Provided by: fapolicyd_1.3.2+20231212+git973a86d1b4-1.1_amd64 bug

NAME

       fapolicyd - File Access Policy Daemon

SYNOPSIS

       fapolicyd [options]

DESCRIPTION

       fapolicyd  is  a  userspace daemon that determines access rights to files based on a trust
       database and file or process attributes. It can be used to either blacklist  or  whitelist
       file access and execution.

       Configuring  fapolicyd  is done with the files in the /etc/fapolicyd/ directory. There are
       three files: compiled.rules  ,  fapolicyd.conf  ,  and  fapolicyd.trust.   The  first  one
       contains the access policy, the second determines the daemon's configuration, and the last
       allows admin defined trusted files.

       The default rules will generate audit events whenever there is a denial.  NOTE:  you  must
       have  at least 1 audit rule loaded for the audit system to create the full FANOTIFY event.
       It doesn't matter which rule is loaded. To see if you have any denials, you  can  run  the
       following command:

              ausearch --start today -m fanotify -i

       or instead of -i, you can add --format text to get an easier to read audit event.

OPTIONS

       --debug
              leave  the  daemon in the foreground for debugging. Event information is written to
              stderr so that policy decisions can be observed.

       --debug-deny
              leave the daemon in the foreground for debugging. Event information is  written  to
              stderr only when the decision is to deny access.

       --permissive
              the daemon will allow file access regardless of the policy decision. This is useful
              for debugging rules before making them permanent.

       --no-details
              when fapolicyd ends, it dumps a usage report with various statistics  that  may  be
              useful for tuning performance. It can also detail which processes it knew about and
              files being accessed by them. This can be useful for forensics  investigations.  In
              some  settings, this may not be desirable as the file names may be sensitive. Using
              this option removes process and file names leaving only the statistics. The default
              without giving this option is to generate a full report.

SIGNALS

       SIGTERM
              causes  fapolicyd  to discontinue processing events, write it's performance report,
              and exit.

       SIGHUP causes fapolicyd to reload the trust database.

       SIGUSR1
              causes fapolicyd to dump it's internal statistics to /var/run/fapolicyd.state

NOTES

       Whatever you do, DO NOT TRY TO ATTACH WITH PTRACE. Ptrace attachment sends a SIGSTOP which
       cannot  be blocked. Since your whole system depends on fapolicyd approving access to glibc
       and various critical libraries, that will not happen until SIGCONT is sent. The system can
       deadlock if the continue signal is not sent.

       To  get  audit  events,  you  must  have auditing enabled and at least one systemcall rule
       loaded. Otherwise you will not get any events.

       If the rpmdb is set as a trust source, you should minimize the number of 32  bit  packages
       on  the  system.  In such cases, there may be a 32 bit and 64 file with the same pathname.
       Obviously only one can exist on the disk. So, this will always cause database  miscompares
       and cause a delay in the daemon being operational.

       The    compiled.rules    file   is   the   resulting   merge   of   component   rules   in
       /etc/fapolicyd/rules.d/ See the fagenrules man page for more information.

       If you are running in the debug mode and wish to compare  rule  numbers  reported  in  the
       output  with  which  rule  is  actually  triggering,  you  can  see  the  rules  with  the
       corresponding number by running the following command:

       fapolicyd-cli --list

FILES

       /etc/fapolicyd/fapolicyd.conf - daemon configuration

       /etc/fapolicyd/compiled.rules - access control rules

       /etc/fapolicyd/fapolicyd.trust - admin defined trusted files

       /var/log/fapolicyd-access.log - information about what was being accessed.

       /var/run/fapolicyd.state - internal performance metrics

SEE ALSO

       fapolicyd-cli(8),   fapolicyd.rules(5),   fapolicyd.trust(5),    fapolicyd-filter.conf(5),
       fagenrules(8), and fapolicyd.conf(5)

AUTHOR

       Steve Grubb