Provided by: fapolicyd_1.1.7-2_amd64 bug

NAME

       compiled.rules  -  compiled  fapolicyd  rules to determine access rights fapolicyd.rules -
       deprecated fapolicyd rules to determine access rights

DESCRIPTION

       compiled.rules is a file that is compiled by fagenrules  which  contains  the  rules  that
       fapolicyd uses to make decisions about access rights. The rules follow a simple format of:

       decision perm subject : object

       They  are  evaluated  from  top  to bottom with the first rule to match being used for the
       access control decision. The colon is mandatory to separate subject and object since  they
       share keywords.

   Decision
       The  decision  is  either allow, deny, allow_audit, deny_audit, allow_syslog, deny_syslog,
       allow_log, or deny_log.  If the rule triggers, this is the access decision that  fapolicyd
       will  tell the kernel. If the decision is one of the audit variety, then the decision will
       trigger a FANOTIFY audit event with all relevant information.  You must have at least  one
       audit  rule  loaded  to  generate  an  audit  event.  If the decision is one of the syslog
       variety, then the decision will trigger writing an event into syslog. If the  decision  is
       of  one the log variety, then it will create an audit event and a syslog event. Regardless
       of the notification, any rule with a deny in the keyword will deny access and any with  an
       allow in the keyword will allow access.

   Perm
       Perm  describes  what  kind  permission is being asked for. The permission is either open,
       execute, or any.  If none are given, then open is assumed.

   Subject
       The subject is the process that is performing actions on system resources. The  fields  in
       the rule that describe the subject are written in a name=value format. There can be one or
       more subject fields. Each field is and'ed with others to decide if a  rule  triggers.  The
       name values can be any of the following:

              all         This  matches  against  any  subject.  When used, this must be the only
                          subject in the rule.

              auid        This is the login uid that the audit system assigns users when they log
                          in  to  the  system. Daemons have a value of -1. The given value may be
                          numeric or the account name.

              uid         This is the user id that the program is running under. The given  value
                          may be numeric or the account name.

              gid         This is the group id that the program is running under. The given value
                          may be numeric or the group name.

              sessionid   This is the numeric session id that the audit system assigns  to  users
                          when they log in. Daemons have a value of -1.

              pid         This is the numeric process id that a program has.

              ppid        This  is  the  numeric  process  id  of the program's parent. Note that
                          programs that are orphaned or started directly from systemd have a ppid
                          value of 1. Kernel threads have a ppid value of 2.

              trust       This  is a boolean describing whether it is required for the subject to
                          be in the trust database or not. A value of 1 means its required  while
                          0 means its not. Trust checking is extended by the integrity setting in
                          fapolicyd.conf. When trust is used  on  the  subject,  it  could  be  a
                          daemon.  If  that  daemon  gets  updated  on  disk, the trustdb will be
                          updated to the new SHA256 hash. If the integrity setting is  not  none,
                          the  running  daemon  is  not  likely  to  be  trusted  unless  it gets
                          restarted. The default rules are not written in a way that  this  would
                          happen.  But this needs to be highlighted as it may not be obvious when
                          writing a new rule.

              comm        This is the shortened  command  name.  When  an  interpreter  starts  a
                          program,  it  usually renames the program to the script rather than the
                          interpreter.

              exe         This is the full path to the executable. Globbing is not supported. You
                          may  also use the special keyword untrusted to match on the subject not
                          being listed in the rpm database.

              dir         If you wish to match a directory, then use this by giving the full path
                          to  the  directory.  Its  recommended  to  end  with the / to ensure it
                          matches a directory. There are 3 keywords that dir supports:  execdirs,
                          systemdirs, untrusted.

                          execdirs    The  execdirs  option will match against the following list
                                      of directories:

                                      /usr/       /bin/ /sbin/ /lib/ /lib64/ /usr/libexec/

                          systemdirs  The systemdirs option will match against the same  list  as
                                      execdirs but also includes /etc/.

                          untrusted   The  untrusted option will look up the current executable's
                                      full path in the rpm database to see if the  executable  is
                                      known  to  the system. The rule will trigger if the file in
                                      question is not in  the  trust  database.  This  option  is
                                      deprecated   in  favor  of  using  obj_trust  with  execute
                                      permission when writing rules.

              ftype       This option takes the mime type of a file as an argument. If  you  wish
                          to check the mime type of a file while writing rules, run the following
                          command:

                          fapolicyd-cli --ftype /path-to-file

              device      This option will match against the device that the  executable  resides
                          on. To use it, start with /dev/ and add the target device name.

              pattern     There  are  various  ways that an attacker may try to execute code that
                          may reveal itself in the pattern of file accesses made  during  program
                          startup.  This  rule can take one of several options depending on which
                          access patterns is wished to be blocked. Fapolicyd is  able  to  detect
                          these different access patterns and provide the access decision as soon
                          as it identifies the pattern. The pattern type can be any of:

                          normal      This matches against any ELF program  that  is  dynamically
                                      linked.

