Chapter 25. Securing file access by using the RHEL system role


With the fapolicyd system role, you can prevent execution of unknown code on RHEL by using the Red Hat Ansible Automation Platform.

25.1. Configuring protection against unknown code execution with the fapolicyd RHEL system role

You can use the fapolicyd system role to prevent execution of unknown code by running an Ansible playbook.



  1. Create a playbook file, for example ~/playbook.yml, with the following content:

    - name: Preventing execution of unknown code
      hosts: all
      vars:
        # Verify trusted files by SHA-256 hash, not only by size
        fapolicyd_setup_integrity: sha256
        # Trust the RPM database and the file trust list
        fapolicyd_setup_trust: rpmdb,file
        # Executables outside the RPM database that fapolicyd must allow to run
        fapolicyd_add_trusted_file:
          - </usr/bin/my-ls>
          - </opt/third-party/app1>
          - </opt/third-party/app2>
      roles:
        - rhel-system-roles.fapolicyd

    You can further customize the protection by using the following variables of the linux-system-roles.fapolicyd RHEL system role:

      • fapolicyd_setup_integrity: You can set one of the following types of integrity: none, sha256, and size.
      • fapolicyd_setup_trust: You can set the trust file types file, rpmdb, and deb.
      • fapolicyd_add_trusted_file: You can list executable files that you trust and that fapolicyd does not prevent from executing.
  2. Validate the playbook syntax:

    # ansible-playbook ~/playbook.yml --syntax-check

    Note that this command only validates the syntax and does not protect against a wrong but valid configuration.

  3. Run the playbook:

    # ansible-playbook ~/playbook.yml
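A check you may want after the playbook has run, as an added example that is not part of the Red Hat documentation or of the fapolicyd role: with fapolicyd_setup_integrity set to sha256, a trusted file that is later updated no longer matches the size and hash recorded for it and is denied, so this POSIX shell script compares a fapolicyd file-trust list (assumed entry format: path, size in bytes, SHA-256 per line) against the files on disk and reports the drift. The file names it uses are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation or the fapolicyd role.
# Compares a fapolicyd file-trust list against the binaries on disk. With
# fapolicyd_setup_integrity set to sha256, a trusted file whose size or hash
# no longer matches its trust entry is denied, so this reports such drift
# before it shows up as a blocked application.
# Assumed trust entry format (as written by fapolicyd-cli --file add):
#   <path> <size-in-bytes> <sha256-hex>
# Paths containing spaces are not handled. Requires sha256sum (coreutils).

file_size() { wc -c < "$1" | tr -d ' '; }
file_sha256() { sha256sum "$1" | cut -d' ' -f1; }

# make_trust_entry PATH: print the trust line for an existing file.
make_trust_entry() {
  printf '%s %s %s\n' "$1" "$(file_size "$1")" "$(file_sha256 "$1")"
}

# check_trust_file TRUSTFILE: print OK/STALE/MISSING per entry; return 1 if
# any entry is not OK.
check_trust_file() {
  rc=0
  while read -r path size hash; do
    case "$path" in ''|'#'*) continue ;; esac
    if [ ! -f "$path" ]; then
      echo "MISSING $path"; rc=1
    elif [ "$(file_size "$path")" = "$size" ] &&
         [ "$(file_sha256 "$path")" = "$hash" ]; then
      echo "OK $path"
    else
      echo "STALE $path"; rc=1
    fi
  done < "$1"
  return "$rc"
}

# demo_drift: constructed scenario in a temp dir (no real system paths):
# two trusted apps, then app1 is updated after its trust entry was recorded.
demo_drift() {
  d=$(mktemp -d)
  printf 'echo app1\n' > "$d/app1"; printf 'echo app2\n' > "$d/app2"
  { make_trust_entry "$d/app1"; make_trust_entry "$d/app2"; } > "$d/fapolicyd.trust"
  printf 'echo app1 v2\n' > "$d/app1"
  check_trust_file "$d/fapolicyd.trust"   # app1 STALE, app2 OK; returns 1
  st=$?; rm -rf "$d"; return "$st"
}
```

On a managed host, point check_trust_file at /etc/fapolicyd/fapolicyd.trust; a STALE entry means the file changed after it was trusted and must be re-added to the trust database before fapolicyd allows it to run again.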

Additional resources

  • /usr/share/ansible/roles/rhel-system-roles.fapolicyd/ file