internal performance metrics


SEE ALSO

       fapolicyd-cli(8), fapolicyd.rules(5), fapolicyd.trust(5),
       fapolicyd-filter.conf(5), fagenrules(8), and fapolicyd.conf(5)


AUTHOR

       Steve Grubb



Red Hat                           March 2022                      FAPOLICYD(8)