                          ld_so       This matches against access patterns that indicate that the
                                      program is being started directly by the runtime linker.

                          ld_preload  This matches against access patterns that indicate that the
                                      program is being started with either LD_PRELOAD or LD_AUDIT
                                      present in the environment. Note  that  even  without  this
                                      rule,  you  have  protection  against LD_PRELOAD of unknown
                                      binaries when the rules are written such that trust is used
                                      to  determine  if a library should be opened. In that case,
                                      the preloaded library would be denied but  the  application
                                      will still execute. This rule makes it so that even trusted
                                      libraries can  be  denied  and  the  application  will  not
                                      execute.

                          static      This matches against ELF files that are statically linked.

   Object
       The  object  is the file that the subject is interacting with. The fields in the rule that
       describe the object are written in a name=value format. There can be one  or  more  object
       fields. Each field is and'ed with others to decide if a rule triggers. The name values can
       be any of the following:

              all         This matches against any obbject. When used,  this  must  be  the  only
                          object in the rule.

              path        This  is  the  full path to the file that will be accessed. Globbing is
                          not supported. You may also use the special keyword untrusted to  match
                          on the object not being listed in the rpm database.

              dir         If  you  wish  to  match on access to any file in a directory, then use
                          this by giving the full path to the directory. Its recommended  to  end
                          with  the / to ensure it matches a directory. There are 3 keywords that
                          dir supports: execdirs, systemdirs, untrusted. See the dir option under
                          Subject for an explanation of these keywords.

              device      This  option will match against the device that the file being accessed
                          resides on. To use it, start with /dev/ and add the target device name.

              ftype       This option matches against the mime type of the file  being  accessed.
                          See  ftype  under  Subject for more information on determining the mime
                          type.

              trust       This is a boolean describing whether it is required for the  object  to
                          be  in the trust database or not. A value of 1 means its required while
                          0 means its not. Trust checking is extended by the integrity setting in
                          fapolicyd.conf.

              sha256hash  This option matches against the sha256 hash of the file being accessed.
                          The hash in the rules should be all lowercase letters and do NOT  start
                          with 0x. Lowercase is the default output of sha256sum.

SETS

       Set  is  a  named  group  of  values  of the same type. Fapolicyd internally distinguishes
       between INT and STRING set types. You can define your own set and use it as a value for  a
       specific rule attribute. The definition is in key=value syntax and starts with a set name.
       The set name has to start with '%' and the rest is alphanumeric or '_'.  The  value  is  a
       comma  separated  list. The set type is inherited from the first item in the list. If that
       can be turned into number then whole list is expected to carry numbers. One can use  these
       sets as a value for subject and object attributes. It is also possible to use a plain list
       as an attribute value without previous definition. The  assigned  set  has  to  match  the
       attribute type. It is not possible set groups for TRUST and PATTERN attributes.

   SETS EXAMPLES
       # definition
       %python=/usr/bin/python2.7,/usr/bin/python3.6
       allow exe=%python : all trust=1
       #
       # definition
       # number set
       %uuids=0,1000
       allow uid=%uuids : all

NOTES

       When  writing  rules, you should keep them focused to one goal and store them in one file.
       These rule files are kept in the /etc/fapolicyd/rules.d directory. During daemon  startup,
       fagenrules  will  run  and  compile  all  these  component  files  into  one  master file,
       compiled.rules. See the fagenrules man page for more information.

       When you are writing a rule for the execute permission,  remember  that  the  file  to  be
       executed  is  an object.  For example, you type ssh into the shell. The shell calls execve
       on /usr/bin/ssh. At that instant in time, ssh is the  object  that  bash  is  working  on.
       However,  if  you  are blocking execution from a specific program, then you would normally
       state the program on the subject side and use all for the object side.

       If you are writing rules that use patterns, just select any as the permission to be  clear
       that this applies to anything. In reality, pattern matching ignores the permission but the
       suggestion is for documentation purposes.

       Some interpreters do not immediately read all lines of input. Rather, they read content as
       needed  until they get to end of file. This means that if they do stuff like networking or
       sleeping or anything that takes time, someone with the privileges to modify the  file  can
       add  to  it  after the file's integrity has been checked. This is not unique to fapolicyd,
       it's simply how things work. Make sure that trusted file permissions are not excessive  so
       that no unexpected file content modifications can occur.

EXAMPLES

       The following rules illustrate the rule syntax.

       deny_audit perm=open exe=/usr/bin/wget : dir=/tmp
       allow perm=open exe=/usr/bin/python3.7 : ftype=text/x-python trust=1
       deny_audit perm=any pattern ld_so : all
       deny perm=any all : all

SEE ALSO

       fapolicyd(8), fagenrules (8), fapolicyd-cli(8), and fapolicyd.conf(5)

AUTHOR

       Steve Grubb